2024-02-08 04:42:06 +00:00
# 从已编译的应用程序中提取权限
2022-04-28 16:01:33 +00:00
< details >
2024-02-09 01:27:24 +00:00
< summary > < strong > 从零开始学习AWS黑客技术, < / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE( ) < / strong > < / a > < strong > ! < / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-01-12 09:01:50 +00:00
支持HackTricks的其他方式:
2022-04-28 16:01:33 +00:00
2024-02-08 04:42:06 +00:00
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
2024-02-09 01:27:24 +00:00
* **加入** 💬 [**Discord群** ](https://discord.gg/hRep4RUj7f ) 或 [**电报群** ](https://t.me/peass ) 或 **关注**我们的**Twitter** 🐦 [**@carlospolopm** ](https://twitter.com/hacktricks_live )**。**
2024-02-08 04:42:06 +00:00
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
2022-04-28 16:01:33 +00:00
< / details >
2024-02-09 01:27:24 +00:00
页面摘要[https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0069/#review-entitlements-embedded-in-the-compiled-app-binary](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0069/#review-entitlements-embedded-in-the-compiled-app-binary)
2024-02-08 04:42:06 +00:00
### **提取权限和移动配置文件**
2021-05-17 19:08:47 +00:00
2024-02-09 01:27:24 +00:00
当处理应用的IPA文件或越狱设备上安装的应用时, , , ,
2021-05-17 19:08:47 +00:00
2024-02-09 01:27:24 +00:00
即使是加密的二进制文件, , ( )
2021-05-17 19:08:47 +00:00
2024-02-08 04:42:06 +00:00
#### **从应用程序二进制文件中提取权限Plist**
2021-05-17 19:08:47 +00:00
2024-02-08 04:42:06 +00:00
在计算机上可以访问应用程序二进制文件时,可以使用**binwalk**来提取所有XML文件。下面的命令演示了如何执行此操作:
2021-05-17 19:08:47 +00:00
```bash
$ binwalk -e -y=xml ./Telegram\ X
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
1430180 0x15D2A4 XML document, version: "1.0"
1458814 0x16427E XML document, version: "1.0"
```
2024-02-08 04:42:06 +00:00
或者,**radare2** 可以用来静默运行命令并退出,搜索应用程序二进制文件中包含 "PropertyList" 的所有字符串:
2021-05-17 19:08:47 +00:00
```bash
$ r2 -qc 'izz~PropertyList' ./Telegram\ X
2024-02-08 04:42:06 +00:00
0x0015d2a4 ascii <?xml version="1.0" encoding="UTF-8" standalone="yes"?> ...
0x0016427d ascii H<?xml version="1.0" encoding="UTF-8"?> ...
2021-05-17 19:08:47 +00:00
```
2024-02-08 04:42:06 +00:00
Both methods, binwalk and radare2, enable the extraction of `plist` files, with an inspection of the first one (0x0015d2a4) revealing a successful recovery of the [original entitlements file from Telegram ](https://github.com/peter-iakovlev/Telegram-iOS/blob/77ee5c4dabdd6eb5f1e2ff76219edf7e18b45c00/Telegram-iOS/Telegram-iOS-AppStoreLLC.entitlements ).
2021-05-17 19:08:47 +00:00
2024-02-08 04:42:06 +00:00
For app binaries accessed on jailbroken devices (e.g., via SSH), the **grep** command with the `-a, --text` flag can be used to treat all files as ASCII text:
2021-05-17 19:08:47 +00:00
```bash
2024-02-08 04:42:06 +00:00
$ grep -a -A 5 'PropertyList' /var/containers/Bundle/Application/...
2021-05-17 19:08:47 +00:00
```
2024-02-09 01:27:24 +00:00
调整 `-A num, --after-context=num` 标志允许显示更多或更少行。即使针对加密的应用程序二进制文件, , ,
2022-04-28 16:01:33 +00:00
2024-02-09 01:27:24 +00:00
**注意**:不建议直接使用 `strings` 命令执行此任务,因为它在查找相关信息方面存在局限性。相反,建议在二进制文件上使用带有 `-a` 标志的 grep 或利用 radare2 (`izz`)/rabin2 (`-zz`) 来获得更有效的结果。
