drozer 下载地址

1、安装

pc端安装drozer

Android设备中安装agent.apk

adb install agent.apk

2、开启会话

adb forward tcp:31415tcp:31415

drozer console connect

在Android设备上开启Drozer Agent

选择embedded server-enable

3、drozer 命令

dz> list

app.activity.forintent                   Find activities that can handle the given intent

app.activity.info                        Gets information about exported activities.

app.activity.start                       Start an Activity

app.broadcast.info                       Get information about broadcast receivers

app.broadcast.send                       Send broadcast using an intent

app.broadcast.sniff                      Register a broadcast receiver that can sniff particular intents

app.package.attacksurface                Get attack surface of package

app.package.backup                       Lists packages that use the backup API (returns true on FLAG_ALLOW_BACKUP)

app.package.debuggable                   Find debuggable packages

app.package.info                         Get information about installed packages

app.package.launchintent                 Get launch intent of package

app.package.list                         List Packages

app.package.manifest                     Get AndroidManifest.xml of package

app.package.native                       Find Native libraries embedded in the application.

app.package.shareduid                    Look for packages with shared UIDs

app.provider.columns                     List columns in content provider

app.provider.delete                      Delete from a content provider

app.provider.download                    Download a file from a content provider that supports files

app.provider.finduri                     Find referenced content URIs in a package

app.provider.info                        Get information about exported content providers

app.provider.insert                      Insert into a Content Provider

app.provider.query                       Query a content provider

app.provider.read                        Read from a content provider that supports files

app.provider.update                      Update a record in a content provider

app.service.info                         Get information about exported services

app.service.send                         Send a Message to a service, and display the reply

app.service.start                        Start Service

app.service.stop                         Stop Service

auxiliary.webcontentresolver             Start a web service interface to content providers.

exploit.jdwp.check                       Open @jdwp-control and see which apps connect

exploit.pilfer.general.apnprovider       Reads APN content provider

exploit.pilfer.general.settingsprovider  Reads Settings content provider

information.datetime                     Print Date/Time

information.deviceinfo                   Get verbose device information

information.permissions                  Get a list of all permissions used by packages on the device

scanner.activity.browsable               Get all BROWSABLE activities that can be invoked from the web browser

scanner.misc.native                      Find native components included in packages

scanner.misc.readablefiles               Find world-readable files in the given folder

scanner.misc.secretcodes                 Search for secret codes that can be used from the dialer

scanner.misc.sflagbinaries               Find suid/sgid binaries in the given folder (default is /system).

scanner.misc.writablefiles               Find world-writable files in the given folder

scanner.provider.finduris                Search for content providers that can be queried from our context.

scanner.provider.injection               Test content providers for SQL injection vulnerabilities.

scanner.provider.sqltables               Find tables accessible through SQL injection vulnerabilities.

scanner.provider.traversal               Test content providers for basic directory traversal vulnerabilities.

shell.exec                               Execute a single Linux command.

shell.send                               Send an ASH shell to a remote listener.

shell.start                              Enter into an interactive Linux shell.

tools.file.download                      Download a File

tools.file.md5sum                        Get md5 Checksum of file

tools.file.size                          Get size of file

tools.file.upload                        Upload a File

tools.setup.busybox                      Install Busybox.

tools.setup.minimalsu                    Prepare 'minimal-su' binary installation on the device.

应用相关  app.package.*

Activity相关 app.activity.*

Content Provider 相关 app.provider.*,scanner.provider

Service相关 app.service.*

Broadcast Receiver 相关 app.broadcast.*

其他模块 

Android四大基本组件分别是Activity，Service服务,Content Provider内容提供者，BroadcastReceiver广播接收器

通过run app.package.info获取该package的详细信息，比如data路径、apk路径、声明的权限

app.package.attacksurface攻击面分析，分析Activity/Broadcast Receiver/Content Provider/Service的权限，即是否能被其他的的应用程序调用

通过run app.activity.info -a 路径包名  分析出可以调用的activity组件

通过run app.activity.start --component 路径包名 路径组件名 启动它，在支付之类的界面可以照成界面劫持。

通过run  app.broadcast.info -a 路径包名  查看暴露的广播组件信息

通过run app.broadcast.send  利用空actoin和空extras拒绝服务

通过run app.provider.info -a 包名 查看可操作ContentProvider信息

通过run scanner.provider.finduris -a 包名 获取可以访问的uri

 run scanner.provider.injection -a 包名 sql注入检查

run scanner.provider.traversal -a 包名 目录遍历

通过run app.service.info -a 包名 查询权限