Drozer is a tool for security testing of Android apps. User guide
Drozer official site
Drozer(Python.egg)
After extracting the archive, read the installation document INSTALLING and install the required dependencies; this needs root privileges:
sudo easy_install --allow-hosts pypi.python.org protobuf==2.4.1
sudo easy_install twisted==10.2.0
sudo easy_install ./drozer-2.3.0-py2.7.egg
agent.apk
Embedded Server
Run the following commands on the PC:
[xuxu:~]$ adb forward tcp:31415 tcp:31415
[xuxu:~]$ drozer console connect
Selecting 93cbb9e4b6133180 (Genymotion Google Nexus 5 - 4.4.4 - API 19 - 1080x1920 4.4.4)
.. ..:.
..o.. .r..
..a.. . ....... . ..nd
ro..idsnemesisand..pr
.otectorandroidsneme.
.,sisandprotectorandroids+.
..nemesisandprotectorandroidsn:.
.emesisandprotectorandroidsnemes..
..isandp,..,rotectorandro,..,idsnem.
.isisandp..rotectorandroid..snemisis.
,andprotectorandroidsnemisisandprotec.
.torandroidsnemesisandprotectorandroid.
.snemisisandprotectorandroidsnemesisan:
.dprotectorandroidsnemesisandprotector.
drozer Console (v2.3.4)
dz> list
app.activity.forintent Find activities that can handle the given intent
app.activity.info Gets information about exported activities.
app.activity.start Start an Activity
app.broadcast.info Get information about broadcast receivers
app.broadcast.send Send broadcast using an intent
app.broadcast.sniff Register a broadcast receiver that can sniff particular intents
app.package.attacksurface Get attack surface of package
app.package.backup Lists packages that use the backup API (returns true on FLAG_ALLOW_BACKUP)
app.package.debuggable Find debuggable packages
app.package.info Get information about installed packages
app.package.launchintent Get launch intent of package
app.package.list List Packages
app.package.manifest Get AndroidManifest.xml of package
app.package.native Find Native libraries embedded in the application.
app.package.shareduid Look for packages with shared UIDs
app.provider.columns List columns in content provider
app.provider.delete Delete from a content provider
app.provider.download Download a file from a content provider that supports files
app.provider.finduri Find referenced content URIs in a package
app.provider.info Get information about exported content providers
app.provider.insert Insert into a Content Provider
app.provider.query Query a content provider
app.provider.read Read from a content provider that supports files
app.provider.update Update a record in a content provider
app.service.info Get information about exported services
app.service.send Send a Message to a service, and display the reply
app.service.start Start Service
app.service.stop Stop Service
auxiliary.webcontentresolver Start a web service interface to content providers.
exploit.jdwp.check Open @jdwp-control and see which apps connect
exploit.pilfer.general.apnprovider Reads APN content provider
exploit.pilfer.general.settingsprovider Reads Settings content provider
information.datetime Print Date/Time
information.deviceinfo Get verbose device information
information.permissions Get a list of all permissions used by packages on the device
scanner.activity.browsable Get all BROWSABLE activities that can be invoked from the web browser
scanner.misc.native Find native components included in packages
scanner.misc.readablefiles Find world-readable files in the given folder
scanner.misc.secretcodes Search for secret codes that can be used from the dialer
scanner.misc.sflagbinaries Find suid/sgid binaries in the given folder (default is /system).
scanner.misc.writablefiles Find world-writable files in the given folder
scanner.provider.finduris Search for content providers that can be queried from our context.
scanner.provider.injection Test content providers for SQL injection vulnerabilities.
scanner.provider.sqltables Find tables accessible through SQL injection vulnerabilities.
scanner.provider.traversal Test content providers for basic directory traversal vulnerabilities.
shell.exec Execute a single Linux command.
shell.send Send an ASH shell to a remote listener.
shell.start Enter into an interactive Linux shell.
tools.file.download Download a File
tools.file.md5sum Get md5 Checksum of file
tools.file.size Get size of file
tools.file.upload Upload a File
tools.setup.busybox Install Busybox.
tools.setup.minimalsu Prepare 'minimal-su' binary installation on the device.
Help output for each module, kept here for reference
dz> help app.activity.forintent
usage: run app.activity.forintent [-h] [--action ACTION] [--category CATEGORY [CATEGORY ...]]
[--component PACKAGE COMPONENT] [--data-uri DATA_URI]
[--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]]
[--mimetype MIMETYPE]
Find activities that can handle the formulated intent
Examples:
Find activities that can handle web addresses:
dz> run app.activity.forintent
--action android.intent.action.VIEW
--data http://www.google.com
Package name: com.android.browser
Target activity: com.android.browser.BrowserActivity
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
--action ACTION specify the action to include in the Intent
--category CATEGORY [CATEGORY ...]
specify the category to include in the Intent
--component PACKAGE COMPONENT
specify the component name to include in the Intent
--data-uri DATA_URI specify a Uri to attach as data in the Intent
--extra TYPE KEY VALUE
add an field to the Intent's extras bundle
--flags FLAGS [FLAGS ...]
specify one-or-more flags to include in the Intent
--mimetype MIMETYPE specify the MIME type to send in the Intent
dz> help app.activity.info
usage: run app.activity.info [-h] [-a PACKAGE] [-f FILTER] [-i] [-u] [-v]
Gets information about exported activities.
Examples:
List activities exported by the Browser:
dz> run app.activity.info --package com.android.browser
Package: com.android.browser
com.android.browser.BrowserActivity
com.android.browser.ShortcutActivity
com.android.browser.BrowserPreferencesPage
com.android.browser.BookmarkSearch
com.android.browser.AddBookmarkPage
com.android.browser.widget.BookmarkWidgetConfigure
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
-a PACKAGE, --package PACKAGE
specify the package to inspect
-f FILTER, --filter FILTER
specify a filter term for the activity name
-i, --show-intent-filters
specify whether to include intent filters
-u, --unexported include activities that are not exported
-v, --verbose be verbose
dz> help app.activity.start
usage: run app.activity.start [-h] [--action ACTION] [--category CATEGORY [CATEGORY ...]]
[--component PACKAGE COMPONENT] [--data-uri DATA_URI]
[--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]]
[--mimetype MIMETYPE]
Starts an Activity using the formulated intent.
Examples:
Start the Browser with an explicit intent:
dz> run app.activity.start
--component com.android.browser
com.android.browser.BrowserActivity
--flags ACTIVITY_NEW_TASK
If no flags are specified, drozer will add the ACTIVITY_NEW_TASK flag. To launch an activity with no flags:
dz> run app.activity.start
--component com.android.browser
com.android.browser.BrowserActivity
--flags 0x0
Starting the Browser with an implicit intent:
dz> run app.activity.start
--action android.intent.action.VIEW
--data-uri http://www.google.com
--flags ACTIVITY_NEW_TASK
For more information on how to formulate an Intent, type 'help intents'.
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
--action ACTION specify the action to include in the Intent
--category CATEGORY [CATEGORY ...]
specify the category to include in the Intent
--component PACKAGE COMPONENT
specify the component name to include in the Intent
--data-uri DATA_URI specify a Uri to attach as data in the Intent
--extra TYPE KEY VALUE
add an field to the Intent's extras bundle
--flags FLAGS [FLAGS ...]
specify one-or-more flags to include in the Intent
--mimetype MIMETYPE specify the MIME type to send in the Intent
dz> help app.broadcast.info
usage: run app.broadcast.info [-h] [-a PACKAGE] [-f FILTER] [-p PERMISSION] [-i] [-u] [-v]
Get information about exported broadcast receivers.
Examples:
Get receivers exported by the platform:
dz> run app.broadcast.info -a android
Package: android
com.android.server.BootReceiver
Permission: null
com.android.server.updates.CertPinInstallReceiver
Permission: null
com.android.server.updates.IntentFirewallInstallReceiver
Permission: null
com.android.server.updates.SmsShortCodesInstallReceiver
Permission: null
com.android.server.updates.CarrierProvisioningUrlsInstallReceiver
Permission: null
com.android.server.updates.TZInfoInstallReceiver
Permission: null
com.android.server.updates.SELinuxPolicyInstallReceiver
Permission: null
com.android.server.MasterClearReceiver
Permission: android.permission.MASTER_CLEAR
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs), Luander (luander.r@samsung.com)
License: BSD (3 clause)
optional arguments:
-h, --help
-a PACKAGE, --package PACKAGE
specify the package to inspect
-f FILTER, --filter FILTER
specify filter conditions
-p PERMISSION, --permission PERMISSION
specify permission conditions
-i, --show-intent-filters
specify whether to include intent filters
-u, --unexported include receivers that are not exported
-v, --verbose be verbose
dz> help app.broadcast.send
usage: run app.broadcast.send [-h] [--action ACTION] [--category CATEGORY [CATEGORY ...]]
[--component PACKAGE COMPONENT] [--data-uri DATA_URI]
[--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]]
[--mimetype MIMETYPE]
Sends an intent to broadcast receivers.
Examples:
Attempt to send the BOOT_COMPLETED broadcast message:
dz> run app.broadcast.send
--action android.intent.action.BOOT_COMPLETED
java.lang.SecurityException: Permission Denial: not allowed to send broadcast android.intent.action.BOOT_COMPLETED from pid=955,
uid=10044
For more information on how to formulate an Intent, type 'help intents'.
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
--action ACTION specify the action to include in the Intent
--category CATEGORY [CATEGORY ...]
specify the category to include in the Intent
--component PACKAGE COMPONENT
specify the component name to include in the Intent
--data-uri DATA_URI specify a Uri to attach as data in the Intent
--extra TYPE KEY VALUE
add an field to the Intent's extras bundle
--flags FLAGS [FLAGS ...]
specify one-or-more flags to include in the Intent
--mimetype MIMETYPE specify the MIME type to send in the Intent
dz> help app.broadcast.sniff
usage: run app.broadcast.sniff [-h] [--action ACTION] [--category CATEGORY [CATEGORY ...]]
[--data-authority HOST PORT] [--data-path PATH TYPE]
[--data-scheme DATA_SCHEME [DATA_SCHEME ...]]
[--data-type DATA_TYPE [DATA_TYPE ...]]
Register a broadcast receiver that can sniff particular intents
Examples:
dz> run app.broadcast.sniff --action android.intent.action.BATTERY_CHANGED
[*] Broadcast receiver registered to sniff matching intents
[*] Output is updated once a second. Press Control+C to exit.
Action: android.intent.action.BATTERY_CHANGED
Raw: Intent { act=android.intent.action.BATTERY_CHANGED flg=x60000010 (has extras) }
Extra: technology=Li-ion (java.lang.String)
Extra: icon-small=17303411 (java.lang.Integer)
Extra: health=2 (java.lang.Integer)
Extra: online=4 (java.lang.Integer)
Extra: status=2 (java.lang.Integer)
Extra: plugged=2 (java.lang.Integer)
Extra: present=true (java.lang.Boolean)
Extra: level=80 (java.lang.Integer)
Extra: scale=100 (java.lang.Integer)
Extra: temperature=280 (java.lang.Integer)
Extra: current_avg=460 (java.lang.Integer)
Extra: voltage=4151 (java.lang.Integer)
Extra: charge_type=1 (java.lang.Integer)
Extra: invalid_charger=0 (java.lang.Integer)
Last Modified: 2014-06-27
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
--action ACTION specify the action to include in the Intent Filter
--category CATEGORY [CATEGORY ...]
specify the category to include in the Intent Filter
--data-authority HOST PORT
specify the data authority to match against in the Intent Filter
--data-path PATH TYPE
specify the data path to match against in the Intent Filter
--data-scheme DATA_SCHEME [DATA_SCHEME ...]
specify the data scheme to match against in the Intent Filter
--data-type DATA_TYPE [DATA_TYPE ...]
specify the data type to match against in the Intent Filter
dz> help app.package.attacksurface
usage: run app.package.attacksurface [-h] package
Examine the attack surface of an installed package.
Examples:
Finding the attack surface of the built-in browser
dz> run app.package.attacksurface com.android.browser
6 activities exported
4 broadcast receivers exported
1 content providers exported
0 services exported
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
package the identifier of the package to inspect
optional arguments:
-h, --help
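The four counts printed by app.package.attacksurface can be cross-checked offline from a decoded AndroidManifest.xml, and the same pass can list exported components that report "Permission: null". The Python below is an added example, not drozer's code: it assumes an apktool-style text manifest with the android: namespace, applies Android's default-export rules as they stood before Android 12, and uses a constructed package (com.example.notes) and hypothetical function names.

```python
import xml.etree.ElementTree as ET  # for untrusted manifests prefer defusedxml

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Manifest tag -> label used in the attacksurface summary.
# Counting activity-alias as an activity is a choice made for this example.
KINDS = {
    "activity": "activities",
    "activity-alias": "activities",
    "receiver": "broadcast receivers",
    "provider": "content providers",
    "service": "services",
}

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="19"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".EditActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.notes.SYNC"/>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.notes.provider"
              android:exported="true"/>
    <provider android:name=".CacheProvider"
              android:authorities="com.example.notes.cache"/>
  </application>
</manifest>
"""


def target_sdk(root):
    """targetSdkVersion, falling back to minSdkVersion, then to 1."""
    uses = root.find("uses-sdk")
    if uses is None:
        return 1
    min_sdk = uses.get(A + "minSdkVersion", "1")
    return int(uses.get(A + "targetSdkVersion", min_sdk))


def is_exported(elem, sdk):
    """Apply android:exported, or the platform default when it is absent."""
    explicit = elem.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return sdk <= 16  # providers were exported by default up to API 16
    # Activities, receivers and services default to exported only when they
    # declare an intent filter (Android 12+ requires the attribute instead).
    return elem.find("intent-filter") is not None


def missing_permissions(elem, app_perm):
    """Return which guards are absent, e.g. ['permission'] or ['read', 'write']."""
    base = elem.get(A + "permission") or app_perm  # <application> value is inherited
    if elem.tag != "provider":
        return [] if base else ["permission"]
    read = elem.get(A + "readPermission") or base
    write = elem.get(A + "writePermission") or base
    return [name for name, value in (("read", read), ("write", write)) if not value]


def full_name(package, name):
    """Expand '.Foo' or 'Foo' to the fully qualified class name."""
    if name.startswith("."):
        return package + name
    return name if "." in name else package + "." + name


def audit_manifest(xml_text):
    """Count exported components and list those with no permission guard."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    sdk = target_sdk(root)
    counts = dict.fromkeys(
        ("activities", "broadcast receivers", "content providers", "services"), 0)
    unprotected = []
    app = root.find("application")
    if app is None:
        return {"counts": counts, "unprotected": unprotected}
    app_perm = app.get(A + "permission")
    for elem in app:
        label = KINDS.get(elem.tag)
        if label is None or not is_exported(elem, sdk):
            continue
        counts[label] += 1
        missing = missing_permissions(elem, app_perm)
        if missing:
            unprotected.append((full_name(package, elem.get(A + "name", "")), missing))
    return {"counts": counts, "unprotected": unprotected}


if __name__ == "__main__":
    result = audit_manifest(SAMPLE_MANIFEST)
    for label, n in result["counts"].items():
        print(f"{n} {label} exported")
    for name, missing in result["unprotected"]:
        print(f"  no {'/'.join(missing)} guard: {name}")
```

Each entry in the unprotected list is a component to either mark android:exported="false" or protect with a signature-level permission.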
dz> help app.package.backup
usage: run app.package.backup [-h] [-f FILTER] [-k]
Lists packages that use the backup API (retruns true on FLAG_ALLOW_BACKUP)
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
-f FILTER, --filter FILTER
filter term (By Package Name)
-k, --api-keys Only print packages that contain api keys
dz> help app.package.debuggable
usage: run app.package.debuggable [-h] [-f FILTER] [-v]
Lists packages which are debuggable.
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
-f FILTER, --filter FILTER
filter term
-v, --verbose be verbose
dz> help app.package.info
usage: run app.package.info [-h] [-a PACKAGE] [-d DEFINES_PERMISSION] [-f FILTER] [-g GID]
[-p PERMISSION] [-u UID] [-i]
List all installed packages on the device with optional filters. Specify optional keywords to search for in the package information, or
granted permissions.
Examples:
Finding all packages with the keyword "browser" in their name:
dz> run app.package.info -f browser
Package: com.android.browser
Process name: com.android.browser
Version: 4.1.1
Data Directory: /data/data/com.android.browser
APK path: /system/app/Browser.apk
UID: 10014
GID: [3003, 1015, 1028]
Shared libraries: null
Permissions:
- android.permission.ACCESS_COARSE_LOCATION
- android.permission.ACCESS_DOWNLOAD_MANAGER
- android.permission.ACCESS_FINE_LOCATION
...
Finding all packages with the "INSTALL_PACKAGES" permission:
dz> run app.package.info -p INSTALL_PACKAGES
Package: com.android.packageinstaller
Process Name: com.android.packageinstaller
Version: 4.1.1-403059
Data Directory: /data/data/com.android.packageinstaller
APK Path: /system/app/PackageInstaller.apk
UID: 10003
GID: [1028]
Shared Libraries: null
Shared User ID: null
Permissions:
- android.permission.INSTALL_PACKAGES
- android.permission.DELETE_PACKAGES
- android.permission.CLEAR_APP_CACHE
- android.permission.READ_PHONE_STATE
- android.permission.CLEAR_APP_USER_DATA
- android.permission.READ_EXTERNAL_STORAGE
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
-a PACKAGE, --package PACKAGE
the identifier of the package to inspect
-d DEFINES_PERMISSION, --defines-permission DEFINES_PERMISSION
filter by the permissions a package defines
-f FILTER, --filter FILTER
keyword filter conditions
-g GID, --gid GID filter packages by GID
-p PERMISSION, --permission PERMISSION
permission filter conditions
-u UID, --uid UID filter packages by UID
-i, --show-intent-filters
show intent filters
dz> help app.package.launchintent
usage: run app.package.launchintent [-h] [-r] package
Get the launch intent of an installed package.
Examples:
Finding the launch intent of the Android browser package:
dz> run app.package.launchintent com.android.browser
Intent:
Action: android.intent.action.MAIN
Component: {com.android.browser/com.android.browser.BrowserActivity}
Data: null
Categories:
android.intent.category.LAUNCHER
Flags: [ACTIVITY_NEW_TASK]
Mime Type: null
Extras: null
Last Modified: 2013-03-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
package the identifier of the package to inspect
optional arguments:
-h, --help
-r, --raw display the raw output of the intent (as if you were calling intent.toString())
dz> help app.package.manifest
usage: run app.package.manifest [-h] package
Retrieves AndroidManifest.xml from an installed package.
Examples:
Getting the manifest for drozer
dz> run app.package.manifest com.mwr.dz
<manifest versionCode="2" versionName="1.1" package="com.mwr.dz">
<uses-sdk minSdkVersion="8" targetSdkVersion="4">
</uses-sdk>
<uses-permission name="android.permission.INTERNET">
</uses-permission>
...
</manifest>
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
package the identifier of the package
optional arguments:
-h, --help
dz> help app.package.list
usage: run app.package.list [-h] [-d DEFINES_PERMISSION] [-f FILTER] [-g GID]
[-p PERMISSION] [-u UID] [-n]
List all installed packages on the device. Specify optional keywords to search for in the package name.
Examples:
Finding all packages with the keyword "browser" in their name:
dz> run app.package.list -f browser
com.android.browser
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
-d DEFINES_PERMISSION, --defines-permission DEFINES_PERMISSION
filter by the permissions a package defines
-f FILTER, --filter FILTER
keyword filter conditions
-g GID, --gid GID filter packages by GID
-p PERMISSION, --permission PERMISSION
permission filter conditions
-u UID, --uid UID filter packages by UID
-n, --no_app_name do not print the app name
dz> help app.package.native
usage: run app.package.native [-h] package
Find Native libraries embedded in the application.
Last Modified: 2013-03-23
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
package the identifier of the package
optional arguments:
-h, --help
dz> help app.package.shareduid
usage: run app.package.shareduid [-h] [-u UID]
Finds packages that have shared UIDs and gives their accumulated permissions.
Examples:
Finding packages that share the UID 10011
dz> run app.package.shareduid -u 10011
UID: 10011 (com.motorola.blur.uid.provider_authenticator:10011)
Package Name: com.motorola.blur.provider.photobucket
Package Name: com.motorola.blur.provider.picasa
Package Name: com.motorola.blur.provider.yahoo
Package Name: com.motorola.blur.provider.twitter
Package Name: com.motorola.blur.provider.fixedemail
Package Name: com.motorola.blur.provider.motorola.app
Package Name: com.motorola.blur.provider.orkut
Package Name: com.motorola.blur.provider.email
Package Name: com.motorola.blur.provider.facebook
Package Name: com.motorola.blur.provider.lastfm
Package Name: com.motorola.blur.provider.linkedin
Package Name: com.motorola.blur.provider.youtube
Package Name: com.motorola.blur.provider.skyrock
Package Name: com.motorola.blur.provider.activesync
Package Name: com.motorola.blur.provider.flickr
Accumulated permissions: com.motorola.blur.setupprovider.Permissions.ACCESS_ACCOUNTS; ...
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
-u UID, --uid UID specify uid
dz> help app.provider.columns
usage: run app.provider.columns [-h] uri
List the columns in the specified content provider URI.
Examples:
List the columns of content://settings/secure
dz> run app.provider.columns content://settings/secure
| _id | name | value |
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
uri the content provider uri to query
optional arguments:
-h, --help
dz> help app.provider.delete
usage: run app.provider.delete [-h] [--selection conditions] [--selection-args [arg [arg ...]]]
uri
Delete from the specified content provider URI.
Examples:
Delete from content://settings/secure, with name condition:
dz> run app.provider.delete content://settings/secure
--selection "name=?"
--selection-args my_setting
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
uri the content provider uri to query
optional arguments:
-h, --help
--selection conditions
the conditions to apply to the query, as in "WHERE <conditions>"
--selection-args [arg [arg ...]]
any parameters to replace '?' in --selection
dz> help app.provider.download
usage: run app.provider.download [-h] uri destination
Read from the specified content uri using openInputStream, and download to the local file system
Examples:
Download, using directory traversal on a content provider:
dz> run app.provider.download content://vulnerable.provider/../../../system/etc/hosts /tmp/hostsfile
Written 25 bytes
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
uri the content provider URI to read a file through
destination path to save the downloaded file to
optional arguments:
-h, --help
dz> help app.provider.finduri
usage: run app.provider.finduri [-h] package
Finds Content URIs within a package.
This module uses a number of strategies to identify a content URI, including inspecting the authorities, path permissions and searching for
strings inside the package.
Examples:
Find content provider URIs in the Browser:
dz> run app.provider.finduri com.android.browser
Scanning com.android.browser...
content://com.android.browser.home/res/raw/
content://browser/search_suggest_query
content://browser/
content://com.android.browser.snapshots/
content://com.android.browser/bookmarks/search_suggest_query
content://com.android.browser/
content://com.google.settings/partner
content://com.android.browser.snapshots
content://com.google.android.partnersetup.rlzappprovider/
content://com.android.browser.home/
content://browser/bookmarks/search_suggest_query
Last Modified: 2012-13-18
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
package the package to search for content provider uris
optional arguments:
-h, --help
dz> help app.provider.info
usage: run app.provider.info [-h] [-a PACKAGE] [-f FILTER] [-p PERMISSION] [-u] [-v]
List information about exported content providers, with optional filters.
Examples:
Find content provider with the keyword "settings" in them:
dz> run app.provider.info -f settings
Package name: com.google.android.gsf
Authority: com.google.settings
Required Permission - Read: null
Required Permission - Write: com.google.android.providers.settings.permission.WRITE_GSETTINGS
Grant Uri Permissions: false
Multiprocess allowed: false
Package name: com.android.providers.settings
Authority: settings
Required Permission - Read: null
Required Permission - Write: android.permission.WRITE_SETTINGS
Grant Uri Permissions: false
Multiprocess allowed: false
Finding content providers that do not require permissions to read/write:
dz> run app.provider.info -p null
Package name: com.google.android.gsf
Authority: com.google.settings
Required Permission - Read: null
Required Permission - Write: com.google.android.providers.settings.permission.WRITE_GSETTINGS
Grant Uri Permissions: false
Multiprocess allowed: false
...
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
-a PACKAGE, --package PACKAGE
specify the package to inspect
-f FILTER, --filter FILTER
specify filter conditions
-p PERMISSION, --permission PERMISSION
specify permission conditions
-u, --unexported include providers that are not exported
-v, --verbose be verbose
dz> help app.provider.insert
usage: run app.provider.insert [-h] [--boolean column data] [--double column data]
[--float column data] [--integer column data]
[--long column data] [--short column data]
[--string column data]
uri
Insert into a content provider.
Examples:
Insert into a vulnerable content provider:
dz> run app.provider.insert content://com.vulnerable.im/messages
--string date 1331763850325
--string type 0
--integer _id 7
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
uri the content provider uri to insert into
optional arguments:
-h, --help
--boolean column data
--double column data
--float column data
--integer column data
--long column data
--short column data
--string column data
dz> help app.provider.read
usage: run app.provider.read [-h] uri
Read from the specified content uri using openInputStream
Examples:
Attempt directory traversal on a content provider:
dz> run app.provider.read content://settings/secure/../../../system/etc/hosts
java.io.FileNotFoundException: No files supported by provider at content://settings/secure/../../../system/etc/hosts
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
uri the content provider URI to read a file through
optional arguments:
-h, --help
dz> help app.provider.update
usage: run app.provider.update [-h] [--selection conditions] [--selection-args [arg [arg ...]]]
[--boolean column data] [--double column data]
[--float column data] [--integer column data]
[--long column data] [--short column data]
[--string column data]
uri
Update the specified content provider URI
Examples:
Updating, the assisted_gps_enabled setting:
dz> run app.provider.update content://settings/secure
--selection "name=?"
--selection-args assisted_gps_enabled
--integer value 0
Done.
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
uri the content provider uri to update in
optional arguments:
-h, --help
--selection conditions
the conditions to apply to the query, as in "WHERE <conditions>"
--selection-args [arg [arg ...]]
any parameters to replace '?' in --selection
--boolean column data
--double column data
--float column data
--integer column data
--long column data
--short column data
--string column data
dz> help app.service.info
usage: run app.service.info [-h] [-a PACKAGE] [-f <filter>] [-i] [-p <filter>] [-u] [-v]
Gets information about exported services.
Examples:
List services exported by the Browser:
dz> run app.service.info --package com.android.browser
Package: com.android.browser
No exported services.
List exported services with no permissions required to interact with it:
dz> run app.service.info -p null
Package: com.android.email
com.android.email.service.EmailBroadcastProcessorService
Permission: null
com.android.email.Controller$ControllerService
Permission: null
com.android.email.service.PopImapAuthenticatorService
Permission: null
com.android.email.service.PopImapSyncAdapterService
Permission: null
com.android.email.service.EasAuthenticatorService
Permission: null
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
-a PACKAGE, --package PACKAGE
specify the package to inspect
-f <filter>, --filter <filter>
-i, --show-intent-filters
specify whether to include intent filters
-p <filter>, --permission <filter>
-u, --unexported include receivers that are not exported
-v
dz> help app.service.send
usage: run app.service.send [-h] [--msg what arg1 arg2] [--extra type key value]
[--no-response] [--timeout TIMEOUT] [--bundle-as-obj]
package component
Binds to an exported service, and sends a Message to it. If the service sends a reply, display the message received and any data it
contains.
NB: by default, this module will wait 20 seconds for a reply.
Examples:
Deliver a Message to a dummy application, that simply returns the message:
dz> run app.service.send com.example.srv com.example.srv.Service --msg 1 2 3 --extra float value 0.1324 --extra string test value
Got a reply from com.example.srv/com.example.srv.Service:
what: 1
arg1: 2
arg2: 3
Data:
value (float) : 0.1324
test (string) : value
Last Modified: 2013-05-20
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
package the package containing the target service
component the fully-qualified service name to bind to
optional arguments:
-h, --help
--msg what arg1 arg2 specify the what, arg1 and arg2 values to use when obtaining the message
--extra type key value
add an extra to the message's data bundle
--no-response do not wait for a response from the service
--timeout TIMEOUT specify a timeout in milliseconds (default is 20000)
--bundle-as-obj this is useful when the 'obj' parameter on the target is being cast back to a Bundle instead of using Message.getData()
dz> help app.service.start
usage: run app.service.start [-h] [--action ACTION] [--category CATEGORY [CATEGORY ...]]
[--component PACKAGE COMPONENT] [--data-uri DATA_URI]
[--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]]
[--mimetype MIMETYPE]
Formulate an Intent to start a service, and deliver it to another application.
For more information on how to formulate an Intent, type 'help intents'.
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
--action ACTION specify the action to include in the Intent
--category CATEGORY [CATEGORY ...]
specify the category to include in the Intent
--component PACKAGE COMPONENT
specify the component name to include in the Intent
--data-uri DATA_URI specify a Uri to attach as data in the Intent
--extra TYPE KEY VALUE
add an field to the Intent's extras bundle
--flags FLAGS [FLAGS ...]
specify one-or-more flags to include in the Intent
--mimetype MIMETYPE specify the MIME type to send in the Intent
dz> help app.service.stop
usage: run app.service.stop [-h] [--action ACTION] [--category CATEGORY [CATEGORY ...]]
[--component PACKAGE COMPONENT] [--data-uri DATA_URI]
[--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]]
[--mimetype MIMETYPE]
Formulate an Intent to stop a service, and deliver it to another application.
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
--action ACTION specify the action to include in the Intent
--category CATEGORY [CATEGORY ...]
specify the category to include in the Intent
--component PACKAGE COMPONENT
specify the component name to include in the Intent
--data-uri DATA_URI specify a Uri to attach as data in the Intent
--extra TYPE KEY VALUE
add an field to the Intent's extras bundle
--flags FLAGS [FLAGS ...]
specify one-or-more flags to include in the Intent
--mimetype MIMETYPE specify the MIME type to send in the Intent
dz> help auxiliary.webcontentresolver
usage: run auxiliary.webcontentresolver [-h] [-p PORT]
Start a Web Service interface to Content Providers. This allows you to use web application testing capabilities and tools to test content
providers.
Examples:
dz> run auxiliary.webcontentresolver --port 8080
WebContentResolver started on port 8080.
Ctrl+C to Stop
Last Modified: 2012-11-06
Credit: Nils (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
-p PORT, --port PORT the port to start the WebContentResolver on
dz> help exploit.jdwp.check
usage: run exploit.jdwp.check [-h]
Open @jdwp-control and see which applications connect. This is an issue because then drozer can act as a debugger for the connected
application. This could be used to invoke arbitrary code within the context of the debuggable application. See
https://labs.mwrinfosecurity.com/blog/2011/07/07/debuggable-apps-in-android-market/ for more details.
Examples:
dz> run exploit.jdwp.check
[+] Opened @jdwp-control
[*] Accepting connections
[+] com.mwr.dz connected!
[+] Received PID = 4931
[+] This device is vulnerable!
[+] com.mwr.dz connected!
[+] Received PID = 4940
[+] This device is vulnerable!
Last Modified: 2014-07-29
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
dz> help exploit.pilfer.general.apnprovider
usage: run exploit.pilfer.general.apnprovider [-h]
Exploit a leaky content provider to read APN configuration information.
The target provider is content://telephony/carriers/preferapn
Examples:
dz> run exploit.pilfer.general.apnprovider
_id 1
name T-Mobile US
numeric 310260
mcc 310
mnc 260
apn epc.tmobile.com
... ...
Last Modified: 2012-11-06
Credit: Rob (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
dz> help exploit.pilfer.general.settingsprovider
usage: run exploit.pilfer.general.settingsprovider [-h]
Reads Settings Information
Last Modified: 2012-11-06
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
dz> run information.datetime
The time is 20160423T182546.
dz> run information.deviceinfo
-----------------------------------------
/proc/version
-----------------------------------------
Linux version 3.4.0-g0c665cd-00561-g8238df2 (builder@qh-miui-ota-bd57) (gcc version 4.9.x-google 20140827 (prerelease) (GCC) ) #1 SMP PREEMPT Thu Apr 14 03:02:40 CST 2016
-----------------------------------------
/system/build.prop
-----------------------------------------
# begin build properties
# autogenerated by buildinfo.sh
ro.build.id=MMB29M
ro.build.display.id=MMB29M
ro.build.version.incremental=6.4.14
ro.build.version.sdk=23
ro.build.version.preview_sdk=0
ro.build.version.codename=REL
ro.build.version.all_codenames=REL
ro.build.version.release=6.0.1
...
dz> help information.permissions
usage: run information.permissions [-h] [--permission PERMISSION]
[--protectionlevel PROTECTIONLEVEL]
Get a list of all permissions used by packages on the device as well as their descriptions and protection levels
Examples:
dz> run information.permissions --permission android.permission.INSTALL_PACKAGES
Allows the app to install new or updated Android packages. Malicious apps may use this to add new apps with arbitrarily powerful
permissions.
18 - signature|system
Last Modified: 2014-06-17
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
--permission PERMISSION
filter by specific permission
--protectionlevel PROTECTIONLEVEL
filter by protection level
dz> help scanner.activity.browsable
usage: run scanner.activity.browsable [-h] [-a PACKAGE] [-f FILTER]
Get all BROWSABLE activities that can be invoked from the web browser through the use of a custom data handler. This can indicate the
presence of an entry point into application code from a web browser.
Examples:
dz> run scanner.activity.browsable
Package: com.android.contacts
Invocable URIs:
tel://
Classes:
.activities.PeopleActivity
com.android.contacts.NonPhoneActivity
Package: com.android.calendar
Invocable URIs:
http://www.google.com/calendar/event (PATTERN_PREFIX)
Classes:
GoogleCalendarUriIntentFilter
Package: com.android.browser
Invocable URIs:
http://
Classes:
BrowserActivity
Package: com.android.music
Invocable URIs:
http://
content://
Classes:
AudioPreview
Package: com.android.mms
Invocable URIs:
sms://
mms://
Classes:
.ui.ComposeMessageActivity
Last Modified: 2014-10-31
Credit: Tyrone (@mwrlabs)
License: BSD (3-clause)
optional arguments:
-h, --help
-a PACKAGE, --package PACKAGE
specify a package to search
-f FILTER, --filter FILTER
filter term
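The listing that scanner.activity.browsable produces can also be derived offline from a decoded AndroidManifest.xml when reviewing your own app. The following is an added example, not drozer's code; the manifest, the package name com.example.shop and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
BROWSABLE = "android.intent.category.BROWSABLE"

# Constructed manifest for a hypothetical package; not taken from a real app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.shop">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="shop" android:host="pay"/>
        <data android:scheme="https" android:host="shop.example.com"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def browsable_entry_points(manifest_xml):
    """Return {activity class: [invocable URI prefixes]} for BROWSABLE filters."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = {}
    for tag in ("activity", "activity-alias"):
        for act in root.iter(tag):
            name = act.get(ANDROID + "name", "")
            if name.startswith("."):          # relative class name
                name = package + name
            for flt in act.findall("intent-filter"):
                cats = {c.get(ANDROID + "name") for c in flt.findall("category")}
                if BROWSABLE not in cats:
                    continue
                uris = found.setdefault(name, [])
                # Per-<data> listing; Android also merges attributes across
                # the <data> elements of one filter when matching.
                for d in flt.findall("data"):
                    uris.append("%s://%s" % (d.get(ANDROID + "scheme", ""),
                                             d.get(ANDROID + "host", "")))
    return found
```

Every activity it returns accepts data chosen by a web page, so its intent handling needs the same input validation as any other externally reachable entry point.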
dz> help scanner.misc.native
usage: run scanner.misc.native [-h] [-a PACKAGE] [-f FILTER] [-v]
Lists packages which use native code.
NOTE: This only checks for libraries that are bundled inside the package APK. System packages often do not contain the libraries they use
inside their APK and so this module will miss them.
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
-a PACKAGE, --package PACKAGE
specify a package to search
-f FILTER, --filter FILTER
filter term
-v, --verbose be verbose
dz> help scanner.misc.readablefiles
usage: run scanner.misc.readablefiles [-h] [-p] target
Find world-readable files in the given folder
Examples:
dz> run scanner.misc.readablefiles /data -p
Discovered world-readable files in /data:
/data/system/packages-stopped.xml
/data/system/packages.list
/data/system/packages.xml
/data/system/uiderrors.txt
...<snipped>...
Last Modified: 2013-04-18
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
target the target directory to search
optional arguments:
-h, --help
-p, --privileged request root to perform the task in a privileged context
dz> help scanner.misc.secretcodes
usage: run scanner.misc.secretcodes [-h] [-v]
Finds Secret Codes from all installed packages.
Last Modified: 2012-11-06
Credit: Mike (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
-v, --verbose be verbose
dz> help scanner.misc.sflagbinaries
usage: run scanner.misc.sflagbinaries [-h] [-t TARGET] [-p]
Find suid/sgid binaries in the given folder (default is /system). Uses the method from
http://hexesec.wordpress.com/2009/10/14/exploiting-suid-binaries/.
Examples:
dz> run scanner.misc.sflagbinaries
Discovered suid/sgid files in /system:
/system/xbin/procmem
/system/xbin/librank
/system/xbin/tcpdump
/system/xbin/procrank
/system/bin/su
/system/bin/run-as
/system/bin/ping
/system/bin/netcfg
Last Modified: 2013-04-18
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
-t TARGET, --target TARGET
the target directory to search
-p, --privileged request root to perform the task in a privileged context
dz> help scanner.misc.writablefiles
usage: run scanner.misc.writablefiles [-h] [-p] target
Find world-writable files in the given folder
Examples:
dz> run scanner.misc.writablefiles /data --privileged
Discovered world-writable files in /data:
/data/anr/slow00.txt
/data/anr/slow01.txt
...<snipped>...
Last Modified: 2013-04-18
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
target the target directory to search
optional arguments:
-h, --help
-p, --privileged request root to perform the task in a privileged context
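The three scanners above (readablefiles, writablefiles, sflagbinaries) all come down to testing mode bits on each file. The following is an added example, not drozer's implementation, that applies the same checks to a directory you control, such as a pulled copy of an app's data directory; the function names and the sample file names are constructed.

```python
import os
import stat


def audit_permissions(target):
    """Walk target and group regular files by the mode bits the scanners report."""
    findings = {"world_readable": [], "world_writable": [], "suid_sgid": []}
    for dirpath, _dirs, files in os.walk(target):
        for fname in sorted(files):
            path = os.path.join(dirpath, fname)
            try:
                st = os.lstat(path)      # lstat: never follow symlinks out of the tree
            except OSError:
                continue                 # entry vanished or is not accessible
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, target)
            if st.st_mode & stat.S_IROTH:
                findings["world_readable"].append(rel)
            if st.st_mode & stat.S_IWOTH:
                findings["world_writable"].append(rel)
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings["suid_sgid"].append(rel)
    return findings


def make_sample_tree(root):
    """Constructed sample: one file per finding class plus one private file."""
    modes = {"prefs.xml": 0o644, "cache.tmp": 0o666,
             "helper": 0o4755, "private.db": 0o600}
    for name, mode in modes.items():
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)             # chmod is not affected by the umask


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        for kind, paths in audit_permissions(tmp).items():
            print(kind, paths)
```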
dz> help scanner.provider.finduris
usage: run scanner.provider.finduris [-h] [-a PACKAGE]
Search for content providers that can be queried from our context.
Examples:
run scanner.provider.finduris
Last Modified: 2012-11-06
Credit: Luander (luander.r@samsung.com)
License: BSD (3 clause)
optional arguments:
-h, --help
-a PACKAGE, --package PACKAGE
specify a package to search
dz> help scanner.provider.injection
usage: run scanner.provider.injection [-h] [-a <package or uri>]
Search for content providers with SQL Injection vulnerabilities.
Last Modified: 2012-11-06
Credit: Rob (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
-a <package or uri>, --package <package or uri>, --uri <package or uri>
specify a package, or content uri to search
dz> help scanner.provider.sqltables
usage: run scanner.provider.sqltables [-h] [-a <package or uri>]
Enumerate SQL tables accessible through SQL (projection) Injection vulnerabilities.
Last Modified: 2013-01-23
Credit: Rijnard
License: BSD (3 clause)
optional arguments:
-h, --help
-a <package or uri>, --package <package or uri>, --uri <package or uri>
specify a package, or content uri to search
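What scanner.provider.injection and scanner.provider.sqltables look for is a provider that pastes the caller's projection into the SQL text. The following is an added example, not drozer or Android code: it models such a provider with Python's sqlite3 next to a hardened form, and the table names, functions and the projection string are constructed.

```python
import sqlite3

ALLOWED_COLUMNS = {"_id", "title", "body"}


def make_db():
    """Constructed database standing in for a provider's backing store."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE notes(_id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE credentials(_id INTEGER PRIMARY KEY, token TEXT);
        INSERT INTO notes(title, body) VALUES ('todo', 'buy milk');
        INSERT INTO credentials(token) VALUES ('constructed-secret');
    """)
    return db


def query_vulnerable(db, projection):
    # Caller-supplied column names are concatenated into the statement, so a
    # "column" can carry its own FROM clause and comment out the intended one.
    sql = "SELECT %s FROM notes" % ", ".join(projection)
    return db.execute(sql).fetchall()


def query_hardened(db, projection):
    # Column names cannot be bound as parameters, so they are checked against
    # an allow-list before the statement is built.
    unknown = [c for c in projection if c not in ALLOWED_COLUMNS]
    if unknown:
        raise ValueError("unknown column(s): %r" % unknown)
    sql = "SELECT %s FROM notes" % ", ".join(projection)
    return db.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed projection of the kind the sqltables module relies on.
    crafted = ["name FROM sqlite_master WHERE type='table' --"]
    print(query_vulnerable(db, crafted))   # table names leak
    try:
        query_hardened(db, crafted)
    except ValueError as exc:
        print("rejected:", exc)
```

In an Android provider the corresponding control is a projection map with strict mode on SQLiteQueryBuilder (setProjectionMap and setStrict), together with bound selectionArgs for values.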
dz> help scanner.provider.traversal
usage: run scanner.provider.traversal [-h] [-a <package or uri>]
Finds content providers with basic directory traversal vulnerabilities.
Last Modified: 2012-11-06
Credit: Nils (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
-a <package or uri>, --package <package or uri>, --uri <package or uri>
specify a package, or content uri to search