
drozer Usage Guide

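Mercury (Android app security assessment)

Mercury is an excellent open-source security assessment framework for Android apps. Its best feature is that it can interact dynamically, over IPC (inter-component communication), with the applications on an Android device.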

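I. Installation and Startup

1. Installation

(1) Windows installation

Step 1: Download Mercury 2.2.2 (Windows Installer).
Step 2: Install agent.apk on the Android device:

    adb install agent.apk

(2) *nix installation (Debian/Mac)

    apt-get install build-essential python-dev python-setuptools
    # The following steps also apply to Mac
    easy_install --allow-hosts protobuf==2.4.1
    easy_install twisted==10.2.0    # to support Infrastructure mode
    wget /assets/415/mercury-2.2.2.tar.gz
    tar zxvf mercury-2.2.2.tar.gz
    easy_install mercury-2.0.0-py2.7.egg

2. Startup

There are three ways to start Mercury.

(1) Over USB

Step 1: On the PC, use adb to forward a port to 31415, the port Mercury uses:

    adb forward tcp:31415 tcp:31415

Step 2: On the Android device, open the Mercury Agent and select embedded server - enable.
Step 3: On the PC, start the Mercury console:

    mercury.bat console connect

(2) Over Wi-Fi

Step 1: On the Android device, open the Mercury Agent, select embedded server and enable it.
Step 2: On the PC, start the Mercury console with the server address set to the Android device's IP address:

    mercury console connect --server <Android device ip:port>

(3) Infrastructure Mode

This mode involves three communicating parties: the mercury server, the mercury agent (on the Android device) and the mercury console.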

The server and the agent, and the server and the console, must be able to reach each other over the network.

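The advantage of this mode is that you do not need to know the Android device's IP address, the agent and the console can sit in isolated IP ranges, and one server can handle operations on multiple devices.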

Step 1: On the PC, start the Mercury server:

    mercury server

Step 2: On the Android device, create a New Endpoint, set its Host to the IP address of the mercury server (the PC from the previous step), and enable the Endpoint.
Step 3: Start the console:

    mercury console connect --server <serverip:port>

II. Usage

Everything is done from the Mercury console, which works much like msf. The most commonly used commands follow.

1. List the currently available modules

    mercury> list    (ls also works)
    app.activity.forintent  Find activities that can handle the given intent
                            Gets information about exported activities.
    app.activity.start      Start an Activity
                            Get information about broadcast receivers
    app.broadcast.send      Send broadcast using an intent

2. Show the help for a given module

    mercury> help app.activity.forintent
    usage: run app.activity.forintent [-h] [--action ACTION] [--category CATEGORY]
                                      [--component PACKAGE COMPONENT] [--data-uri DATA_URI]
                                      [--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]]
                                      [--mimetype MIMETYPE]

    Find activities that can handle the formulated intent

    Examples:
    Find activities that can handle web addresses:

        mercury> run app.activity.forintent
                    --action android.intent.action.VIEW
                    --data
        Package name: com.android.browser
        Target activity: com.android.browser.BrowserActivity

    Last Modified: 2012-11-06
    Credit: MWR InfoSecurity (@mwrlabs)
    License: MWR Code License

    optional arguments:
      -h, --help
      --action ACTION       specify the action to include in the Intent
      --category CATEGORY   specify the category to include in the Intent
      --component PACKAGE COMPONENT
                            specify the component name to include in the Intent
      --data-uri DATA_URI   specify a Uri to attach as data in the Intent
      --extra TYPE KEY VALUE
                            add an field to the Intent's extras bundle
      --flags FLAGS [FLAGS ...]
                            specify one-or-more flags to include in the Intent
      --mimetype MIMETYPE   specify the MIME type to send in the Intent

3. Run a given module

(1) For example, list the apps installed on the Android device

    mercury> run app.package.list
    android
    berserker.android.apps.sshdroid
    cn.wps.moffice_eng
    com.alipay.android.app
    com.android.GPStestSvc
    com.android.backupconfirm

(2) For example, show basic information about a given app (com.android.browser here)

    mercury> run -a com.android.browser
    Package: com.android.browser
    Process Name: com.android.browser
    Version: 4.1.1-JLB17.0
    Data Directory: /data/data/com.android.browser
    APK Path: /system/app/Browser.apk
    UID: 10004
    GID: [3003, 1015, 1028]
    Shared Libraries: null
    Shared User ID: null
    Uses Permissions:
    - android.permission.ACCESS_COARSE_LOCATION
    - android.permission.ACCESS_DOWNLOAD_MANAGER
    - android.permission.ACCESS_FINE_LOCATION
    - android.permission.ACCESS_NETWORK_STATE
    - android.permission.ACCESS_WIFI_STATE
    - android.permission.GET_ACCOUNTS
    - E_CREDENTIALS
    - android.permission.INTERNET
    - android.permission.NFC
    - android.permission.SEND_DOWNLOAD_COMPLETED_INTENTS
    - android.permission.SET_WALLPAPER
    - android.permission.WAKE_LOCK
    - android.permission.WRITE_EXTERNAL_STORAGE
    - android.permission.WRITE_SETTINGS
    - android.permission.READ_SYNC_SETTINGS
    - android.permission.WRITE_SYNC_SETTINGS
    - android.permission.MANAGE_ACCOUNTS
    - android.permission.READ_PROFILE
    - android.permission.READ_CONTACTS
    - com.android.browser.permission.READ_HISTORY_BOOKMARKS
    - com.android.browser.permission.WRITE_HISTORY_BOOKMARKS
    - uncher.permission.INSTALL_SHORTCUT
    - android.permission.READ_EXTERNAL_STORAGE
    Defines Permissions:
    - com.android.browser.permission.PRELOAD

(3) Interacting with components

Mercury's most useful feature is helping to debug IPC mechanisms by manipulating an app's IPC components (Activities, Broadcast receivers, Content providers and Services).

Mercury's app.{activity|broadcast|provider|service}.xx modules provide this functionality.

a. List the activity components of an app (com.android.browser here)

    mercury> run -a com.android.browser
    Package: com.android.browser
    com.android.browser.BrowserActivity
    com.android.browser.MiuiShortcutActivity
    com.android.browser.BrowserPreferencesPage
    com.android.browser.BookmarkSearch
    com.android.browser.AddOrEditBookmarkActivity
    com.android.browser.widget.BookmarkWidgetConfigure

b. Start an activity, for example launch the browser and open the Google page

    mercury> run app.activity.start --action android.intent.action.VIEW --data-uri /

c. Find Content Providers that can be read

    mercury> run scanner.provider.finduris -a com.sina.weibo
    Scanning com.sina.weibo...
    Able to Query content://mms
    Unable to Query content://calendar/events
    Unable to Query content://com.sina.weibo.blogProvider/query/home
    Able to Query content://mms/
    Unable to Query content://telephony/apgroups/
    Able to Query content://sms
    Unable to Query content://com.sina.weibo.blogProvider/insert/im
    Unable to Query content://icc/adn
    Unable to Query content://com.sina.weibo.blogProvider/delete/allim/
    Unable to Query content://com.sina.weibo.blogProvider/query/im/
    Unable to Query content://calendar/calendars
    Unable to Query content://com.sina.weibo.blogProvider/
    Able to Query content://com.android.contacts/contacts/
    Unable to Query content://calendar/events/
    Able to Query content://telephony/carriers/preferapn/
    Able to Query content://telephony/carriers/
    Able to Query content://com.android.contacts/contacts
    Unable to Query content://uncher2.settings/favorites?notify=true/

d. Read the contents of a given Content Provider

    mercury#> run app.provider.query content://settings/secure --selection "name='adb_enabled'"
    | _id | name        | value |
    | 66  | adb_enabled | 1     |

e. Features not yet implemented

Interacting with service components using Message or the Android Interface Description Language; see https:///mwrlabs/mercury/wiki

(4) File operations

List the world-writable / world-readable files under a given path:

    mercury> run scanner.misc.writablefiles --privileged /data/data/com.sina.weibo
    Discovered world-writable files in /data/data/com.sina.weibo:
    /data/data/com.sina.weibo/shared_prefs/push_settings.xml
    /data/data/com.sina.weibo/shared_prefs/speed_test.xml

    mercury> run scanner.misc.readablefiles --privileged /data/data/com.sina.weibo
    Discovered world-readable files in /data/data/com.sina.weibo:
    /data/data/com.sina.weibo/lib/libutility.so
    /data/data/com.sina.weibo/shared_prefs/push_settings.xml
    /data/data/com.sina.weibo/shared_prefs/speed_test.xml
    /data/data/com.sina.weibo/shared_prefs/com.sina.weibo_preferences.xml
    /data/data/com.sina.weibo/app_outtmp/private.dex

(5) Shell operations

    mercury> run shell.start
    u0_a80@android:/data/data/com.mwr.droidhg.agent $ su
    u0_a80@android:/data/data/com.mwr.droidhg.agent # pwd
    /data/data/com.mwr.droidhg.agent

(6) Install busybox

    mercury> run tools.setup.busybox

(7) Viewing content provider data through a web interface

    mercury#> list auxiliary
    auxiliary.webcontentresolver
                            Start a web service interface to content providers.

    mercury#> help auxiliary.webcontentresolver
    usage: run auxiliary.webcontentresolver [-h] [-p PORT]

    Start a Web Service interface to Content Providers. This allows you to use
    web application testing capabilities and tools to test content providers.

    Examples:
        mercury> run auxiliary.webcontentresolver --port 8080
        WebContentResolver started on port 8080.
        Ctrl+C to Stop

    Last Modified: 2012-11-06
    Credit: Nils (@mwrlabs)
    License: MWR Code License

    optional arguments:
      -h, --help
      -p PORT, --port PORT  the port to start the WebContentResolver on

    mercury#> run auxiliary.webcontentresolver
    WebContentResolver started on port 8080.
    Ctrl+C to Stop
    1.0.0.127.in-addr.arpa - - [25/Jul/2013 00:09:19] "GET / HTTP/1.1" 200 -
    1.0.0.127.in-addr.arpa - - [25/Jul/2013 00:09:30] "GET /favicon.ico HTTP/1.1" 200 -

Access it from a browser on the system where the console is running.
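For writing up the scanner.provider.finduris results from step c, the following added example (not part of Mercury or of the original page) parses that output, merges trailing-slash duplicates, and separates queryable URIs under the assessed package's own authorities from those under other authorities. The helper names parse_finduris and triage are hypothetical, and matching an authority to the package by name prefix is an assumed heuristic; the app's manifest is the authoritative source.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the finduris output shown in step c.
SAMPLE_OUTPUT = """\
Scanning com.sina.weibo...
Able to Query content://mms
Unable to Query content://calendar/events
Unable to Query content://com.sina.weibo.blogProvider/query/home
Able to Query content://mms/
Able to Query content://sms
Unable to Query content://com.sina.weibo.blogProvider/
Able to Query content://com.android.contacts/contacts/
Able to Query content://telephony/carriers/preferapn/
Able to Query content://telephony/carriers/
Able to Query content://com.android.contacts/contacts
"""

LINE_RE = re.compile(r"^(Able|Unable) to Query\s+content://(\S+)$")

def parse_finduris(text):
    """Return {authority: {path: queryable}}, merging trailing-slash duplicates."""
    results = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip banner lines such as "Scanning ..."
        status, rest = m.groups()
        rest = rest.split("?", 1)[0].rstrip("/")
        authority, _, path = rest.partition("/")
        key = "/" + path
        # A URI counts as queryable if any spelling of it was queryable.
        results[authority][key] = results[authority].get(key, False) or status == "Able"
    return dict(results)

def triage(text, package):
    """Split queryable URIs into (package-owned authority, other authority)."""
    own, other = [], []
    for authority, paths in sorted(parse_finduris(text).items()):
        # Assumption: an authority named after the package belongs to the app.
        is_own = authority == package or authority.startswith(package + ".")
        for path, ok in sorted(paths.items()):
            if ok:
                uri = "content://" + authority + ("" if path == "/" else path)
                (own if is_own else other).append(uri)
    return own, other

if __name__ == "__main__":
    for label, uris in zip(("app-owned", "other"), triage(SAMPLE_OUTPUT, "com.sina.weibo")):
        print(label, uris)
```

On this sample every queryable URI falls under an authority that is not named after com.sina.weibo, while the com.sina.weibo.blogProvider URIs all report "Unable to Query".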
