
Drozer Tutorial


APKs to test

Installation

Install the Drozer client on your host. Download it from the latest releases.

```bash
pip install drozer-2.4.4-py2-none-any.whl
pip install twisted
pip install service_identity
```

Download and install the drozer APK from the latest releases. The current one is this one:

```bash
adb install drozer.apk
```

Start the server

The agent runs on port 31415, so we need to forward that port to establish communication between the Drozer client and the agent. This is the command to do so:

```bash
adb forward tcp:31415 tcp:31415
```

Finally, launch the application and press the "ON" button at the bottom.

Then connect to it:

```bash
drozer console connect
```

Interesting commands

| Command | Description |
|---|---|
| Help MODULE | Shows help for the selected module |
| list | Shows a list of all the drozer modules that can be executed in the current session. This hides modules that you don't have the appropriate permissions to run. |
| shell | Starts an interactive Linux shell on the device, in the context of the Agent. |
| clean | Removes temporary files stored by drozer on the Android device. |
| load | Loads a file containing drozer commands and executes them in sequence. |
| module | Finds and installs additional drozer modules from the Internet. |
| unset | Removes a named variable that drozer passes to any Linux shell it spawns. |
| set | Stores a value in a variable that will be passed as an environment variable to any Linux shell spawned by drozer. |
| run MODULE | Executes a drozer module. |
| exploit | drozer can create exploits to execute on the device. `drozer exploit list` |
| payload | The exploits need a payload. `drozer payload list` |

Find the package name, filtering by part of the name

```bash
dz> run app.package.list -f sieve
com.mwr.example.sieve
```

Basic information of the package


```bash
dz> run app.package.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
Process Name: com.mwr.example.sieve
Version: 1.0
Data Directory: /data/data/com.mwr.example.sieve
APK Path: /data/app/com.mwr.example.sieve-2.apk
UID: 10056
GID: [1028, 1015, 3003]
Shared Libraries: null
Shared User ID: null
Uses Permissions:
- android.permission.READ_EXTERNAL_STORAGE
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.INTERNET
Defines Permissions:
- com.mwr.example.sieve.READ_KEYS
- com.mwr.example.sieve.WRITE_KEYS
```

Read the manifest

```bash
run app.package.manifest jakhar.aseem.diva
```

Attack surface of the package:

```bash
dz> run app.package.attacksurface com.mwr.example.sieve
Attack Surface:
3 activities exported
0 broadcast receivers exported
2 content providers exported
2 services exported
is debuggable
```

  • Activities: maybe you can start an activity and bypass some kind of authorization that should prevent you from launching it.
  • Content providers: maybe you can access private data or exploit some vulnerability (SQL injection or path traversal).
  • Services:
  • is debuggable: learn more
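The attack-surface summary above is derived from the app's manifest: a component counts as exported when `android:exported="true"` is set (or, before API 31, when it has an intent filter and no explicit value), and `is debuggable` comes from `android:debuggable`. The following script is an added example, not drozer's code or part of the original page; it applies those rules to a constructed manifest (the component names are made up) and additionally lists which exported components carry no `android:permission`, `readPermission` or `writePermission`, which is the first thing to check when triaging the output.

```python
# Added example (not part of the drozer tutorial): audit an AndroidManifest.xml
# for what `app.package.attacksurface` reports, plus exported components that no
# permission protects.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest; component and permission names are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.target">
  <application android:debuggable="true">
    <activity android:name=".MainLoginActivity" android:exported="true"/>
    <activity android:name=".PWList" android:exported="true"
              android:permission="com.example.target.READ_KEYS"/>
    <activity android:name=".Hidden" android:exported="false"/>
    <activity android:name=".WithFilter">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
      </intent-filter>
    </activity>
    <service android:name=".AuthService" android:exported="true" android:process=":remote"/>
    <receiver android:name=".MyBroadcastReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".DBContentProvider" android:authorities="com.example.target.DB"
              android:exported="true" android:readPermission="com.example.target.READ_KEYS"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem):
    """An explicit android:exported wins; otherwise a component with an
    <intent-filter> is exported by default (the pre-API 31 rule)."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None


def is_protected(elem):
    """True if any permission attribute guards the component."""
    return any(_attr(elem, p) for p in ("permission", "readPermission", "writePermission"))


def attack_surface(manifest_xml):
    """Return the debuggable flag, the exported component names per type, and
    the subset of those that no permission protects."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    report = {
        "debuggable": (_attr(app, "debuggable") or "false").lower() == "true",
        "exported": {tag: [] for tag in COMPONENT_TAGS},
        "unprotected": {tag: [] for tag in COMPONENT_TAGS},
    }
    for tag in COMPONENT_TAGS:
        for elem in app.iter(tag):
            if not is_exported(elem):
                continue
            name = _attr(elem, "name")
            report["exported"][tag].append(name)
            if not is_protected(elem):
                report["unprotected"][tag].append(name)
    return report


if __name__ == "__main__":
    result = attack_surface(SAMPLE_MANIFEST)
    for tag in COMPONENT_TAGS:
        print("%d %s exported, %d of them without a permission: %s" % (
            len(result["exported"][tag]), tag,
            len(result["unprotected"][tag]), result["unprotected"][tag]))
    if result["debuggable"]:
        print("is debuggable")
```

Run it against a manifest pulled with `app.package.manifest` (after saving it to a file) to get the same counts drozer prints, together with the concrete components worth reviewing; `.PWList` shows up as exported but protected, which is the pattern a properly hardened component should follow.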

Activities

An exported activity component has the value of "android:exported" set to **"true"** in the AndroidManifest.xml file:

```xml
<activity android:name="com.my.app.Initial" android:exported="true">
</activity>
```

List exported activities

Exported activities are components that other apps or external entities can start; they are declared in the app's manifest with the exported attribute set to true. To list them with drozer, connect to the agent with `drozer console connect`, locate the package with `run app.package.list -f <package_name>` (replace `<package_name>` with the package name of the app you want to analyze), and then run `run app.activity.info -a <package_name>`. drozer prints the exported activities with their names and the permission guarding each one. Listing them is the first step in identifying components whose authorization checks can be bypassed.

```bash
dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
com.mwr.example.sieve.FileSelectActivity
com.mwr.example.sieve.MainLoginActivity
com.mwr.example.sieve.PWList
```

Start activities

Maybe you can start an activity and bypass some kind of authorization that should prevent you from launching it.

{% code overflow="wrap" %}
```bash
dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
```
{% endcode %}

You can also start an exported activity from adb:

  • Package name is com.example.demo
  • Exported activity name is com.example.test.MainActivity

```bash
adb shell am start -n com.example.demo/com.example.test.MainActivity
```

Content providers

This section is too long for this page, so you can find it on its own page here.

Services

An exported service is declared in the Manifest.xml:

{% code overflow="wrap" %}
```xml
<service android:name=".AuthService" android:exported="true" android:process=":remote"/>
```
{% endcode %}

Inside the code, look for the handleMessage function, which will receive the message:

List services

```bash
dz> run app.service.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
com.mwr.example.sieve.AuthService
Permission: null
com.mwr.example.sieve.CryptoService
Permission: null
```

Interact with a service

Services are driven with drozer's `run <module> [options]` command; each module has its own options, so check `help <module>` for the details. The relevant modules are:

```
app.service.send            Send a Message to a service, and display the reply
app.service.start           Start Service
app.service.stop            Stop Service
```

Example

Take a look at the drozer help for app.service.send:

Note that you will first send the data inside "msg.what", "msg.arg1" and "msg.arg2"; you should check in the code which information is being used and where.
With the --extra option you can send something that will be interpreted by "_msg.replyTo", and with --bundle-as-obj you create an object with the provided details.

In the following example:

  • what == 2354
  • arg1 == 9234
  • arg2 == 1
  • replyTo == object(string com.mwr.example.sieve.PIN 1337)

```bash
run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 2354 9234 1 --extra string com.mwr.example.sieve.PIN 1337 --bundle-as-obj
```

Broadcast Receivers

Android apps can send or receive broadcast messages from the Android system and other Android apps, similar to the publish-subscribe design pattern. These broadcasts are sent when an event of interest occurs. For example, the Android system sends broadcasts when various system events occur, such as when the system boots up or the device starts charging. Apps can also send custom broadcasts, for example to notify other apps of something they might be interested in (such as some new data having been downloaded).

Apps can register to receive specific broadcasts. When a broadcast is sent, the system automatically routes it to the apps that have subscribed to receive that particular type of broadcast.

This can appear in the Manifest.xml file:

```xml
<receiver android:name=".MyBroadcastReceiver"  android:exported="true">
<intent-filter>
<action android:name="android.intent.action.BOOT_COMPLETED"/>
<action android:name="android.intent.action.INPUT_METHOD_CHANGED" />
</intent-filter>
</receiver>
```

From: https://developer.android.com/guide/components/broadcasts

After discovering these broadcast receivers you should check their code. Pay special attention to the **onReceive** function, as it will handle the received messages.

Detect all broadcast receivers

```bash
run app.broadcast.info #Detects all
```

Check the broadcast receivers of an app

To check the broadcast receivers of an app you can use drozer, which lets you interact with the Android OS at the application layer and perform various security assessments. Install drozer on your machine, connect your Android device and start the drozer console, then run:

```bash
run app.broadcast.info -a <package_name>
```

Replace `<package_name>` with the package name of the app you want to assess. The command lists every broadcast receiver registered by the app together with the permission that protects it; examining them lets you spot receivers that are reachable without any permission and other misconfigurations.

It is important to note that this process should only be performed on apps that you have permission to assess, such as your own apps or those for which you have explicit consent from the app owner.

```bash
# Check one negative
run app.broadcast.info -a jakhar.aseem.diva
Package: jakhar.aseem.diva
No matching receivers.

# Check one positive
run app.broadcast.info -a com.google.android.youtube
Package: com.google.android.youtube
com.google.android.libraries.youtube.player.PlayerUiModule$LegacyMediaButtonIntentReceiver
Permission: null
com.google.android.apps.youtube.app.common.notification.GcmBroadcastReceiver
Permission: com.google.android.c2dm.permission.SEND
com.google.android.apps.youtube.app.PackageReplacedReceiver
Permission: null
com.google.android.libraries.youtube.account.AccountsChangedReceiver
Permission: null
com.google.android.apps.youtube.app.application.system.LocaleUpdatedReceiver
Permission: null
```
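When `app.broadcast.info` is run without `-a` it prints this same `Package:` / component / `Permission:` layout for every installed app, and `app.service.info` (shown earlier for sieve) uses the identical format, so a small parser saves scrolling through the output by hand. The script below is an added example, not part of drozer or of the original page; the sample input is constructed from the two outputs shown above concatenated as the all-apps listing would print them. It returns, per package, the components whose permission is `null`, i.e. the ones any app on the device can send to.

```python
# Added example (not drozer's own code): parse the text printed by
# `run app.broadcast.info` / `run app.service.info` and report exported
# components that no permission protects.
import re

# Constructed sample: the two page outputs joined as the all-packages listing prints them.
SAMPLE_OUTPUT = """Package: jakhar.aseem.diva
No matching receivers.

Package: com.google.android.youtube
  com.google.android.libraries.youtube.player.PlayerUiModule$LegacyMediaButtonIntentReceiver
    Permission: null
  com.google.android.apps.youtube.app.common.notification.GcmBroadcastReceiver
    Permission: com.google.android.c2dm.permission.SEND
  com.google.android.apps.youtube.app.PackageReplacedReceiver
    Permission: null
"""

NO_MATCH = re.compile(r"^No matching (receivers|services|activities|providers)\.$")


def parse_component_info(text):
    """Return {package: [(component, permission_or_None), ...]}.

    Handles both the single-package (-a) output and the all-packages listing,
    which simply repeats the 'Package:' header. A 'null' permission becomes None."""
    result = {}
    package = None
    pending = None  # component name waiting for its Permission: line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or NO_MATCH.match(line):
            continue
        if line.startswith("Package:"):
            if pending is not None:
                raise ValueError("component %r has no Permission line" % pending)
            package = line.split(":", 1)[1].strip()
            result.setdefault(package, [])
        elif line.startswith("Permission:"):
            if package is None or pending is None:
                raise ValueError("unexpected line: %r" % raw)
            perm = line.split(":", 1)[1].strip()
            result[package].append((pending, None if perm == "null" else perm))
            pending = None
        else:
            if package is None:
                raise ValueError("component before any Package: header: %r" % raw)
            if pending is not None:
                raise ValueError("component %r has no Permission line" % pending)
            pending = line
    if pending is not None:
        raise ValueError("component %r has no Permission line" % pending)
    return result


def unprotected_components(text):
    """Per package, the components reachable without any permission."""
    return {pkg: [name for name, perm in comps if perm is None]
            for pkg, comps in parse_component_info(text).items()}


if __name__ == "__main__":
    for pkg, names in unprotected_components(SAMPLE_OUTPUT).items():
        print("%s: %d unprotected component(s)" % (pkg, len(names)))
        for name in names:
            print("  " + name)
```

Pipe the console output into a file and feed it to `parse_component_info`; a receiver that appears in the unprotected list is the one whose `onReceive` deserves the closest code review, because its input can come from any app.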

Broadcast interactions

Broadcasts are a way for different components within an Android app to communicate with each other. They allow one component to send a message, called an intent, which other components can receive and respond to. This can be useful for coordinating actions between different parts of an app or for sending notifications to the user.

```
app.broadcast.info          Get information about broadcast receivers
app.broadcast.send          Send broadcast using an intent
app.broadcast.sniff         Register a broadcast receiver that can sniff particular intents
```

Send a message

In this example, abusing the FourGoats apk content provider you can send an arbitrary SMS to any non-premium destination without asking the user for permission.

If you read the code, you need to send the parameters "phoneNumber" and "message" to the content provider.

```bash
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats.broadcastreceivers SendSMSNowReceiver --extra string phoneNumber 123456789 --extra string message "Hello mate!"
```

Is debuggable

A production APK should never be debuggable.
Debuggable means you can attach a Java debugger to the running application, inspect it in real time, set breakpoints, step through the code, gather variable values and even change them. InfoSec Institute has an excellent article on digging deeper and injecting runtime code when your application is debuggable.

When an application is debuggable, it appears in the manifest:

```xml
<application theme="@2131296387" debuggable="true"
```

You can find all debuggable applications with Drozer:

```bash
run app.package.debuggable
```

Tutorials

More information
