Much like enumerating activities and packages, drozer also provides some modules for listing all of the content providers and some information on them. The following recipe talks about how to do this using the app.provider.info module.
Let's get started enumerating content providers.
dz> run app.provider.info
Let's take a look at the code for the app.provider.info module.
The following code is available at https://github.com/mwrlabs/drozer/blob/766329cacde6dbf1ba05ca5dee36b882041f1b01/src/drozer/modules/app/provider.py.
    def execute(self, arguments):
        if arguments.package == None:
            for package in self.packageManager().getPackages(common.PackageManager.GET_PROVIDERS | common.PackageManager.GET_URI_PERMISSION_PATTERNS):
                self.__get_providers(arguments, package)
        else:
            package = self.packageManager().getPackageInfo(arguments.package, common.PackageManager.GET_PROVIDERS | common.PackageManager.GET_URI_PERMISSION_PATTERNS)
            self.__get_providers(arguments, package)

    def get_completion_suggestions(self, action, text, **kwargs):
        if action.dest == "permission":
            return ["null"] + android.permissions

    def __get_providers(self, arguments, package):
        providers = self.match_filter(package.providers, 'authority', arguments.filter)

        if arguments.permission != None:
            r_providers = self.match_filter(providers, 'readPermission', arguments.permission)
            w_providers = self.match_filter(providers, 'writePermission', arguments.permission)
The first notable part of the code is where the script makes a call to the package manager. Here's what it looks like:
self.packageManager().getPackages(common.PackageManager.GET_PROVIDERS | common.PackageManager.GET_URI_PERMISSION_PATTERNS)
The script grabs a list of packages by making a call to the Android package manager and passes it flags that make sure it gets the providers back with their grant URI permission patterns. Next we see that once the details about the content providers have been collected by the package manager, the script makes a call to a function called __get_providers(), which extracts information about the read and write permissions of the provider, if any. Using some simple string matching via the match_filter() call, the __get_providers() function basically looks for some string value in the section that defines the content provider's permissions. This string value is marked by either readPermission for the permissions required to read from the content provider or writePermission, which, surprisingly enough, is required to write to the content provider. After this, it resets the provider object before printing it out to the console.
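A defender-side counterpart to the permission matching described above, as an added example (not drozer's code and not part of the original recipe): it reads the same attributes from a decoded AndroidManifest.xml and reports exported providers that lack a read or write permission. The manifest, package name and function names are constructed for illustration; exact-match filtering and treating "null" as "no permission set" are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application>
    <provider android:authorities="com.example.notes.provider" android:exported="true"/>
    <provider android:authorities="com.example.notes.keys" android:exported="true"
        android:readPermission="com.example.notes.READ_KEYS"/>
    <provider android:authorities="com.example.notes.sync" android:exported="true"
        android:permission="com.example.notes.SYNC"/>
    <provider android:authorities="com.example.notes.cache" android:exported="false"/>
  </application>
</manifest>"""


def list_providers(manifest_xml):
    """Return one dict per <provider>, with effective read/write permissions."""
    providers = []
    for node in ET.fromstring(manifest_xml).iter("provider"):
        both = node.get(ANDROID + "permission")  # covers read and write if set
        providers.append({
            "authority": node.get(ANDROID + "authorities"),
            # Assumption: a missing android:exported means "false" (API 17+ default).
            "exported": node.get(ANDROID + "exported", "false") == "true",
            "readPermission": node.get(ANDROID + "readPermission", both),
            "writePermission": node.get(ANDROID + "writePermission", both),
        })
    return providers


def filter_by_permission(providers, permission):
    """Keep providers whose read or write permission matches; "null" means unset."""
    wanted = None if permission == "null" else permission
    return [p for p in providers if wanted in (p["readPermission"], p["writePermission"])]


def unprotected_exports(providers):
    """Authorities of exported providers with no read or no write permission."""
    return [p["authority"] for p in providers
            if p["exported"] and None in (p["readPermission"], p["writePermission"])]


if __name__ == "__main__":
    for authority in unprotected_exports(list_providers(SAMPLE_MANIFEST)):
        print("exported without full permission coverage:", authority)
```

The keys provider is reported even though it declares a readPermission, because nothing guards writes to it.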
Much like the other .info modules in drozer, you can add filter information in the following ways:
dz> run app.provider.info -a [package name]
Or:
dz> run app.provider.info --package [package name]
dz> run app.provider.info -p [Permission label]
Or:
dz> run app.provider.info --permission [permission label]