drozer 下载地址
1、安装
pc端安装drozer
Android设备中安装agent.apk
adb install agent.apk
2、开启会话
adb forward tcp:31415tcp:31415
drozer console connect
在Android设备上开启Drozer Agent
选择embedded server-enable
3、drozer 命令
dz> list
app.activity.forintent Find activities that can handle the given intent
app.activity.info Gets information about exported activities.
app.activity.start Start an Activity
app.broadcast.info Get information about broadcast receivers
app.broadcast.send Send broadcast using an intent
app.broadcast.sniff Register a broadcast receiver that can sniff particular intents
app.package.attacksurface Get attack surface of package
app.package.backup Lists packages that use the backup API (returns true on FLAG_ALLOW_BACKUP)
app.package.debuggable Find debuggable packages
app.package.info Get information about installed packages
app.package.launchintent Get launch intent of package
app.package.list List Packages
app.package.manifest Get AndroidManifest.xml of package
app.package.native Find Native libraries embedded in the application.
app.package.shareduid Look for packages with shared UIDs
app.provider.columns List columns in content provider
app.provider.delete Delete from a content provider
app.provider.download Download a file from a content provider that supports files
app.provider.finduri Find referenced content URIs in a package
app.provider.info Get information about exported content providers
app.provider.insert Insert into a Content Provider
app.provider.query Query a content provider
app.provider.read Read from a content provider that supports files
app.provider.update Update a record in a content provider
app.service.info Get information about exported services
app.service.send Send a Message to a service, and display the reply
app.service.start Start Service
app.service.stop Stop Service
auxiliary.webcontentresolver Start a web service interface to content providers.
exploit.jdwp.check Open @jdwp-control and see which apps connect
exploit.pilfer.general.apnprovider Reads APN content provider
exploit.pilfer.general.settingsprovider Reads Settings content provider
information.datetime Print Date/Time
information.deviceinfo Get verbose device information
information.permissions Get a list of all permissions used by packages on the device
scanner.activity.browsable Get all BROWSABLE activities that can be invoked from the web browser
scanner.misc.native Find native components included in packages
scanner.misc.readablefiles Find world-readable files in the given folder
scanner.misc.secretcodes Search for secret codes that can be used from the dialer
scanner.misc.sflagbinaries Find suid/sgid binaries in the given folder (default is /system).
scanner.misc.writablefiles Find world-writable files in the given folder
scanner.provider.finduris Search for content providers that can be queried from our context.
scanner.provider.injection Test content providers for SQL injection vulnerabilities.
scanner.provider.sqltables Find tables accessible through SQL injection vulnerabilities.
scanner.provider.traversal Test content providers for basic directory traversal vulnerabilities.
shell.exec Execute a single Linux command.
shell.send Send an ASH shell to a remote listener.
shell.start Enter into an interactive Linux shell.
tools.file.download Download a File
tools.file.md5sum Get md5 Checksum of file
tools.file.size Get size of file
tools.file.upload Upload a File
tools.setup.busybox Install Busybox.
tools.setup.minimalsu Prepare 'minimal-su' binary installation on the device.
应用相关 app.package.*
Activity相关 app.activity.*
Content Provider 相关 app.provider.*,scanner.provider
Service相关 app.service.*
Broadcast Receiver 相关 app.broadcast.*
其他模块
Android四大基本组件分别是Activity,Service服务,Content Provider内容提供者,BroadcastReceiver广播接收器
通过run app.package.info获取该package的详细信息,比如data路径、apk路径、声明的权限
app.package.attacksurface攻击面分析,分析Activity/Broadcast Receiver/Content Provider/Service的权限,即是否能被其他的的应用程序调用
通过run app.activity.info -a 路径包名 分析出可以调用的activity组件
通过run app.activity.start --component 路径包名 路径组件名 启动它,在支付之类的界面可以照成界面劫持。
通过run app.broadcast.info -a 路径包名 查看暴露的广播组件信息
通过run app.broadcast.send 利用空actoin和空extras拒绝服务
通过run app.provider.info -a 包名 查看可操作ContentProvider信息
通过run scanner.provider.finduris -a 包名 获取可以访问的uri
run scanner.provider.injection -a 包名 sql注入检查
run scanner.provider.traversal -a 包名 目录遍历
通过run app.service.info -a 包名 查询权限