# Shizuku Privileged API
{{#include ../../banners/hacktricks-training.md}}
Shizuku is an open-source service that **spawns a privileged Java process using `app_process`** and exposes **Android system APIs over Binder**. Because the process is launched with the same **`shell` UID that ADB uses**, any app (or terminal) that connects to the exported AIDL interface can perform many actions that normally require **`WRITE_SECURE_SETTINGS`, `INSTALL_PACKAGES`, file I/O inside `/data`,** etc. **without rooting the device**.
Typical uses:
* Security auditing from a non-rooted phone
* Removing bloatware / tweaking system apps
* Collecting logs, Wi-Fi keys, process and socket information for blue team / DFIR work
* Automating device configuration from regular apps or shell scripts
---
## 1. Starting the privileged service
`moe.shizuku.privileged.api` can be started in three different ways; the resulting Binder service behaves identically in all of them.
### 1.1 Wireless ADB (Android 11+)
1. Enable **Developer Options ➜ Wireless debugging** and pair the device.
2. Inside the Shizuku app choose **“Start via Wireless debugging”** and copy the pairing code.
3. The service stays alive until the device reboots (wireless debugging sessions are cleared on boot).
### 1.2 USB / local ADB one-liner
```bash
adb push start.sh \
/storage/emulated/0/Android/data/moe.shizuku.privileged.api/
# spawn the privileged process
adb shell sh /storage/emulated/0/Android/data/moe.shizuku.privileged.api/start.sh
```
The same script can be executed over a **network ADB** connection (`adb connect <IP>:5555`).
### 1.3 Rooted devices
If the device is already rooted, run:
```bash
su -c sh /data/adb/shizuku/start.sh
```
### 1.4 Checking that it is running
```bash
adb shell dumpsys activity service moe.shizuku.privileged.api | head
```
A successful start returns `Running services (1)` together with the PID of the privileged process.
---
## 2. Integrating from an app
Third-party apps only need the following inside `AndroidManifest.xml`:
```xml
<uses-permission android:name="moe.shizuku.manager.permission.API"/>
```
At runtime they obtain the binder:
```java
IBinder binder = ShizukuProvider.getBinder();
IPackageManager pm = IPackageManager.Stub.asInterface(binder);
```
From then on, the app can call any method that the **`shell`** user is allowed to call, for example:
```java
// Uri has no public constructor; build it with Uri.parse()
pm.installPackage(Uri.parse("file:///sdcard/app.apk"), null, 0, null);
// resolver is the app's ContentResolver (getContentResolver())
Settings.Global.putInt(resolver, Settings.Global.ADB_ENABLED, 1);
```
A curated list of more than **170 Shizuku-enabled apps** is maintained at [awesome-shizuku](https://github.com/timschneeb/awesome-shizuku).
---
## 3. Rish elevated shell inside Termux
The Shizuku settings screen exposes **“Use Shizuku in terminal apps”**. Enabling it downloads *rish* (`/data/local/tmp/rish`).
```bash
pkg install wget
wget https://rikka.app/rish/latest -O rish && chmod +x rish
# start elevated shell (inherits the binder connection)
./rish
whoami # ➜ shell
id # uid=2000(shell) gid=2000(shell) groups=... context=u:r:shell:s0
```
### 3.1 Useful commands from the rish shell
* List the running processes of a given package:
```bash
ps -A | grep com.facebook.katana
```
* Enumerate listening sockets and map them to packages (e.g. **CVE-2019-6447 ES File Explorer**):
```bash
netstat -tuln
for pid in $(lsof -nP -iTCP -sTCP:LISTEN -t); do
    printf "%s -> %s\n" "$pid" "$(cat /proc/$pid/cmdline)"
done
```
* Dump every app's log:
```bash
logcat -d | grep -iE "(error|exception)"
```
* Read saved Wi-Fi credentials (Android 11+):
```bash
cat /data/misc/wifi/WifiConfigStore.xml | grep -i "<ConfigKey>"
```
* Bulk debloat (example):
```bash
pm uninstall --user 0 com.miui.weather2
```
---
## 4. Security / detection considerations
1. Shizuku requires **ADB debugging** permission, so _Developer Options → USB/Wireless debugging_ must be **enabled**.
Organizations can block this via MDM or via `settings put global development_settings_enabled 0`.
2. The service registers itself under the name `moe.shizuku.privileged.api`.
A simple `adb shell service list | grep shizuku` (or an Endpoint Security rule) reveals its presence.
3. Capabilities are limited to what the `shell` user can already do, not **root**.
Sensitive APIs that require the `system` or `root` user remain unavailable.
4. Sessions do not survive **a reboot** unless the device is rooted and Shizuku is installed as a boot daemon.
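The two detection points above (a registered `moe.shizuku.privileged.api` service and ADB debugging left enabled) can be turned into a small triage script. This is an added example, not code from the Shizuku project or the original page; the `SAMPLE_*` values are constructed captures of `adb shell service list` and `adb shell settings get global ...` so it runs offline, and the AIDL interface name shown in the sample is an assumption.

```shell
#!/bin/sh
# Added example (not part of Shizuku): triage helper for the detection
# points in section 4. On a real device the inputs would come from:
#   adb shell service list
#   adb shell settings get global adb_enabled
#   adb shell settings get global development_settings_enabled
# The values below are constructed samples (interface name assumed).

SAMPLE_SERVICE_LIST='Found 3 services:
0	activity: [android.app.IActivityManager]
1	moe.shizuku.privileged.api: [moe.shizuku.server.IShizukuService]
2	package: [android.content.pm.IPackageManager]'
SAMPLE_ADB_ENABLED=1
SAMPLE_DEV_SETTINGS=1

# Prints "present" when a service named moe.shizuku.privileged.api is
# registered in the given `service list` output, otherwise "absent".
shizuku_service_state() {
    if printf '%s\n' "$1" | grep -q '[[:space:]]moe\.shizuku\.privileged\.api:'; then
        echo present
    else
        echo absent
    fi
}

# Classifies the ADB precondition Shizuku depends on.
# $1 = adb_enabled, $2 = development_settings_enabled ("null" when unset).
# "exposed": ADB debugging on; "partial": only developer options on;
# "hardened": both off (the state an MDM policy should enforce).
debug_exposure() {
    adb="${1:-0}"; dev="${2:-0}"
    if [ "$adb" = 1 ]; then
        echo exposed
    elif [ "$dev" = 1 ]; then
        echo partial
    else
        echo hardened
    fi
}

# Combines both checks into one report line.
triage() {
    svc=$(shizuku_service_state "$1")
    exp=$(debug_exposure "$2" "$3")
    echo "shizuku=$svc adb=$exp"
}

triage "$SAMPLE_SERVICE_LIST" "$SAMPLE_ADB_ENABLED" "$SAMPLE_DEV_SETTINGS"
```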
---
## 5. Mitigation
* Disable USB/Wireless debugging on production devices.
* Monitor Binder services that expose `moe.shizuku.privileged.api`.
* Use SELinux policies (Android enterprise) to block the AIDL interface from unmanaged apps.
---
## References
- [Shizuku blog: Unlocking Advanced Android Capabilities Without Root](https://www.mobile-hacker.com/2025/07/14/shizuku-unlocking-advanced-android-capabilities-without-root/)
- [Official Shizuku documentation](https://shizuku.rikka.app/)
- [awesome-shizuku list of supported apps](https://github.com/timschneeb/awesome-shizuku)
- [rish shell (privileged reverse-adb shell)](https://github.com/RikkaApps/Shizuku/blob/master/RISH.md)
{{#include ../../banners/hacktricks-training.md}}