Tutorial How to: PHP Based Exploits (iOS applications)

[niro 1.2k 9 9.1.0]

 

                Hello, user!

 

Today I'm going to show you how I through this script together and how exactly I found it ! (url with the exploit for the followers will be up soon, (school project final )

 

Before we start off we must know what exactly this 'bot' does, and what it does is add the respected

followers or likes to the share url or the username provided.

If you are wanting to replicate this, or even replicate finding vulnerabilities you must understand that we aren't looking at the Instagram app at all, and instead we are targeting third party applications such as 'FollowGram' or 'InstaFamous' these applications provide the opportunity to use an in-game currency such as tokens or coins to redeem followers or likes.

 

Now we need a way to attempt to manipulate the data to increase our coins or tokens, we can first try using our local storage (File manager) on our iOS or Android device, once you have that downloaded you can go ahead and locate the application and you can try to attempt to modify the data, but in most cases this doesn't work for various reasons such as when the application is loaded it checks your local application storage files and compares them to the server and if they are in the slightest different they will reset to the default value (usually this is the first test I do).

 

Next is to MITM the application to try and find any PHP based exploits (which is the fun part) in order to intercept your application you will need to download a tool (Burp Suite is my personal favorite but there are many tools you can use, Charles and MITM-Proxy are a couple others.

There are many tutorials online on how to configure this with your device. Once that is setup comes the testing and you have to be patient for this as every application doesn't work. (tutorial with vuln. application coming soon)

 

But let's say you are trying to exploit your favorite application for Instagram followers. Once you have downloaded the application sign into your Instagram account and start intercepting the application, and here comes the part you need to pay attention to, when you have your application up and running you are going to want to do something in the application to get coins/tokens such as following someone or watching a video for 1 free coin, spending your coins, etc. If you have interception on correctly you will see JSON come up on your screen and this WILL vary for every application

 

EXAMPLE OF JSON: 

{'user'='instagramuser123','follow'='TRUE','coins'='1'}

or in some cases

user=instagramuser123&follow=TRUE&coins=1

great it's in plain text JSON ! From here you can send this item to the repeater and just repeat this process which makes the server think you are following more people but in reality you are not and this will then increase your balance on the application.

 

If you wanted to change the 'coins'='1' to 'coins'='100' you could try that aswell and see how it goes! Congrats! You found an exploit! But what if this doesn't work? What can I do? Well you can try spending your coins (which I have found effective)

 

Lets say the JSON resembles this when you purchase followers 

{'action'='spendPoints','coins'='500'} 

or 

action=spendPoints&coins=500

well you know how these apps have "if you unfollow a user you will get 5 coins back" or whatever if we change the 'coins'='-500' we are basically saying 500 people unfollowed us so give me my coins back, and so it does .

These are just a few of many tricks I have found while trying to find vulnerabilities within applications ! another thing I should have said is you are going to want to keep an eye out for POST requests instead of GET as I basically tell my self POST is for POSTing things to the server instead of GETting them.

Most if not all exploits will be with a POST request

 

If you have any questions let me know and I will try to help as much as I can I wont be giving out my personal exploits/scripts but I will be more than happy to help you make/find some Enjoy!

Updated June 3, 2016 by niro

[Guest]

Hey! 

 

I'm familiar with this kind of stuff... but, what repeater? How do you send the modified data back to the server?

Awesome tutorial!

[niro 1.2k 9 9.1.0]

Hey! 

 

I'm familiar with this kind of stuff... but, what repeater? How do you send the modified data back to the server?

Awesome tutorial!

repeater is an option within burp suite (should have mentioned that)

but the repeater can repeat certain tasks (like a POST or a GET) without you having to physically do it over again

lets say you search google on your phone and then you send it to the repeater you can keep repeating just that request from within burp so you dont have to do it on your phone

[DragonRising66 4.6k iPhone X 14.8]

Wow this is a very nice detailed tut love it

[l3lo3 537 23]

ok ! thx niro ~   

 

can you hack any good followers app ! and share it here ? 

 

like fastfollowers ! 5000 followers !

 

 

i hope u do ! 

[Multitask 0 10]

this is fresh dawg! how exactly do i repeat it within repeater though?

 

also would it work if i could get on the app on my computer instead of my device?

like for some of those apps, i can log in via computer, would that work with burp?

let me know dawg, thanks soooo much for this tut! you're the bombdiggity.

 

also im an experienced programmer/coder and have created a few apps.

i was wondering if its somehow possible to repeat the actions in python 2.7 or 3.0

to make the actions faster? let me know dawg. 

Updated June 8, 2016 by Multitask

[ObjectiveC 1.9k 20]

Hidden Content

React or reply to this topic to see the hidden content & download link. 👀

[aweawef 0 10]

 

 

what happened?

 

oh wtf

Updated June 12, 2016 by aweawef

[tester_21 5k iPhone 8 Plus 11.0.3]

nice

 

[glurexo 0]

damn nice man