Installation

https://blog.csdn.net/muier/article/details/49929863

https://www.jianshu.com/p/168cdd3daa1d

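Installation is just a matter of installing the various dependencies with pip.

Because Drozer is a Python 2 tool, everything has to be installed with pip2; when copying install commands, remember to use pip2. macOS does not ship with pip2, so Python 2 has to be installed first: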

brew install python@2

Usage

This article uses sieve.apk for the demonstration.

Entering Drozer

  1. On the phone, open the drozer agent and turn on debugging

  2. Forward the port with adb

    adb forward tcp:31415 tcp:31415

  3. Open a terminal and enter

    drozer console connect

    If the following appears, the connection succeeded:

          ..                    ..:.
    ..o.. .r..
    ..a.. . ....... . ..nd
    ro..idsnemesisand..pr
    .otectorandroidsneme.
    .,sisandprotectorandroids+.
    ..nemesisandprotectorandroidsn:.
    .emesisandprotectorandroidsnemes..
    ..isandp,..,rotectorandro,..,idsnem.
    .isisandp..rotectorandroid..snemisis.
    ,andprotectorandroidsnemisisandprotec.
    .torandroidsnemesisandprotectorandroid.
    .snemisisandprotectorandroidsnemesisan:
    .dprotectorandroidsnemesisandprotector.

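Some basic usage

  1. The command itself lists all installed packages; adding -f filters by the given name. Matching is case-insensitive and works on partial names.

    dz> run app.package.list -f sieve
    com.mwr.example.sieve

  2. View the package information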

    dz> run app.package.info -a com.mwr.example.sieve
    Package: com.mwr.example.sieve
    Application Label: Sieve
    Process Name: com.mwr.example.sieve
    Version: 1.0
    Data Directory: /data/user/0/com.mwr.example.sieve
    APK Path: /data/app/com.mwr.example.sieve-1/base.apk
    UID: 10096
    GID: [3003]
    Shared Libraries: null
    Shared User ID: null
    Uses Permissions:
    - android.permission.READ_EXTERNAL_STORAGE
    - android.permission.WRITE_EXTERNAL_STORAGE
    - android.permission.INTERNET
    Defines Permissions:
    - com.mwr.example.sieve.READ_KEYS
    - com.mwr.example.sieve.WRITE_KEYS

Attacking

Attack surface analysis

dz> run app.package.attacksurface com.mwr.example.sieve
Attack Surface:
3 activities exported
0 broadcast receivers exported
2 content providers exported
2 services exported
is debuggable

Attack surface analysis: Activities

List the Activities that can be invoked

dz> run app.activity.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
com.mwr.example.sieve.FileSelectActivity
Permission: null
com.mwr.example.sieve.MainLoginActivity
Permission: null
com.mwr.example.sieve.PWList
Permission: null
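
The same categories can be checked from the developer's side before release. The following is an added example, not part of the original post or of drozer: it audits a decoded AndroidManifest.xml for exported components, the permission guarding each one (None corresponds to "Permission: null" above) and the debuggable flag. The manifest, package name and component names are constructed for illustration, and the export rule is simplified as noted in the comments.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
KINDS = ("activity", "receiver", "provider", "service")

# Constructed manifest (hypothetical package and component names, not Sieve's real file).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.vault">
  <application android:debuggable="true">
    <activity android:name=".LoginActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".PasswordList" android:exported="true"/>
    <activity android:name=".Settings" android:exported="false"/>
    <provider android:name=".KeyProvider" android:exported="true"
              android:readPermission="com.example.vault.READ_KEYS"/>
    <service android:name=".CryptoService" android:exported="true"/>
  </application>
</manifest>"""


def is_exported(elem):
    """Explicit android:exported wins; otherwise an intent-filter implies export
    (the pre-Android 12 default; provider defaults are not modelled here)."""
    flag = elem.get(ANDROID + "exported")
    if flag is not None:
        return flag == "true"
    return elem.find("intent-filter") is not None


def audit(manifest_xml):
    """Return (debuggable, findings); findings are (kind, name, permission)
    tuples, one per exported component. permission None means unguarded."""
    app = ET.fromstring(manifest_xml).find("application")
    debuggable = app.get(ANDROID + "debuggable") == "true"
    findings = []
    for kind in KINDS:
        for elem in app.iter(kind):
            if not is_exported(elem):
                continue
            perm = (elem.get(ANDROID + "permission")
                    or elem.get(ANDROID + "readPermission")
                    or elem.get(ANDROID + "writePermission"))
            findings.append((kind, elem.get(ANDROID + "name"), perm))
    return debuggable, findings


if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST))
```

Components that must stay exported should carry a permission with an appropriate protection level; everything else should set android:exported="false", and release builds should not be debuggable.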

Start an Activity that can be invoked

drozer is quite powerful.

https://www.jianshu.com/p/168cdd3daa1d

To be filled in when I have time.

run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList