1. Installation
Install drozer on the PC.
Install agent.apk on the Android device:
adb install agent.apk
2. Starting a session
adb forward tcp:31415 tcp:31415
drozer console connect
Start the Drozer Agent on the Android device.
Select Embedded Server and enable it.
3. drozer commands
dz> list
app.activity.forintent                   Find activities that can handle the given intent
app.activity.info                        Gets information about exported activities.
app.activity.start                       Start an Activity
app.broadcast.info                       Get information about broadcast receivers
app.broadcast.send                       Send broadcast using an intent
app.broadcast.sniff                      Register a broadcast receiver that can sniff particular intents
app.package.attacksurface                Get attack surface of package
app.package.backup                       Lists packages that use the backup API (returns true on FLAG_ALLOW_BACKUP)
app.package.debuggable                   Find debuggable packages
app.package.info                         Get information about installed packages
app.package.launchintent                 Get launch intent of package
app.package.list                         List Packages
app.package.manifest                     Get AndroidManifest.xml of package
app.package.native                       Find Native libraries embedded in the application.
app.package.shareduid                    Look for packages with shared UIDs
app.provider.columns                     List columns in content provider
app.provider.delete                      Delete from a content provider
app.provider.download                    Download a file from a content provider that supports files
app.provider.finduri                     Find referenced content URIs in a package
app.provider.info                        Get information about exported content providers
app.provider.insert                      Insert into a Content Provider
app.provider.query                       Query a content provider
app.provider.read                        Read from a content provider that supports files
app.provider.update                      Update a record in a content provider
app.service.info                         Get information about exported services
app.service.send                         Send a Message to a service, and display the reply
app.service.start                        Start Service
app.service.stop                         Stop Service
auxiliary.webcontentresolver             Start a web service interface to content providers.
exploit.jdwp.check                       Open @jdwp-control and see which apps connect
exploit.pilfer.general.apnprovider       Reads APN content provider
exploit.pilfer.general.settingsprovider  Reads Settings content provider
information.datetime                     Print Date/Time
information.deviceinfo                   Get verbose device information
information.permissions                  Get a list of all permissions used by packages on the device
scanner.activity.browsable               Get all BROWSABLE activities that can be invoked from the web browser
scanner.misc.native                      Find native components included in packages
scanner.misc.readablefiles               Find world-readable files in the given folder
scanner.misc.secretcodes                 Search for secret codes that can be used from the dialer
scanner.misc.sflagbinaries               Find suid/sgid binaries in the given folder (default is /system).
scanner.misc.writablefiles               Find world-writable files in the given folder
scanner.provider.finduris                Search for content providers that can be queried from our context.
scanner.provider.injection               Test content providers for SQL injection vulnerabilities.
scanner.provider.sqltables               Find tables accessible through SQL injection vulnerabilities.
scanner.provider.traversal               Test content providers for basic directory traversal vulnerabilities.
shell.exec                               Execute a single Linux command.
shell.send                               Send an ASH shell to a remote listener.
shell.start                              Enter into an interactive Linux shell.
tools.file.download                      Download a File
tools.file.md5sum                        Get md5 Checksum of file
tools.file.size                          Get size of file
tools.file.upload                        Upload a File
tools.setup.busybox                      Install Busybox.
tools.setup.minimalsu                    Prepare 'minimal-su' binary installation on the device.
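Application-related: app.package.*
Activity-related: app.activity.*
Content Provider-related: app.provider.*, scanner.provider
Service-related: app.service.*
Broadcast Receiver-related: app.broadcast.*
Other modules
The four basic Android components are Activity, Service, Content Provider and Broadcast Receiver.
Use run app.package.info to get detailed information about a package, such as its data path, APK path and declared permissions.
app.package.attacksurface performs attack surface analysis: it examines the permissions on the Activity/Broadcast Receiver/Content Provider/Service components, that is, whether they can be called by other applications.
Use run app.activity.info -a <full package name> to identify the activity components that can be invoked.
Use run app.activity.start --component <full package name> <full component name> to start one; on screens such as payment pages this can result in UI hijacking.
Use run app.broadcast.info -a <full package name> to view information about exposed broadcast components.
Use run app.broadcast.send with an empty action and empty extras to cause a denial of service.
Use run app.provider.info -a <package name> to view information about accessible Content Providers.
Use run scanner.provider.finduris -a <package name> to get the URIs that can be accessed.
run scanner.provider.injection -a <package name> checks for SQL injection.
run scanner.provider.traversal -a <package name> checks for directory traversal.
Use run app.service.info -a <package name> to query permissions.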
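
The attack surface check described above (whether a component can be called by other applications) can also be run statically against a decoded AndroidManifest.xml before release. The Python below is an added example, not part of the original notes or of drozer; the sample manifest, package name and function names are constructed, and it does not evaluate permission protection levels or path-permission entries.

```python
import xml.etree.ElementTree as ET
ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (decoded XML form), not taken from a real app.
SAMPLE_MANIFEST = """<manifest package="com.example.demo"
    xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".PayActivity">
      <intent-filter><action android:name="com.example.demo.PAY"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.demo.permission.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="true"/>
    <provider android:name=".NotesProvider" android:authorities="com.example.demo.notes"
        android:exported="true" android:readPermission="com.example.demo.READ"/>
  </application>
</manifest>"""

def is_exported(elem):
    """Explicit android:exported wins; otherwise an intent-filter implies exported."""
    flag = elem.get(ANDROID + "exported")
    if flag is None:
        return elem.find("intent-filter") is not None
    return flag.lower() == "true"

def audit_manifest(xml_text):
    """Return (type, name, problem) for exported components lacking a permission guard."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    for elem in app:
        if elem.tag not in COMPONENTS or not is_exported(elem):
            continue
        name = elem.get(ANDROID + "name")
        # A permission on <application> is the default for every component in it.
        perm = elem.get(ANDROID + "permission") or app.get(ANDROID + "permission")
        if elem.tag == "provider":
            # Providers can be guarded per direction; report the unguarded one(s).
            missing = [d for d in ("read", "write")
                       if not (perm or elem.get(ANDROID + d + "Permission"))]
            if missing:
                findings.append((elem.tag, name, "no " + "/".join(missing) + " permission"))
        elif not perm:
            findings.append((elem.tag, name, "no permission required"))
    return findings

if __name__ == "__main__":
    print(*audit_manifest(SAMPLE_MANIFEST), sep="\n")
```

Each finding is a component that any other installed app can reach; the fix is either android:exported="false" or a permission attribute with a signature-level protection level.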