Add content from: frida-jdwp-loader: JDWP-based Frida injection without root o...

HackTricks News Bot · HackTricks News Bot · commit 1847c9a6e585 · 2025-11-05T12:53:36.000Z
diff --git a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md
@@ -84,6 +84,30 @@ Notes
 - Gadget is detected by some protections; keep names/paths stealthy and load late/conditionally if needed.
 - On hardened apps, prefer rooted testing with server + late attach, or combine with Magisk/Zygisk hiding.
 
+## JDWP-based Frida injection without root/repackaging (frida-jdwp-loader)
+
+If the APK is debuggable (android:debuggable="true"), you can attach over JDWP and inject a native library at a Java breakpoint. No root and no APK repackaging.
+
+- Repo: https://github.com/frankheat/frida-jdwp-loader
+- Requirements: ADB, Python 3, USB/Wireless debugging. App must be debuggable (emulator with `ro.debuggable=1`, rooted device with `resetprop`, or rebuild manifest).
+
+Quick start
+```bash
+git clone https://github.com/frankheat/frida-jdwp-loader.git
+cd frida-jdwp-loader
+# Inject frida-gadget.so into a debuggable target
+python frida-jdwp-loader.py frida -n com.example.myapplication
+# Keep the breakpoint thread suspended for early hooks
+python frida-jdwp-loader.py frida -n com.example.myapplication -s
+# Networkless: run a local agent script via Gadget "script" mode
+python frida-jdwp-loader.py frida -n com.example.myapplication -i script -l script.js
+```
+
+Notes
+- Modes: spawn (break at Application.onCreate) or attach (break at Activity.onStart). Use `-b` to set a specific Java method, `-g` to select Gadget version/path, `-p` to choose JDWP port.
+- Listen mode: forward Gadget (default 127.0.0.1:27042) if needed: `adb forward tcp:27042 tcp:27042`; then `frida-ps -H 127.0.0.1:27042`.
+- This leverages JDWP debugging. Risk is shipping debuggable builds or exposing JDWP.
+
 ## Self-contained agent + Gadget embedding (Frida 17+; automated with Objection)
 
 Frida 17 removed the built-in Java/ObjC bridges from GumJS. If your agent hooks Java, you must include the Java bridge inside your bundle.
@@ -165,7 +189,7 @@ diff -r org.secuso.privacyfriendlydicer org.secuso.privacyfriendlydicer.objectio
 ```
 Expected changes:
 - AndroidManifest.xml may include `<uses-permission android:name="android.permission.INTERNET"/>`
-- New native libs under lib/<abi>/ as above
+- New native libs under `lib/<abi>/` as above
 - Launchable activity smali contains a static `<clinit>` that calls System.loadLibrary("frida-gadget")
 
 5) Split APKs
@@ -180,11 +204,6 @@ adb install-multiple split1.apk split2.apk ...
 ```
 - For distribution, you can merge splits into a single APK with APKEditor, then align/sign
 
-Defensive notes (what to look for when hardening)
-- Implement signature/repackage checks and runtime integrity/attestation
-- Detect unexpected System.loadLibrary("frida-gadget") or suspicious native libs at startup
-- Avoid declaring unused INTERNET permission; reduce gadget detection surface
-
 ## Tutorials
 
 ### [Tutorial 1](frida-tutorial-1.md)
@@ -200,7 +219,7 @@ Defensive notes (what to look for when hardening)
 **From**: [https://11x256.github.io/Frida-hooking-android-part-2/](https://11x256.github.io/Frida-hooking-android-part-2/) (Parts 2, 3 & 4)\
 **APKs and Source code**: [https://github.com/11x256/frida-android-examples](https://github.com/11x256/frida-android-examples)
 
-**Follow the[ link to read it.](frida-tutorial-2.md)**
+**Follow the [link to read it.](frida-tutorial-2.md)**
 
 ### [Tutorial 3](owaspuncrackable-1.md)
 
@@ -247,9 +266,8 @@ Hook the function `a()` of the class `sg.vantagepoint.a.c`
 
 ```javascript
 Java.perform(function () {
-;  rootcheck1.a.overload().implementation = function() {
   rootcheck1.a.overload().implementation = function() {
-    send("sg.vantagepoint.a.c.a()Z   Root check 1 HIT!  su.exists()");
+    send("sg.vantagepoint.a.c.a()Z   Root check 1 HIT!  su.exists()")
     return false;
   };
 });
@@ -296,6 +314,9 @@ activity.onCreate.overload("android.os.Bundle").implementation = function (
 
 Hooking a decryption function. Print the input, call the original function decrypt the input and finally, print the plain data:
 
+<details>
+<summary>Hooking a decryption function (Java) — print inputs/outputs</summary>
+
 ```javascript
 function getString(data) {
   var ret = ""
@@ -321,6 +342,8 @@ aes_decrypt.a.overload("[B", "[B").implementation = function (var_0, var_1) {
 }
 ```
 
+</details>
+
 ### Hooking functions and calling them with our input
 
 Hook a function that receives a string and call it with other string (from [here](https://11x256.github.io/Frida-hooking-android-part-2/))
@@ -368,5 +391,9 @@ Java.choose("com.example.a11x256.frida_test.my_activity", {
 - [Frida releases (server binaries)](https://github.com/frida/frida/releases)
 - [Objection (SensePost)](https://github.com/sensepost/objection)
 - [Modding And Distributing Mobile Apps with Frida](https://pit.bearblog.dev/modding-and-distributing-mobile-apps-with-frida/)
+- [frida-jdwp-loader](https://github.com/frankheat/frida-jdwp-loader)
+- [Library injection for debuggable Android apps (blog)](https://koz.io/library-injection-for-debuggable-android-apps/)
+- [jdwp-lib-injector (original idea/tool)](https://github.com/ikoz/jdwp-lib-injector)
+- [jdwp-shellifier](https://github.com/hugsy/jdwp-shellifier)
 
-{{#include ../../../banners/hacktricks-training.md}}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/xs-search/css-injection/less-code-injection.md b/src/pentesting-web/xs-search/css-injection/less-code-injection.md
@@ -1,4 +1,6 @@
-## LESS Code Injection leading to SSRF & Local File Read
+# LESS Code Injection leading to SSRF & Local File Read
+
+{{#include ../../../banners/hacktricks-training.md}}
 
 LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive.  During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used.
 
@@ -59,4 +61,5 @@ curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \
 
 * [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04)
 * [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/)
-* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
+* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
+{{#include ../../../banners/hacktricks-training.md}}
