如何完整保存网站并做修改wordpress盲注

当前位置： 首页 > news >正文

如何完整保存网站并做修改,wordpress盲注,门户网网站建设功能需求表,网站建设无广告Android11应用自启动限制 大纲 Android11应用自启动限制分析验证猜想#xff1a;Android11 AOSP是否自带禁止三方应用监听BOOT_COMPLETED​方案禁止执行非系统应用监听到BOOT_COMPLETED​后的代码逻辑在执行启动时判断其启动的广播接收器一棍子打死方案#xff08;慎用#…Android11应用自启动限制 大纲 Android11应用自启动限制分析验证猜想Android11 AOSP是否自带禁止三方应用监听BOOT_COMPLETED​方案禁止执行非系统应用监听到BOOT_COMPLETED​后的代码逻辑在执行启动时判断其启动的广播接收器一棍子打死方案慎用补充 分析 按理说三方应用应该收不到开机启动广播(后文会证实这个说法是假的)但是很神奇的是还是有应用能自启动体现为比如秋秋启动后通过ps命令能看到其进程存活但是静置后进程会启动失败从而导致被清理 07-18 05:59:02.132367 938 967 I ActivityManager: Start proc 1930:com.tencent.mobileqq:MSF/u0a110 for broadcast {com.tencent.mobileqq/com.tencent.mobileqq.msf.core.NetConnInfoCenter}​ log如上 参照这篇博客Android系统层面限制应用开机自启动详解此时通过Android Studio查看其apk的manifest其NetConnInfoCenter​内容如下 可以看到其监听了开机广播外还监听了各种各样的广播比如TIMEZONE_CHANGED​看起来是时区变换的广播这边尝试了一下在没有启动秋秋的情况下去切换时区果然打印了启动秋秋的log虽然没有启动成功但是之前在这个项目中自己遇到过秋秋启动成功的情况所以还是要处理 ​ receiverandroid:namecom.tencent.mobileqq.msf.core.NetConnInfoCenterandroid:exportedfalseandroid:process:MSFintent-filterandroid:priority2147483647actionandroid:nameandroid.intent.action.BOOT_COMPLETED //intent-filterintent-filteractionandroid:nameandroid.intent.action.MY_PACKAGE_REPLACED //intent-filterintent-filteractionandroid:nameandroid.net.conn.CONNECTIVITY_CHANGE //intent-filterintent-filteractionandroid:nameandroid.intent.action.TIME_SET //intent-filterintent-filteractionandroid:nameandroid.intent.action.TIMEZONE_CHANGED //intent-filterintent-filteractionandroid:namecom.tencent.mobileqq.rdm.report //intent-filterintent-filteractionandroid:namecom.tencent.mobileqq.msf.receiveofflinepush //intent-filterintent-filteractionandroid:namecom.tencent.mobileqq.msf.offlinepushclearall //intent-filterintent-filteractionandroid:namecom.tencent.mobileqq.msf.receiveofflinepushav //intent-filterintent-filteractionandroid:namecom.tencent.mobileqq.msf.offlinepushclearallav //intent-filterintent-filteractionandroid:namecom.tencent.mobileqq.msf.startmsf //intent-filterintent-filteractionandroid:nameandroid.intent.action.MEDIA_BAD_REMOVAL /actionandroid:nameandroid.intent.action.MEDIA_EJECT /actionandroid:nameandroid.intent.action.MEDIA_MOUNTED /actionandroid:nameandroid.intent.action.MEDIA_REMOVED /actionandroid:nameandroid.intent.action.MEDIA_SCANNER_FINISHED /actionandroid:nameandroid.intent.action.MEDIA_SCANNER_STARTED /actionandroid:nameandroid.intent.action.MEDIA_SHARED /actionandroid:nameandroid.intent.action.MEDIA_UNMOUNTED /dataandroid:schemefile //intent-filterintent-filteractionandroid:nameandroid.net.wifi.WIFI_STATE_CHANGED //intent-filter/receiver验证猜想Android11 AOSP是否自带禁止三方应用监听BOOT_COMPLETED​ 因为前面提到Android11三方应用到底能不能监听开机广播这边写了个demo仅监听BOOT_COMPLETED​重启后验证进程会正常被创建所以Android11并没有原生的禁止三方监听BOOT_COMPLETED​的策略。至少AOSP没有国内手机带此功能是手机厂商自己实现的 public class BootReceiver extends BroadcastReceiver {Overridepublic void onReceive(Context context, Intent intent) {if (Intent.ACTION_BOOT_COMPLETED.equals(intent.getAction())) {Intent mIntent new Intent(context, MainActivity.class);mIntent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);context.startActivity(mIntent); // 启动你的应用程序}} }uses-permissionandroid:nameandroid.permission.RECEIVE_BOOT_COMPLETED /receiver android:name.BootReceiverandroid:exportedfalseintent-filteraction android:nameandroid.intent.action.BOOT_COMPLETED //intent-filter /receiver​ ​ 结论Android11上普通三方应用是可以接收到开机广播的此时如果应用去自启动后台会有进程存活因此需要做处理 方案 禁止执行非系统应用监听到BOOT_COMPLETED​后的代码逻辑 在处理广播的地方 过滤掉所有的三方应用并预留白名单 在AMS的broadcastIntentLocked​方法中 diff –git a/frameworks/base/services/core/java/com/android/server/am/ActivityManagerService.java b/frameworks/base/services/core/java/com/android/server/am/ActivityManagerService.java index f26ae929ef..6b906ced4f 100644 — a/frameworks/base/services/core/java/com/android/server/am/ActivityManagerService.javab/frameworks/base/services/core/java/com/android/server/am/ActivityManagerService.java-16736,7 16736,30 public class ActivityManagerService extends IActivityManager.Stubfinal int broadcastIntentLocked(ProcessRecord callerApp, String callerPackage,Nullable String callerFeatureId, Intent intent, String resolvedType,IIntentReceiver resultTo, int resultCode, String resultData,Bundle resultExtras, String[] requiredPermissions, int appOp, Bundle bOptions,boolean ordered, boolean sticky, int callingPid, int callingUid, int realCallingUid,int realCallingPid, int userId, boolean allowBackgroundActivityStarts,Nullable int[] broadcastWhitelist) {…if (receivers ! null) {String skipPackages[] null;if (Intent.ACTION_PACKAGE_ADDED.equals(intent.getAction())|| Intent.ACTION_PACKAGE_RESTARTED.equals(intent.getAction())|| Intent.ACTION_PACKAGE_DATA_CLEARED.equals(intent.getAction())) {Uri data intent.getData();if (data ! null) {String pkgName data.getSchemeSpecificPart();if (pkgName ! null) {skipPackages new String[] { pkgName };}}} else if (Intent.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE.equals(intent.getAction())) {skipPackages intent.getStringArrayExtra(Intent.EXTRA_CHANGED_PACKAGE_LIST);

• }// add by xumaoxin start} else if (Intent.ACTION_BOOT_COMPLETED.equals(intent.getAction())) {//Resources res mContext.getResources();//String[] blacklist res.getStringArray(com.android.internal.R.array.blacklist_boot_receiver);ListString skipList new ArrayList();SetString whitelist new ArraySet();whitelist.add(com.example.test11);for (int i 0, j receivers.size(); i j; i) {ResolveInfo curt (ResolveInfo) receivers.get(i);String curPkgName curt.activityInfo.packageName;if ((curt.activityInfo.applicationInfo.flags ApplicationInfo.FLAG_SYSTEM) ! 0) {//Slog.i(ActivityManager, xumaoxin: curPkgName is system app, allow!);} else if (!whitelist.contains(curPkgName)) {Slog.i(ActivityManager, xumaoxin: curPkgName is not system app and not whitelist, not allow!);skipList.add(curPkgName);}else {Slog.i(ActivityManager, xumaoxin: curPkgName is not system app but is whitelist, allow!);}}skipPackages skipList.toArray(new String[0]);Slog.i(ActivityManager, xumaoxin: skipPackages Arrays.toString(skipPackages));//add by xumaoxin end} if (skipPackages ! null (skipPackages.length 0)) {for (String skipPackage : skipPackages) {if (skipPackage ! null) {判断是不是系统应用 curt.activityInfo.applicationInfo.flags ApplicationInfo.FLAG_SYSTEM) ! 0 //是系统应用注意此处只能禁止执行skipPackages中的应用去监听到​BOOT_COMPLETED​后的执行逻辑如果应用只做了这一个监听来自启比如我前面写的demo这样就足够了但是国内三方app一般会想方设法地自启动这边验证了秋秋还是会启动起来会有进程存在继续处理。 在执行启动时判断其启动的广播接收器 注意同样需要处理秋秋的同学请一定看到最后这一节的方案不完善 基于log ActivityManager: Start proc 2962:com.tencent.mobileqq:MSF/u0a112 for broadcast {com.tencent.mobileqq/com.tencent.mobileqq.msf.core.NetConnInfoCenter}​ 这里秋秋自己的广播接收器叫com.tencent.mobileqq/com.tencent.mobileqq.msf.core.NetConnInfoCenter​我们先找到这行log打印的地方 ActivityManager为tag的在server/am下去grep就好找到其文件 frameworks\base\services\core\java\com\android\server\am\ProcessList.java​ boolean handleProcessStartedLocked(ProcessRecord app, int pid, boolean usingWrapper,long expectedStartSeq, boolean procAttached) {mPendingStarts.remove(expectedStartSeq);final String reason isProcStartValidLocked(app, expectedStartSeq);if (reason ! null) {Slog.w(TAG_PROCESSES, app start not valid, killing pid pid , reason);app.pendingStart false;killProcessQuiet(pid);Process.killProcessGroup(app.uid, app.pid);noteAppKill(app, ApplicationExitInfo.REASON_OTHER,ApplicationExitInfo.SUBREASON_INVALID_START, reason);return false;}……StringBuilder buf mStringBuilder;buf.setLength(0);buf.append(Start proc );buf.append(pid);buf.append(:);buf.append(app.processName);buf.append(/);UserHandle.formatUid(buf, app.startUid);if (app.isolatedEntryPoint ! null) {buf.append( [);buf.append(app.isolatedEntryPoint);buf.append(]);}buf.append( for );buf.append(app.hostingRecord.getType());if (app.hostingRecord.getName() ! null) {buf.append( );buf.append(app.hostingRecord.getName());}能看到buf.append(Start proc );​这里开始的buf记录和我们log是一样的所以后面的app.hostingRecord.getType()​对应log中的广播接收器broadcast​而app.hostingRecord.getName()​对应log中的{com.tencent.mobileqq/com.tencent.mobileqq.msf.core.NetConnInfoCenter}​ 那就好处理了判断其name如果是NetConnInfoCenter​那就不允许启动。 代码往前能看到原生有一个退出的逻辑通过final String reason isProcStartValidLocked(app, expectedStartSeq);​赋值 在isProcStartValidLocked​方法中加入秋秋的判断返回一个reason这样此次启动能通过原生的逻辑进行拦截比较安全 diff –git a/frameworks/base/services/core/java/com/android/server/am/ProcessList.java b/frameworks/base/services/core/java/com/android/server/am/ProcessList.java index 9d4deb4d5b..271f99138f 100644 — a/frameworks/base/services/core/java/com/android/server/am/ProcessList.javab/frameworks/base/services/core/java/com/android/server/am/ProcessList.java-2462,6 2462,14 public final class ProcessList {GuardedBy(mService)private String isProcStartValidLocked(ProcessRecord app, long expectedStartSeq) {StringBuilder sb null;if (app.hostingRecord.getName() ! null) {String name app.hostingRecord.getName();Slog.i(ActivityManager, xumaoxin: broadcast name);if (name.contains(NetConnInfoCenter)) {if (sb null) sb new StringBuilder();sb.append(dont allow qq auto start);}}if (app.killedByAm) {if (sb null) sb new StringBuilder();sb.append(killedByAmtrue;);编译push验证秋秋在设备重启后不会再重启会被拦截 ​ 抑制秋秋自启动成功同时不会影响用户手动点击图标等方式的启动 应用多了可以写成白名单并配置到xml中 注意此方案的弊端就是只能对特定的应用单独加判断逻辑不能适用于所有应用 一棍子打死方案慎用 观察三方应用是否都是通过broadcast​类型进行自启动的能否判断type​是否是broadcast​来进行通用过滤风险就是这样一来一棍子打死了等于不再允许三方应用通过广播方式进行启动 diff –git a/frameworks/base/services/core/java/com/android/server/am/ProcessList.java b/frameworks/base/services/core/java/com/android/server/am/ProcessList.java index 9d4deb4d5b..03a4c1ddb2 100644 — a/frameworks/base/services/core/java/com/android/server/am/ProcessList.javab/frameworks/base/services/core/java/com/android/server/am/ProcessList.java-2462,6 2462,19 public final class ProcessList {GuardedBy(mService)private String isProcStartValidLocked(ProcessRecord app, long expectedStartSeq) {StringBuilder sb null;/if (app.hostingRecord.getName() ! null) {String name app.hostingRecord.getName();Slog.i(ActivityManager, xumaoxin: broadcast name);if (name.contains(NetConnInfoCenter)) {if (sb null) sb new StringBuilder();sb.append(dont allow qq auto start);}}/if (((app.info.flags ApplicationInfo.FLAG_SYSTEM) 0) broadcast.equals(app.hostingRecord.getType())) {String name app.hostingRecord.getName();if (sb null) sb new StringBuilder();sb.append(dont allow thirdapp auto start by broadcast: name);}if (app.killedByAm) {if (sb null) sb new StringBuilder();sb.append(killedByAmtrue;);编译后验证秋秋确实是没有问题主要不确定其他的广播场景会不会被拦截下来毕竟一棍子打死的办法杀伤面有点大 ​ 尽量还是使用第一种第二种不让三方应用执行开机广播逻辑特殊应用特殊过滤。第三种方案慎用 补充 对于秋秋前面通过广播想启动的只是其一个子进程在登陆的时候会用到如果一直不让其自动启动会导致登陆超时。 所以还需要加入判断启动的时候秋秋主进程是否存活如果存活我们认为秋秋不是在后台想自启动而是通过正常途径启动子进程。 而进行是否存活的判断调用较频繁而我们的系统应用不需要进行此判断所以调用前再加入是否系统应用的判断。实现代码diff如下 — a/frameworks/base/services/core/java/com/android/server/am/ProcessList.javab/frameworks/base/services/core/java/com/android/server/am/ProcessList.java-2459,14 2459,27 public final class ProcessList {return success ? app : null;} public boolean isAppRunning(String packageName) {ListActivityManager.RunningAppProcessInfo runningProcesses mService.getRunningAppProcesses();if (runningProcesses.size() 0) {for (ActivityManager.RunningAppProcessInfo info : runningProcesses) {if (info.processName.equals(packageName)) {return true;}}}return false;} GuardedBy(mService)private String isProcStartValidLocked(ProcessRecord app, long expectedStartSeq) {StringBuilder sb null;// add by sprocomm start
• if (app.hostingRecord.getName() ! null) {//非系统应用执行if中的逻辑if (((app.info.flags ApplicationInfo.FLAG_SYSTEM) 0) app.hostingRecord.getName() ! null) {String name app.hostingRecord.getName();
• Slog.i(ActivityManager, xumaoxin: broadcast name);
• if (name.contains(NetConnInfoCenter)) {//秋秋是否存活这个包名可以动态到白名单中和NetConnInfoCenter这个组件名放一起boolean isRunning isAppRunning(com.tencent.mobileqq);Slog.i(ActivityManager, xumaoxin: com.tencent.mobileqq isRunning isRunning , broadcast name);if (!isRunning name.contains(NetConnInfoCenter)) {if (sb null) sb new StringBuilder();sb.append(dont allow qq auto start);}