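def app_package_attacksurface(self):
    """Record the exported-component attack surface of ``self.apk``.

    Runs drozer's ``app.package.attacksurface`` module and writes one report
    item per component class (activities, broadcast receivers, content
    providers, services) whose exported count is above zero, plus a flag
    item when the output says the package is debuggable.

    Returns:
        None; findings go through ``self.report.setItem``.
    """
    # (report item key, phrase drozer prints next to the exported count)
    surface_items = (
        ('0_1', 'activities exported'),
        ('0_2', 'broadcast receivers exported'),
        ('0_4', 'content providers exported'),
        ('0_3', 'services exported'),
    )
    lines = self.drozer("run app.package.attacksurface " + self.apk)
    for line in lines:
        for key, phrase in surface_items:
            # get_val is assumed to return '' when the phrase is absent;
            # a non-numeric value makes int() raise, exactly as before.
            count = ass_base.get_val(line, phrase, False)
            if count != '' and int(count) > 0:
                self.report.setItem(key, count + ' ' + phrase)
        # A debuggable build is reported as its own hardening finding.
        if 'is debuggable' in line:
            self.report.setItem('0_0', 'android:debuggable=True')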
def run(self):
    """Dump the first mapped memory regions of the running app into the report.

    NOTE(review): a second ``run`` is defined later in this class; in Python
    the later definition wins, so this version is shadowed and only reachable
    if that one is removed or renamed.

    Flow: read the package name from ``get_package_info()``; push the bundled
    ``su`` binary to ``/system/xbin`` and set mode 6777 on it (assumes a
    remounted, writable system image); block on stdin; look up the app's pid
    and memory map; dump up to five mapped regions with drozer's
    ``xv.operatemem`` into ``/data/data/maps`` on the device; pull each
    successful dump and append ``readfileby16(path, 200)`` of it to report
    items ``1_19`` and ``2_11``.

    Returns:
        2 when no package name could be read; otherwise None.
    """
    self.adb("kill-server")
    # Obtain the apk package name.
    self.report.progress("获取包名")
    apk = ''
    ret = self.get_package_info()
    lines = ret.splitlines()
    if len(lines)>0:
        apk = ass_base.get_val(lines[0], "package: name='")
        apk = ass_base.get_val(apk, "' version", False)
    print "apk:"+apk
    #nam = input('waiting...')
    if apk == '':
        print(self.i18n('无法获取包名'))
        return 2
    # Obtain root on the Android device: remount /system writable, push the
    # bundled su binary and set the setuid/setgid bits on it (mode 6777).
    self.adb('remount')
    self.adb('push '+ ass_config.pinggu_dir+'/tool/su /system/xbin')
    self.adb('shell chmod 6777 /system/xbin/su')
    # Blocks until the operator presses Enter; the value read is never used.
    name = raw_input()
    pid = self.getpid_by_appname(apk)
    # Emulator-detection setup (original comment): read the process memory map.
    maps_str = self.get_maps(pid)
    # pid, apk and maps_str come straight from device/tool output and are
    # concatenated into the adb/drozer command strings below without quoting.
    self.report.setItem('0_10', "app pid "+pid+ "; App package name "+apk+' ;maps '+ maps_str)
    maps_addrs = self.get_maps_addrs(maps_str)
    i = 0       # regions dumped so far; the loop stops after 5
    j = 9902    # incremented per dump and passed to xv.operatemem's -stt option
    self.adb('shell mkdir /data/data/maps')
    print 'mkdir '+ass_config.pinggu_dir+'/maps'
    self.do_cmd('mkdir '+ass_config.pinggu_dir+'/maps')
    #nam = input('waiting...')
    sstr = ''
    for addr in maps_addrs:
        if i>=5:
            break
        i+=1
        j+=1
        # addr is assumed to be a (start, end) pair of hex strings without '0x' -- TODO confirm
        start_addr = '0x'+addr[0]
        #end_addr = '0x'+str(hex(start_addr)+180)
        end_addr = '0x'+addr[1]
        print start_addr
        print end_addr
        lines = self.drozer('run xv.operatemem -stt '+str(j)+' -sp '+pid+' --dump '+start_addr+' '+end_addr+' /data/data/maps/'+str(i)+'.txt')
        # NOTE(review): if drozer() returns a list of lines this is a whole-line
        # match against 'DUMP_FAIL', not a substring search -- verify.
        if('DUMP_FAIL' not in lines):
            #nam = input('waiting...')
            self.adb('pull /data/data/maps/'+str(i)+'.txt'+' '+ass_config.pinggu_dir+'/maps')
            sstr += self.readfileby16(ass_config.pinggu_dir+'/maps/'+str(i)+'.txt',200)
    # Remove the on-device dump directory; the pulled copies stay under pinggu_dir/maps.
    self.adb('shell rm -r /data/data/maps')
    print sstr
    #nam = input('waiting...')
    self.report.setItem('1_19', sstr)
    self.report.setItem('2_11', sstr)
    #nam = input('waiting...')
    pass
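def scanner_provider_finduris(self):
    """Enumerate the content-provider URIs drozer finds for ``self.apk``.

    Runs ``scanner.provider.finduris -a <package>`` and splits the output
    into two lists: every value found in a "to Query " line (deduplicated,
    first-seen order) and every line that follows the
    "Accessible content URIs:" heading.

    Returns:
        tuple: ``(all_uris, access_uris)``.  ``access_uris`` is also written
        to the report under item key ``'2-4'``.
    """
    all_uris = []
    access_uris = []
    in_accessible_section = False
    lines = self.drozer("run scanner.provider.finduris -a " + self.apk)
    for line in lines:
        uri = ass_base.get_val(line, "to Query ")
        if uri != '':
            # Membership test replaces the original index()/ValueError dedup.
            if uri not in all_uris:
                all_uris.append(uri)
            continue
        if "Accessible content URIs:" in line:
            in_accessible_section = True
            continue
        if in_accessible_section:
            self.addArr(access_uris, line.strip())
    # NOTE(review): other report keys in this file use '<n>_<m>'; '2-4'
    # (hyphen) is kept unchanged here -- confirm it matches the report schema.
    self.report.setItem('2-4', self.arrayToString(access_uris))
    return all_uris, access_uris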
def app_activity_start(self, activity):
    """Start ``activity`` of ``self.apk`` via drozer's ``app.activity.start``.

    Args:
        activity: component name appended after the package on the command line.

    Returns:
        bool: False as soon as an output line yields '' from
        ``get_val(line, "Unable")``; True otherwise (including empty output).
        NOTE(review): with that contract, ordinary output lines (which do
        not contain "Unable") make this return False, and only all-"Unable"
        output returns True -- confirm get_val's behaviour before relying on
        the result.  The call site in run() is currently commented out.
    """
    output = self.drozer("run app.activity.start --component " + self.apk + " " + activity)
    return all(ass_base.get_val(line, "Unable") != '' for line in output)
def app_provider_info(self):
    """Return the content providers drozer reports for ``self.apk``.

    Runs ``app.provider.info -a <package>``; each output line is reduced
    with ``get_val(line, 'Content Provider:')`` and handed to
    ``self.addArr`` (presumably it skips empty values -- verify).

    Returns:
        list: the entries accumulated by ``addArr``.
    """
    providers = []
    output = self.drozer("run app.provider.info -a " + self.apk)
    for entry in output:
        self.addArr(providers, ass_base.get_val(entry, 'Content Provider:'))
    return providers
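def app_package_info(self):
    """Fill the report's basic info from drozer's ``app.package.info``.

    Stores the package name (slot 2), then scans the module output for the
    application label (slot 0) and version (slot 1), and walks the
    "Uses Permissions:" section, passing each permission line to
    ``self.check_permission`` until a blank line ends the scan or the
    "Defines Permissions:" heading is seen.

    The ``print`` calls are debug output kept from the original; they use
    the single-argument form so the block runs under Python 2 and 3.

    Returns:
        None; results go through ``self.report`` and ``check_permission``.
    """
    in_uses_permissions = False
    seen_defines_permissions = False
    print(self.apk)
    self.report.setBaseInfo(self.apk, 2)  # package name
    lines = self.drozer("run app.package.info -a " + self.apk)
    for line in lines:
        label = ass_base.get_val(line, 'Application Label:')
        print(label)
        if label != '':
            self.report.setBaseInfo(label, 0)  # application name
        version = ass_base.get_val(line, 'Version:')
        print(version)
        if version != '':
            self.report.setBaseInfo(version, 1)  # version string
        if 'Uses Permissions:' in line:
            in_uses_permissions = True
            continue
        if 'Defines Permissions:' in line:
            # Once seen, no further lines count as used permissions.
            seen_defines_permissions = True
        if in_uses_permissions and not seen_defines_permissions:
            # NOTE(review): this strips every '-' in the line, not just the
            # list bullet; fine for dotted permission names, check otherwise.
            permission = line.replace('-', '').strip()
            if permission == '':
                # A blank line terminates the whole scan, as in the original.
                break
            self.check_permission(permission)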
def run(self):
    """Entry point: install ``self.apk_file`` on the device and run the checks.

    Reads the package name from ``get_package_info()``, reinstalls the apk
    through adb, starts its launchable activity, then runs the drozer-based
    collectors in order (package info, provider info, attack surface,
    activity info, URI discovery, injection scan, traversal scan) and, if a
    pid is still found for the app, the sqlite encryption check.

    NOTE(review): an earlier ``run`` is defined in this class; this later
    definition is the one that takes effect.

    Returns:
        2 when no package name could be read, 1 when the install failed,
        otherwise None.
    """
    self.adb("kill-server")
    # Obtain the apk package name.
    self.report.progress("获取包名")
    apk = ''
    ret = self.get_package_info()
    lines = ret.splitlines()
    if len(lines) > 0:
        apk = ass_base.get_val(lines[0], "package: name='")
        apk = ass_base.get_val(apk, "' version", False)
    if apk == '':
        print(self.i18n('无法获取包名'))
        return 2
    # Install the program.
    self.report.progress("安装程序")
    # apk is parsed from tool output and is reused, unquoted, inside the adb
    # and drozer command strings built by the helper methods below.
    self.apk = apk
    self.connect_adb()
    # Forward local tcp/6001 to tcp/31415 on the device (drozer agent port).
    self.adb("forward tcp:6001 tcp:31415")
    self.uninstall(apk)
    # Debug aid only: chardet is imported lazily and used for this one print.
    # NOTE(review): self.apk_file is treated as a path by install()/getsize()
    # below, so detect() is run on the path string -- confirm that is intended.
    import chardet
    print chardet.detect(self.apk_file)
    if not self.install(self.apk_file):
        # NOTE(review): 'failde' is a typo in a runtime message; left unchanged here.
        print 'install failde'
        return 1
    self.report.setBaseInfo( str(getsize(self.apk_file) / 1024.0 / 1024.0) + 'M', 3) # file size in MiB
    # Start the program so it completes its own initialisation.
    self.report.progress("启动程序")
    start_activity = self.get_launchable_activity()
    self.start_apk(apk, start_activity)
    # Package information.
    self.report.progress("获取包信息")
    self.app_package_info()
    # Provider information.
    self.report.progress("获取供应信息")
    self.app_provider_info()
    # Attack-surface check.
    self.report.progress("检测攻击面")
    self.app_package_attacksurface()
    # Activity information (the start-activity loop below is disabled, so
    # `activities` is currently unused).
    self.report.progress("获取activity信息")
    activities = self.app_activity_info()
    ## Start activities
    # self.report.progress("启动activity")
    # for act in activities:
    #     if act.find("Activity") >=0:
    #         self.app_activity_start(act)
    # Scan for exposed URIs (the per-URI data checks below are disabled, so
    # `all_uri` / `access_uri` are currently unused here).
    self.report.progress("扫描非法uri")
    all_uri, access_uri = self.scanner_provider_finduris()
    # Data-leak checks
    #self.report.progress("检测数据漏洞")
    #for uri in all_uri:
    #    self.app_provider_query(uri)
    #    self.app_provider_read(uri)
    #    self.app_provider_download(uri)
    # Injection scan.
    self.report.progress("扫描注入信息")
    self.scanner_provider_injection()
    # Data (path traversal) scan.
    self.report.progress("扫描数据")
    self.scanner_provider_traversal()
    # Service information
    #self.report.progress("获取服务信息")
    #self.app_service_info()
    #print(self.adb("uninstall "+self.apk))
    # Get the process pid to see whether the app is still running.
    pid = self.get_pid(apk)
    if len(pid) != 0:
        # Check whether the sqlite files are encrypted.
        self.report.progress("获取sqlite信息")
        self.app_sqlite_isEnc()