list 显示模块名和作用
list 部分名称 可以搜索
显示帮助和示例: -h –help
APP模块
模块名 作用
app.activity.forintent 通过intent查找它的activity
app.activity.info 获取activities信息
app.activity.start 开启 Activity
app.broadcast.info 获取broadcast receivers信息
app.broadcast.send 发送广播
app.broadcast.sniff 嗅探广播中intent的数据
app.package.attacksurface 确定安装包的可攻击面
app.package.backup 列出可备份的包
app.package.debuggable 列出可debug的包
app.package.info 获取已安装包的信息
app.package.launchintent 获取程序启动的activity信息
app.package.list 手机已安装的程序包
app.package.manifest 获取程序manifest文件信息
app.package.native 列出Native libraries 信息
app.package.shareduid 查找拥有共同uid的包和他们所有的权限
app.provider.columns 展示content provider URI的各列
app.provider.delete 删除content provider URI的内容
app.provider.download 使用openInputStream读取指定uri的内容,并下载在电脑中
app.provider.info 获取 content providers信息
app.provider.insert 插入数据到content provider
app.provider.query 查询content provider 内容
app.provider.read 使用openInputStream读取指定uri的内容
app.provider.update 更新content provider的内容
app.service.info 获取services的信息
app.service.send 使用 Message攻击暴露的service,其service实现了handleMessage
app.service.start 开启服务
app.service.stop 停止服务
app.package.list
usage: run app.package.list [-h] [-d DEFINES_PERMISSION] [-f FILTER] [-g GID][-p PERMISSION] [-u UID] [-n]
列出所有手机安装的包
Examples:
查找带有browser的包:
dz> run app.package.list -f browser
com.android.browser
1
2
3
最后修改日期: 2012-11-06
作者: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
参数名 作用
-d DEFINES_PERMISSION, –defines-permission 通过自定义permission 查询 ,
-f FILTER, –filter FILTER 通过关键词查询
-g GID, –gid GID 通过GID查询
-p PERMISSION, –permission PERMISSION uses-permission过滤查询,
-u UID, –uid UID 通过UID查询
-n, –no_app_name 不输出应用名
app.activity.start
usage: run app.activity.start [-h] [–action ACTION] [–category CATEGORY [CATEGORY …]] [–component PACKAGE COMPONENT] [–data-uri DATA_URI][–extra TYPE KEY VALUE] [–flags FLAGS [FLAGS …]] [–mimetype MIMETYPE]
通过特制的Intent启动activity。
Examples:
显式 intent开启浏览器:
dz> run app.activity.start
–component com.android.browser
com.android.browser.BrowserActivity
–flags ACTIVITY_NEW_TASK
1
2
3
4
如果不设置flags,默认值为ACTIVITY_NEW_TASK . 取消默认值的方法如下:
dz> run app.activity.start
–component com.android.browser com.android.browser.BrowserActivity
–flags 0x0
1
2
3
隐式 intent开启浏览器 :
dz> run app.activity.start
–action android.intent.action.VIEW
–data-uri http://www.google.com
–flags ACTIVITY_NEW_TASK
1
2
3
4
更多关于intents的帮助使用命令’help intents’.
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
参数名 作用
–action ACTION 指定action
–category CATEGORY [CATEGORY …] 指定category
–data-uri DATA_URI 指定uri
–extra TYPE KEY VALUE 指定附加的数据
–flags FLAGS [FLAGS …] 指定一个或者多个flags
–mimetype MIMETYPE 指定文件类型
–component PACKAGE COMPONENT 指定componnent
对于显式Intent,Android不需要去做解析,因为目标组件已经很明确,Android需要解析的是那些隐式Intent,通过解析,将Intent映射给可以处理此Intent的Activity、IntentReceiver或Service。
Intent解析机制主要是通过查找已注册在AndroidManifest.xml中的所有IntentFilter及其中定义的Intent,最终找到匹配的Intent。在这个解析过程中,Android是通过Intent的action、type、category这三个属性来进行判断的,判断方法如下:
如果Intent指明定了action,则目标组件的IntentFilter的action列表中就必须包含有这个action,否则不能匹配;
如果Intent没有提供type,系统将从data中得到数据类型。和action一样,目标组件的数据类型列表中必须包含Intent的数据类型,否则不能匹配。
如果Intent中的数据不是content:
类型的URI,而且Intent也没有明确指定它的type,将根据Intent中数据的scheme (比如 http: 或者mailto:)
进行匹配。同上,Intent 的scheme必须出现在目标组件的scheme列表中。
如果Intent指定了一个或多个category,这些类别必须全部出现在组建的类别列表中。比如Intent中包含了两个类别:LAUNCHER_CATEGORY
和 ALTERNATIVE_CATEGORY,解析得到的目标组件必须至少包含这两个类别。
如果 component这个属性有指定的话,将直接使用它指定的组件,而不再执行上述查找过程。
app.activity.info
usage: run app.activity.info [-h] [-a PACKAGE] [-f FILTER] [-i] [-u] [-v]
Gets information about exported activities.
Examples:
List activities exported by the Browser:
dz> run app.activity.info –package com.android.browser
Package: com.android.browser
com.android.browser.BrowserActivity
com.android.browser.ShortcutActivity
com.android.browser.BrowserPreferencesPage
com.android.browser.BookmarkSearch
com.android.browser.AddBookmarkPage
com.android.browser.widget.BookmarkWidgetConfigure
1
2
3
4
5
6
7
8
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
参数名 作用
-a PACKAGE, –package PACKAGE 指定包名
-f FILTER, –filter FILTER 指定activity的名称
-i, –show-intent-filters 显示activity的intent-filters
-u, –unexported 包括exported:false的activity
-v, –verbose 显示详细信息
app.package.info
usage: run app.package.info [-h] [-a PACKAGE] [-d DEFINES_PERMISSION] [-f FILTER] [-g GID] [-p PERMISSION] [-u UID] [-i]
List all installed packages on the device with optional filters. Specify optional keywords to search for in the package information, or granted permissions.
Examples:
Finding all packages with the keyword “browser” in their name:
dz> run app.package.info -f browser
Package: com.android.browser
Process name: com.android.browser
Version: 4.1.1
Data Directory: /data/data/com.android.browser
APK path: /system/app/Browser.apk
UID: 10014
GID: [3003, 1015, 1028]
Shared libraries: null
Permissions:
– android.permission.ACCESS_COARSE_LOCATION
– android.permission.ACCESS_DOWNLOAD_MANAGER
– android.permission.ACCESS_FINE_LOCATION
…
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Finding all packages with the “INSTALL_PACKAGES” permission:
dz> run app.package.info -p INSTALL_PACKAGES
Package: com.android.packageinstaller
Process Name: com.android.packageinstaller
Version: 4.1.1-403059
Data Directory: /data/data/com.android.packageinstaller
APK Path: /system/app/PackageInstaller.apk
UID: 10003
GID: [1028]
Shared Libraries: null
Shared User ID: null
Permissions:
– android.permission.INSTALL_PACKAGES
– android.permission.DELETE_PACKAGES
– android.permission.CLEAR_APP_CACHE
– android.permission.READ_PHONE_STATE
– android.permission.CLEAR_APP_USER_DATA
– android.permission.READ_EXTERNAL_STORAGE
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
参数名 作用
-a PACKAGE, –package PACKAGE 指定包名
-d DEFINES_PERMISSION, –defines-permission DEFINES_PERMISSION 通过自定义的权限过滤
-f FILTER, –filter FILTER 通过关键词查询
-g GID, –gid GID 指定GID
-p PERMISSION, –permission PERMISSION 通过权限过滤
-u UID, –uid UID 指定UID
-i, –show-intent-filters 显示intent-filters
app.broadcast.info
usage: run app.broadcast.info [-h] [-a PACKAGE] [-f FILTER] [-p PERMISSION] [-i] [-u] [-v]
获取broadcast receivers信息
Examples:
Get receivers exported by the platform:
dz> run app.broadcast.info -a android
Package: android
com.android.server.BootReceiver
Permission: null
com.android.server.updates.CertPinInstallReceiver
Permission: null
com.android.server.updates.IntentFirewallInstallReceiver
Permission: null
com.android.server.updates.SmsShortCodesInstallReceiver
Permission: null
com.android.server.updates.CarrierProvisioningUrlsInstallReceiver
Permission: null
com.android.server.updates.TZInfoInstallReceiver
Permission: null
com.android.server.updates.SELinuxPolicyInstallReceiver
Permission: null
com.android.server.MasterClearReceiver
Permission: android.permission.MASTER_CLEAR
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs), Luander (luander.r@samsung.com)
License: BSD (3 clause)
optional arguments:
参数名 作用
-a PACKAGE, –package PACKAGE 指定包名
-f FILTER, –filter FILTER 通过关键词查询
-p PERMISSION, –permission PERMISSION 通过权限过滤
-i, –show-intent-filters 显示intent-filters
-u, –unexported 包括exported:false的receivers
-v, –verbose 显示详细信息
app.service.info
usage: run app.service.info [-h] [-a PACKAGE] [-f ] [-i] [-p ] [-u] [-v]
获取services信息.
Examples:
List services exported by the Browser:
dz> run app.service.info –package com.android.browser
Package: com.android.browser
No exported services.
1
2
3
List exported services with no permissions required to interact with it:
dz> run app.service.info -p null
Package: com.android.email
com.android.email.service.EmailBroadcastProcessorService
Permission: null
com.android.email.Controller$ControllerService
Permission: null
com.android.email.service.PopImapAuthenticatorService
Permission: null
com.android.email.service.PopImapSyncAdapterService
Permission: null
com.android.email.service.EasAuthenticatorService
Permission: null
1
2
3
4
5
6
7
8
9
10
11
12
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
参数名 作用
-a PACKAGE, –package PACKAGE 指定包名
-f FILTER, –filter FILTER 通过关键词查询
-p PERMISSION, –permission PERMISSION 通过权限过滤
-i, –show-intent-filters 显示intent-filters
-u, –unexported 包括exported:false的service
-v, –verbose 显示详细信息
app.provider.info
usage: run app.provider.info [-h] [-a PACKAGE] [-f FILTER] [-p PERMISSION] [-u] [-v]
获取 content providers信息
Examples:
Find content provider with the keyword “settings” in them:
dz> run app.provider.info -f settings
Package name: com.google.android.gsf
Authority: com.google.settings
Required Permission – Read: null
Required Permission – Write: com.google.android.providers.settings.permission.WRITE_GSETTINGS
Grant Uri Permissions: false
Multiprocess allowed: false
Package name: com.android.providers.settings
Authority: settings
Required Permission – Read: null
Required Permission – Write: android.permission.WRITE_SETTINGS
Grant Uri Permissions: false
Multiprocess allowed: false
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Finding content providers that do not require permissions to read/write:
dz> run app.provider.info -p null
Package name: com.google.android.gsf
Authority: com.google.settings
Required Permission – Read: null
Required Permission – Write: com.google.android.providers.settings.permission.WRITE_GSETTINGS
Grant Uri Permissions: false
Multiprocess allowed: false
…
1
2
3
4
5
6
7
8
9
10
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
参数名 作用
-a PACKAGE, –package PACKAGE 指定包名
-f FILTER, –filter FILTER 通过关键词查询
-p PERMISSION, –permission PERMISSION 通过权限过滤
-u, –unexported 包括exported:false的provider
-v, –verbose 显示详细信息
app.activity.forintent
usage: run app.activity.forintent [-h] [–action ACTION] [–category CATEGORY [CATEGORY …]] [–component PACKAGE COMPONENT] [–data-uri DATA_URI] [–extra TYPE KEY VALUE] [–flags FLAGS [FLAGS …]] [–mimetype MIMETYPE]
通过intent查找它的activity
Examples:
Find activities that can handle web addresses:
dz> run app.activity.forintent
–action android.intent.action.VIEW
–data http://www.google.com
Package name: com.android.browser
Target activity: com.android.browser.BrowserActivity
1
2
3
4
5
6
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
参数名 作用
–action ACTION 指定action
–category CATEGORY [CATEGORY …] 指定category
–data-uri DATA_URI 指定uri
–extra TYPE KEY VALUE 指定附加的数据
–flags FLAGS [FLAGS …] 指定一个或者多个flags
–mimetype MIMETYPE 指定文件类型
–component PACKAGE COMPONENT 指定componnent
app.broadcast.send
usage: run app.broadcast.send [-h] [–action ACTION] [–category CATEGORY [CATEGORY …]] [–component PACKAGE COMPONENT] [–data-uri DATA_URI] [–extra TYPE KEY VALUE] [–flags FLAGS [FLAGS …]] [–mimetype MIMETYPE]
Examples:
Attempt to send the BOOT_COMPLETED broadcast message:
dz> run app.broadcast.send
–action android.intent.action.BOOT_COMPLETED
java.lang.SecurityException: Permission Denial: not allowed to send broadcast android.intent.action.BOOT_COMPLETED
1
2
3
from pid=955, uid=10044
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
参数名 作用
–action ACTION 指定action
–category CATEGORY [CATEGORY …] 指定category
–data-uri DATA_URI 指定uri
–extra TYPE KEY VALUE 指定附加的数据
–flags FLAGS [FLAGS …] 指定一个或者多个flags
–mimetype MIMETYPE 指定文件类型
–component PACKAGE COMPONENT 指定componnent
app.broadcast.sniff
usage: run app.broadcast.sniff [-h] [–action ACTION] [–category CATEGORY [CATEGORY …]] [–data-authority HOST PORT] [–data-path PATH TYPE] [–data-scheme DATA_SCHEME [DATA_SCHEME …]] [–data-type DATA_TYPE [DATA_TYPE …]]
Register a broadcast receiver that can sniff particular intents
获取电量信息
Examples:
dz> run app.broadcast.sniff –action android.intent.action.BATTERY_CHANGED
[*] Broadcast receiver registered to sniff matching intents
[*] Output is updated once a second. Press Control+C to exit.
Action: android.intent.action.BATTERY_CHANGED
Raw: Intent { act=android.intent.action.BATTERY_CHANGED flg=0x60000010 (has extras) }
Extra: technology=Li-ion (java.lang.String)
Extra: icon-small=17303411 (java.lang.Integer)
Extra: health=2 (java.lang.Integer)
Extra: online=4 (java.lang.Integer)
Extra: status=2 (java.lang.Integer)
Extra: plugged=2 (java.lang.Integer)
Extra: present=true (java.lang.Boolean)
Extra: level=80 (java.lang.Integer)
Extra: scale=100 (java.lang.Integer)
Extra: temperature=280 (java.lang.Integer)
Extra: current_avg=460 (java.lang.Integer)
Extra: voltage=4151 (java.lang.Integer)
Extra: charge_type=1 (java.lang.Integer)
Extra: invalid_charger=0 (java.lang.Integer)
Last Modified: 2014-06-27
Credit: Tyrone (@mwrlabs)
License: BSD (3 clause)
optional arguments:
参数名 作用
–action ACTION 指定action
–category CATEGORY [CATEGORY …] 指定category
–data-authority HOST PORT 指定data中的host:port
–data-path PATH TYPE 指定data中的path
–data-scheme DATA_SCHEME [DATA_SCHEME …] 指定data中的scheme
–data-type DATA_TYPE [DATA_TYPE …] 指定data中的数据类型
scheme, host, port, path, pathPrefix, pathPattern 是用来匹配 Intent 中的 Data Uri 的。具体规则如下:
scheme://host:port/path or pathPrefix or pathPattern
详细可以参考下面链接:
app.package.attacksurface
usage: run app.package.attacksurface [-h] package
确定安装包的可攻击面
Examples:
Finding the attack surface of the built-in browser
dz> run app.package.attacksurface com.android.browser
6 activities exported
4 broadcast receivers exported
1 content providers exported
0 services exported
1
2
3
4
5
6
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
package the identifier of the package to inspect
optional arguments:
-h, –help
app.package.backup
usage: run app.package.backup [-h] [-f FILTER] [-k]
列出可备份的包
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
参数名 作用
-f FILTER, –filter FILTER 指定包名
-k, –api-keys 只展示有api keys的包
app.package.debuggable
usage: run app.package.debuggable [-h] [-f FILTER] [-v]
列出可debug的包
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
参数名 作用
-f FILTER, –filter FILTER 指定包名
-v, –verbose 附加不可debug的包信息
app.package.launchintent
usage: run app.package.launchintent [-h] [-r] package
获取程序启动的activity信息
Examples:
Finding the launch intent of the Android browser package:
dz> run app.package.launchintent com.android.browser
Intent:
Action: android.intent.action.MAIN
Component: {com.android.browser/com.android.browser.BrowserActivity}
Data: null
Categories:
android.intent.category.LAUNCHER
Flags: [ACTIVITY_NEW_TASK]
Mime Type: null
Extras: null
1
2
3
4
5
6
7
8
9
10
11
Last Modified: 2013-03-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
package the identifier of the package to inspect
optional arguments:
参数名 作用
-r, –raw 相当于intent.toString()
app.package.manifest
usage: run app.package.manifest [-h] package
获取程序manifest文件信息,和apktool反编译出来的对比,drozer的还能查看versionCode、versionName、minSdkVersion、targerSdkversion。
Examples:
Getting the manifest for drozer
dz> run app.package.manifest com.mwr.dz
<manifest versionCode=”2″ versionName=”1.1″ package=”com.mwr.dz”>
<uses-sdk minSdkVersion=”8″ targetSdkVersion=”4″>
</uses-sdk>
<uses-permission name=”android.permission.INTERNET”>
</uses-permission>
…
</manifest>
1
2
3
4
5
6
7
8
9
10
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
package the identifier of the package
optional arguments:
-h, –help
app.package.native
usage: run app.package.native [-h] package
列出Native libraries 信息
Last Modified: 2013-03-23
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
package the identifier of the package
optional arguments:
-h, –help
app.package.shareduid
usage: run app.package.shareduid [-h] [-u UID]
查找拥有共同uid的包和他们所有的权限。
Examples:
Finding packages that share the UID 10011
dz> run app.package.shareduid -u 10011
UID: 10011 (com.motorola.blur.uid.provider_authenticator:10011)
Package Name: com.motorola.blur.provider.photobucket
Package Name: com.motorola.blur.provider.picasa
Package Name: com.motorola.blur.provider.yahoo
Package Name: com.motorola.blur.provider.twitter
Package Name: com.motorola.blur.provider.fixedemail
Package Name: com.motorola.blur.provider.motorola.app
Package Name: com.motorola.blur.provider.orkut
Package Name: com.motorola.blur.provider.email
Package Name: com.motorola.blur.provider.facebook
Package Name: com.motorola.blur.provider.lastfm
Package Name: com.motorola.blur.provider.linkedin
Package Name: com.motorola.blur.provider.youtube
Package Name: com.motorola.blur.provider.skyrock
Package Name: com.motorola.blur.provider.activesync
Package Name: com.motorola.blur.provider.flickr
Accumulated permissions: com.motorola.blur.setupprovider.Permissions.ACCESS_ACCOUNTS; …
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
参数名 作用
-u UID, –uid UID 指定uid
app.provider.columns
usage: run app.provider.columns [-h] uri
展示content provider URI的各列名
Examples:
List the columns of content://settings/secure
dz> run app.provider.columns content://settings/secure
| _id | name | value |
1
2
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
uri the content provider uri to query
optional arguments:
-h, –help
app.provider.delete
usage: run app.provider.delete [-h] [–selection conditions] [–selection-args [arg [arg …]]] uri
删除content provider URI的内容
Examples:
Delete from content://settings/secure, with name condition:
dz> run app.provider.delete content://settings/secure
–selection “name=?”
–selection-args my_setting
1
2
3
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
uri the content provider uri to query
optional arguments:
参数名 作用
–selection conditions 指定列名
–selection-args
[arg [arg …]
] 指定值
app.provider.download
usage: run app.provider.download [-h] uri destination
使用openInputStream读取指定uri的内容,并下载在电脑中
使用前提:provider实现了openFile
如果在window下,目的地址’/’为drozer安装目录所在的磁盘,比如drozer安装在D盘
目的地址为/data.db ,文件就在D:\data.db
Examples:
Download, using directory traversal on a content provider:
dz> run app.provider.download content://vulnerable.provider/../../../system/etc/hosts /tmp/hostsfile
Written 25 bytes
1
2
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
uri the content provider URI to read a file through
destination path to save the downloaded file to
optional arguments:
-h, –help
app.provider.insert
usage: **run app.provider.insert [-h] [–boolean column data] [–double column data]
[–float column data] [–integer column data]
[–long column data] [–short column data]
[–string column data] uri**
插入数据到content provider.
Examples:
Insert into a vulnerable content provider:
dz> run app.provider.insert content://com.vulnerable.im/messages
–string date 1331763850325
–string type 0
–integer _id 7
1
2
3
4
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
uri the content provider uri to insert into
optional arguments:
–boolean 【column】 【data】
–double 【column】【 data】
–float 【column】【 data】
–integer 【column】【 data】
–long 【column】【 data】
–short 【column】【 data】
–string 【column】【 data】
app.provider.finduri
usage: run app.provider.finduri [-h] package
查找Content URIs
This module uses a number of strategies to identify a content URI, including inspecting the authorities, path
permissions and searching for strings inside the package.
Examples:
Find content provider URIs in the Browser:
dz> run app.provider.finduri com.android.browser
Scanning com.android.browser…
content://com.android.browser.home/res/raw/
content://browser/search_suggest_query
content://browser/
content://com.android.browser.snapshots/
content://com.android.browser/bookmarks/search_suggest_query
content://com.android.browser/
content://com.google.settings/partner
content://com.android.browser.snapshots
content://com.google.android.partnersetup.rlzappprovider/
content://com.android.browser.home/
content://browser/bookmarks/search_suggest_query
1
2
3
4
5
6
7
8
9
10
11
12
13
Last Modified: 2012-13-18
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
package the package to search for content provider uris
optional arguments:
-h, –help
app.provider.query
usage: run app.provider.query [-h] [–projection [columns [columns …]]] [–selection conditions] [–selection-args [arg [arg …]]] [–order by_column] [–vertical] uri
查询content provider 内容
Examples:
Querying the settings content provider:
dz> run app.provider.query content://settings/secure
| _id | name | value |
| 5 | assisted_gps_enabled | 1 |
| 9 | wifi_networks_available_notification_on | 1 |
| 10 | sys_storage_full_threshold_bytes | 2097152 |
| … | … | … |
1
2
3
4
5
6
7
Querying, with a WHERE clause in the SELECT statement:
dz> run app.provider.query content://settings/secure
–selection “_id=?”
–selection-args 10
| _id | name | value |
| 10 | sys_storage_full_threshold_bytes | 2097152 |
1
2
3
4
5
6
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
uri the content provider uri to query
optional arguments:
参数名 作用
–projection
[columns [columns …]
] 选择查询哪些列,如:–projection _id,name
–selection conditions 指定列名
–selection-args
[arg [arg …]
] 指定列名的值
–order by_column 通过哪一列排序
–vertical 垂直显示
app.provider.read
usage: run app.provider.read [-h] uri
使用openInputStream读取指定uri的内容
使用前提:provider实现了openFile
Examples:
Attempt directory traversal on a content provider:
dz> run app.provider.read content://settings/secure/../../../system/etc/hosts
java.io.FileNotFoundException: No files supported by provider at content://settings/secure/../../../system/etc/hosts
1
2
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
uri the content provider URI to read a file through
optional arguments:
-h, –help
app.provider.update
usage: run app.provider.update [-h] [–selection conditions] [–selection-args [arg [arg …]]] [–boolean column data] [–double column data] [–float column data] [–integer column data] [–long column data] [–short column data] [–string column data] uri
更新content provider的内容
Examples:
Updating, the assisted_gps_enabled setting:
dz> run app.provider.update content://settings/secure
–selection “name=?”
–selection-args assisted_gps_enabled
–integer value 0
Done.
1
2
3
4
5
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
uri the content provider uri to update in
optional arguments:
参数名 作用
–selection conditions 指定列名
–selection-args
[arg [arg …]
] 指定列名的值
–boolean column data 列名+值
–double column data 列名+值
–float column data 列名+值
–integer column data 列名+值
–long column data 列名+值
–short column data 列名+值
–string column data 列名+值
app.service.start
usage: run app.service.start [-h] [–action ACTION] [–category CATEGORY [CATEGORY …]] [–component PACKAGE COMPONENT] [–data-uri DATA_URI] [–extra TYPE KEY VALUE] [–flags FLAGS [FLAGS …]] [–mimetype MIMETYPE]
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
参数名 作用
–action ACTION 指定action
–category CATEGORY [CATEGORY …] 指定category
–data-uri DATA_URI 指定uri
–extra TYPE KEY VALUE 指定附加的数据
–flags FLAGS [FLAGS …] 指定一个或者多个flags
–mimetype MIMETYPE 指定文件类型
–component PACKAGE COMPONENT 指定componnent
app.service.stop
usage: run app.service.stop [-h] [–action ACTION] [–category CATEGORY [CATEGORY …]] [–component PACKAGE COMPONENT] [–data-uri DATA_URI] [–extra TYPE KEY VALUE] [–flags FLAGS [FLAGS …]] [–mimetype MIMETYPE]
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
optional arguments:
参数名 作用
–action ACTION 指定action
–category CATEGORY [CATEGORY …] 指定category
–data-uri DATA_URI 指定uri
–extra TYPE KEY VALUE 指定附加的数据
–flags FLAGS [FLAGS …] 指定一个或者多个flags
–mimetype MIMETYPE 指定文件类型
–component PACKAGE COMPONENT 指定componnent
app.service.send
usage: run app.service.send [-h] [–msg what arg1 arg2] [–extra type key value] [–no-response] [–timeout TIMEOUT] [–bundle-as-obj] package component
使用 Message攻击暴露的service,其service实现了handleMessage。
NB: by default, this module will wait 20 seconds for a reply.
Examples:
Deliver a Message to a dummy application, that simply returns the message:
dz> run app.service.send com.example.srv com.example.srv.Service –msg 1 2 3 –extra float value 0.1324 –extra
1
string test value
Got a reply from com.example.srv/com.example.srv.Service:
what: 1
arg1: 2
arg2: 3
Data:
value (float) : 0.1324
test (string) : value
Last Modified: 2013-05-20
Credit: MWR InfoSecurity (@mwrlabs)
License: BSD (3 clause)
positional arguments:
package the package containing the target service
component the fully-qualified service name to bind to
optional arguments:
参数名 作用
–msg what arg1 arg2 指定message obtain获取的值,what、arg1、arg2
–extra type key value 指定bundle的数据
–no-response 丢弃回复
–timeout TIMEOUT 设置等待回复的超时时间
–bundle-as-obj 设置obj的值
———————
作者:_Gintoki
来源:CSDN
原文:https://blog.csdn.net/cch139745/article/details/53519900
版权声明:本文为博主原创文章,转载请附上博文链接!