其他
Android App漏洞入门学习小记
1
概述
2
组件通讯--Intent
// Explicit intent: the target activity is named by class, so no intent-filter matching is involved.
startActivity(new Intent(MainActivity.this, FirstActivity.class));
// Three equivalent ways of naming the target on an empty Intent.

// 1) setClass(Context, Class): package and class name are both derived from the arguments.
startActivity(new Intent().setClass(this, FirstActivity.class));

// 2) setClassName(Context, String): the package comes from the context, the class is given by name.
startActivity(new Intent().setClassName(this, "com.itlong.mytwoactivtiy.FirstActivity"));

// 3) setClassName(String, String): package and class are both given as strings.
startActivity(new Intent().setClassName(
        "com.itlong.mytwoactivtiy",
        "com.itlong.mytwoactivtiy.FirstActivity"));
// The same explicit target, expressed through ComponentName and setComponent().

// 1) ComponentName(Context, String)
startActivity(new Intent().setComponent(
        new ComponentName(MainActivity.this, "com.itlong.mytwoactivtiy.FirstActivity")));

// 2) ComponentName(Context, Class)
startActivity(new Intent().setComponent(
        new ComponentName(MainActivity.this, FirstActivity.class)));

// 3) ComponentName(String, String): package name and class name as strings.
startActivity(new Intent().setComponent(
        new ComponentName(
                "com.itlong.mytwoactivtiy",
                "com.itlong.mytwoactivtiy.FirstActivity")));
setClasssetClassName setClass
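/**
 * Sets the explicit target component from a context and a class object.
 *
 * @param packageContext context passed to {@link ComponentName} as the package source
 * @param cls class passed to {@link ComponentName} as the target class
 * @return this intent, so calls can be chained
 */
public @NonNull Intent setClass(@NonNull Context packageContext, @NonNull Class<?> cls) {
    mComponent = new ComponentName(packageContext, cls);
    return this;
}

/**
 * Sets the explicit target component from a context and a class name.
 *
 * @param packageContext context passed to {@link ComponentName} as the package source
 * @param className name of the target class
 * @return this intent, so calls can be chained
 */
public @NonNull Intent setClassName(@NonNull Context packageContext,
        @NonNull String className) {
    // The package half of the component comes from packageContext, so this overload names a
    // class inside that context's package. A component of another application is addressed
    // with the (String packageName, String className) overload instead.
    mComponent = new ComponentName(packageContext, className);
    return this;
} // closing brace restored; it was missing from the quoted source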
/**
 * Points this intent at the component built from {@code packageContext} and {@code cls}.
 *
 * @return this intent, so calls can be chained
 */
public @NonNull Intent setClass(@NonNull Context packageContext, @NonNull Class<?> cls) {
    final ComponentName target = new ComponentName(packageContext, cls);
    mComponent = target;
    return this;
}
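<!--
  NOTE(review): neither activity states android:exported. Both carry intent filters, so builds
  targeting API 31+ must declare it explicitly, and older targets treat such activities as
  exported by default. Every filter below is therefore an entry point other apps can reach.
-->
<activity android:name=".MainActivity">
    <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
    </intent-filter>
    <intent-filter>
        <action android:name="com.myaction" />
        <category android:name="android.intent.category.DEFAULT" />
    </intent-filter>
</activity>
<activity android:name=".VulnActivity" >
    <!--
      BROWSABLE makes this filter reachable from a link in a web page. autoVerify only
      verifies http/https App Links; for a custom scheme such as "app" it verifies nothing,
      and any other app may declare the same scheme. Treat the incoming data URI as untrusted.
    -->
    <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <!-- Whitespace between the element name and its attributes restored. -->
        <data
            android:host="AndroidHtml"
            android:scheme="app"
            tools:ignore="AppLinkUrlError" />
    </intent-filter>
    <!-- Custom action plus the openapp://test:8000/detail URI. -->
    <intent-filter android:autoVerify="true">
        <action android:name="com.myaction" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data
            android:host="test"
            android:path="/detail"
            android:port="8000"
            android:scheme="openapp" />
    </intent-filter>
</activity>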
// Implicit intent: only an action and a data URI are given; the system resolves the component.
// The action string is app-defined.
Intent implicitIntent = new Intent("com.myaction");
// implicitIntent.addCategory(Intent.CATEGORY_DEFAULT);
Uri target = Uri.parse("openapp://test:8000/detail");
implicitIntent.setData(target); // there are other ways to attach the data; not shown here
startActivity(implicitIntent);
// Explicit intent addressed to an activity of another package; the data URI is passed along.
Intent explicitIntent = new Intent();
explicitIntent.setData(Uri.parse("openapp://test:8000/detail"));
explicitIntent.setClassName(
        "com.example.webviewapplication",
        "com.example.webviewapplication.VulnActivity");
startActivity(explicitIntent);
// System log for this launch, as recorded on the page:
// log: START u0 {dat=openapp://test:8000/detail cmp=com.example.webviewapplication/.VulnActivity} from uid 10701
// Two textual forms of the same explicit intent: toString() and the intent:// URI form.
final String tag = "ActivityTaskManager";

Log.i(tag, intent.toString());
// out = Intent { dat=openapp://test:8000/detail cmp=com.example.webviewapplication/.VulnActivity }

String intentUri = intent.toUri(Intent.URI_INTENT_SCHEME);
Log.i(tag, intentUri);
// out = intent://test:8000/detail#Intent;scheme=openapp;component=com.example.webviewapplication/.VulnActivity;end
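// Rebuilds an Intent from its intent:// string form and launches it.
// The launch now happens only after a successful parse: previously a URISyntaxException left
// `intent` null and startActivity(null) was still reached.
//
// NOTE(review): the string here is a constant. An app that parses such a string from a web
// page or another app should add CATEGORY_BROWSABLE and clear the component and selector
// (setComponent(null), setSelector(null)) before launching, so that the string's author
// cannot choose which component is started.
try {
    Intent intent = Intent.parseUri(
            "intent://test:8000/detail#Intent;scheme=openapp;component=com.example.webviewapplication/.VulnActivity;end",
            Intent.URI_INTENT_SCHEME);
    startActivity(intent);
} catch (URISyntaxException e) {
    e.printStackTrace();
}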
// Implicit intent built in one step from an action and a data URI.
Uri data = Uri.parse("openapp://test:8000/detail");
Intent implicitIntent = new Intent("com.myaction", data);
startActivity(implicitIntent);
// System log for this launch, as recorded on the page (the component was filled in by resolution):
// log: I/ActivityTaskManager: START u0 {act=com.myaction dat=openapp://test:8000/detail cmp=com.example.webviewapplication/.VulnActivity} from uid 10701
// Two textual forms of the implicit intent: toString() and the intent:// URI form.
final String tag = "ActivityTaskManager";

Log.i(tag, intent.toString());
// out = Intent { act=com.myaction dat=openapp://test:8000/detail }

String intentUri = intent.toUri(Intent.URI_INTENT_SCHEME);
Log.i(tag, intentUri);
// out = intent://test:8000/detail#Intent;scheme=openapp;action=com.myaction;end
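// Rebuilds the implicit intent (action + data URI) from its intent:// string form and launches it.
// The launch is inside the try block so that a failed parse no longer reaches
// startActivity() with a null intent.
//
// NOTE(review): the string is a constant here. If it ever comes from outside the app, restrict
// the parsed intent (add CATEGORY_BROWSABLE, clear component and selector) before launching it.
try {
    Intent intent = Intent.parseUri(
            "intent://test:8000/detail#Intent;scheme=openapp;action=com.myaction;end",
            Intent.URI_INTENT_SCHEME);
    startActivity(intent);
} catch (URISyntaxException e) {
    e.printStackTrace();
}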
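// Shows that extras travel inside the intent:// string: "S.url=..." becomes the String extra "url".
// Whoever writes the string therefore controls the extras as well as the target component.
String str = "intent:#Intent;component=com.example.123456/.MainActivity;S.url=dwqdwqdwqfqf;end";
try {
    Intent intent = Intent.parseUri(str, Intent.URI_INTENT_SCHEME);
    // Read the extra only after a successful parse (the original dereferenced a null intent
    // on failure); String.valueOf keeps a missing extra from passing null to Log.
    Log.i("ActivityTaskManager", String.valueOf(intent.getStringExtra("url")));
    // out :dwqdwqdwqfqf
} catch (URISyntaxException e) {
    e.printStackTrace();
}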
// Serialises an implicit intent (action + data URI) into its intent:// string form.
Uri data = Uri.parse("openapp://test:8000/detail");
Intent implicitIntent = new Intent("com.myaction", data);
String intentUri = implicitIntent.toUri(Intent.URI_INTENT_SCHEME);
Log.i("ActivityTaskManager", intentUri);
// out: intent://test:8000/detail#Intent;scheme=openapp;action=com.myaction;end
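// Explicit intent naming a service by package and class name.
// (The type name was truncated to "ntent" in the original listing.)
// The snippet ends here on the page; the call that starts or binds the service is not shown.
Intent intent = new Intent();
intent.setClassName(
        "com.example.serviceapplication",
        "com.example.serviceapplication.MyService");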
// Normal (unordered) broadcast identified only by its action.
// It is implicit: any receiver whose filter matches ACTION can get it. Senders that carry
// sensitive extras usually narrow delivery with setPackage() or a receiver permission.
sendBroadcast(new Intent().setAction(ACTION));
/**
 * Sends an ordered broadcast and lets the caller collect the final result.
 *
 * @param intent the intent to broadcast
 * @param receiverPermission permission a receiver must hold to be given the broadcast;
 *        {@code null} means no permission is required
 * @param resultReceiver receiver that is treated as the final receiver of the broadcast
 * @param scheduler handler on which {@code resultReceiver} is called; {@code null} selects
 *        the main thread
 * @param initialCode initial value of the result code
 * @param initialData initial value of the result data
 * @param initialExtras initial value of the result extras
 */
public abstract void sendOrderedBroadcast (Intent intent, String receiverPermission, BroadcastReceiver resultReceiver, Handler scheduler, int initialCode, String initialData, Bundle initialExtras)
// Ordered broadcast with a final result receiver.
// receiverPermission is null, so no permission is demanded of the receivers.
Intent orderedIntent = new Intent();
orderedIntent.setAction(ACTION);
BroadcastReceiver finalReceiver = new Priority2BroadcastReceiver();
sendOrderedBroadcast(
        orderedIntent,
        null,                 // receiverPermission
        finalReceiver,        // resultReceiver
        null,                 // scheduler
        Activity.RESULT_OK,   // initialCode
        "MainActivity发送了一个有序广播", // initialData
        null);                // initialExtras
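/**
 * Receiver skeleton whose handler body is disabled.
 *
 * <p>Line breaks are restored here: on a single line the {@code //} comments swallowed the
 * closing braces of the method and the class.
 */
public class MyBroadcastReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        // Disabled example: log the "from" and "text" extras of a
        // com.victim.messenger.IN_APP_MESSAGE broadcast. Any installed app can register for
        // an implicit broadcast like that one, which is why a sender that puts message
        // content in the extras should restrict delivery (setPackage(), an explicit
        // component, or a receiver permission).
        // if ("com.victim.messenger.IN_APP_MESSAGE".equals(intent.getAction())) {
        //     Log.d("evil", "From: " + intent.getStringExtra("from") + ", text: " + intent.getStringExtra("text"));
        // }
    }
}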
6、动态注册
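/** Registers {@link TestBroadcastReceiver} at runtime for broadcasts whose action is {@code action}. */
private void initBroadcast() {
    mBroadcastReceiver = new TestBroadcastReceiver();
    IntentFilter filter = new IntentFilter(action); // match on the action only
    // NOTE(review): registered without a permission or an export flag, so any app that sends
    // this action reaches onReceive(). On API 33+ Context.RECEIVER_NOT_EXPORTED can keep the
    // receiver app-internal; confirm the project's SDK level before adopting it.
    registerReceiver(mBroadcastReceiver, filter);
}

/** Logs the action and the "name" extra of each broadcast it receives. */
private class TestBroadcastReceiver extends BroadcastReceiver {

    @Override
    public void onReceive(Context context, Intent intent) {
        Log.e("接受广播的状态-----", "收到广播");
        // The sender controls the extras. getStringExtra() copes with an intent that carries
        // no extras at all (getExtras() would return null there), and String.valueOf keeps a
        // missing value from passing null to Log.
        Log.e("收到的action-----", String.valueOf(intent.getAction()));
        Log.e("收到的name-------", String.valueOf(intent.getStringExtra("name")));
    }
}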
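/**
 * Unregisters the dynamically registered receiver, if there is one, before the superclass
 * teardown runs. (The annotation and the modifier were fused into "@Overrideprotected".)
 */
@Override
protected void onDestroy() {
    if (mBroadcastReceiver != null) {
        unregisterReceiver(mBroadcastReceiver);
    }
    super.onDestroy();
}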
// Explicit broadcast to a receiver named by class; the package comes from the application context.
ComponentName receiver = new ComponentName(
        getApplicationContext(),
        "com.example.vulnerableapplication.BroadcastReceiver.MyBroadcastReceiver");
Intent message = new Intent()
        .setComponent(receiver)
        .putExtra("from", "123456")
        .putExtra("text", "text");
sendBroadcast(message);
// Implicit broadcast: an action plus one String extra, delivered to every matching receiver.
Intent outgoing = new Intent()
        .setAction(action)
        .putExtra("name", "zzw");
MainActivity.this.sendBroadcast(outgoing);
Log.e("发送广播的状态-----", "发送成功");
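// --- Implicit broadcast rebuilt from its intent: string form -------------------------------
// The string was produced from this intent:
// Intent intent = new Intent();
// intent.setAction(action);
// intent.putExtra("name", "zzw");
// Log.i("ActivityTaskManager",intent.toUri(Intent.URI_INTENT_SCHEME));
// intent:#Intent;action=com.zzw;S.name=zzw;end
try {
    Intent intent = Intent.parseUri("intent:#Intent;action=com.zzw;S.name=zzw;end", Intent.URI_INTENT_SCHEME);
    // Sending and the success log now happen only after a successful parse; the original
    // went on to sendBroadcast(null) when parseUri threw.
    MainActivity.this.sendBroadcast(intent);
    Log.e("发送广播的状态-----", "发送成功");
} catch (URISyntaxException e) {
    e.printStackTrace();
}

// --- Explicit broadcast rebuilt from its intent: string form -------------------------------
// The string was produced from this intent:
// Intent intent = new Intent();
// ComponentName componentName=new ComponentName(getApplicationContext(),"com.example.vulnerableapplication.BroadcastReceiver.MyBroadcastReceiver");
// intent.setComponent(componentName);
// intent.putExtra("from", "123456");
// intent.putExtra("text", "text");
// Log.i("ActivityTaskManager",intent.toUri(Intent.URI_INTENT_SCHEME));
// intent:#Intent;component=com.example.vulnerableapplication/.BroadcastReceiver.MyBroadcastReceiver;S.from=123456;S.text=text;end
try {
    Intent intent = Intent.parseUri("intent:#Intent;component=com.example.vulnerableapplication/.BroadcastReceiver.MyBroadcastReceiver;S.from=123456;S.text=text;end", Intent.URI_INTENT_SCHEME);
    sendBroadcast(intent);
} catch (URISyntaxException e) {
    e.printStackTrace();
}

// Both of the approaches above work as well.
// Sending a broadcast across processes: for an explicit broadcast the Context argument has
// to be replaced by the target's package name; for an implicit broadcast the code above
// works unchanged.
Intent intent = new Intent();
ComponentName componentName = new ComponentName(
        "com.example.vulnerableapplication",
        "com.example.vulnerableapplication.BroadcastReceiver.MyBroadcastReceiver");
intent.setComponent(componentName);
intent.putExtra("from", "123456");
intent.putExtra("text", "text");
Log.i("ActivityTaskManager", intent.toUri(Intent.URI_INTENT_SCHEME));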
// Starts TestActivity through `context` with FLAG_ACTIVITY_NEW_TASK set.
// NOTE(review): presumably `context` is not an Activity here (for example the Context handed
// to a receiver), which is the case where this flag is needed; confirm against the caller.
context.startActivity(
        new Intent(context, TestActivity.class).setFlags(Intent.FLAG_ACTIVITY_NEW_TASK));
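/**
 * Deep-link entry point: hands the data URI of an ACTION_VIEW intent to
 * {@link #processDeeplink(Uri)} and then finishes.
 */
@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    loginUtils = LoginUtils.getInstance(this);
    Intent intent = getIntent();
    Uri uri;
    if (intent != null && Intent.ACTION_VIEW.equals(intent.getAction())
            && (uri = intent.getData()) != null) {
        // The URI is chosen by whoever started this activity; everything read from it
        // below is untrusted input.
        processDeeplink(uri);
    }
    finish();
}

/**
 * Dispatches an {@code oversecured://ovaa/...} deep link on its path.
 *
 * @param uri the data URI of the launching intent
 */
private void processDeeplink(Uri uri) {
    if ("oversecured".equals(uri.getScheme()) && "ovaa".equals(uri.getHost())) {
        String path = uri.getPath();
        Log.e("rzx", path);
        if ("/logout".equals(path)) {
            loginUtils.logout();
            startActivity(new Intent(this, EntranceActivity.class));
        } else if ("/login".equals(path)) {
            String url = uri.getQueryParameter("url");
            if (url != null) {
                // NOTE(review): the login URL is replaced with a caller-supplied value without
                // any validation. What LoginUtils sends to it is not visible here; if it
                // carries credentials, pin this to an allow-list of known endpoints.
                loginUtils.setLoginUrl(url);
            }
            startActivity(new Intent(this, EntranceActivity.class));
        } else if ("/grant_uri_permissions".equals(path)) {
            // NOTE(review): this is an implicit intent, so whichever app handles the action
            // receives it; how the result is consumed is outside this snippet. Review both.
            Intent i = new Intent("oversecured.ovaa.action.GRANT_PERMISSIONS");
            if (getPackageManager().resolveActivity(i, 0) != null) {
                startActivityForResult(i, URI_GRANT_CODE);
            }
        } else if ("/webview".equals(path)) {
            String url = uri.getQueryParameter("url");
            if (url != null) {
                String host = Uri.parse(url).getHost();
                // Fix: the original test was host.endsWith("example.com"), which a host such
                // as "notexample.com" also satisfies. Accept only the exact domain or a true
                // subdomain of it.
                // NOTE(review): the URL scheme is still unchecked; consider limiting it to
                // https before handing the URL to WebViewActivity.
                if (host != null
                        && (host.equals("example.com") || host.endsWith(".example.com"))) {
                    Intent i = new Intent(this, WebViewActivity.class);
                    i.putExtra("url", url);
                    startActivity(i);
                }
            }
        }
    } else {
        Log.e("rzx", "url == null");
    }
}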
3
<!-- Link with a custom scheme: following it asks the system for an activity whose filter matches. -->
<a href="openapp://test:8000/detail">(openapp://test:8000/detail)</a>
<!-- Filter entries that let a link in a web page open the activity: VIEW + DEFAULT + BROWSABLE. -->
<action
    android:name="android.intent.action.VIEW" />
<category
    android:name="android.intent.category.DEFAULT" />
<category
    android:name="android.intent.category.BROWSABLE" />
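<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8"/>
    <title>这是标题啊</title>
    <style type="text/css">
        dd {
            margin-top: 30px; /* top margin of 30 pixels */
        }
    </style>
</head>
<body>
<div id="wrap">
    <div id="header">
        <h1>Webview简单使用</h1>
    </div>
    <div id="main">
        <dl>
            <dd><a href="https://www.baidu.com">点击跳转到百度</a></dd>
            <dd><a href="http://www.google.com">点击跳转到google</a></dd>
            <!-- Custom-scheme links: each is resolved against the intent filters of installed apps. -->
            <a href="openapp://test:8000/detail">打开app页面(openapp://test:8000/detail)</a><br><br><br>
            <a href="app://AndroidHtml">打开app页面(app://AndroidHtml)</a><br><br><br>
            <dd>
                <button id='callback_client' onclick="callBackClient()" type="button">用js调用客户端</button>
            </dd>
        </dl>
    </div>
</div><!-- closes #wrap, which was left open in the original -->
<!-- The script now sits inside <body>; the original placed it after </body>. -->
<script>
    function callBackClient() {
        alert("Js alert"); // pop-up
        // `android` is presumably the object the host app injects into its WebView (the
        // registration is not shown on this page). It does not exist in an ordinary browser,
        // hence the guard. Any page loaded in that WebView can make this call, so the native
        // side has to treat the argument as untrusted.
        if (typeof android !== "undefined") {
            android.getClient("传一个字符串给客户端"); // call into the client
        }
    }
</script>
</body>
</html>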
<!-- The two custom-scheme links from the test page; each matches one of the app's intent filters. -->
<a href="openapp://test:8000/detail">打开app页面(openapp://test:8000/detail)</a>
<br><br><br>
<a href="app://AndroidHtml">打开app页面(app://AndroidHtml)</a>
<br><br><br>
<!-- VIEW action with DEFAULT and BROWSABLE: BROWSABLE is what lets a browser link reach the activity. -->
<action
    android:name="android.intent.action.VIEW" />
<category
    android:name="android.intent.category.DEFAULT" />
<category
    android:name="android.intent.category.BROWSABLE" />
2021-06-17 20:26:09.396 1573-4418/? I/ActivityManager: START u0 {act=android.intent.action.VIEW cat=[android.intent.category.BROWSABLE] dat=openapp://test:8000/detail cmp=com.example.webviewapplication/.VulnActivity (has extras)} from uid 1020
看雪ID:ChicWalk
https://bbs.pediy.com/user-home-767217.htm