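Installing and Using Drozer, the Android Penetration Testing Framework
1. Introduction
Drozer, formerly named Mercury, is an open-source security testing framework for Android.
Drozer is an open-source framework written in Python. Users can write their own modules in Python, and many good third-party security testing modules are also available. Another well-known framework, Androguard, is built on Drozer.
2. Installation
The official site provides drozer builds for three platforms: Debian/Ubuntu, RPM, and Windows.
My installation environment: Windows 7 64-bit, Python 2.7, JDK 1.6.
Installing Drozer on Windows has several pitfalls:
JDK version: it must be JDK 1.6.
JDK and drozer installation paths: they must not contain spaces, otherwise an error is reported. The fix is as follows:
Problem: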
Could not find java. Please ensure that it is installed and on your PATH.
If this error persists, specify the path in the ~/.drozer_config file:
[executables]
java = C:\path\to\java
Solution:
[executables]
java = C:\ProgramFiles\Java\jdk1.8.0_71\bin\java.exe
javac = C:\ProgramFiles\Java\jdk1.8.0_71\bin\javac.exe
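Write the file paths of java.exe and javac.exe in the format above and save them in a file named 1.drozer_config. Use "rename 1.drozer_config .drozer_config" to rename 1.drozer_config to .drozer_config, and place the .drozer_config file in the "c:\users\<your user name>" folder.
Drozer agent version: I installed the latest Windows release of Drozer, 2.3.4, but the agent.apk from that version causes the application to crash when running certain modules (such as scanner.provider.finduris). Following articles found online, the agent.apk from version 2.3.3 runs without problems; finding the actual cause would probably require reading the source code.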
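A check for the .drozer_config pitfalls described above, as an added example that is not part of the original article or of drozer itself. It is written for Python 3; the function name `check_drozer_config` and the sample paths are constructed for illustration.

```python
import configparser
import ntpath
import os

# Keys the article places in the [executables] section, and the
# executable each one is expected to point at.
REQUIRED = {"java": "java.exe", "javac": "javac.exe"}

# Constructed sample contents (not taken from a real machine).
GOOD = r"""[executables]
java = C:\Java\jdk1.6\bin\java.exe
javac = C:\Java\jdk1.6\bin\javac.exe
"""
BAD = r"""[executables]
java = C:\Program Files\Java\jdk1.6\bin\java.exe
javac = C:\Java\jdk1.6\bin
"""

def check_drozer_config(text, check_exists=False):
    """Return a list of problems found in .drozer_config content."""
    # interpolation=None so a '%' in a Windows path is taken literally.
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return ["not parseable as INI: %s" % exc.__class__.__name__]
    if not parser.has_section("executables"):
        return ["missing [executables] section"]
    problems = []
    for key, exe in REQUIRED.items():
        path = parser.get("executables", key, fallback="").strip()
        if not path:
            problems.append("%s: not set" % key)
            continue
        if " " in path:  # the space-in-path pitfall from the article
            problems.append("%s: path contains a space" % key)
        if ntpath.basename(path).lower() != exe:
            problems.append("%s: should point at %s" % (key, exe))
        if check_exists and not os.path.isfile(path):
            problems.append("%s: file not found" % key)
    return problems

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_drozer_config(sample) or "ok")
```

To check a real installation, pass the contents of the .drozer_config file in the user's home folder and set `check_exists=True`.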
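3. Usage
Establishing a connection
There are several ways to connect to the agent on the phone; the steps below describe connecting over a USB cable:
(1) First open the agent on the phone and open its port
(2) On the PC, run "adb forward tcp:31415 tcp:31415" to forward the port
(3) On the PC, run "drozer.bat console connect" to enter interactive mode with the agent
Common commands
dz> list (list all modules)
dz> run app.package.list (run the app.package.list module)
dz> run app.package.list -h (show the usage and all parameters of the app.package.list module)
Default modules that ship with Drozer:
No. | Module name | Function |
---|---|---|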
1 | app.activity.forintent | Find activities that can handle the given intent |
2 | app.activity.info | Gets information about exported activities |
3 | app.activity.start | Start an Activity |
4 | app.broadcast.info | Get information about broadcast receivers |
5 | app.broadcast.send | Send broadcast using an intent |
6 | app.broadcast.sniff | Register a broadcast receiver that can sniff particular intents |
7 | app.package.attacksurface | Get attack surface of package |
8 | app.package.backup | Lists packages that use the backup API (returns true on FLAG_ALLOW_BACKUP) |
9 | app.package.debuggable | Find debuggable packages |
10 | app.package.info | Get information about installed packages |
11 | app.package.launchintent | Get launch intent of package |
12 | app.package.list | List Packages |
13 | app.package.manifest | Get AndroidManifest.xml of package |
14 | app.package.native | Find Native libraries embedded in the application |
15 | app.package.shareduid | Look for packages with shared UIDs |
16 | app.provider.columns | List columns in content provider |
17 | app.provider.delete | Delete from a content provider |
18 | app.provider.download | Download a file from a content provider that supports files |
19 | app.provider.finduri | Find referenced content URIs in a package |
20 | app.provider.info | Get information about exported content providers |
21 | app.provider.insert | Insert into a Content Provider |
22 | app.provider.query | Query a content provider |
23 | app.provider.read | Read from a content provider that supports files |
24 | app.provider.update | Update a record in a content provider |
25 | app.service.info | Get information about exported services |
26 | app.service.send | Send a Message to a service, and display the reply |
27 | app.service.start | Start Service |
28 | app.service.stop | Stop Service |
29 | auxiliary.webcontentresolver | Start a web service interface to content providers |
30 | exploit.jdwp.check | Open @jdwp-control and see which apps connect |
31 | exploit.pilfer.general.apnprovider | Reads APN content provider |
32 | exploit.pilfer.general.settingsprovider | Reads Settings content provider |
33 | information.datetime | Print Date/Time |
34 | information.deviceinfo | Get verbose device information |
35 | information.permissions | Get a list of all permissions used by packages on the device |
36 | scanner.activity.browsable | Get all BROWSABLE activities that can be invoked from the web browser |
37 | scanner.misc.native | Find native components included in packages |
38 | scanner.misc.readablefiles | Find world-readable files in the given folder |
39 | scanner.misc.secretcodes | Search for secret codes that can be used from the dialer |
40 | scanner.misc.sflagbinaries | Find suid/sgid binaries in the given folder (default is /system) |
41 | scanner.misc.writablefiles | Find world-writable files in the given folder |
42 | scanner.provider.finduris | Search for content providers that can be queried from our context |
43 | scanner.provider.injection | Test content providers for SQL injection vulnerabilities |
44 | scanner.provider.sqltables | Find tables accessible through SQL injection vulnerabilities |
45 | scanner.provider.traversal | Test content providers for basic directory traversal vulnerabilities |
46 | shell.exec | Execute a single Linux command |
47 | shell.send | Send an ASH shell to a remote listener |
48 | shell.start | Enter into an interactive Linux shell |
49 | tools.file.download | Download a File |
50 | tools.file.md5sum | Get md5 Checksum of file |
51 | tools.file.size | Get size of file |
52 | tools.file.upload | Upload a File |
53 | tools.setup.busybox | Install Busybox |
54 | tools.setup.minimalsu | Prepare ‘minimal-su’ binary installation on the device |