
DrozerForMac

Drozer

Drozer is a tool for security testing of Android apps. Usage documentation

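Installation

Drozer official website

  • Download Drozer (Python .egg)
  • After extracting, read the INSTALLING document and install the required dependencies (root privileges are required)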

    sudo easy_install --allow-hosts pypi.python.org protobuf==2.4.1
    sudo easy_install twisted==10.2.0
    sudo easy_install ./drozer-2.3.0-py2.7.egg

  • Install agent.apk
  • Open the drozer Agent on the Android device and select Embedded Server
  • On the PC, run:

    [xuxu:~]$ adb forward tcp:31415 tcp:31415
    [xuxu:~]$ drozer console connect
    Selecting 93cbb9e4b6133180 (Genymotion Google Nexus 5 - 4.4.4 - API 19 - 1080x1920 4.4.4)

    .. ..:.
    ..o.. .r..
    ..a.. . ....... . ..nd
    ro..idsnemesisand..pr
    .otectorandroidsneme.
    .,sisandprotectorandroids+.
    ..nemesisandprotectorandroidsn:.
    .emesisandprotectorandroidsnemes..
    ..isandp,..,rotectorandro,..,idsnem.
    .isisandp..rotectorandroid..snemisis.
    ,andprotectorandroidsnemisisandprotec.
    .torandroidsnemesisandprotectorandroid.
    .snemisisandprotectorandroidsnemesisan:
    .dprotectorandroidsnemesisandprotector.

    drozer Console (v2.3.4)

list

dz> list
app.activity.forintent Find activities that can handle the given intent
app.activity.info Gets information about exported activities.
app.activity.start Start an Activity
app.broadcast.info Get information about broadcast receivers
app.broadcast.send Send broadcast using an intent
app.broadcast.sniff Register a broadcast receiver that can sniff particular intents
app.package.attacksurface Get attack surface of package
app.package.backup Lists packages that use the backup API (returns true on FLAG_ALLOW_BACKUP)
app.package.debuggable Find debuggable packages
app.package.info Get information about installed packages
app.package.launchintent Get launch intent of package
app.package.list List Packages
app.package.manifest Get AndroidManifest.xml of package
app.package.native Find Native libraries embedded in the application.
app.package.shareduid Look for packages with shared UIDs
app.provider.columns List columns in content provider
app.provider.delete Delete from a content provider
app.provider.download Download a file from a content provider that supports files
app.provider.finduri Find referenced content URIs in a package
app.provider.info Get information about exported content providers
app.provider.insert Insert into a Content Provider
app.provider.query Query a content provider
app.provider.read Read from a content provider that supports files
app.provider.update Update a record in a content provider
app.service.info Get information about exported services
app.service.send Send a Message to a service, and display the reply
app.service.start Start Service
app.service.stop Stop Service
auxiliary.webcontentresolver Start a web service interface to content providers.
exploit.jdwp.check Open @jdwp-control and see which apps connect
exploit.pilfer.general.apnprovider Reads APN content provider
exploit.pilfer.general.settingsprovider Reads Settings content provider
information.datetime Print Date/Time
information.deviceinfo Get verbose device information
information.permissions Get a list of all permissions used by packages on the device
scanner.activity.browsable Get all BROWSABLE activities that can be invoked from the web browser
scanner.misc.native Find native components included in packages
scanner.misc.readablefiles Find world-readable files in the given folder
scanner.misc.secretcodes Search for secret codes that can be used from the dialer
scanner.misc.sflagbinaries Find suid/sgid binaries in the given folder (default is /system).
scanner.misc.writablefiles Find world-writable files in the given folder
scanner.provider.finduris Search for content providers that can be queried from our context.
scanner.provider.injection Test content providers for SQL injection vulnerabilities.
scanner.provider.sqltables Find tables accessible through SQL injection vulnerabilities.
scanner.provider.traversal Test content providers for basic directory traversal vulnerabilities.
shell.exec Execute a single Linux command.
shell.send Send an ASH shell to a remote listener.
shell.start Enter into an interactive Linux shell.
tools.file.download Download a File
tools.file.md5sum Get md5 Checksum of file
tools.file.size Get size of file
tools.file.upload Upload a File
tools.setup.busybox Install Busybox.
tools.setup.minimalsu Prepare 'minimal-su' binary installation on the device.

Command options

Help output, kept here for reference

app.activity.forintent

dz> help app.activity.forintent
usage: run app.activity.forintent [-h] [--action ACTION] [--category CATEGORY [CATEGORY ...]]
[--component PACKAGE COMPONENT] [--data-uri DATA_URI]
[--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]]
[--mimetype MIMETYPE]

Find activities that can handle the formulated intent

Examples:
Find activities that can handle web addresses:

dz> run app.activity.forintent
--action android.intent.action.VIEW
--data http://www.google.com

Package name: com.android.browser
Target activity: com.android.browser.BrowserActivity

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help
--action ACTION specify the action to include in the Intent
--category CATEGORY [CATEGORY ...]
specify the category to include in the Intent
--component PACKAGE COMPONENT
specify the component name to include in the Intent
--data-uri DATA_URI specify a Uri to attach as data in the Intent
--extra TYPE KEY VALUE
add an field to the Intent's extras bundle
--flags FLAGS [FLAGS ...]
specify one-or-more flags to include in the Intent
--mimetype MIMETYPE specify the MIME type to send in the Intent

app.activity.info

dz> help app.activity.info
usage: run app.activity.info [-h] [-a PACKAGE] [-f FILTER] [-i] [-u] [-v]

Gets information about exported activities.

Examples:
List activities exported by the Browser:

dz> run app.activity.info --package com.android.browser
Package: com.android.browser
com.android.browser.BrowserActivity
com.android.browser.ShortcutActivity
com.android.browser.BrowserPreferencesPage
com.android.browser.BookmarkSearch
com.android.browser.AddBookmarkPage
com.android.browser.widget.BookmarkWidgetConfigure

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help
-a PACKAGE, --package PACKAGE
specify the package to inspect
-f FILTER, --filter FILTER
specify a filter term for the activity name
-i, --show-intent-filters
specify whether to include intent filters
-u, --unexported include activities that are not exported
-v, --verbose be verbose

app.activity.start

dz> help app.activity.start
usage: run app.activity.start [-h] [--action ACTION] [--category CATEGORY [CATEGORY ...]]
[--component PACKAGE COMPONENT] [--data-uri DATA_URI]
[--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]]
[--mimetype MIMETYPE]

Starts an Activity using the formulated intent.

Examples:
Start the Browser with an explicit intent:

dz> run app.activity.start
--component com.android.browser
com.android.browser.BrowserActivity
--flags ACTIVITY_NEW_TASK

If no flags are specified, drozer will add the ACTIVITY_NEW_TASK flag. To launch an activity with no flags:

dz> run app.activity.start
--component com.android.browser
com.android.browser.BrowserActivity
--flags 0x0

Starting the Browser with an implicit intent:

dz> run app.activity.start
--action android.intent.action.VIEW
--data-uri http://www.google.com
--flags ACTIVITY_NEW_TASK

For more information on how to formulate an Intent, type 'help intents'.

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help
--action ACTION specify the action to include in the Intent
--category CATEGORY [CATEGORY ...]
specify the category to include in the Intent
--component PACKAGE COMPONENT
specify the component name to include in the Intent
--data-uri DATA_URI specify a Uri to attach as data in the Intent
--extra TYPE KEY VALUE
add an field to the Intent's extras bundle
--flags FLAGS [FLAGS ...]
specify one-or-more flags to include in the Intent
--mimetype MIMETYPE specify the MIME type to send in the Intent

app.broadcast.info

dz> help app.broadcast.info
usage: run app.broadcast.info [-h] [-a PACKAGE] [-f FILTER] [-p PERMISSION] [-i] [-u] [-v]

Get information about exported broadcast receivers.

Examples:
Get receivers exported by the platform:

dz> run app.broadcast.info -a android
Package: android
com.android.server.BootReceiver
Permission: null
com.android.server.updates.CertPinInstallReceiver
Permission: null
com.android.server.updates.IntentFirewallInstallReceiver
Permission: null
com.android.server.updates.SmsShortCodesInstallReceiver
Permission: null
com.android.server.updates.CarrierProvisioningUrlsInstallReceiver
Permission: null
com.android.server.updates.TZInfoInstallReceiver
Permission: null
com.android.server.updates.SELinuxPolicyInstallReceiver
Permission: null
com.android.server.MasterClearReceiver
Permission: android.permission.MASTER_CLEAR

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs), Luander (luander.r@samsung.com)
License: BSD (3 clause)

optional arguments:
-h, --help
-a PACKAGE, --package PACKAGE
specify the package to inspect
-f FILTER, --filter FILTER
specify filter conditions
-p PERMISSION, --permission PERMISSION
specify permission conditions
-i, --show-intent-filters
specify whether to include intent filters
-u, --unexported include receivers that are not exported
-v, --verbose be verbose

app.broadcast.send

dz> help app.broadcast.send
usage: run app.broadcast.send [-h] [--action ACTION] [--category CATEGORY [CATEGORY ...]]
[--component PACKAGE COMPONENT] [--data-uri DATA_URI]
[--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]]
[--mimetype MIMETYPE]

Sends an intent to broadcast receivers.

Examples:
Attempt to send the BOOT_COMPLETED broadcast message:

dz> run app.broadcast.send
--action android.intent.action.BOOT_COMPLETED
java.lang.SecurityException: Permission Denial: not allowed to send broadcast android.intent.action.BOOT_COMPLETED from pid=955,
uid=10044

For more information on how to formulate an Intent, type 'help intents'.

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help
--action ACTION specify the action to include in the Intent
--category CATEGORY [CATEGORY ...]
specify the category to include in the Intent
--component PACKAGE COMPONENT
specify the component name to include in the Intent
--data-uri DATA_URI specify a Uri to attach as data in the Intent
--extra TYPE KEY VALUE
add an field to the Intent's extras bundle
--flags FLAGS [FLAGS ...]
specify one-or-more flags to include in the Intent
--mimetype MIMETYPE specify the MIME type to send in the Intent

app.broadcast.sniff

dz> help app.broadcast.sniff
usage: run app.broadcast.sniff [-h] [--action ACTION] [--category CATEGORY [CATEGORY ...]]
[--data-authority HOST PORT] [--data-path PATH TYPE]
[--data-scheme DATA_SCHEME [DATA_SCHEME ...]]
[--data-type DATA_TYPE [DATA_TYPE ...]]

Register a broadcast receiver that can sniff particular intents

Examples:
dz> run app.broadcast.sniff --action android.intent.action.BATTERY_CHANGED
[*] Broadcast receiver registered to sniff matching intents
[*] Output is updated once a second. Press Control+C to exit.

Action: android.intent.action.BATTERY_CHANGED
Raw: Intent { act=android.intent.action.BATTERY_CHANGED flg=x60000010 (has extras) }
Extra: technology=Li-ion (java.lang.String)
Extra: icon-small=17303411 (java.lang.Integer)
Extra: health=2 (java.lang.Integer)
Extra: online=4 (java.lang.Integer)
Extra: status=2 (java.lang.Integer)
Extra: plugged=2 (java.lang.Integer)
Extra: present=true (java.lang.Boolean)
Extra: level=80 (java.lang.Integer)
Extra: scale=100 (java.lang.Integer)
Extra: temperature=280 (java.lang.Integer)
Extra: current_avg=460 (java.lang.Integer)
Extra: voltage=4151 (java.lang.Integer)
Extra: charge_type=1 (java.lang.Integer)
Extra: invalid_charger=0 (java.lang.Integer)

Last Modified: 2014-06-27
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help
--action ACTION specify the action to include in the Intent Filter
--category CATEGORY [CATEGORY ...]
specify the category to include in the Intent Filter
--data-authority HOST PORT
specify the data authority to match against in the Intent Filter
--data-path PATH TYPE
specify the data path to match against in the Intent Filter
--data-scheme DATA_SCHEME [DATA_SCHEME ...]
specify the data scheme to match against in the Intent Filter
--data-type DATA_TYPE [DATA_TYPE ...]
specify the data type to match against in the Intent Filter

app.package.attacksurface

dz> help app.package.attacksurface
usage: run app.package.attacksurface [-h] package

Examine the attack surface of an installed package.

Examples:

Finding the attack surface of the built-in browser

dz> run app.package.attacksurface com.android.browser

6 activities exported
4 broadcast receivers exported
1 content providers exported
0 services exported

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

positional arguments:
package the identifier of the package to inspect

optional arguments:
-h, --help

app.package.backup

dz> help app.package.backup
usage: run app.package.backup [-h] [-f FILTER] [-k]

Lists packages that use the backup API (retruns true on FLAG_ALLOW_BACKUP)

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help
-f FILTER, --filter FILTER
filter term (By Package Name)
-k, --api-keys Only print packages that contain api keys

app.package.debuggable

dz> help app.package.debuggable
usage: run app.package.debuggable [-h] [-f FILTER] [-v]

Lists packages which are debuggable.

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help
-f FILTER, --filter FILTER
filter term
-v, --verbose be verbose

app.package.info

dz> help app.package.info
usage: run app.package.info [-h] [-a PACKAGE] [-d DEFINES_PERMISSION] [-f FILTER] [-g GID]
[-p PERMISSION] [-u UID] [-i]

List all installed packages on the device with optional filters. Specify optional keywords to search for in the package information, or
granted permissions.

Examples:
Finding all packages with the keyword "browser" in their name:

dz> run app.package.info -f browser

Package: com.android.browser
Process name: com.android.browser
Version: 4.1.1
Data Directory: /data/data/com.android.browser
APK path: /system/app/Browser.apk
UID: 10014
GID: [3003, 1015, 1028]
Shared libraries: null
Permissions:
- android.permission.ACCESS_COARSE_LOCATION
- android.permission.ACCESS_DOWNLOAD_MANAGER
- android.permission.ACCESS_FINE_LOCATION
...

Finding all packages with the "INSTALL_PACKAGES" permission:

dz> run app.package.info -p INSTALL_PACKAGES

Package: com.android.packageinstaller
Process Name: com.android.packageinstaller
Version: 4.1.1-403059
Data Directory: /data/data/com.android.packageinstaller
APK Path: /system/app/PackageInstaller.apk
UID: 10003
GID: [1028]
Shared Libraries: null
Shared User ID: null
Permissions:
- android.permission.INSTALL_PACKAGES
- android.permission.DELETE_PACKAGES
- android.permission.CLEAR_APP_CACHE
- android.permission.READ_PHONE_STATE
- android.permission.CLEAR_APP_USER_DATA
- android.permission.READ_EXTERNAL_STORAGE

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help
-a PACKAGE, --package PACKAGE
the identifier of the package to inspect
-d DEFINES_PERMISSION, --defines-permission DEFINES_PERMISSION
filter by the permissions a package defines
-f FILTER, --filter FILTER
keyword filter conditions
-g GID, --gid GID filter packages by GID
-p PERMISSION, --permission PERMISSION
permission filter conditions
-u UID, --uid UID filter packages by UID
-i, --show-intent-filters
show intent filters

app.package.launchintent

dz> help app.package.launchintent
usage: run app.package.launchintent [-h] [-r] package

Get the launch intent of an installed package.

Examples:

Finding the launch intent of the Android browser package:

dz> run app.package.launchintent com.android.browser

Intent:

Action: android.intent.action.MAIN
Component: {com.android.browser/com.android.browser.BrowserActivity}
Data: null
Categories:
android.intent.category.LAUNCHER
Flags: [ACTIVITY_NEW_TASK]
Mime Type: null
Extras: null

Last Modified: 2013-03-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

positional arguments:
package the identifier of the package to inspect

optional arguments:
-h, --help
-r, --raw display the raw output of the intent (as if you were calling intent.toString())

app.package.manifest

dz> help app.package.manifest
usage: run app.package.manifest [-h] package

Retrieves AndroidManifest.xml from an installed package.

Examples:

Getting the manifest for drozer

dz> run app.package.manifest com.mwr.dz

<manifest versionCode="2" versionName="1.1" package="com.mwr.dz">
<uses-sdk minSdkVersion="8" targetSdkVersion="4">
</uses-sdk>
<uses-permission name="android.permission.INTERNET">
</uses-permission>

...
</manifest>

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

positional arguments:
package the identifier of the package

optional arguments:
-h, --help

app.package.list

dz> help app.package.list
usage: run app.package.list [-h] [-d DEFINES_PERMISSION] [-f FILTER] [-g GID]
[-p PERMISSION] [-u UID] [-n]

List all installed packages on the device. Specify optional keywords to search for in the package name.

Examples:
Finding all packages with the keyword "browser" in their name:

dz> run app.package.list -f browser

com.android.browser

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help
-d DEFINES_PERMISSION, --defines-permission DEFINES_PERMISSION
filter by the permissions a package defines
-f FILTER, --filter FILTER
keyword filter conditions
-g GID, --gid GID filter packages by GID
-p PERMISSION, --permission PERMISSION
permission filter conditions
-u UID, --uid UID filter packages by UID
-n, --no_app_name do not print the app name

app.package.native

dz> help app.package.native
usage: run app.package.native [-h] package

Find Native libraries embedded in the application.

Last Modified: 2013-03-23
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

positional arguments:
package the identifier of the package

optional arguments:
-h, --help

app.package.shareduid

dz> help app.package.shareduid
usage: run app.package.shareduid [-h] [-u UID]

Finds packages that have shared UIDs and gives their accumulated permissions.

Examples:

Finding packages that share the UID 10011

dz> run app.package.shareduid -u 10011

UID: 10011 (com.motorola.blur.uid.provider_authenticator:10011)

Package Name: com.motorola.blur.provider.photobucket
Package Name: com.motorola.blur.provider.picasa
Package Name: com.motorola.blur.provider.yahoo
Package Name: com.motorola.blur.provider.twitter
Package Name: com.motorola.blur.provider.fixedemail
Package Name: com.motorola.blur.provider.motorola.app
Package Name: com.motorola.blur.provider.orkut
Package Name: com.motorola.blur.provider.email
Package Name: com.motorola.blur.provider.facebook
Package Name: com.motorola.blur.provider.lastfm
Package Name: com.motorola.blur.provider.linkedin
Package Name: com.motorola.blur.provider.youtube
Package Name: com.motorola.blur.provider.skyrock
Package Name: com.motorola.blur.provider.activesync
Package Name: com.motorola.blur.provider.flickr
Accumulated permissions: com.motorola.blur.setupprovider.Permissions.ACCESS_ACCOUNTS; ...

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help
-u UID, --uid UID specify uid

app.provider.columns

dz> help app.provider.columns
usage: run app.provider.columns [-h] uri

List the columns in the specified content provider URI.

Examples:
List the columns of content://settings/secure

dz> run app.provider.columns content://settings/secure
| _id | name | value |

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

positional arguments:
uri the content provider uri to query

optional arguments:
-h, --help

app.provider.delete

dz> help app.provider.delete
usage: run app.provider.delete [-h] [--selection conditions] [--selection-args [arg [arg ...]]]
uri

Delete from the specified content provider URI.

Examples:
Delete from content://settings/secure, with name condition:

dz> run app.provider.delete content://settings/secure
--selection "name=?"
--selection-args my_setting

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

positional arguments:
uri the content provider uri to query

optional arguments:
-h, --help
--selection conditions
the conditions to apply to the query, as in "WHERE <conditions>"
--selection-args [arg [arg ...]]
any parameters to replace '?' in --selection

app.provider.download

dz> help app.provider.download
usage: run app.provider.download [-h] uri destination

Read from the specified content uri using openInputStream, and download to the local file system

Examples:
Download, using directory traversal on a content provider:

dz> run app.provider.download content://vulnerable.provider/../../../system/etc/hosts /tmp/hostsfile
Written 25 bytes

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

positional arguments:
uri the content provider URI to read a file through
destination path to save the downloaded file to

optional arguments:
-h, --help

app.provider.finduri

dz> help app.provider.finduri
usage: run app.provider.finduri [-h] package

Finds Content URIs within a package.

This module uses a number of strategies to identify a content URI, including inspecting the authorities, path permissions and searching for
strings inside the package.

Examples:
Find content provider URIs in the Browser:

dz> run app.provider.finduri com.android.browser
Scanning com.android.browser...
content://com.android.browser.home/res/raw/
content://browser/search_suggest_query
content://browser/
content://com.android.browser.snapshots/
content://com.android.browser/bookmarks/search_suggest_query
content://com.android.browser/
content://com.google.settings/partner
content://com.android.browser.snapshots
content://com.google.android.partnersetup.rlzappprovider/
content://com.android.browser.home/
content://browser/bookmarks/search_suggest_query

Last Modified: 2012-13-18
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

positional arguments:
package the package to search for content provider uris

optional arguments:
-h, --help

app.provider.info

dz> help app.provider.info
usage: run app.provider.info [-h] [-a PACKAGE] [-f FILTER] [-p PERMISSION] [-u] [-v]

List information about exported content providers, with optional filters.

Examples:
Find content provider with the keyword "settings" in them:

dz> run app.provider.info -f settings

Package name: com.google.android.gsf
Authority: com.google.settings
Required Permission - Read: null
Required Permission - Write: com.google.android.providers.settings.permission.WRITE_GSETTINGS
Grant Uri Permissions: false
Multiprocess allowed: false

Package name: com.android.providers.settings
Authority: settings
Required Permission - Read: null
Required Permission - Write: android.permission.WRITE_SETTINGS
Grant Uri Permissions: false
Multiprocess allowed: false

Finding content providers that do not require permissions to read/write:

dz> run app.provider.info -p null

Package name: com.google.android.gsf
Authority: com.google.settings
Required Permission - Read: null
Required Permission - Write: com.google.android.providers.settings.permission.WRITE_GSETTINGS
Grant Uri Permissions: false
Multiprocess allowed: false

...

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help
-a PACKAGE, --package PACKAGE
specify the package to inspect
-f FILTER, --filter FILTER
specify filter conditions
-p PERMISSION, --permission PERMISSION
specify permission conditions
-u, --unexported include providers that are not exported
-v, --verbose be verbose
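
A triage helper for the `app.provider.info` output shown above, added here as an example (it is not part of drozer or of the original page): it parses the text into one record per authority and lists the providers whose read or write permission is `null`, which is what an app owner reviews before release. The function names are hypothetical and the sample input is constructed from the help example.

```python
"""Triage drozer `app.provider.info` output: which exported providers need no permission?"""

# Constructed sample input, copied from the help example for `-f settings` above.
SAMPLE_OUTPUT = """\
Package name: com.google.android.gsf
Authority: com.google.settings
Required Permission - Read: null
Required Permission - Write: com.google.android.providers.settings.permission.WRITE_GSETTINGS
Grant Uri Permissions: false
Multiprocess allowed: false

Package name: com.android.providers.settings
Authority: settings
Required Permission - Read: null
Required Permission - Write: android.permission.WRITE_SETTINGS
Grant Uri Permissions: false
Multiprocess allowed: false
"""

# Output labels (as printed in the help example) mapped to record keys.
FIELDS = {
    "Required Permission - Read": "read",
    "Required Permission - Write": "write",
}


def parse_provider_info(text):
    """Return one dict per provider authority found in the module output."""
    providers, package, current = [], None, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank lines, "...", prompts without a field
        key, value = key.strip(), value.strip()
        if key in ("Package name", "Package"):
            # The help example prints "Package name:"; "Package:" is accepted
            # as an assumption, since other modules on this page print it.
            package, current = value, None
        elif key == "Authority":
            current = {"package": package, "authority": value}
            providers.append(current)
        elif key in FIELDS and current is not None:
            current[FIELDS[key]] = value
    return providers


def unprotected_access(providers):
    """List (package, authority, access) where the declared permission is null.

    A field that was not present in the output is left out rather than guessed.
    """
    findings = []
    for p in providers:
        for access in ("read", "write"):
            if p.get(access) == "null":
                findings.append((p["package"], p["authority"], access))
    return findings


if __name__ == "__main__":
    records = parse_provider_info(SAMPLE_OUTPUT)
    for package, authority, access in unprotected_access(records):
        print(f"{package}: content://{authority} allows {access} without a permission")
```

A `null` here only means that no permission is declared for the provider as a whole; path-level permissions or checks in the provider's own code may still apply, so each hit is a review item rather than a confirmed flaw.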

app.provider.insert

dz> help app.provider.insert
usage: run app.provider.insert [-h] [--boolean column data] [--double column data]
[--float column data] [--integer column data]
[--long column data] [--short column data]
[--string column data]
uri

Insert into a content provider.

Examples:
Insert into a vulnerable content provider:

dz> run app.provider.insert content://com.vulnerable.im/messages
--string date 1331763850325
--string type 0
--integer _id 7

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

positional arguments:
uri the content provider uri to insert into

optional arguments:
-h, --help
--boolean column data
--double column data
--float column data
--integer column data
--long column data
--short column data
--string column data

app.provider.read

dz> help app.provider.read
usage: run app.provider.read [-h] uri

Read from the specified content uri using openInputStream

Examples:
Attempt directory traversal on a content provider:

dz> run app.provider.read content://settings/secure/../../../system/etc/hosts
java.io.FileNotFoundException: No files supported by provider at content://settings/secure/../../../system/etc/hosts

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

positional arguments:
uri the content provider URI to read a file through

optional arguments:
-h, --help

app.provider.update

dz> help app.provider.update
usage: run app.provider.update [-h] [--selection conditions] [--selection-args [arg [arg ...]]]
[--boolean column data] [--double column data]
[--float column data] [--integer column data]
[--long column data] [--short column data]
[--string column data]
uri

Update the specified content provider URI

Examples:
Updating, the assisted_gps_enabled setting:

dz> run app.provider.update content://settings/secure
--selection "name=?"
--selection-args assisted_gps_enabled
--integer value 0
Done.

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

positional arguments:
uri the content provider uri to update in

optional arguments:
-h, --help
--selection conditions
the conditions to apply to the query, as in "WHERE <conditions>"
--selection-args [arg [arg ...]]
any parameters to replace '?' in --selection
--boolean column data
--double column data
--float column data
--integer column data
--long column data
--short column data
--string column data

app.service.info

dz> help app.service.info
usage: run app.service.info [-h] [-a PACKAGE] [-f <filter>] [-i] [-p <filter>] [-u] [-v]

Gets information about exported services.

Examples:
List services exported by the Browser:

dz> run app.service.info --package com.android.browser
Package: com.android.browser
No exported services.

List exported services with no permissions required to interact with it:

dz> run app.service.info -p null
Package: com.android.email
com.android.email.service.EmailBroadcastProcessorService
Permission: null
com.android.email.Controller$ControllerService
Permission: null
com.android.email.service.PopImapAuthenticatorService
Permission: null
com.android.email.service.PopImapSyncAdapterService
Permission: null
com.android.email.service.EasAuthenticatorService
Permission: null

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help
-a PACKAGE, --package PACKAGE
specify the package to inspect
-f <filter>, --filter <filter>
-i, --show-intent-filters
specify whether to include intent filters
-p <filter>, --permission <filter>
-u, --unexported include receivers that are not exported
-v

app.service.send

dz> help app.service.send
usage: run app.service.send [-h] [--msg what arg1 arg2] [--extra type key value]
[--no-response] [--timeout TIMEOUT] [--bundle-as-obj]
package component

Binds to an exported service, and sends a Message to it. If the service sends a reply, display the message received and any data it
contains.

NB: by default, this module will wait 20 seconds for a reply.

Examples:
Deliver a Message to a dummy application, that simply returns the message:

dz> run app.service.send com.example.srv com.example.srv.Service --msg 1 2 3 --extra float value 0.1324 --extra string test value
Got a reply from com.example.srv/com.example.srv.Service:
what: 1
arg1: 2
arg2: 3
Data:
value (float) : 0.1324
test (string) : value

Last Modified: 2013-05-20
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

positional arguments:
package the package containing the target service
component the fully-qualified service name to bind to

optional arguments:
-h, --help
--msg what arg1 arg2 specify the what, arg1 and arg2 values to use when obtaining the message
--extra type key value
add an extra to the message's data bundle
--no-response do not wait for a response from the service
--timeout TIMEOUT specify a timeout in milliseconds (default is 20000)
--bundle-as-obj this is useful when the 'obj' parameter on the target is being cast back to a Bundle instead of using Message.getData()

app.service.start

dz> help app.service.start
usage: run app.service.start [-h] [--action ACTION] [--category CATEGORY [CATEGORY ...]]
[--component PACKAGE COMPONENT] [--data-uri DATA_URI]
[--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]]
[--mimetype MIMETYPE]

Formulate an Intent to start a service, and deliver it to another application.

For more information on how to formulate an Intent, type 'help intents'.

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help
--action ACTION specify the action to include in the Intent
--category CATEGORY [CATEGORY ...]
specify the category to include in the Intent
--component PACKAGE COMPONENT
specify the component name to include in the Intent
--data-uri DATA_URI specify a Uri to attach as data in the Intent
--extra TYPE KEY VALUE
add an field to the Intent's extras bundle
--flags FLAGS [FLAGS ...]
specify one-or-more flags to include in the Intent
--mimetype MIMETYPE specify the MIME type to send in the Intent

app.service.stop

dz> help app.service.stop
usage: run app.service.stop [-h] [--action ACTION] [--category CATEGORY [CATEGORY ...]]
[--component PACKAGE COMPONENT] [--data-uri DATA_URI]
[--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]]
[--mimetype MIMETYPE]

Formulate an Intent to stop a service, and deliver it to another application.

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help
--action ACTION specify the action to include in the Intent
--category CATEGORY [CATEGORY ...]
specify the category to include in the Intent
--component PACKAGE COMPONENT
specify the component name to include in the Intent
--data-uri DATA_URI specify a Uri to attach as data in the Intent
--extra TYPE KEY VALUE
add an field to the Intent's extras bundle
--flags FLAGS [FLAGS ...]
specify one-or-more flags to include in the Intent
--mimetype MIMETYPE specify the MIME type to send in the Intent

auxiliary.webcontentresolver

dz> help auxiliary.webcontentresolver
usage: run auxiliary.webcontentresolver [-h] [-p PORT]

Start a Web Service interface to Content Providers. This allows you to use web application testing capabilities and tools to test content
providers.

Examples:
dz> run auxiliary.webcontentresolver --port 8080

WebContentResolver started on port 8080.
Ctrl+C to Stop

Last Modified: 2012-11-06
Credit: Nils (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help
-p PORT, --port PORT the port to start the WebContentResolver on

exploit.jdwp.check

dz> help exploit.jdwp.check
usage: run exploit.jdwp.check [-h]

Open @jdwp-control and see which applications connect. This is an issue because then drozer can act as a debugger for the connected
application. This could be used to invoke arbitrary code within the context of the debuggable application. See
https://labs.mwrinfosecurity.com/blog/2011/07/07/debuggable-apps-in-android-market/ for more details.

Examples:
dz> run exploit.jdwp.check
[+] Opened @jdwp-control
[*] Accepting connections

[+] com.mwr.dz connected!
[+] Received PID = 4931
[+] This device is vulnerable!

[+] com.mwr.dz connected!
[+] Received PID = 4940
[+] This device is vulnerable!

Last Modified: 2014-07-29
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help

exploit.pilfer.general.apnprovider

dz> help exploit.pilfer.general.apnprovider
usage: run exploit.pilfer.general.apnprovider [-h]

Exploit a leaky content provider to read APN configuration information.

The target provider is content://telephony/carriers/preferapn

Examples:
dz> run exploit.pilfer.general.apnprovider
_id 1
name T-Mobile US
numeric 310260
mcc 310
mnc 260
apn epc.tmobile.com
... ...

Last Modified: 2012-11-06
Credit: Rob (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help

exploit.pilfer.general.settingsprovider

dz> help exploit.pilfer.general.settingsprovider
usage: run exploit.pilfer.general.settingsprovider [-h]

Reads Settings Information

Last Modified: 2012-11-06
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help

information.datetime

dz> run information.datetime
The time is 20160423T182546.

information.deviceinfo

dz> run information.deviceinfo
-----------------------------------------

/proc/version
-----------------------------------------

Linux version 3.4.0-g0c665cd-00561-g8238df2 (builder@qh-miui-ota-bd57) (gcc version 4.9.x-google 20140827 (prerelease) (GCC) ) #1 SMP PREEMPT Thu Apr 14 03:02:40 CST 2016


-----------------------------------------
/system/build.prop
-----------------------------------------


# begin build properties
# autogenerated by buildinfo.sh
ro.build.id=MMB29M
ro.build.display.id=MMB29M
ro.build.version.incremental=6.4.14
ro.build.version.sdk=23
ro.build.version.preview_sdk=0
ro.build.version.codename=REL
ro.build.version.all_codenames=REL

ro.build.version.release=6.0.1
...

information.permissions

dz> help information.permissions
usage: run information.permissions [-h] [--permission PERMISSION]
[--protectionlevel PROTECTIONLEVEL]

Get a list of all permissions used by packages on the device as well as their descriptions and protection levels

Examples:
dz> run information.permissions --permission android.permission.INSTALL_PACKAGES
Allows the app to install new or updated Android packages. Malicious apps may use this to add new apps with arbitrarily powerful
permissions.
18 - signature|system

Last Modified: 2014-06-17
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help
--permission PERMISSION
filter by specific permission
--protectionlevel PROTECTIONLEVEL
filter by protection level

scanner.activity.browsable

dz> help scanner.activity.browsable
usage: run scanner.activity.browsable [-h] [-a PACKAGE] [-f FILTER]

Get all BROWSABLE activities that can be invoked from the web browser through the use of a custom data handler. This can indicate the
presence of an entry point into application code from a web browser.

Examples:
dz> run scanner.activity.browsable
Package: com.android.contacts
Invocable URIs:
tel://
Classes:
.activities.PeopleActivity
com.android.contacts.NonPhoneActivity

Package: com.android.calendar
Invocable URIs:
http://www.google.com/calendar/event (PATTERN_PREFIX)
Classes:
GoogleCalendarUriIntentFilter

Package: com.android.browser
Invocable URIs:
http://
Classes:
BrowserActivity

Package: com.android.music
Invocable URIs:
http://
content://
Classes:
AudioPreview

Package: com.android.mms
Invocable URIs:
sms://
mms://
Classes:
.ui.ComposeMessageActivity

Last Modified: 2014-10-31
Credit: Tyrone (@mwrlabs)
License: BSD (3-clause)

optional arguments:
-h, --help
-a PACKAGE, --package PACKAGE
specify a package to search
-f FILTER, --filter FILTER
filter term

scanner.misc.native

dz> help scanner.misc.native
usage: run scanner.misc.native [-h] [-a PACKAGE] [-f FILTER] [-v]

Lists packages which use native code.
NOTE: This only checks for libraries that are bundled inside the package APK. System packages often do not contain the libraries they use
inside their APK and so this module will miss them.

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help
-a PACKAGE, --package PACKAGE
specify a package to search
-f FILTER, --filter FILTER
filter term
-v, --verbose be verbose

scanner.misc.readablefiles

dz> help scanner.misc.readablefiles
usage: run scanner.misc.readablefiles [-h] [-p] target

Find world-readable files in the given folder

Examples:
dz> run scanner.misc.readablefiles /data -p
Discovered world-readable files in /data:
/data/system/packages-stopped.xml
/data/system/packages.list
/data/system/packages.xml
/data/system/uiderrors.txt
...<snipped>...

Last Modified: 2013-04-18
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

positional arguments:
target the target directory to search

optional arguments:
-h, --help
-p, --privileged request root to perform the task in a privileged context

scanner.misc.secretcodes

dz> help scanner.misc.secretcodes
usage: run scanner.misc.secretcodes [-h] [-v]

Finds Secret Codes from all installed packages.

Last Modified: 2012-11-06
Credit: Mike (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help
-v, --verbose be verbose

scanner.misc.sflagbinaries

dz> help scanner.misc.sflagbinaries
usage: run scanner.misc.sflagbinaries [-h] [-t TARGET] [-p]

Find suid/sgid binaries in the given folder (default is /system). Uses the method from
http://hexesec.wordpress.com/2009/10/14/exploiting-suid-binaries/.

Examples:
dz> run scanner.misc.sflagbinaries
Discovered suid/sgid files in /system:
/system/xbin/procmem
/system/xbin/librank
/system/xbin/tcpdump
/system/xbin/procrank
/system/bin/su
/system/bin/run-as
/system/bin/ping
/system/bin/netcfg

Last Modified: 2013-04-18
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help
-t TARGET, --target TARGET
the target directory to search
-p, --privileged request root to perform the task in a privileged context

scanner.misc.writablefiles

dz> help scanner.misc.writablefiles
usage: run scanner.misc.writablefiles [-h] [-p] target

Find world-writable files in the given folder

Examples:
dz> run scanner.misc.writablefiles /data --privileged
Discovered world-writable files in /data:
/data/anr/slow00.txt
/data/anr/slow01.txt
...<snipped>...

Last Modified: 2013-04-18
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

positional arguments:
target the target directory to search

optional arguments:
-h, --help
-p, --privileged request root to perform the task in a privileged context
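
The three file scanners above (scanner.misc.readablefiles, scanner.misc.sflagbinaries, scanner.misc.writablefiles) come down to tests on each file's mode bits. The following is an added example for auditing a directory tree the same way from a defender's side; it is not drozer's code, and the names classify_mode, audit_tree and build_sample_tree are hypothetical. It also records directories it could not read, which is the coverage an unprivileged run (without -p) loses.

```python
import os
import stat
import tempfile

def classify_mode(mode):
    """Map one st_mode value to the findings the three scanners report."""
    findings = set()
    if not stat.S_ISREG(mode):
        return findings  # directories, symlinks and devices are out of scope
    if mode & stat.S_IROTH:
        findings.add("world-readable")
    if mode & stat.S_IWOTH:
        findings.add("world-writable")
    if mode & stat.S_ISUID:
        findings.add("suid")
    # setgid without group-execute marks mandatory locking, not an sgid binary
    if mode & stat.S_ISGID and mode & stat.S_IXGRP:
        findings.add("sgid")
    return findings

def audit_tree(root):
    """Walk root; return ({path: findings}, [paths that could not be read])."""
    report, skipped = {}, []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: skipped.append(e.filename)):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                found = classify_mode(os.lstat(path).st_mode)  # lstat: never follow symlinks
            except OSError:
                skipped.append(path)
                continue
            if found:
                report[path] = found
    return report, skipped

def build_sample_tree(root):  # constructed sample data: three files with known modes
    for name, mode in {"private.db": 0o600, "shared.log": 0o644, "drop.txt": 0o666}.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report, skipped = audit_tree(tmp)
        for path in sorted(report):
            print(path, sorted(report[path]))
        print("unreadable:", skipped)
```
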

scanner.provider.finduris

dz> help scanner.provider.finduris
usage: run scanner.provider.finduris [-h] [-a PACKAGE]

Search for content providers that can be queried from our context.

Examples:
run scanner.provider.finduris

Last Modified: 2012-11-06
Credit: Luander (luander.r@samsung.com)
License: BSD (3 clause)

optional arguments:
-h, --help
-a PACKAGE, --package PACKAGE
specify a package to search

scanner.provider.injection

dz> help scanner.provider.injection
usage: run scanner.provider.injection [-h] [-a <package or uri>]

Search for content providers with SQL Injection vulnerabilities.

Last Modified: 2012-11-06
Credit: Rob (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help
-a <package or uri>, --package <package or uri>, --uri <package or uri>
specify a package, or content uri to search

scanner.provider.sqltables

dz> help scanner.provider.sqltables
usage: run scanner.provider.sqltables [-h] [-a <package or uri>]

Enumerate SQL tables accessible through SQL (projection) Injection vulnerabilities.

Last Modified: 2013-01-23
Credit: Rijnard
License: BSD (3 clause)

optional arguments:
-h, --help
-a <package or uri>, --package <package or uri>, --uri <package or uri>
specify a package, or content uri to search
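
What scanner.provider.injection and scanner.provider.sqltables look for is a provider that splices the caller's projection or selection strings into its SQL. The following added example (not drozer's code and not from any real app) models such a provider with Python's sqlite3 and shows the weak query builder beside a strict one; the table names, ALLOWED_COLUMNS and the function names are hypothetical, and the database contents are constructed.

```python
import sqlite3

ALLOWED_COLUMNS = {"_id", "title", "body"}  # hypothetical provider contract

def make_db():
    """Constructed sample database standing in for a provider's SQLite file."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE notes(_id INTEGER PRIMARY KEY, title TEXT, body TEXT);"
        "CREATE TABLE secrets(token TEXT);"
        "INSERT INTO notes(title, body) VALUES ('todo', 'buy milk');"
        "INSERT INTO secrets VALUES ('constructed-token');"
    )
    return db

def query_unsafe(db, projection, selection=None):
    """Weak form: caller-supplied strings become part of the SQL text."""
    sql = "SELECT " + ", ".join(projection) + " FROM notes"
    if selection:
        sql += " WHERE " + selection
    return db.execute(sql).fetchall()

def query_strict(db, projection, selection_column=None, selection_arg=None):
    """Hardened form: identifiers come from an allowlist, values are bound."""
    columns = list(projection) or sorted(ALLOWED_COLUMNS)
    for col in columns:
        if col not in ALLOWED_COLUMNS:
            raise ValueError("column not exposed by provider: %r" % col)
    sql = "SELECT " + ", ".join(columns) + " FROM notes"
    args = ()
    if selection_column is not None:
        if selection_column not in ALLOWED_COLUMNS:
            raise ValueError("column not exposed by provider: %r" % selection_column)
        sql += " WHERE " + selection_column + " = ?"
        args = (selection_arg,)
    return db.execute(sql, args).fetchall()

if __name__ == "__main__":
    db = make_db()
    hostile = ["token FROM secrets --"]  # constructed projection, not a column name
    print("unsafe:", query_unsafe(db, hostile))
    try:
        query_strict(db, hostile)
    except ValueError as exc:
        print("strict:", exc)
```

On Android the corresponding controls are a projection map with strict mode on SQLiteQueryBuilder, plus selectionArgs for every caller-supplied value.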

scanner.provider.traversal

dz> help scanner.provider.traversal
usage: run scanner.provider.traversal [-h] [-a <package or uri>]

Finds content providers with basic directory traversal vulnerabilities.

Last Modified: 2012-11-06
Credit: Nils (@mwrlabs)
License: BSD (3 clause)

optional arguments:
-h, --help
-a <package or uri>, --package <package or uri>, --uri <package or uri>
specify a package, or content uri to search
