app.activity.info Gets information about exported activities. app.activity.start Start an Activity app.broadcast.info Get information about broadcast receivers app.broadcast.send Send broadcast using an intent app.broadcast.sniff Register a broadcast receiver that can sniff particular intents app.package.attacksurface Get attack surface of package app.package.backup Lists packages that use the backup API (returns true on FLAG_ALLOW_BACKUP) app.package.debuggable Find debuggable packages app.package.info Get information about installed packages app.package.launchintent Get launch intent of package app.package.list List Packages app.package.manifest Get AndroidManifest.xml of package app.package.native Find Native libraries embedded in the application. app.package.shareduid Look for packages with shared UIDs app.provider.columns List columns in content provider app.provider.delete Delete from a content provider app.provider.download Download a file from a content provider that supports files app.provider.finduri Find referenced content URIs in a package app.provider.info Get information about exported content providers app.provider.insert Insert into a Content Provider app.provider.query Query a content provider app.provider.read Read from a content provider that supports files app.provider.update Update a record in a content provider app.service.info Get information about exported services app.service.send Send a Message to a service, and display the reply app.service.start Start Service app.service.stop Stop Service auxiliary.webcontentresolver Start a web service interface to content providers. exploit.jdwp.check Open @jdwp-control and see which apps connect exploit.pilfer.general.apnprovider Reads APN content provider exploit.pilfer.general.settingsprovider Reads Settings content provider information.datetime Print Date/Time information.deviceinfo Get verbose device information information.permissions Get a list of all permissions used by packages on the device scanner.activity.browsable Get all BROWSABLE activities that can be invoked from the web browser scanner.misc.native Find native components included in packages scanner.misc.readablefiles Find world-readable files in the given folder scanner.misc.secretcodes Search for secret codes that can be used from the dialer scanner.misc.sflagbinaries Find suid/sgid binaries in the given folder (default is /system). scanner.misc.writablefiles Find world-writable files in the given folder scanner.provider.finduris Search for content providers that can be queried from our context. scanner.provider.injection Test content providers for SQL injection vulnerabilities. scanner.provider.sqltables Find tables accessible through SQL injection vulnerabilities. scanner.provider.traversal Test content providers for basic directory traversal vulnerabilities. shell.exec Execute a single Linux command. shell.send Send an ASH shell to a remote listener. shell.start Enter into an interactive Linux shell. tools.file.download Download a File tools.file.md5sum Get md5 Checksum of file tools.file.size Get size of file tools.file.upload Upload a File tools.setup.busybox Install Busybox. tools.setup.minimalsu Prepare 'minimal-su' binary installation on the device.
0x03 测试步骤
1.获取包名
dz> run app.package.list -f sieve com.mwr.example.sieve (Sieve)
2.获取应用的基本信息
dz> run app.package.info -a com.mwr.example.sieve Package: com.mwr.example.sieve Application Label: Sieve Process Name: com.mwr.example.sieve Version: 1.0 Data Directory: /data/user/0/com.mwr.example.sieve APK Path: /data/app/com.mwr.example.sieve-1/base.apk UID: 10065 GID: [3003] Shared Libraries: null Shared User ID: null Uses Permissions: - android.permission.READ_EXTERNAL_STORAGE - android.permission.WRITE_EXTERNAL_STORAGE - android.permission.INTERNET Defines Permissions: - com.mwr.example.sieve.READ_KEYS - com.mwr.example.sieve.WRITE_KEYS
dz> run app.activity.info -a com.mwr.example.sieve Package: com.mwr.example.sieve com.mwr.example.sieve.FileSelectActivity Permission: null com.mwr.example.sieve.MainLoginActivity Permission: null com.mwr.example.sieve.PWList Permission: null
( 2 )启动 activity
run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList help app.activity.start usage: run app.activity.start [-h] [--action ACTION] [--category CATEGORY] [--component PACKAGE COMPONENT] [--data-uri DATA_URI] [--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]] [--mimetype MIMETYPE]
5.Content Provider
( 1 )获取 Content Provider 信息
run app.provider.info -a com.mwr.example.sieve Package: com.mwr.example.sieve Authority: com.mwr.example.sieve.DBContentProvider Read Permission: null Write Permission: null Content Provider: com.mwr.example.sieve.DBContentProvider Multiprocess Allowed: True Grant Uri Permissions: False Path Permissions: Path: /Keys Type: PATTERN_LITERAL Read Permission: com.mwr.example.sieve.READ_KEYS Write Permission: com.mwr.example.sieve.WRITE_KEYS Authority: com.mwr.example.sieve.FileBackupProvider Read Permission: null Write Permission: null Content Provider: com.mwr.example.sieve.FileBackupProvider Multiprocess Allowed: True Grant Uri Permissions: False
(2)Content Providers (数据泄露)
先获取所有可以访问的 Uri :
run scanner.provider.finduris -a com.mwr.example.sieve Scanning com.mwr.example.sieve... Unable to Query content://com.mwr.example.sieve.DBContentProvider/ Unable to Query content://com.mwr.example.sieve.FileBackupProvider/ Unable to Query content://com.mwr.example.sieve.DBContentProvider Able to Query content://com.mwr.example.sieve.DBContentProvider/Passwords/ Able to Query content://com.mwr.example.sieve.DBContentProvider/Keys/ Unable to Query content://com.mwr.example.sieve.FileBackupProvider Able to Query content://com.mwr.example.sieve.DBContentProvider/Passwords Unable to Query content://com.mwr.example.sieve.DBContentProvider/Keys