Drozer Cheat Sheet

drozer is a security testing framework for Android.
drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Android Runtime, other apps' IPC endpoints and the underlying OS.
drozer provides tools to help you use, share and understand public Android exploits.
drozer is open source software, maintained by WithSecure, and can be downloaded from: https://labs.withsecure.com/tools/drozer/

Download python3 version from https://github.com/WithSecureLabs/drozer/releases
Download the Drozer agent apk file from https://github.com/WithSecureLabs/drozer-agent/releases/tag/3.0.0
Install Drozer via commandsudo pip3 install drozer-3.0.2-py3-none-any.whl
Install apk file in the emulator via command: adb install drozer-agent.apk
Initialize drozer server and get the port
Now forward traffick to this port and connect drozer console
Now here is some usefull drozer commands

# Starting Session
adb forward tcp:31415 tcp:31415
drozer console connect
drozer console connect --server <ip>

# List Modes
ls
ls activity

# Retrieving package information 
dz> run app.package.list -f sieve  
com.mwr.example.sieve
run app.package.list -f <app name>
run app.package.info -a <package name>

# Identifying the attack surface
run app.package.attacksurface <package name>

# Exploiting Activities
run app.activity.info -a <package name> -u
run app.activity.start --component <package name> <component name>
run app.activity.start --component <package name> <component name> --extra <type> <key> <value>

# Exploiting Content Provider
run app.provider.info -a <package name>
run scanner.provider.finduris -a <package name>
run app.provider.query <uri>
run app.provider.update <uri> --selection <conditions> <selection arg> <column> <data>
run scanner.provider.sqltables -a <package name>
run scanner.provider.injection -a <package name>
run scanner.provider.traversal -a <package name>

# Exploiting Broadcast Receivers
run app.broadcast.info -a <package name>
run app.broadcast.send --component <package name> <component name> --extra <type> <key> <value>
run app.broadcast.sniff --action <action>

# Exploiting Service
run app.service.info -a <package name>
run app.service.start --action <action> --component <package name> <component name>
run app.service.send <package name> <component name> --msg <what> <arg1> <arg2> --extra <type> <key> <value> --bundle-as-obj

PreviousInformation Gathering NextModifying Resource Files Leads to Privilege Escalation

Last updated 6 months ago

# Starting Session adb forward tcp:31415 tcp:31415 drozer console connect drozer console connect --server <ip> # List Modes ls ls activity # Retrieving package information dz> run app.package.list -f sieve com.mwr.example.sieve run app.package.list -f <app name> run app.package.info -a <package name> # Identifying the attack surface run app.package.attacksurface <package name> # Exploiting Activities run app.activity.info -a <package name> -u run app.activity.start --component <package name> <component name> run app.activity.start --component <package name> <component name> --extra <type> <key> <value> # Exploiting Content Provider run app.provider.info -a <package name> run scanner.provider.finduris -a <package name> run app.provider.query <uri> run app.provider.update <uri> --selection <conditions> <selection arg> <column> <data> run scanner.provider.sqltables -a <package name> run scanner.provider.injection -a <package name> run scanner.provider.traversal -a <package name> # Exploiting Broadcast Receivers run app.broadcast.info -a <package name> run app.broadcast.send --component <package name> <component name> --extra <type> <key> <value> run app.broadcast.sniff --action <action> # Exploiting Service run app.service.info -a <package name> run app.service.start --action <action> --component <package name> <component name> run app.service.send <package name> <component name> --msg <what> <arg1> <arg2> --extra <type> <key> <value> --bundle-as-obj