mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-26 14:40:37 +00:00
Translated ['mobile-pentesting/android-app-pentesting/drozer-tutorial/RE
This commit is contained in:
parent
c2bbaad778
commit
d69062841a
1 changed files with 59 additions and 55 deletions
|
@ -54,16 +54,16 @@ drozer console connect
|
|||
| **命令** | **描述** |
|
||||
| --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
|
||||
| **Help MODULE** | 显示所选模块的帮助信息 |
|
||||
| **list** | 显示当前会话中可以执行的所有drozer模块的列表。这将隐藏您没有适当权限运行的模块。 |
|
||||
| **list** | 显示当前会话中可以执行的所有drozer模块的列表。此命令隐藏您没有适当权限运行的模块。 |
|
||||
| **shell** | 在设备上以Agent的上下文启动一个交互式Linux shell。 |
|
||||
| **clean** | 删除Android设备上drozer存储的临时文件。 |
|
||||
| **load** | 加载包含drozer命令并按顺序执行它们的文件。 |
|
||||
| **module** | 从互联网上查找并安装额外的drozer模块。 |
|
||||
| **unset** | 删除drozer传递给它生成的任何Linux shell的命名变量。 |
|
||||
| **unset** | 删除drozer传递给任何它生成的Linux shell的命名变量。 |
|
||||
| **set** | 将一个值存储在变量中,该变量将作为环境变量传递给drozer生成的任何Linux shell。 |
|
||||
| **shell** | 在设备上以Agent的上下文启动一个交互式Linux shell。 |
|
||||
| **run MODULE** | 执行一个drozer模块。 |
|
||||
| **exploit** | Drozer可以创建在设备上执行的利用程序。`drozer exploit list` |
|
||||
| **exploit** | drozer可以创建在设备上执行的利用程序。`drozer exploit list` |
|
||||
| **payload** | 利用程序需要一个有效载荷。`drozer payload list` |
|
||||
|
||||
### 包
|
||||
|
@ -114,21 +114,37 @@ com.mwr.example.sieve
|
|||
- **`run app.package.providers -a com.example.app`**: Lists the content providers exposed by the app.
|
||||
- **`run app.package.exported -a com.example.app`**: Lists the exported components of the app.
|
||||
- **`run app.package.urlschemes -a com.example.app`**: Lists the URL schemes handled by the app.
|
||||
- **`run app.package.broadcast.send -a com.example.app --extra string message "Hello, World!"`**: Sends a broadcast to the app with an extra string message.
|
||||
- **`run app.activity.start --component com.example.app/.MainActivity`**: Starts the specified activity of the app.
|
||||
- **`run app.provider.query -a com.example.app --uri content://com.example.app/data`**: Queries the specified content provider of the app.
|
||||
- **`run app.provider.insert -a com.example.app --uri content://com.example.app/data --string name "John Doe" --string email "johndoe@example.com"`**: Inserts data into the specified content provider of the app.
|
||||
- **`run app.provider.delete -a com.example.app --uri content://com.example.app/data/1`**: Deletes data from the specified content provider of the app.
|
||||
- **`run app.provider.update -a com.example.app --uri content://com.example.app/data/1 --string name "Jane Doe"`**: Updates data in the specified content provider of the app.
|
||||
- **`run app.service.start -a com.example.app --action com.example.app.ACTION_START_SERVICE`**: Starts the specified service of the app.
|
||||
- **`run app.service.stop -a com.example.app --action com.example.app.ACTION_STOP_SERVICE`**: Stops the specified service of the app.
|
||||
- **`run app.package.broadcast.actions -a com.example.app`**: Lists the actions used by the app's broadcast receivers.
|
||||
- **`run app.package.broadcast.categories -a com.example.app`**: Lists the categories used by the app's broadcast receivers.
|
||||
- **`run app.package.broadcast.permissions -a com.example.app`**: Lists the permissions required by the app's broadcast receivers.
|
||||
- **`run app.package.activity.intents -a com.example.app`**: Lists the intents used by the app's activities.
|
||||
- **`run app.package.activity.permissions -a com.example.app`**: Lists the permissions required by the app's activities.
|
||||
- **`run app.package.service.intents -a com.example.app`**: Lists the intents used by the app's services.
|
||||
- **`run app.package.service.permissions -a com.example.app`**: Lists the permissions required by the app's services.
|
||||
- **`run app.package.provider.uris -a com.example.app`**: Lists the URIs exposed by the app's content providers.
|
||||
- **`run app.package.provider.permissions -a com.example.app`**: Lists the permissions required by the app's content providers.
|
||||
- **`run app.package.exported.components -a com.example.app`**: Lists the exported components of the app.
|
||||
- **`run app.package.exported.permissions -a com.example.app`**: Lists the permissions required by the app's exported components.
|
||||
- **`run app.package.exported.providers -a com.example.app`**: Lists the content providers exposed by the app's exported components.
|
||||
- **`run app.package.exported.activities -a com.example.app`**: Lists the activities defined by the app's exported components.
|
||||
- **`run app.package.exported.services -a com.example.app`**: Lists the services provided by the app's exported components.
|
||||
- **`run app.package.exported.broadcasts -a com.example.app`**: Lists the broadcast receivers registered by the app's exported components.
|
||||
- **`run app.package.exported.urlschemes -a com.example.app`**: Lists the URL schemes handled by the app's exported components.
|
||||
- **`run app.package.exported.broadcast.actions -a com.example.app`**: Lists the actions used by the app's exported broadcast receivers.
|
||||
- **`run app.package.exported.broadcast.categories -a com.example.app`**: Lists the categories used by the app's exported broadcast receivers.
|
||||
- **`run app.package.exported.broadcast.permissions -a com.example.app`**: Lists the permissions required by the app's exported broadcast receivers.
|
||||
- **`run app.package.exported.activity.intents -a com.example.app`**: Lists the intents used by the app's exported activities.
|
||||
- **`run app.package.exported.activity.permissions -a com.example.app`**: Lists the permissions required by the app's exported activities.
|
||||
- **`run app.package.exported.service.intents -a com.example.app`**: Lists the intents used by the app's exported services.
|
||||
- **`run app.package.exported.service.permissions -a com.example.app`**: Lists the permissions required by the app's exported services.
|
||||
- **`run app.package.exported.provider.uris -a com.example.app`**: Lists the URIs exposed by the app's exported content providers.
|
||||
- **`run app.package.exported.provider.permissions -a com.example.app`**: Lists the permissions required by the app's exported content providers.
|
||||
|
||||
---
|
||||
|
||||
**References**:
|
||||
**Uninstallation**:
|
||||
|
||||
- [Drozer Documentation](https://github.com/FSecureLABS/drozer/wiki)
|
||||
- [Drozer GitHub Repository](https://github.com/FSecureLABS/drozer)
|
||||
To uninstall the app from your Android device, use the following command: `adb uninstall com.example.app`
|
||||
```
|
||||
dz> run app.package.info -a com.mwr.example.sieve
|
||||
Package: com.mwr.example.sieve
|
||||
|
@ -169,7 +185,7 @@ is debuggable
|
|||
|
||||
### 活动
|
||||
|
||||
在AndroidManifest.xml文件中,导出的活动组件的“android:exported”值被设置为**“true”**:
|
||||
在AndroidManifest.xml文件中,一个导出的活动组件的“android:exported”值被设置为**“true”**:
|
||||
```markup
|
||||
<activity android:name="com.my.app.Initial" android:exported="true">
|
||||
</activity>
|
||||
|
@ -195,9 +211,7 @@ To list the exported activities using `drozer`, follow these steps:
|
|||
|
||||
Replace `<package_name>` with the package name of the app you want to analyze.
|
||||
|
||||
4. After running the above command, you will see a list of packages installed on the device. Find the package name of the app you want to analyze and note it down.
|
||||
|
||||
5. Run the following command to list the exported activities of the app:
|
||||
4. After obtaining the package details, run the following command to list the exported activities:
|
||||
|
||||
```
|
||||
run app.activity.info -a <package_name>
|
||||
|
@ -205,9 +219,9 @@ To list the exported activities using `drozer`, follow these steps:
|
|||
|
||||
Replace `<package_name>` with the package name of the app you want to analyze.
|
||||
|
||||
6. The `drozer` tool will display a list of exported activities along with their corresponding details, such as the activity name, exported status, and intent filters.
|
||||
The `drozer` tool will display a list of exported activities along with their corresponding details, such as the activity name, exported status, and the intent filters associated with each activity.
|
||||
|
||||
By listing the exported activities of an Android app, you can identify potential security vulnerabilities and assess the app's security posture.
|
||||
By listing the exported activities of an Android app, you can identify potential security vulnerabilities and assess the app's overall security posture.
|
||||
```bash
|
||||
dz> run app.activity.info -a com.mwr.example.sieve
|
||||
Package: com.mwr.example.sieve
|
||||
|
@ -287,11 +301,11 @@ app.service.stop Stop Service
|
|||
```
|
||||
#### 示例
|
||||
|
||||
查看`drozer`中`app.service.send`的帮助文档:
|
||||
查看`drozer`中`app.service.send`的帮助信息:
|
||||
|
||||
![](<../../../.gitbook/assets/image (196) (1).png>)
|
||||
|
||||
请注意,您将首先发送位于"_msg.what_"、"_msg.arg1_"和"_msg.arg2_"中的数据,您应该在代码中检查**正在使用的信息**以及其位置。\
|
||||
请注意,您将首先发送位于"_msg.what_"、"_msg.arg1_"和"_msg.arg2_"内的数据,您应该在代码中检查**正在使用的信息**以及其位置。\
|
||||
使用`--extra`选项,您可以发送由"_msg.replyTo"解释的内容,并使用`--bundle-as-obj`创建一个包含提供的详细信息的对象。
|
||||
|
||||
在以下示例中:
|
||||
|
@ -307,11 +321,11 @@ run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --m
|
|||
|
||||
### 广播接收器
|
||||
|
||||
Android应用程序可以从Android系统和其他Android应用程序发送或接收广播消息,类似于[发布-订阅](https://en.wikipedia.org/wiki/Publish%E2%80%93subscribe_pattern)设计模式。这些广播在感兴趣的事件发生时发送。例如,当系统启动或设备开始充电时,Android系统会发送广播。应用程序还可以发送自定义广播,例如,通知其他应用程序可能感兴趣的内容(例如,已下载了一些新数据)。
|
||||
Android应用程序可以从Android系统和其他Android应用程序发送或接收广播消息,类似于[发布-订阅](https://en.wikipedia.org/wiki/Publish%E2%80%93subscribe_pattern)设计模式。这些广播在感兴趣的事件发生时发送。例如,当系统启动或设备开始充电时,Android系统会发送广播。应用程序还可以发送自定义广播,例如,通知其他应用程序可能感兴趣的事情(例如,已下载一些新数据)。
|
||||
|
||||
应用程序可以注册接收特定的广播。当发送广播时,系统会自动将广播路由到已订阅接收该特定类型广播的应用程序。
|
||||
|
||||
这可能会出现在Manifest.xml文件中:
|
||||
这可能出现在Manifest.xml文件中:
|
||||
```markup
|
||||
<receiver android:name=".MyBroadcastReceiver" android:exported="true">
|
||||
<intent-filter>
|
||||
|
@ -334,29 +348,29 @@ To check the broadcast receivers of an app, you can use the `drozer` tool. This
|
|||
|
||||
要检查应用程序的广播接收器,您可以使用 `drozer` 工具。该工具允许您在应用程序层与 Android 操作系统进行交互,并执行各种安全评估。
|
||||
|
||||
To begin, you need to install `drozer` on your machine and connect your Android device to it. Once connected, you can start the `drozer` console by running the command `drozer console`.
|
||||
To begin, you need to install `drozer` on your machine and connect your Android device to it. Once connected, you can start the `drozer` console.
|
||||
|
||||
首先,您需要在计算机上安装 `drozer` 并将 Android 设备连接到计算机。连接成功后,您可以通过运行命令 `drozer console` 来启动 `drozer` 控制台。
|
||||
首先,您需要在计算机上安装 `drozer` 并将 Android 设备连接到计算机。连接成功后,您可以启动 `drozer` 控制台。
|
||||
|
||||
In the `drozer` console, you can use the `app.package.list` command to list all the installed packages on the device. Find the package name of the app you want to assess.
|
||||
To check the broadcast receivers of an app, you can use the following command:
|
||||
|
||||
在 `drozer` 控制台中,您可以使用 `app.package.list` 命令列出设备上安装的所有包。找到您想要评估的应用程序的包名。
|
||||
要检查应用程序的广播接收器,您可以使用以下命令:
|
||||
|
||||
Next, use the `app.broadcast.info` command followed by the package name to retrieve information about the broadcast receivers in the app. This command will display details such as the receiver's name, exported status, and the intent filters it listens for.
|
||||
```
|
||||
run app.broadcast.info -a <package_name>
|
||||
```
|
||||
|
||||
接下来,使用 `app.broadcast.info` 命令,后跟包名,以检索有关应用程序中广播接收器的信息。此命令将显示接收器的名称、导出状态以及它监听的意图过滤器等详细信息。
|
||||
Replace `<package_name>` with the package name of the app you want to assess. This command will display a list of all the broadcast receivers registered by the app.
|
||||
|
||||
For example, to check the broadcast receivers of an app with the package name `com.example.app`, you would run the command `app.broadcast.info com.example.app`.
|
||||
将 `<package_name>` 替换为您要评估的应用程序的包名。此命令将显示应用程序注册的所有广播接收器的列表。
|
||||
|
||||
例如,要检查包名为 `com.example.app` 的应用程序的广播接收器,您可以运行命令 `app.broadcast.info com.example.app`。
|
||||
By examining the broadcast receivers, you can identify potential security vulnerabilities or misconfigurations that may exist in the app.
|
||||
|
||||
By examining the output of this command, you can identify any potential security vulnerabilities related to the app's broadcast receivers, such as exported receivers that may be susceptible to unauthorized access.
|
||||
通过检查广播接收器,您可以识别应用程序中可能存在的潜在安全漏洞或配置错误。
|
||||
|
||||
通过检查此命令的输出,您可以确定与应用程序的广播接收器相关的任何潜在安全漏洞,例如可能容易受到未经授权访问的导出接收器。
|
||||
It is important to note that this process should only be performed on apps that you have permission to assess, such as your own apps or those for which you have explicit consent from the app owner.
|
||||
|
||||
It is important to assess the security of an app's broadcast receivers as they can be potential entry points for attackers to exploit and gain unauthorized access to sensitive information.
|
||||
|
||||
评估应用程序的广播接收器的安全性非常重要,因为它们可能成为攻击者利用的潜在入口点,并获得对敏感信息的未经授权访问。
|
||||
请注意,此过程仅适用于您有权限评估的应用程序,例如您自己的应用程序或您已获得应用程序所有者明确同意的应用程序。
|
||||
```bash
|
||||
#Check one negative
|
||||
run app.broadcast.info -a jakhar.aseem.diva
|
||||
|
@ -379,21 +393,9 @@ Permission: null
|
|||
```
|
||||
#### 广播 **交互**
|
||||
|
||||
Broadcasts are a way for different components within an Android app to communicate with each other. They allow one component to send a message, called an intent, and other components can receive and respond to that message.
|
||||
Broadcasts are a way for different components within an Android app to communicate with each other. They allow one component to send a message, called an intent, and other components can receive and respond to that message. This can be useful for coordinating actions between different parts of an app or for sending notifications to the user.
|
||||
|
||||
广播是Android应用程序中不同组件之间进行通信的一种方式。它们允许一个组件发送一条消息,称为意图(intent),其他组件可以接收并响应该消息。
|
||||
|
||||
Broadcasts can be sent within an app or even between different apps. This makes them a powerful tool for inter-app communication.
|
||||
|
||||
广播可以在应用程序内部发送,甚至可以在不同的应用程序之间发送。这使得它们成为应用程序间通信的强大工具。
|
||||
|
||||
In the context of mobile app pentesting, understanding how broadcasts work is important because they can be used to exploit vulnerabilities in an app. For example, an attacker could send a malicious broadcast to an app and trigger unintended behavior or gain unauthorized access to sensitive information.
|
||||
|
||||
在移动应用程序渗透测试的背景下,了解广播的工作原理非常重要,因为它们可以用于利用应用程序中的漏洞。例如,攻击者可以向应用程序发送恶意广播,触发意外行为或未经授权访问敏感信息。
|
||||
|
||||
In this tutorial, we will explore how to use the drozer tool to interact with broadcasts in Android apps. Drozer is a powerful security testing framework for Android that allows us to analyze and manipulate Android apps.
|
||||
|
||||
在本教程中,我们将探讨如何使用drozer工具与Android应用程序中的广播进行交互。Drozer是一个强大的用于Android的安全测试框架,它允许我们分析和操作Android应用程序。
|
||||
广播是Android应用程序中不同组件之间进行通信的一种方式。它们允许一个组件发送一条消息,称为意图(intent),其他组件可以接收并响应该消息。这对于协调应用程序的不同部分之间的操作或向用户发送通知非常有用。
|
||||
```
|
||||
app.broadcast.info Get information about broadcast receivers
|
||||
app.broadcast.send Send broadcast using an intent
|
||||
|
@ -427,7 +429,9 @@ run app.package.debuggable
|
|||
## 教程
|
||||
|
||||
* [https://resources.infosecinstitute.com/android-penetration-tools-walkthrough-series-drozer/#gref](https://resources.infosecinstitute.com/android-penetration-tools-walkthrough-series-drozer/#gref)
|
||||
* [http://mobiletools.mwrinfosecurity.com/Using-Drozer-for-application-security-assessments/](http://mobiletools.mwrinfosecurity.com/Using-Drozer-for-application-security-assessments/)
|
||||
* [https://github.com/mgcfish/mobiletools/blob/master/_posts/2016-08-01-Using-Drozer-for-application-security-assessments.md](https://github.com/mgcfish/mobiletools/blob/master/_posts/2016-08-01-Using-Drozer-for-application-security-assessments.md)
|
||||
* [https://www.hackingarticles.in/android-penetration-testing-drozer/](https://www.hackingarticles.in/android-penetration-testing-drozer/)
|
||||
* [https://medium.com/@ashrafrizvi3006/how-to-test-android-application-security-using-drozer-edc002c5dcac](https://medium.com/@ashrafrizvi3006/how-to-test-android-application-security-using-drozer-edc002c5dcac)
|
||||
|
||||
## 更多信息
|
||||
|
||||
|
@ -441,9 +445,9 @@ run app.package.debuggable
|
|||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 推特 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
||||
* 你在**网络安全公司**工作吗?想要在HackTricks中**宣传你的公司**吗?或者你想要**获取PEASS的最新版本或下载HackTricks的PDF**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
||||
* 你在**网络安全公司**工作吗?想要在HackTricks中**宣传你的公司**吗?或者你想要**获取PEASS的最新版本或下载PDF格式的HackTricks**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
||||
* 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
|
||||
* 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
|
||||
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass),或者**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
|
||||
|
|
Loading…
Reference in a new issue