@@ -84,6 +84,30 @@ Notes
- Gadget is detected by some protections; keep names/paths stealthy and load late/conditionally if needed.
- On hardened apps, prefer rooted testing with server + late attach, or combine with Magisk/Zygisk hiding.

## JDWP-based Frida injection without root/repackaging (frida-jdwp-loader)

If the APK is debuggable (android:debuggable="true"), you can attach over JDWP and inject a native library at a Java breakpoint. No root and no APK repackaging.

- Repo: https://github.com/frankheat/frida-jdwp-loader
- Requirements: ADB, Python 3, USB/Wireless debugging. App must be debuggable (emulator with `ro.debuggable=1`, rooted device with `resetprop`, or rebuild manifest).

Quick start
```bash
git clone https://github.com/frankheat/frida-jdwp-loader.git
cd frida-jdwp-loader
# Inject frida-gadget.so into a debuggable target
python frida-jdwp-loader.py frida -n com.example.myapplication
# Keep the breakpoint thread suspended for early hooks
python frida-jdwp-loader.py frida -n com.example.myapplication -s
# Networkless: run a local agent script via Gadget "script" mode
python frida-jdwp-loader.py frida -n com.example.myapplication -i script -l script.js
```

Notes
- Modes: spawn (break at Application.onCreate) or attach (break at Activity.onStart). Use `-b` to set a specific Java method, `-g` to select Gadget version/path, `-p` to choose JDWP port.
- Listen mode: forward Gadget (default 127.0.0.1:27042) if needed: `adb forward tcp:27042 tcp:27042`; then `frida-ps -H 127.0.0.1:27042`.
- This leverages JDWP debugging. Risk is shipping debuggable builds or exposing JDWP.

## Self-contained agent + Gadget embedding (Frida 17+; automated with Objection)

Frida 17 removed the built-in Java/ObjC bridges from GumJS. If your agent hooks Java, you must include the Java bridge inside your bundle.
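Review bot: The new heading promises injection "without root/repackaging", but the requirements bullet two lines below it says the app must be debuggable and lists `ro.debuggable=1` on an emulator, `resetprop` on a rooted device, or rebuilding the manifest as the ways to get there, so "no root and no APK repackaging" only holds when the target already ships with `android:debuggable="true"`. State that precondition in the intro sentence (and put the attribute in backticks like the other inline values in this section). The Notes bullet on modes says spawn breaks at `Application.onCreate` and attach at `Activity.onStart`, yet none of the three quick-start commands shows how the mode is chosen; add the flag or a fourth command. The closing bullet is the only hardening guidance in the section and would be stronger with the concrete check it implies: release builds must not carry `android:debuggable="true"`, and since JDWP is reached over ADB (the requirements list USB/Wireless debugging), leaving debugging enabled on a device is the exposure to audit.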
@@ -165,7 +189,7 @@ diff -r org.secuso.privacyfriendlydicer org.secuso.privacyfriendlydicer.objectio
```
Expected changes:
- AndroidManifest.xml may include `<uses-permission android:name="android.permission.INTERNET"/>`
- New native libs under lib/<abi>/ as above
- New native libs under `lib/<abi>/` as above
- Launchable activity smali contains a static `<clinit>` that calls System.loadLibrary("frida-gadget")

5) Split APKs
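Review bot: Good catch on the backticks around `lib/<abi>/`; a bare `<abi>` in Markdown is treated as an HTML tag and the rendered path collapses to `lib//`. The next bullet mixes styles in the same way: `<clinit>` is in code font but `System.loadLibrary("frida-gadget")` is not; wrap the call in backticks too so the quotes and parentheses stay literal in the rendered page.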
@@ -180,11 +204,6 @@ adb install-multiple split1.apk split2.apk ...
```
- For distribution, you can merge splits into a single APK with APKEditor, then align/sign

Defensive notes (what to look for when hardening)
- Implement signature/repackage checks and runtime integrity/attestation
- Detect unexpected System.loadLibrary("frida-gadget") or suspicious native libs at startup
- Avoid declaring unused INTERNET permission; reduce gadget detection surface

## Tutorials

### [Tutorial 1](frida-tutorial-1.md)
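Review bot: This hunk deletes the "Defensive notes (what to look for when hardening)" list outright: signature/repackage checks and runtime integrity/attestation, detecting an unexpected `System.loadLibrary("frida-gadget")` or suspicious native libs at startup, and not declaring an unused INTERNET permission. Those three bullets were the only mitigation guidance in the repackaging section, and they map one-to-one onto the "Expected changes" listed earlier in this diff (added INTERNET permission, new native libs under `lib/<abi>/`, a `<clinit>` that loads the gadget), so the section loses the defender's checklist for the exact artefacts it documents. If the goal is to avoid duplicating another page, replace the list with a pointer to it instead of dropping the content; otherwise restore the three bullets.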
@@ -200,7 +219,7 @@ Defensive notes (what to look for when hardening)
**From**: [https://11x256.github.io/Frida-hooking-android-part-2/](https://11x256.github.io/Frida-hooking-android-part-2/) (Parts 2, 3 & 4)\
**APKs and Source code**: [https://github.com/11x256/frida-android-examples](https://github.com/11x256/frida-android-examples)

**Follow the[ link to read it.](frida-tutorial-2.md)**
**Follow the [link to read it.](frida-tutorial-2.md)**

### [Tutorial 3](owaspuncrackable-1.md)

@@ -247,9 +266,8 @@ Hook the function `a()` of the class `sg.vantagepoint.a.c`

```javascript
Java.perform(function () {
; rootcheck1.a.overload().implementation = function() {
rootcheck1.a.overload().implementation = function() {
send("sg.vantagepoint.a.c.a()Z Root check 1 HIT! su.exists()");
send("sg.vantagepoint.a.c.a()Z Root check 1 HIT! su.exists()")
return false;
};
});
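Review bot: The version of the hook line with a leading `;` is a stray empty statement and the one without it is the one to keep; the two `send(...)` lines differ only in the trailing semicolon, and whichever survives should keep the semicolon so the body is consistent with `return false;` two lines later. Separately, `rootcheck1` is used here but its `Java.use("sg.vantagepoint.a.c")` binding is outside the visible lines; Frida requires Java API calls to run inside the `Java.perform` callback, so confirm the declaration sits inside the callback rather than at top level, otherwise the snippet fails when pasted as-is.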
@@ -296,6 +314,9 @@ activity.onCreate.overload("android.os.Bundle").implementation = function (

Hooking a decryption function. Print the input, call the original function decrypt the input and finally, print the plain data:

<details>
<summary>Hooking a decryption function (Java) — print inputs/outputs</summary>

```javascript
function getString(data) {
var ret = ""
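Review bot: The new `<summary>` text repeats what the sentence directly above it already says ("Hooking a decryption function..."), so the reader meets the same description twice before the code; either shorten the summary to the hooked method or drop the intro sentence. That intro sentence also reads as a run-on: "call the original function decrypt the input and finally, print the plain data" should be "call the original function to decrypt the input, and finally print the plaintext". Wrapping in `<details>` is fine for mdBook as long as the blank line before the fence (present here) stays; in CommonMark the HTML block only ends at a blank line, so without it the fenced code would be rendered as raw text inside the element.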
@@ -321,6 +342,8 @@ aes_decrypt.a.overload("[B", "[B").implementation = function (var_0, var_1) {
}
```

</details>

### Hooking functions and calling them with our input

Hook a function that receives a string and call it with other string (from [here](https://11x256.github.io/Frida-hooking-android-part-2/))
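Review bot: The closing `</details>` pairs with the `<details>` opened in the previous hunk; keep the blank lines on both sides of it (present here), since the HTML block only ends at a blank line and the closing fence above would otherwise be pulled into it. In the visible context, "call it with other string" should read "call it with another string".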
@@ -368,5 +391,9 @@ Java.choose("com.example.a11x256.frida_test.my_activity", {
- [Frida releases (server binaries)](https://github.com/frida/frida/releases)
- [Objection (SensePost)](https://github.com/sensepost/objection)
- [Modding And Distributing Mobile Apps with Frida](https://pit.bearblog.dev/modding-and-distributing-mobile-apps-with-frida/)
- [frida-jdwp-loader](https://github.com/frankheat/frida-jdwp-loader)
- [Library injection for debuggable Android apps (blog)](https://koz.io/library-injection-for-debuggable-android-apps/)
- [jdwp-lib-injector (original idea/tool)](https://github.com/ikoz/jdwp-lib-injector)
- [jdwp-shellifier](https://github.com/hugsy/jdwp-shellifier)

{{#include ../../../banners/hacktricks-training.md}}
{{#include ../../../banners/hacktricks-training.md}}
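Review bot: The last two lines render identically (`{{#include ../../../banners/hacktricks-training.md}}` twice), so the change there is invisible in this view and is most likely a trailing-newline fix; confirm that is the intent and that the final file carries the bottom banner once. The four new references are well chosen, in particular crediting jdwp-lib-injector as the original tool; consider adding a phrase to the frida-jdwp-loader entry saying it is the tool used in the new JDWP section above, since it otherwise duplicates the bare repo link given there.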
@@ -1,4 +1,6 @@
## LESS Code Injection leading to SSRF & Local File Read
# LESS Code Injection leading to SSRF & Local File Read

{{#include ../../../banners/hacktricks-training.md}}

LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive. During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used.

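Review bot: Promoting the title from `##` to `#` is correct: mdBook uses the first H1 as the chapter title, and the other page in this diff uses a single H1 with the banner include directly beneath it, so the added include follows the existing convention. One suggestion for the opening paragraph: when it says the LESS engine fetches the resources referenced in `@import` and inlines them with `(inline)`, make explicit that this fetch runs on the server hosting the compiler, since that is what turns a stylesheet parameter into the SSRF and local file read named in the title.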
@@ -59,4 +61,5 @@ curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \

* [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04)
* [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/)
* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
{{#include ../../../banners/hacktricks-training.md}}
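Review bot: Same pattern as the end of the other file: the CVE-2024-58258 bullet appears twice in the rendered view, which is almost certainly a trailing-newline change rather than a duplicated entry; confirm the final file has one bullet followed by one bottom banner include. The `curl -sk` in the hunk context disables certificate verification with `-k`; a short note that this is only for the lab setup would stop readers from carrying it into tooling where validation matters.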