Basic Usage of Drozer

December 26, 2018 · 486 words · 1 minute · Drozer Android

Introduction

drozer (formerly Mercury) is the leading security testing framework for Android.

drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints and the underlying OS.

drozer provides tools to help you use, share and understand public Android exploits. It helps you to deploy a drozer Agent to a device through exploitation or social engineering. Using weasel (MWR’s advanced exploitation payload) drozer is able to maximise the permissions available to it by installing a full agent, injecting a limited agent into a running process, or connecting a reverse shell to act as a Remote Access Tool (RAT).

drozer is open source software, maintained by MWR InfoSecurity, and can be downloaded from: mwr.to/drozer

Installation

Installing on the PC

First, download drozer-2.4.4-py2-none-any.whl from GitHub.

pip install drozer-2.4.4-py2-none-any.whl

Installing on Android

Likewise, download drozer-agent-2.3.4.apk from GitHub.

To make testing easier, drozer also provides a test APK: sieve.apk

adb install drozer-agent-2.3.4.apk
adb install sieve.apk

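Usage

Starting the service

# Start drozer on the PC
drozer server start

# Port forwarding
adb forward tcp:31415 tcp:31415

# Then open the drozer agent on the Android device and turn on its server

# Connect to the service
drozer console connect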

Common commands

# List all commands
dz> list

# List the packages installed on the device
dz> run app.package.list

# Look up a package's activities
dz> run app.activity.info -f com.mwr.example.sieve

# Show the attack surface of a package on the device
dz> run app.package.attacksurface com.mwr.example.sieve

# Start an activity
dz> run app.activity.start --component <package> <activity>

# Query a Content Provider URI that is accessible (data leakage)
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Keys/

# Use SQL injection to list all tables in the database
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"

# Check for SQL injection
dz> run scanner.provider.injection -a com.mwr.example.sieve

# Check for file traversal vulnerabilities
dz> run scanner.provider.traversal -a com.mwr.example.sieve
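
Why the --projection query above returns the table list, and what closes the hole, shown as an added example (not code from the original post or from drozer or sieve). The database layout, the function names and the column allowlist are assumptions; only the projection string comes from the page.

```python
import sqlite3

# Projection string taken from the app.provider.query command on this page.
PAGE_PROJECTION = "* FROM SQLITE_MASTER WHERE type='table';--"

# Hypothetical allowlist of columns the provider is willing to return.
ALLOWED_COLUMNS = {"_id", "service", "password"}


def make_db():
    """Constructed stand-in for the provider's database (layout is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT, password BLOB);"
        "CREATE TABLE Key (Password TEXT, pin TEXT);"
        "INSERT INTO Passwords (service, password) VALUES ('mail', x'00ff');"
    )
    return db


def query_vulnerable(db, projection):
    # The caller-supplied projection is concatenated into the statement, so the
    # page's string supplies its own FROM clause and comments out the real one:
    #   SELECT * FROM SQLITE_MASTER WHERE type='table';-- FROM Passwords
    return db.execute("SELECT " + projection + " FROM Passwords").fetchall()


def query_hardened(db, projection):
    # Only exact, known column names are accepted; anything else is rejected
    # before any SQL text is built.
    columns = [c.strip() for c in projection.split(",")]
    if any(c not in ALLOWED_COLUMNS for c in columns):
        raise ValueError("projection contains a column that is not allowed")
    return db.execute("SELECT " + ", ".join(columns) + " FROM Passwords").fetchall()


def leaked_table_names(db):
    # sqlite_master rows are (type, name, tbl_name, rootpage, sql).
    return sorted(row[1] for row in query_vulnerable(db, PAGE_PROJECTION))


def is_rejected(db, projection):
    try:
        query_hardened(db, projection)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable query leaks tables:", leaked_table_names(db))
    print("hardened, normal projection:", query_hardened(db, "_id, service"))
    print("hardened, page's projection rejected:", is_rejected(db, PAGE_PROJECTION))
```

In an Android provider the same control is a strict projection map on SQLiteQueryBuilder (setProjectionMap with setStrict(true)), alongside not exporting the provider or guarding it with a permission.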

Other

CodeEngn has developed many Android apps to help beginners learn Android penetration testing.

Work through them when you have spare time; it feels a bit like grinding LeetCode 😂
