示例#1
    def app_package_attacksurface(self):
        """Record the app's attack-surface findings in the report.

        Runs drozer's ``app.package.attacksurface`` module against
        ``self.apk`` and walks the returned output line by line. Each
        exported-component count greater than zero is written to its
        report item, and a line containing ``is debuggable`` sets item
        ``0_0``. Nothing is returned.
        """
        # (marker searched for in the drozer output, report item key), kept
        # in the order the checks must run for every line.
        exported_checks = (
            ('activities exported', '0_1'),
            ('broadcast receivers exported', '0_2'),
            ('content providers exported', '0_4'),
            ('services exported', '0_3'),
        )

        # NOTE(review): self.apk is concatenated into the command line as-is.
        # If self.drozer() goes through a shell, confirm the package name is
        # validated before it gets here.
        for line in self.drozer("run app.package.attacksurface " + self.apk):
            for marker, item_key in exported_checks:
                # Presumably the third argument makes get_val return the text
                # in front of the marker (the count) - confirm in ass_base.
                count = ass_base.get_val(line, marker, False)
                # Exported components are reachable from other apps on the
                # device, so only non-zero counts are reported.
                if count != '' and int(count) > 0:
                    self.report.setItem(item_key, count + ' ' + marker)

            # A debuggable build lets a debugger attach to the app process.
            if 'is debuggable' in line:
                self.report.setItem('0_0', 'android:debuggable=True')
示例#2
    def run(self):
        """Dump a few memory regions of the running target app into the report.

        Steps, in order: restart adb, parse the package name from
        ``self.get_package_info()``, install an ``su`` binary on the device,
        wait for the operator, look up the app's pid and memory map, dump up
        to five mapped regions through the ``xv.operatemem`` drozer module,
        pull the dumps to the host and store their content in report items
        ``1_19`` and ``2_11``.

        Returns 2 when no package name could be parsed. On the normal path
        the function falls off the end and returns None.
        """

        self.adb("kill-server")
        # Get the APK package name
        self.report.progress("获取包名")
        apk = ''
        ret = self.get_package_info()
        lines = ret.splitlines()
        if len(lines)>0:
            # Two-step extraction from the first output line: take what
            # follows "package: name='", then cut at "' version".
            # NOTE(review): exact get_val semantics are not visible here - confirm.
            apk = ass_base.get_val(lines[0], "package: name='")
            apk = ass_base.get_val(apk, "' version", False)
        print "apk:"+apk
        #nam = input('waiting...')
        if apk == '':
            print(self.i18n('无法获取包名'))
            return 2

        # Obtain root on the Android device
        # NOTE(review): mode 6777 is setuid + setgid + rwx for everyone, so the
        # pushed su ends up world-writable, which is broader than su needs.
        # Nothing in this function removes it afterwards; confirm this only
        # runs against a disposable analysis device or emulator.
        self.adb('remount')
        self.adb('push '+ ass_config.pinggu_dir+'/tool/su /system/xbin')
        self.adb('shell chmod 6777 /system/xbin/su')
        # Blocks until the operator presses Enter; the value is never read.
        name = raw_input()

        # pid is concatenated into strings below, so getpid_by_appname must
        # return a str. NOTE(review): an empty pid (app not running) is not
        # checked before it is used in the commands - confirm intended.
        pid = self.getpid_by_appname(apk)

        # Original comment: "set up emulator detection". The code below reads
        # the process memory map and dumps mapped regions.
        maps_str = self.get_maps(pid)
        self.report.setItem('0_10', "app pid "+pid+ "; App package name "+apk+' ;maps '+ maps_str)
        maps_addrs = self.get_maps_addrs(maps_str)
        i = 0       # number of regions dumped so far; also the dump file name
        j = 9902    # passed as -stt, incremented per region; meaning not visible here
        self.adb('shell mkdir /data/data/maps')
        print 'mkdir '+ass_config.pinggu_dir+'/maps'
        # NOTE(review): host-side mkdir through a command string built from
        # pinggu_dir; if do_cmd uses a shell, paths with spaces or shell
        # metacharacters would break it.
        self.do_cmd('mkdir '+ass_config.pinggu_dir+'/maps')
        #nam = input('waiting...')
        sstr = ''
        for addr in maps_addrs:
            # Only the first five regions are dumped.
            if i>=5:
                break
            i+=1
            j+=1
            # addr[0] / addr[1] are used as the region's start and end
            # (presumably hex strings without the 0x prefix - confirm).
            start_addr = '0x'+addr[0]
            #end_addr = '0x'+str(hex(start_addr)+180)
            end_addr = '0x'+addr[1]
            print start_addr
            print end_addr
            lines = self.drozer('run xv.operatemem -stt '+str(j)+' -sp '+pid+' --dump '+start_addr+' '+end_addr+' /data/data/maps/'+str(i)+'.txt')
            # NOTE(review): if self.drozer() returns a list of lines, this
            # tests for an element equal to 'DUMP_FAIL', not for a line that
            # contains it - confirm the return type.
            if('DUMP_FAIL' not in lines):
                #nam = input('waiting...')
                self.adb('pull /data/data/maps/'+str(i)+'.txt'+'  '+ass_config.pinggu_dir+'/maps')
                sstr += self.readfileby16(ass_config.pinggu_dir+'/maps/'+str(i)+'.txt',200)
        # The device-side dumps are removed here. The copies pulled into
        # pinggu_dir/maps on the host are not cleaned up in this function and
        # may hold sensitive process memory.
        self.adb('shell rm -r /data/data/maps')
        print sstr
        #nam = input('waiting...')
        # The same dump text is stored under two report items.
        self.report.setItem('1_19', sstr)
        self.report.setItem('2_11', sstr)
        #nam = input('waiting...')
        pass
示例#3
    def scanner_provider_finduris(self):
        """Collect content-provider URIs reported by drozer for ``self.apk``.

        Runs ``scanner.provider.finduris`` and splits its output into two
        lists: every distinct URI the scanner tried to query, and the lines
        printed after the ``Accessible content URIs:`` heading. The second
        list is also written to report item ``2-4``.

        Returns:
            A tuple ``(all_uris, access_uris)``.
        """
        queried_uris = []
        accessible_uris = []
        in_accessible_section = False

        # NOTE(review): self.apk is concatenated into the command line as-is.
        # Confirm the package name is validated if self.drozer() uses a shell.
        for line in self.drozer("run scanner.provider.finduris -a " + self.apk):
            uri = ass_base.get_val(line, "to Query ")
            if uri != '':
                # Keep the first occurrence only.
                if uri not in queried_uris:
                    queried_uris.append(uri)
                continue

            if "Accessible content URIs:" in line:
                in_accessible_section = True
            elif in_accessible_section:
                # Everything after the heading is treated as an accessible URI.
                self.addArr(accessible_uris, line.strip())

        # NOTE(review): this key uses a hyphen ('2-4'); if the report's other
        # item keys use underscores, confirm this one is not a typo.
        self.report.setItem('2-4', self.arrayToString(accessible_uris))
        # Disabled in the original: a report.addArrItem(access_uris, ...) call
        # whose message said the app's resources are exposed to unauthorised
        # access, so that third-party apps, tools or services can read them
        # through the exposed resource locations.

        return queried_uris, accessible_uris
示例#4
 def app_activity_start(self, activity):
     """Start ``activity`` of ``self.apk`` through drozer and return a flag.

     Returns False as soon as one output line yields an empty
     ``get_val(line, "Unable")`` result; returns True when every line yields
     a non-empty result or when drozer produced no output at all.
     """
     # NOTE(review): self.apk and activity are concatenated into the command
     # line as-is. Confirm both are validated if self.drozer() uses a shell.
     output = self.drozer("run app.activity.start --component " + self.apk +
                          " " + activity)
     # NOTE(review): if get_val returns '' when the marker is absent, a clean
     # start (no "Unable ..." line) yields False, which reads as inverted for
     # a "started" flag - confirm against ass_base.get_val and the callers.
     return all(ass_base.get_val(line, "Unable") != '' for line in output)
示例#5
    def app_provider_info(self):
        """Return the content providers drozer lists for ``self.apk``.

        Runs ``app.provider.info`` and passes the ``Content Provider:`` value
        of every output line to ``self.addArr``.
        """
        providers = []

        # NOTE(review): self.apk is concatenated into the command line as-is.
        # Confirm the package name is validated if self.drozer() uses a shell.
        for line in self.drozer("run app.provider.info -a " + self.apk):
            # addArr is called for every line, including those where get_val
            # finds nothing; presumably addArr drops empty values - confirm.
            self.addArr(providers, ass_base.get_val(line, 'Content Provider:'))

        return providers
示例#6
    def app_package_info(self):
        """Fill the report's basic info and check the app's used permissions.

        Stores the package name, then parses drozer's ``app.package.info``
        output for the application label and version. Every entry listed
        between ``Uses Permissions:`` and ``Defines Permissions:`` is handed
        to ``self.check_permission``. Nothing is returned.
        """
        in_uses_section = False
        reached_defines = False

        # A parenthesised single-argument print behaves the same under the
        # Python 2 print statement.
        print(self.apk)
        self.report.setBaseInfo(self.apk, 2)  # slot 2: package name

        # NOTE(review): self.apk is concatenated into the command line as-is.
        # Confirm the package name is validated if self.drozer() uses a shell.
        for line in self.drozer("run app.package.info -a " + self.apk):
            label = ass_base.get_val(line, 'Application Label:')
            print(label)
            if label != '':
                self.report.setBaseInfo(label, 0)  # slot 0: application name

            version = ass_base.get_val(line, 'Version:')
            print(version)
            if version != '':
                self.report.setBaseInfo(version, 1)  # slot 1: version

            if 'Uses Permissions:' in line:
                in_uses_section = True
                continue

            if 'Defines Permissions:' in line:
                reached_defines = True

            # Only lines inside the "Uses Permissions" list are permissions.
            if not in_uses_section or reached_defines:
                continue

            # Strips the list bullet; this removes every '-' in the line.
            permission = line.replace('-', '').strip()
            if permission == '':
                # A blank entry ends the list and stops all further parsing.
                break
            self.check_permission(permission)
示例#7
    def run(self):
        self.adb("kill-server")
        #获取apk package name
        self.report.progress("获取包名")
        apk = ''
        ret = self.get_package_info()
        lines = ret.splitlines()
        if len(lines) > 0:
            apk = ass_base.get_val(lines[0], "package: name='")
            apk = ass_base.get_val(apk, "' version", False)

        if apk == '':
            print(self.i18n('无法获取包名'))
            return 2

        self.report.progress("安装程序")
        self.apk = apk
        self.connect_adb()
        self.adb("forward tcp:6001 tcp:31415")
        self.uninstall(apk)
        import chardet
        print chardet.detect(self.apk_file)
        if not self.install(self.apk_file):
            print 'install failde'
            return 1

        self.report.setBaseInfo(
            str(getsize(self.apk_file) / 1024.0 / 1024.0) + 'M', 3)  #文件大小

        #启动程序完成必要初始化
        self.report.progress("启动程序")
        start_activity = self.get_launchable_activity()
        self.start_apk(apk, start_activity)

        #获取包信息
        self.report.progress("获取包信息")
        self.app_package_info()
        #获取供应信息
        self.report.progress("获取供应信息")
        self.app_provider_info()
        #检测攻击面
        self.report.progress("检测攻击面")
        self.app_package_attacksurface()
        #获取activity信息
        self.report.progress("获取activity信息")
        activities = self.app_activity_info()
        ##启动activity
        #   self.report.progress("启动activity")
        #   for act in activities:
        #       if act.find("Activity") >=0:
        #           self.app_activity_start(act)

        #扫描非法uri
        self.report.progress("扫描非法uri")
        all_uri, access_uri = self.scanner_provider_finduris()
        #检测数据漏洞
        #self.report.progress("检测数据漏洞")
        #for uri in all_uri:
        #self.app_provider_query(uri)
        #self.app_provider_read(uri)
        #self.app_provider_download(uri)
        #扫描注入信息
        self.report.progress("扫描注入信息")
        self.scanner_provider_injection()
        #扫描数据
        self.report.progress("扫描数据")
        self.scanner_provider_traversal()
        #获取服务信息
        #self.report.progress("获取服务信息")
        #self.app_service_info()

        #print(self.adb("uninstall "+self.apk))
        #获取进程PID,是否启动成功
        pid = self.get_pid(apk)
        if len(pid) != 0:
            #判断sqlite文件是否加密
            self.report.progress("获取sqlite信息")
            self.app_sqlite_isEnc()