Android测试渗透框架Drozer的安装与使用

一、简介

Drozer原名Mecury，是一款针对Android系统的开源安全测试框架。
Drozer是一款由python开发的开源框架，用户可以使用python语言自己编写模块，同时有很多第三方优秀的安全测试模块可供使用。另一款知名的Androguard框架就是基于Drozer开发的。

官网：https://labs.mwrinfosecurity.com/tools/drozer/
github：https://github.com/mwrlabs/drozer

二、安装

官网提供了三个平台的drozer版本：Debian/Ubuntu，RPM、Windows。
我的安装环境：win7 64位、python 2.7、JDK1.6。

在Windows平台安装Drozer有好几个坑：

1. 关于jdk的版本：必须是jdk1.6；

2. 关于jdk和drozer安装目录的路径：不能包含空格，否则会提示出错。具体解决方法如下：
   问题：
   Could not find java. Please ensure that it isinstalled and on your PATH.
   If this error persists, specify the path in the~/.drozer_config file:
   [executables]
   java = C:\path\to\java
   解决：
   [executables]
   java = C:\ProgramFiles\Java\jdk1.8.0_71\bin\java.exe
   javac = C:\ProgramFiles\Java\jdk1.8.0_71\bin\javac.exe
   java.exe和javac.exe的文件路径按以上格式写好，保存在1.drozer_config文件中，用rename1.drozer_config .drozer_config将1.drozer_config文件名改为.drozer_config，将.drozer_config文件保存在”c:\users\你的用户名”文件夹下。

3. 关于drozer agent的版本：我装的是Drozer windows的最新版本2.3.4，但实际上使用该版本的agent.apk在运行某些模块的时候会导致应用崩溃（如scanner.provider.finduris等）。参照网上的文章，使用2.3.3版本的agent.apk可以顺利运行，具体原因可能需要阅读源码才能知道了。

   agent.apk 2.3.3版本

三、使用

1. 建立连接
   与手机agent建立连接有几种方法，这里描述的是利用USB线的连接过程：
   （1）首先打开手机端agent，打开端口
   （2）在PC端运行 “adb forward tcp:31415 tcp:31415”命令进行端口转发
   （3）在PC端运行“drozer.bat console connect”命令进入与agent交互模式

2. 常用命令
   dz> list 列出所有模块
   dz> run app.package.list 运行app.package.list模块
   dz> run app.package.list -h 显示app.package.list模块的使用方法和所有参数

3. Drozer自带默认模块：

序号	模块名称	功能
1	app.activity.forintent	Find activities that can handle the given intent
2	app.activity.info	Gets information about exported activities
3	app.activity.start	Start an Activity
4	app.broadcast.info	Get information about broadcast receivers
5	app.broadcast.send	Send broadcast using an intent
6	app.broadcast.sniff	Register a broadcast receiver that can sniff particular intents
7	app.package.attacksurface	Get attack surface of package
8	app.package.backup	Lists packages that use the backup API (returns true on FLAG_ALLOW_BACKUP)
9	app.package.debuggable	Find debuggable packages
10	app.package.info	Get information about installed packages
11	app.package.launchintent	Get launch intent of package
12	app.package.list	List Packages
13	app.package.manifest	Get AndroidManifest.xml of package
14	app.package.native	Find Native libraries embedded in the application
15	app.package.shareduid	Look for packages with shared UIDs
16	app.provider.columns	List columns in content provider
17	app.provider.delete	Delete from a content provider
18	app.provider.download	Download a file from a content provider that supports files
19	app.provider.finduri	Find referenced content URIs in a package
20	app.provider.info	Get information about exported content providers
21	app.provider.insert	Insert into a Content Provider
22	app.provider.query	Query a content provider
23	app.provider.read	Read from a content provider that supports files
24	app.provider.update	Update a record in a content provider
25	app.service.info	Get information about exported services
26	app.service.send	Send a Message to a service, and display the reply
27	app.service.start	Start Service
28	app.service.stop	Stop Service
29	auxiliary.webcontentresolver	Start a web service interface to content providers
30	exploit.jdwp.check	Open @jdwp-control and see which apps connect
31	exploit.pilfer.general.apnprovider	Reads APN content provider
32	exploit.pilfer.general.settingsprovider	Reads Settings content provider
33	information.datetime	Print Date/Time
34	information.deviceinfo	Get verbose device information
35	information.permissions	Get a list of all permissions used by packages on the device
36	scanner.activity.browsable	Get all BROWSABLE activities that can be invoked from the web browser
37	scanner.misc.native	Find native components included in packages
38	scanner.misc.readablefiles	Find world-readable files in the given folder
39	scanner.misc.secretcodes	Search for secret codes that can be used from the dialer
40	scanner.misc.sflagbinaries	Find suid/sgid binaries in the given folder (default is /system)
41	scanner.misc.writablefiles	Find world-writable files in the given folder
42	scanner.provider.finduris	Search for content providers that can be queried from our context
43	scanner.provider.injection	Test content providers for SQL injection vulnerabilities
44	scanner.provider.sqltables	Find tables accessible through SQL injection vulnerabilities
45	scanner.provider.traversal	Test content providers for basic directory traversal vulnerabilities
46	shell.exec	Execute a single Linux command
47	shell.send	Send an ASH shell to a remote listener
48	shell.start	Enter into an interactive Linux shell
49	tools.file.download	Download a File
50	tools.file.md5sum	Get md5 Checksum of file
51	tools.file.size	Get size of file
52	tools.file.upload	Upload a File
53	tools.setup.busybox	Install Busybox
54	tools.setup.minimalsu	Prepare ‘minimal-su’ binary installation on the device