Activity提权

作者: 禅座 | 来源:发表于2019-06-14 13:51 被阅读0次

Activity提权
Vulnhub靶机：DC-6
17.提权
linux 提权-Crontab提权
linux 提权-SUID提权
linux 提权-sudo提权
mysql的提权的四种方案
提权
Windows提权/Linux提权，内网渗透，内网提权
windows提权

监控手机的锁屏状态，当手机屏幕锁屏是启动一个一像素的Activity，在用户解锁时再将Activity解锁掉，从而达到提高进程优先级的作用；
缺陷：存在一个Activity不够干净，同时也需要通过手机锁屏的时候来进行提权；

public class KeepActivity extends Activity {

    private static final String TAG = "KeepActivity";

    @Override
    protected void onCreate(@Nullable Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Log.e(TAG,"启动Keep");
        Window window = getWindow();
        //设置这个act 左上角
        window.setGravity(Gravity.START | Gravity.TOP);
        //宽 高都为1
        WindowManager.LayoutParams attributes = window.getAttributes();
        attributes.width = 1;
        attributes.height = 1;
        attributes.x = 0;
        attributes.y = 0;
        window.setAttributes(attributes);

        KeepManager.getInstance().setKeep(this);
    }


    @Override
    protected void onDestroy() {
        super.onDestroy();
        Log.e(TAG,"关闭Keep");
    }
}


//广播接受者，收到广播之后对Activity提权或者销毁
public class KeepReceiver extends BroadcastReceiver {
    private static final String TAG = "KeepReceiver";

    @Override
    public void onReceive(Context context, Intent intent) {
        String action = intent.getAction();
        Log.e(TAG, "receive:" + action);
        if (TextUtils.equals(action, Intent.ACTION_SCREEN_OFF)) {
            //关屏 开启1px activity
            KeepManager.getInstance().startKeep(context);
        } else if (TextUtils.equals(action, Intent.ACTION_SCREEN_ON)) {
            KeepManager.getInstance().finishKeep();
        }
    }
}



//注册广播 同时管理activity的创建和销毁
public class KeepManager {
    private static final KeepManager ourInstance = new KeepManager();

    public static KeepManager getInstance() {
        return ourInstance;
    }

    private WeakReference<Activity> mKeepAct;

    private KeepManager() {
    }

    private KeepReceiver keepReceiver;

    /**
     * 注册 开屏 关屏
     *
     * @param context
     */
    public void registerKeep(Context context) {
        IntentFilter filter = new IntentFilter();
        filter.addAction(Intent.ACTION_SCREEN_OFF);
        filter.addAction(Intent.ACTION_SCREEN_ON);
        keepReceiver = new KeepReceiver();
        context.registerReceiver(keepReceiver, filter);
    }

    /**
     * 反注册广播接收者
     *
     * @param context
     */
    public void unregisterKeep(Context context) {
        if (null != keepReceiver) {
            context.unregisterReceiver(keepReceiver);
        }
    }

    /**
     * 开启Activity
     * @param context
     */
    public void startKeep(Context context) {
        Intent intent = new Intent(context, KeepActivity.class);
        intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        context.startActivity(intent);
    }

    public void finishKeep() {
        if (null != mKeepAct) {
            Activity activity = mKeepAct.get();
            if (null != activity) {
                activity.finish();
            }
            mKeepAct = null;
        }
    }

    public void setKeep(KeepActivity keep) {
        mKeepAct = new WeakReference<Activity>(keep);
    }
}

然后在MainActivity中调用即可

public class MainActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        //通过Activity 提权
        KeepManager.getInstance().registerKeep(this);
    }
}