
Installing and Using Drozer, the Android Penetration Testing Framework

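I. Introduction

Drozer, formerly named Mercury, is an open-source security testing framework for the Android platform.
Drozer is written in Python. Users can write their own modules in Python, and many good third-party security testing modules are also available. Another well-known framework, Androguard, is built on Drozer.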

II. Installation

The official site provides drozer builds for three platforms: Debian/Ubuntu, RPM, and Windows.
My installation environment: Windows 7 64-bit, Python 2.7, JDK 1.6.

Installing Drozer on Windows has several pitfalls:

  1. JDK version: it must be JDK 1.6.

  2. Installation paths of the JDK and drozer: they must not contain spaces, otherwise an error is reported. The fix is as follows:
    Problem:
    Could not find java. Please ensure that it is installed and on your PATH.
    If this error persists, specify the path in the ~/.drozer_config file:
    [executables]
    java = C:\path\to\java
    Fix:
    [executables]
    java = C:\ProgramFiles\Java\jdk1.8.0_71\bin\java.exe
    javac = C:\ProgramFiles\Java\jdk1.8.0_71\bin\javac.exe
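    Write the paths to java.exe and javac.exe in the format above and save them in a file named 1.drozer_config. Then run "rename 1.drozer_config .drozer_config" to rename the file to .drozer_config, and place the .drozer_config file in the "c:\users\<your user name>" folder.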

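  3. drozer agent version: I installed the latest Windows release of Drozer, 2.3.4, but the agent.apk from that version actually causes the application to crash when running certain modules (such as scanner.provider.finduris). Following articles found online, the agent.apk from version 2.3.3 runs without problems; finding the exact cause would probably require reading the source code.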
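
A pre-flight check for pitfall 2, as an added example that is not part of the original post or of the drozer project: it parses the text of a .drozer_config file and reports a missing [executables] section, missing java/javac entries, paths that contain spaces, and paths that do not exist. The function name check_drozer_config and the sample paths are constructed for illustration.

```python
import configparser
import io
import os

# Constructed sample inputs (hypothetical paths, not taken from the post).
SAMPLE_GOOD = r"""[executables]
java = C:\Java\jdk1.6\bin\java.exe
javac = C:\Java\jdk1.6\bin\javac.exe
"""
SAMPLE_BAD = r"""[executables]
java = C:\Program Files\Java\jdk1.6\bin\java.exe
"""


def check_drozer_config(text, exists=os.path.isfile):
    """Return a list of problems found in the text of a .drozer_config file."""
    parser = configparser.ConfigParser(interpolation=None)  # keep '%' literal
    try:
        parser.read_file(io.StringIO(text))
    except configparser.Error as exc:
        return ["cannot parse config: %s" % exc]
    if not parser.has_section("executables"):
        return ["missing [executables] section"]
    problems = []
    for key in ("java", "javac"):
        path = parser.get("executables", key, fallback=None)
        if not path:
            problems.append("%s: no path set" % key)
            continue
        if " " in path:  # the post reports that paths with spaces fail
            problems.append("%s: path contains a space: %s" % (key, path))
        if not exists(path):
            problems.append("%s: file not found: %s" % (key, path))
    return problems


if __name__ == "__main__":
    config_path = os.path.join(os.path.expanduser("~"), ".drozer_config")
    if not os.path.isfile(config_path):
        print("no config file at", config_path)
    else:
        with open(config_path) as handle:
            for problem in check_drozer_config(handle.read()) or ["config looks fine"]:
                print(problem)
```

Run it as the same Windows user that launches drozer.bat, since the file is looked up in that user's home folder.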

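III. Usage

  1. Establishing a connection
    There are several ways to connect to the agent on the phone; the procedure described here uses a USB cable:
    (1) First, open the agent on the phone and open its port.
    (2) On the PC, run "adb forward tcp:31415 tcp:31415" to set up port forwarding.
    (3) On the PC, run "drozer.bat console connect" to enter interactive mode with the agent.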

  2. Common commands
    dz> list                          List all modules
    dz> run app.package.list          Run the app.package.list module
    dz> run app.package.list -h       Show usage and all parameters of the app.package.list module

  3. Modules bundled with Drozer by default:

| No. | Module | Function |
| --- | --- | --- |
| 1 | app.activity.forintent | Find activities that can handle the given intent |
| 2 | app.activity.info | Gets information about exported activities |
| 3 | app.activity.start | Start an Activity |
| 4 | app.broadcast.info | Get information about broadcast receivers |
| 5 | app.broadcast.send | Send broadcast using an intent |
| 6 | app.broadcast.sniff | Register a broadcast receiver that can sniff particular intents |
| 7 | app.package.attacksurface | Get attack surface of package |
| 8 | app.package.backup | Lists packages that use the backup API (returns true on FLAG_ALLOW_BACKUP) |
| 9 | app.package.debuggable | Find debuggable packages |
| 10 | app.package.info | Get information about installed packages |
| 11 | app.package.launchintent | Get launch intent of package |
| 12 | app.package.list | List Packages |
| 13 | app.package.manifest | Get AndroidManifest.xml of package |
| 14 | app.package.native | Find Native libraries embedded in the application |
| 15 | app.package.shareduid | Look for packages with shared UIDs |
| 16 | app.provider.columns | List columns in content provider |
| 17 | app.provider.delete | Delete from a content provider |
| 18 | app.provider.download | Download a file from a content provider that supports files |
| 19 | app.provider.finduri | Find referenced content URIs in a package |
| 20 | app.provider.info | Get information about exported content providers |
| 21 | app.provider.insert | Insert into a Content Provider |
| 22 | app.provider.query | Query a content provider |
| 23 | app.provider.read | Read from a content provider that supports files |
| 24 | app.provider.update | Update a record in a content provider |
| 25 | app.service.info | Get information about exported services |
| 26 | app.service.send | Send a Message to a service, and display the reply |
| 27 | app.service.start | Start Service |
| 28 | app.service.stop | Stop Service |
| 29 | auxiliary.webcontentresolver | Start a web service interface to content providers |
| 30 | exploit.jdwp.check | Open @jdwp-control and see which apps connect |
| 31 | exploit.pilfer.general.apnprovider | Reads APN content provider |
| 32 | exploit.pilfer.general.settingsprovider | Reads Settings content provider |
| 33 | information.datetime | Print Date/Time |
| 34 | information.deviceinfo | Get verbose device information |
| 35 | information.permissions | Get a list of all permissions used by packages on the device |
| 36 | scanner.activity.browsable | Get all BROWSABLE activities that can be invoked from the web browser |
| 37 | scanner.misc.native | Find native components included in packages |
| 38 | scanner.misc.readablefiles | Find world-readable files in the given folder |
| 39 | scanner.misc.secretcodes | Search for secret codes that can be used from the dialer |
| 40 | scanner.misc.sflagbinaries | Find suid/sgid binaries in the given folder (default is /system) |
| 41 | scanner.misc.writablefiles | Find world-writable files in the given folder |
| 42 | scanner.provider.finduris | Search for content providers that can be queried from our context |
| 43 | scanner.provider.injection | Test content providers for SQL injection vulnerabilities |
| 44 | scanner.provider.sqltables | Find tables accessible through SQL injection vulnerabilities |
| 45 | scanner.provider.traversal | Test content providers for basic directory traversal vulnerabilities |
| 46 | shell.exec | Execute a single Linux command |
| 47 | shell.send | Send an ASH shell to a remote listener |
| 48 | shell.start | Enter into an interactive Linux shell |
| 49 | tools.file.download | Download a File |
| 50 | tools.file.md5sum | Get md5 Checksum of file |
| 51 | tools.file.size | Get size of file |
| 52 | tools.file.upload | Upload a File |
| 53 | tools.setup.busybox | Install Busybox |
| 54 | tools.setup.minimalsu | Prepare ‘minimal-su’ binary installation on the device |