yay

pentesting-exploits-noted-in-smartphones/webview-setallowfileaccess.html

@@ -22,8 +22,17 @@
 <h3>Example - Exfiltrate files via WebView File Access</h3>
 <h2>This site is used with the Pentesting Exploits Noted In Smartphones training course.</h2>
 <h2>If you reached this site via Axolotl, then you've successfully reached out to the external website.</h2>
-This webpage has an interactive JavaScript window.
-<br>
+<p id="documentlocationcheck"></p>
+<script>
+    var locationHref = location.href;
+    var locationOrigin = location.origin;
+    var locationProtocol = location.protocol;
+    document.getElementById("documentlocationcheck").innerHTML = "" +
+        "<code>location.href</code>: " + locationHref + "<br>" +
+        "<code>location.origin</code>: " + locationOrigin + "<br>" +
+        "<code>location.protocol</code>: " + locationProtocol
+    ;
+</script>
 <br>
 Type your JavaScript into the text box below, and tap <code>eval</code>.
 <br>
@@ -53,4 +62,8 @@ <h2>If you reached this site via Axolotl, then you've successfully reached out t
 <br>
 <br>
 If you see the image below, then the image <code>_axolotl_phone.jpg</code> was loaded via a <code>file://</code> scheme.
-<img src="file:////sdcard/Android/data/com.maliciouserection.axolotl/files/_axolotl_phone.jpg" width="369">
+<img src="file:////sdcard/Android/data/com.maliciouserection.axolotl/files/_axolotl_phone.jpg" width="369">
+<br>
+<br>
+If you see the image below, then the image <code>_axolotl_phone_2.jpg</code> was loaded via a <code>content://</code> scheme.
+<img src="content://com.maliciouserection.axolotl.provider.FileProvider/yayrootyay/files/_axolotl_phone_2.jpg" width="369">