目录
前言
最近在研究drozer的使用,发现网上的资料也挺少的,就自己过了一遍所有模块,可以当使用手册来看。
APP模块
| 模块名 | 作用 |
|---|---|
| app.activity.forintent | 通过intent查找它的activity |
| app.activity.info | 获取activities信息 |
| app.activity.start | 开启 Activity |
| app.broadcast.info | 获取broadcast receivers信息 |
| app.broadcast.send | 发送广播 |
| app.broadcast.sniff | 嗅探广播中intent的数据 |
| app.package.attacksurface | 确定安装包的可攻击面 |
| app.package.backup | 列出可备份的包 |
| app.package.debuggable | 列出可debug的包 |
| app.package.info | 获取已安装包的信息 |
| app.package.launchintent | 获取程序启动的activity信息 |
| app.package.list | 手机已安装的程序包 |
| app.package.manifest | 获取程序manifest文件信息 |
| app.package.native | 列出Native libraries 信息 |
| app.package.shareduid | 查找拥有共同uid的包和他们所有的权限 |
| app.provider.columns | 展示content provider URI的各列 |
| app.provider.delete | 删除content provider URI的内容 |
| app.provider.download | 使用openInputStream读取指定uri的内容,并下载在电脑中 |
| app.provider.info | 获取 content providers信息 |
| app.provider.insert | 插入数据到content provider |
| app.provider.query | 查询content provider 内容 |
| app.provider.read | 使用openInputStream读取指定uri的内容 |
| app.provider.update | 更新content provider的内容 |
| app.service.info | 获取services的信息 |
| app.service.send | 使用 Message攻击暴露的service,其service实现了handleMessage |
| app.service.start | 开启服务 |
| app.service.stop | 停止服务 |
app.package.list
usage: run app.package.list [-h] [-d DEFINES_PERMISSION] [-f FILTER] [-g GID][-p PERMISSION] [-u UID] [-n]
列出所有手机安装的包
Examples:
查找带有browser的包:
dz> run app.package.list -f browser
com.android.browser
最后修改日期: 2012-11-06
作者: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
| 参数名 | 作用 |
|---|---|
| -d DEFINES_PERMISSION, –defines-permission | 通过自定义permission 查询 , |
| -f FILTER, –filter FILTER | 通过关键词查询 |
| -g GID, –gid GID | 通过GID查询 |
| -p PERMISSION, –permission PERMISSION | uses-permission过滤查询, |
| -u UID, –uid UID | 通过UID查询 |
| -n, –no_app_name | 不输出应用名 |
app.activity.start
usage: run app.activity.start [-h] [–action ACTION] [–category CATEGORY [CATEGORY …]] [–component PACKAGE COMPONENT] [–data-uri DATA_URI][–extra TYPE KEY VALUE] [–flags FLAGS [FLAGS …]] [–mimetype MIMETYPE]
通过特制的Intent启动activity。
Examples:
显式 intent开启浏览器:
dz> run app.activity.start
--component com.android.browser
com.android.browser.BrowserActivity
--flags ACTIVITY_NEW_TASK
如果不设置flags,默认值为ACTIVITY_NEW_TASK . 取消默认值的方法如下:
dz> run app.activity.start
--component com.android.browser com.android.browser.BrowserActivity
--flags 0x0
隐式 intent开启浏览器 :
dz> run app.activity.start
--action android.intent.action.VIEW
--data-uri http://www.google.com
--flags ACTIVITY_NEW_TASK
更多关于intents的帮助使用命令’help intents’.
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
| 参数名 | 作用 |
|---|---|
| –action ACTION | 指定action |
| –category CATEGORY [CATEGORY …] | 指定category |
| –data-uri DATA_URI | 指定uri |
| –extra TYPE KEY VALUE | 指定附加的数据 |
| –flags FLAGS [FLAGS …] | 指定一个或者多个flags |
| –mimetype MIMETYPE | 指定文件类型 |
| –component PACKAGE COMPONENT | 指定componnent |
对于显式Intent,Android不需要去做解析,因为目标组件已经很明确,Android需要解析的是那些隐式Intent,通过解析,将Intent映射给可以处理此Intent的Activity、IntentReceiver或Service。
Intent解析机制主要是通过查找已注册在AndroidManifest.xml中的所有IntentFilter及其中定义的Intent,最终找到匹配的Intent。在这个解析过程中,Android是通过Intent的action、type、category这三个属性来进行判断的,判断方法如下:
- 如果Intent指明定了action,则目标组件的IntentFilter的action列表中就必须包含有这个action,否则不能匹配;
- 如果Intent没有提供type,系统将从data中得到数据类型。和action一样,目标组件的数据类型列表中必须包含Intent的数据类型,否则不能匹配。
- 如果Intent中的数据不是content:
类型的URI,而且Intent也没有明确指定它的type,将根据Intent中数据的scheme (比如 http: 或者mailto:)
进行匹配。同上,Intent 的scheme必须出现在目标组件的scheme列表中。 - 如果Intent指定了一个或多个category,这些类别必须全部出现在组建的类别列表中。比如Intent中包含了两个类别:LAUNCHER_CATEGORY
和 ALTERNATIVE_CATEGORY,解析得到的目标组件必须至少包含这两个类别。 - 如果 component这个属性有指定的话,将直接使用它指定的组件,而不再执行上述查找过程。
app.activity.info
usage: run app.activity.info [-h] [-a PACKAGE] [-f FILTER] [-i] [-u] [-v]
Gets information about exported activities.
Examples:
List activities exported by the Browser:
dz> run app.activity.info --package com.android.browser
Package: com.android.browser
com.android.browser.BrowserActivity
com.android.browser.ShortcutActivity
com.android.browser.BrowserPreferencesPage
com.android.browser.BookmarkSearch
com.android.browser.AddBookmarkPage
com.android.browser.widget.BookmarkWidgetConfigure
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
| 参数名 | 作用 |
|---|---|
| -a PACKAGE, –package PACKAGE | 指定包名 |
| -f FILTER, –filter FILTER | 指定activity的名称 |
| -i, –show-intent-filters | 显示activity的intent-filters |
| -u, –unexported | 包括exported:false的activity |
| -v, –verbose | 显示详细信息 |
app.package.info
usage: run app.package.info [-h] [-a PACKAGE] [-d DEFINES_PERMISSION] [-f FILTER] [-g GID] [-p PERMISSION] [-u UID] [-i]
List all installed packages on the device with optional filters. Specify optional keywords to search for in the package information, or granted permissions.
Examples:
Finding all packages with the keyword “browser” in their name:
dz> run app.package.info -f browser
Package: com.android.browser
Process name: com.android.browser
Version: 4.1.1
Data Directory: /data/data/com.android.browser
APK path: /system/app/Browser.apk
UID: 10014
GID: [3003, 1015, 1028]
Shared libraries: null
Permissions:
- android.permission.ACCESS_COARSE_LOCATION
- android.permission.ACCESS_DOWNLOAD_MANAGER
- android.permission.ACCESS_FINE_LOCATION
...
Finding all packages with the “INSTALL_PACKAGES” permission:
dz> run app.package.info -p INSTALL_PACKAGES
Package: com.android.packageinstaller
Process Name: com.android.packageinstaller
Version: 4.1.1-403059
Data Directory: /data/data/com.android.packageinstaller
APK Path: /system/app/PackageInstaller.apk
UID: 10003
GID: [1028]
Shared Libraries: null
Shared User ID: null
Permissions:
- android.permission.INSTALL_PACKAGES
- android.permission.DELETE_PACKAGES
- android.permission.CLEAR_APP_CACHE
- android.permission.READ_PHONE_STATE
- android.permission.CLEAR_APP_USER_DATA
- android.permission.READ_EXTERNAL_STORAGE
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
| 参数名 | 作用 |
|---|---|
| -a PACKAGE, –package PACKAGE | 指定包名 |
| -d DEFINES_PERMISSION, –defines-permission DEFINES_PERMISSION | 通过自定义的权限过滤 |
| -f FILTER, –filter FILTER | 通过关键词查询 |
| -g GID, –gid GID | 指定GID |
| -p PERMISSION, –permission PERMISSION | 通过权限过滤 |
| -u UID, –uid UID | 指定UID |
| -i, –show-intent-filters | 显示intent-filters |
app.broadcast.info
usage: run app.broadcast.info [-h] [-a PACKAGE] [-f FILTER] [-p PERMISSION] [-i] [-u] [-v]
获取broadcast receivers信息
Examples:
Get receivers exported by the platform:
dz> run app.broadcast.info -a android
Package: android
com.android.server.BootReceiver
Permission: null
com.android.server.updates.CertPinInstallReceiver
Permission: null
com.android.server.updates.IntentFirewallInstallReceiver
Permission: null
com.android.server.updates.SmsShortCodesInstallReceiver
Permission: null
com.android.server.updates.CarrierProvisioningUrlsInstallReceiver
Permission: null
com.android.server.updates.TZInfoInstallReceiver
Permission: null
com.android.server.updates.SELinuxPolicyInstallReceiver
Permission: null
com.android.server.MasterClearReceiver
Permission: android.permission.MASTER_CLEAR
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs), Luander (luander.r@samsung.com)
License: BSD (3 clause)
optional arguments:
| 参数名 | 作用 |
|---|---|
| -a PACKAGE, –package PACKAGE | 指定包名 |
| -f FILTER, –filter FILTER | 通过关键词查询 |
| -p PERMISSION, –permission PERMISSION | 通过权限过滤 |
| -i, –show-intent-filters | 显示intent-filters |
| -u, –unexported | 包括exported:false的receivers |
| -v, –verbose | 显示详细信息 |
app.service.info
usage: run app.service.info [-h] [-a PACKAGE] [-f ] [-i] [-p ] [-u] [-v]
获取services信息.
Examples:
List services exported by the Browser:
dz> run app.service.info --package com.android.browser
Package: com.android.browser
No exported services.
List exported services with no permissions required to interact with it:
dz> run app.service.info -p null
Package: com.android.email
com.android.email.service.EmailBroadcastProcessorService
Permission: null
com.android.email.Controller$ControllerService
Permission: null
com.android.email.service.PopImapAuthenticatorService
Permission: null
com.android.email.service.PopImapSyncAdapterService
Permission: null
com.android.email.service.EasAuthenticatorService
Permission: null
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
| 参数名 | 作用 |
|---|---|
| -a PACKAGE, –package PACKAGE | 指定包名 |
| -f FILTER, –filter FILTER | 通过关键词查询 |
| -p PERMISSION, –permission PERMISSION | 通过权限过滤 |
| -i, –show-intent-filters | 显示intent-filters |
| -u, –unexported | 包括exported:false的service |
| -v, –verbose | 显示详细信息 |
app.provider.info
usage: run app.provider.info [-h] [-a PACKAGE] [-f FILTER] [-p PERMISSION] [-u] [-v]
获取 content providers信息
Examples:
Find content provider with the keyword “settings” in them:
dz> run app.provider.info -f settings
Package name: com.google.android.gsf
Authority: com.google.settings
Required Permission - Read: null
Required Permission - Write: com.google.android.providers.settings.permission.WRITE_GSETTINGS
Grant Uri Permissions: false
Multiprocess allowed: false
Package name: com.android.providers.settings
Authority: settings
Required Permission - Read: null
Required Permission - Write: android.permission.WRITE_SETTINGS
Grant Uri Permissions: false
Multiprocess allowed: false
Finding content providers that do not require permissions to read/write:
dz> run app.provider.info -p null
Package name: com.google.android.gsf
Authority: com.google.settings
Required Permission - Read: null
Required Permission - Write: com.google.android.providers.settings.permission.WRITE_GSETTINGS
Grant Uri Permissions: false
Multiprocess allowed: false
...
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
| 参数名 | 作用 |
|---|---|
| -a PACKAGE, –package PACKAGE | 指定包名 |
| -f FILTER, –filter FILTER | 通过关键词查询 |
| -p PERMISSION, –permission PERMISSION | 通过权限过滤 |
| -u, –unexported | 包括exported:false的provider |
| -v, –verbose | 显示详细信息 |
app.activity.forintent
usage: run app.activity.forintent [-h] [–action ACTION] [–category CATEGORY [CATEGORY …]] [–component PACKAGE COMPONENT] [–data-uri DATA_URI] [–extra TYPE KEY VALUE] [–flags FLAGS [FLAGS …]] [–mimetype MIMETYPE]
通过intent查找它的activity
Examples:
Find activities that can handle web addresses:
dz> run app.activity.forintent
--action android.intent.action.VIEW
--data http://www.google.com
Package name: com.android.browser
Target activity: com.android.browser.BrowserActivity
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
| 参数名 | 作用 |
|---|---|
| –action ACTION | 指定action |
| –category CATEGORY [CATEGORY …] | 指定category |
| –data-uri DATA_URI | 指定uri |
| –extra TYPE KEY VALUE | 指定附加的数据 |
| –flags FLAGS [FLAGS …] | 指定一个或者多个flags |
| –mimetype MIMETYPE | 指定文件类型 |
| –component PACKAGE COMPONENT | 指定componnent |
app.broadcast.send
usage: run app.broadcast.send [-h] [–action ACTION] [–category CATEGORY [CATEGORY …]] [–component PACKAGE COMPONENT] [–data-uri DATA_URI] [–extra TYPE KEY VALUE] [–flags FLAGS [FLAGS …]] [–mimetype MIMETYPE]
Examples:
Attempt to send the BOOT_COMPLETED broadcast message:
dz> run app.broadcast.send
--action android.intent.action.BOOT_COMPLETED
java.lang.SecurityException: Permission Denial: not allowed to send broadcast android.intent.action.BOOT_COMPLETED
from pid=955, uid=10044
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
| 参数名 | 作用 |
|---|---|
| –action ACTION | 指定action |
| –category CATEGORY [CATEGORY …] | 指定category |
| –data-uri DATA_URI | 指定uri |
| –extra TYPE KEY VALUE | 指定附加的数据 |
| –flags FLAGS [FLAGS …] | 指定一个或者多个flags |
| –mimetype MIMETYPE | 指定文件类型 |
| –component PACKAGE COMPONENT | 指定componnent |
app.broadcast.sniff
usage: run app.broadcast.sniff [-h] [–action ACTION] [–category CATEGORY [CATEGORY …]] [–data-authority HOST PORT] [–data-path PATH TYPE] [–data-scheme DATA_SCHEME [DATA_SCHEME …]] [–data-type DATA_TYPE [DATA_TYPE …]]
Register a broadcast receiver that can sniff particular intents
获取电量信息
Examples:
dz> run app.broadcast.sniff –action android.intent.action.BATTERY_CHANGED
[*] Broadcast receiver registered to sniff matching intents
[*] Output is updated once a second. Press Control+C to exit.
Action: android.intent.action.BATTERY_CHANGED
Raw: Intent { act=android.intent.action.BATTERY_CHANGED flg=0x60000010 (has extras) }
Extra: technology=Li-ion (java.lang.String)
Extra: icon-small=17303411 (java.lang.Integer)
Extra: health=2 (java.lang.Integer)
Extra: online=4 (java.lang.Integer)
Extra: status=2 (java.lang.Integer)
Extra: plugged=2 (java.lang.Integer)
Extra: present=true (java.lang.Boolean)
Extra: level=80 (java.lang.Integer)
Extra: scale=100 (java.lang.Integer)
Extra: temperature=280 (java.lang.Integer)
Extra: current_avg=460 (java.lang.Integer)
Extra: voltage=4151 (java.lang.Integer)
Extra: charge_type=1 (java.lang.Integer)
Extra: invalid_charger=0 (java.lang.Integer)
Last Modified: 2014-06-27
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)
optional arguments:
| 参数名 | 作用 |
|---|---|
| –action ACTION | 指定action |
| –category CATEGORY [CATEGORY …] | 指定category |
| –data-authority HOST PORT | 指定data中的host:port |
| –data-path PATH TYPE | 指定data中的path |
| –data-scheme DATA_SCHEME [DATA_SCHEME …] | 指定data中的scheme |
| –data-type DATA_TYPE [DATA_TYPE …] | 指定data中的数据类型 |
scheme, host, port, path, pathPrefix, pathPattern 是用来匹配 Intent 中的 Data Uri 的。具体规则如下:
scheme://host:port/path or pathPrefix or pathPattern
详细可以参考下面链接:
http://blog.csdn.net/androidzhaoxiaogang/article/details/6856201
app.package.attacksurface
usage: run app.package.attacksurface [-h] package
确定安装包的可攻击面
Examples:
Finding the attack surface of the built-in browser
dz> run app.package.attacksurface com.android.browser
6 activities exported
4 broadcast receivers exported
1 content providers exported
0 services exported
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
package the identifier of the package to inspect
optional arguments:
-h, –help
app.package.backup
usage: run app.package.backup [-h] [-f FILTER] [-k]
列出可备份的包
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
| 参数名 | 作用 |
|---|---|
| -f FILTER, –filter FILTER | 指定包名 |
| -k, –api-keys | 只展示有api keys的包 |
app.package.debuggable
usage: run app.package.debuggable [-h] [-f FILTER] [-v]
列出可debug的包
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
| 参数名 | 作用 |
|---|---|
| -f FILTER, –filter FILTER | 指定包名 |
| -v, –verbose | 附加不可debug的包信息 |
app.package.launchintent
usage: run app.package.launchintent [-h] [-r] package
获取程序启动的activity信息
Examples:
Finding the launch intent of the Android browser package:
dz> run app.package.launchintent com.android.browser
Intent:
Action: android.intent.action.MAIN
Component: {com.android.browser/com.android.browser.BrowserActivity}
Data: null
Categories:
android.intent.category.LAUNCHER
Flags: [ACTIVITY_NEW_TASK]
Mime Type: null
Extras: null
Last Modified: 2013-03-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
package the identifier of the package to inspect
optional arguments:
| 参数名 | 作用 |
|---|---|
| -r, –raw | 相当于intent.toString() |
app.package.manifest
usage: run app.package.manifest [-h] package
获取程序manifest文件信息,和apktool反编译出来的对比,drozer的还能查看versionCode、versionName、minSdkVersion、targerSdkversion。
Examples:
Getting the manifest for drozer
dz> run app.package.manifest com.mwr.dz
<manifest versionCode="2" versionName="1.1" package="com.mwr.dz">
<uses-sdk minSdkVersion="8" targetSdkVersion="4">
</uses-sdk>
<uses-permission name="android.permission.INTERNET">
</uses-permission>
...
</manifest>
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
package the identifier of the package
optional arguments:
-h, –help
app.package.native
usage: run app.package.native [-h] package
列出Native libraries 信息
Last Modified: 2013-03-23
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
package the identifier of the package
optional arguments:
-h, –help
app.package.shareduid
usage: run app.package.shareduid [-h] [-u UID]
查找拥有共同uid的包和他们所有的权限。
Examples:
Finding packages that share the UID 10011
dz> run app.package.shareduid -u 10011
UID: 10011 (com.motorola.blur.uid.provider_authenticator:10011)
Package Name: com.motorola.blur.provider.photobucket
Package Name: com.motorola.blur.provider.picasa
Package Name: com.motorola.blur.provider.yahoo
Package Name: com.motorola.blur.provider.twitter
Package Name: com.motorola.blur.provider.fixedemail
Package Name: com.motorola.blur.provider.motorola.app
Package Name: com.motorola.blur.provider.orkut
Package Name: com.motorola.blur.provider.email
Package Name: com.motorola.blur.provider.facebook
Package Name: com.motorola.blur.provider.lastfm
Package Name: com.motorola.blur.provider.linkedin
Package Name: com.motorola.blur.provider.youtube
Package Name: com.motorola.blur.provider.skyrock
Package Name: com.motorola.blur.provider.activesync
Package Name: com.motorola.blur.provider.flickr
Accumulated permissions: com.motorola.blur.setupprovider.Permissions.ACCESS_ACCOUNTS; ...
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
| 参数名 | 作用 |
|---|---|
| -u UID, –uid UID | 指定uid |
app.provider.columns
usage: run app.provider.columns [-h] uri
展示content provider URI的各列名
Examples:
List the columns of content://settings/secure
dz> run app.provider.columns content://settings/secure
| _id | name | value |
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
uri the content provider uri to query
optional arguments:
-h, –help
app.provider.delete
usage: run app.provider.delete [-h] [–selection conditions] [–selection-args [arg [arg …]]] uri
删除content provider URI的内容
Examples:
Delete from content://settings/secure, with name condition:
dz> run app.provider.delete content://settings/secure
--selection "name=?"
--selection-args my_setting
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
uri the content provider uri to query
optional arguments:
| 参数名 | 作用 |
|---|---|
| –selection conditions | 指定列名 |
| –selection-args [arg [arg …]] | 指定值 |
app.provider.download
usage: run app.provider.download [-h] uri destination
使用openInputStream读取指定uri的内容,并下载在电脑中
使用前提:provider实现了openFile
如果在window下,目的地址’/’为drozer安装目录所在的磁盘,比如drozer安装在D盘
目的地址为/data.db ,文件就在D:\data.db
Examples:
Download, using directory traversal on a content provider:
dz> run app.provider.download content://vulnerable.provider/../../../system/etc/hosts /tmp/hostsfile
Written 25 bytes
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
uri the content provider URI to read a file through
destination path to save the downloaded file to
optional arguments:
-h, –help
app.provider.insert
usage: **run app.provider.insert [-h] [–boolean column data] [–double column data]
[–float column data] [–integer column data]
[–long column data] [–short column data]
[–string column data] uri**
插入数据到content provider.
Examples:
Insert into a vulnerable content provider:
dz> run app.provider.insert content://com.vulnerable.im/messages
--string date 1331763850325
--string type 0
--integer _id 7
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
uri the content provider uri to insert into
optional arguments:
–boolean 【column】 【data】
–double 【column】【 data】
–float 【column】【 data】
–integer 【column】【 data】
–long 【column】【 data】
–short 【column】【 data】
–string 【column】【 data】
app.provider.finduri
usage: run app.provider.finduri [-h] package
查找Content URIs
This module uses a number of strategies to identify a content URI, including inspecting the authorities, path
permissions and searching for strings inside the package.
Examples:
Find content provider URIs in the Browser:
dz> run app.provider.finduri com.android.browser
Scanning com.android.browser...
content://com.android.browser.home/res/raw/
content://browser/search_suggest_query
content://browser/
content://com.android.browser.snapshots/
content://com.android.browser/bookmarks/search_suggest_query
content://com.android.browser/
content://com.google.settings/partner
content://com.android.browser.snapshots
content://com.google.android.partnersetup.rlzappprovider/
content://com.android.browser.home/
content://browser/bookmarks/search_suggest_query
Last Modified: 2012-13-18
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
package the package to search for content provider uris
optional arguments:
-h, –help
app.provider.query
usage: run app.provider.query [-h] [–projection [columns [columns …]]] [–selection conditions] [–selection-args [arg [arg …]]] [–order by_column] [–vertical] uri
查询content provider 内容
Examples:
Querying the settings content provider:
dz> run app.provider.query content://settings/secure
| _id | name | value |
| 5 | assisted_gps_enabled | 1 |
| 9 | wifi_networks_available_notification_on | 1 |
| 10 | sys_storage_full_threshold_bytes | 2097152 |
| ... | ... | ... |
Querying, with a WHERE clause in the SELECT statement:
dz> run app.provider.query content://settings/secure
--selection "_id=?"
--selection-args 10
| _id | name | value |
| 10 | sys_storage_full_threshold_bytes | 2097152 |
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
uri the content provider uri to query
optional arguments:
| 参数名 | 作用 |
|---|---|
| –projection [columns [columns …]] | 选择查询哪些列,如:–projection _id,name |
| –selection conditions | 指定列名 |
| –selection-args [arg [arg …]] | 指定列名的值 |
| –order by_column | 通过哪一列排序 |
| –vertical | 垂直显示 |
app.provider.read
usage: run app.provider.read [-h] uri
使用openInputStream读取指定uri的内容
使用前提:provider实现了openFile
Examples:
Attempt directory traversal on a content provider:
dz> run app.provider.read content://settings/secure/../../../system/etc/hosts
java.io.FileNotFoundException: No files supported by provider at content://settings/secure/../../../system/etc/hosts
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
uri the content provider URI to read a file through
optional arguments:
-h, –help
app.provider.update
usage: run app.provider.update [-h] [–selection conditions] [–selection-args [arg [arg …]]] [–boolean column data] [–double column data] [–float column data] [–integer column data] [–long column data] [–short column data] [–string column data] uri
更新content provider的内容
Examples:
Updating, the assisted_gps_enabled setting:
dz> run app.provider.update content://settings/secure
--selection "name=?"
--selection-args assisted_gps_enabled
--integer value 0
Done.
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
uri the content provider uri to update in
optional arguments:
| 参数名 | 作用 |
|---|---|
| –selection conditions | 指定列名 |
| –selection-args [arg [arg …]] | 指定列名的值 |
| –boolean column data | 列名+值 |
| –double column data | 列名+值 |
| –float column data | 列名+值 |
| –integer column data | 列名+值 |
| –long column data | 列名+值 |
| –short column data | 列名+值 |
| –string column data | 列名+值 |
app.service.start
usage: run app.service.start [-h] [–action ACTION] [–category CATEGORY [CATEGORY …]] [–component PACKAGE COMPONENT] [–data-uri DATA_URI] [–extra TYPE KEY VALUE] [–flags FLAGS [FLAGS …]] [–mimetype MIMETYPE]
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
| 参数名 | 作用 |
|---|---|
| –action ACTION | 指定action |
| –category CATEGORY [CATEGORY …] | 指定category |
| –data-uri DATA_URI | 指定uri |
| –extra TYPE KEY VALUE | 指定附加的数据 |
| –flags FLAGS [FLAGS …] | 指定一个或者多个flags |
| –mimetype MIMETYPE | 指定文件类型 |
| –component PACKAGE COMPONENT | 指定componnent |
app.service.stop
usage: run app.service.stop [-h] [–action ACTION] [–category CATEGORY [CATEGORY …]] [–component PACKAGE COMPONENT] [–data-uri DATA_URI] [–extra TYPE KEY VALUE] [–flags FLAGS [FLAGS …]] [–mimetype MIMETYPE]
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
| 参数名 | 作用 |
|---|---|
| –action ACTION | 指定action |
| –category CATEGORY [CATEGORY …] | 指定category |
| –data-uri DATA_URI | 指定uri |
| –extra TYPE KEY VALUE | 指定附加的数据 |
| –flags FLAGS [FLAGS …] | 指定一个或者多个flags |
| –mimetype MIMETYPE | 指定文件类型 |
| –component PACKAGE COMPONENT | 指定componnent |
app.service.send
usage: run app.service.send [-h] [–msg what arg1 arg2] [–extra type key value] [–no-response] [–timeout TIMEOUT] [–bundle-as-obj] package component
使用 Message攻击暴露的service,其service实现了handleMessage。
NB: by default, this module will wait 20 seconds for a reply.
Examples:
Deliver a Message to a dummy application, that simply returns the message:
dz> run app.service.send com.example.srv com.example.srv.Service --msg 1 2 3 --extra float value 0.1324 --extra
string test value
Got a reply from com.example.srv/com.example.srv.Service:
what: 1
arg1: 2
arg2: 3
Data:
value (float) : 0.1324
test (string) : value
Last Modified: 2013-05-20
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
package the package containing the target service
component the fully-qualified service name to bind to
optional arguments:
| 参数名 | 作用 |
|---|---|
| –msg what arg1 arg2 | 指定message obtain获取的值,what、arg1、arg2 |
| –extra type key value | 指定bundle的数据 |
| –no-response | 丢弃回复 |
| –timeout TIMEOUT | 设置等待回复的超时时间 |
| –bundle-as-obj | 设置obj的值 |
8949
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
