碳基体

A security girl working on the front line of product security

Mercury (Android app security assessment framework): installation, startup and usage


Mercury (later renamed drozer) is an excellent open-source Android app security assessment framework. Its best feature is that it can interact dynamically, over IPC (inter-process communication between app components), with the apps installed on an Android device, from the position of an ordinary app running on that device.

I. Installation and startup

1. Installation

(1) Windows

Step 1: download Mercury 2.2.2 (Windows Installer)


Step 2: install agent.apk on the Android device

adb install agent.apk

(2) *nix (Debian/Mac)

apt-get install build-essential python-dev python-setuptools

The steps below also apply to Mac

easy_install --allow-hosts pypi.python.org protobuf==2.4.1

easy_install twisted==10.2.0 (needed for Infrastructure mode)

wget https://labs.mwrinfosecurity.com/assets/415/mercury-2.2.2.tar.gz

tar zxvf mercury-2.2.2.tar.gz

easy_install mercury-2.0.0-py2.7.egg (use the .egg file name exactly as it appears in the extracted tarball)

agent.apk still has to be installed on the device with adb install, as in the Windows steps.


2. Startup

There are three ways

(1) USB

Step 1: on the PC, use adb to forward port 31415, the port Mercury uses, to the device

adb forward tcp:31415 tcp:31415

Step 2: start the Mercury Agent on the Android device

Select Embedded Server and enable it

Step 3: start the Mercury console on the PC

mercury.bat console connect

(on Linux/Mac the command is mercury console connect; the forward has to be repeated every time the device is reconnected, otherwise the connect is refused)

(2) WiFi

Step 1: start the Mercury Agent on the Android device

Select Embedded Server and enable it


Step 2: on the PC, start the Mercury console with the server address set to the Android device's IP address

mercury console connect --server <Android device ip:port>

The embedded server gives whoever connects to it the agent's access to the device, so in WiFi mode only enable it on a trusted test network and disable it when you are done.

(3) Infrastructure Mode

This mode involves three communicating parties: the mercury server, the mercury agent (on the Android device) and the mercury console.

The server and the agent, and the server and the console, need network connectivity between them. The advantages of this mode are that you do not need to know the Android device's IP, the agent and the console can sit in separate network segments, and one server can serve several devices.


Step 1: start the Mercury server on a PC

mercury server

Step 2: on the Android device, create a New Endpoint, set its Host to the mercury server's IP (the PC from the previous step), and enable the Endpoint


Step 3: start the console

mercury console connect --server <serverip:port>
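All three startup variants end the same way: the console opens a TCP connection to some host:port (localhost through adb forward, the device's own IP, or the mercury server). The helper below is an added example, not part of the original post or of Mercury itself: it picks the target for a given mode and checks that something is actually listening there before launching the console, which is the usual reason a fresh session fails. Port 31415 and the mercury/mercury.bat commands are from the post; adb and mercury on PATH, the mode/IP command-line arguments and the timeouts are my assumptions.

```python
"""Added example (not from the original post or from Mercury): pick the console's
connection target for each startup mode and confirm it is reachable first."""
import socket
import subprocess
import sys
import time

MERCURY_PORT = 31415  # default agent/server port, as used in the post


def connect_target(mode, device_ip=None, server_ip=None, port=MERCURY_PORT):
    """Return the (host, port) the console must reach in the given mode.

    usb:   the agent is reached through `adb forward`, i.e. on localhost.
    wifi:  the console talks to the agent's embedded server directly.
    infra: the console talks to the mercury server, never to the device.
    """
    if mode == "usb":
        return "127.0.0.1", port
    if mode == "wifi":
        if not device_ip:
            raise ValueError("wifi mode needs the Android device's IP")
        return device_ip, port
    if mode == "infra":
        if not server_ip:
            raise ValueError("infrastructure mode needs the mercury server's IP")
        return server_ip, port
    raise ValueError("unknown mode: %r" % mode)


def console_args(host, port, mode, windows=False):
    """argv for the console; in USB mode the forwarded default port is used."""
    exe = "mercury.bat" if windows else "mercury"
    args = [exe, "console", "connect"]
    if mode != "usb":
        args += ["--server", "%s:%d" % (host, port)]
    return args


def wait_for_port(host, port, timeout=30.0):
    """True once a TCP connect to host:port succeeds, False after timeout seconds."""
    deadline = time.monotonic() + timeout
    while True:
        try:
            with socket.create_connection((host, port), timeout=1.0):
                return True
        except OSError:
            if time.monotonic() >= deadline:
                return False
            time.sleep(0.5)


def main(argv):
    # Assumed CLI: mercury_connect.py [usb|wifi|infra] [ip]
    mode = argv[1] if len(argv) > 1 else "usb"
    ip = argv[2] if len(argv) > 2 else None
    if mode == "usb":
        # Must be redone after every USB reconnect; without it the connect is refused.
        subprocess.check_call(["adb", "forward",
                               "tcp:%d" % MERCURY_PORT, "tcp:%d" % MERCURY_PORT])
    host, port = connect_target(mode, device_ip=ip, server_ip=ip)
    if not wait_for_port(host, port):
        sys.exit("nothing listening on %s:%d; enable the Embedded Server "
                 "(or the Endpoint) in the agent and retry" % (host, port))
    subprocess.call(console_args(host, port, mode,
                                 windows=sys.platform.startswith("win")))


if __name__ == "__main__":
    main(sys.argv)
```

In infrastructure mode the check only proves the server is up; whether a device has registered with it is something the console itself will tell you once connected.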

II. Usage

Everything is done from the Mercury console, which feels a lot like msf. The commonly used commands are:


1. List the currently available modules

mercury> list (ls also works)
app.activity.forintent      Find activities that can handle the given intent
app.activity.info           Gets information about exported activities.
app.activity.start          Start an Activity
app.broadcast.info          Get information about broadcast receivers
app.broadcast.send          Send broadcast using an intent
(only the first few modules are shown)

2. Show the help for a given module

mercury> help app.activity.forintent
usage: run app.activity.forintent [-h] [--action ACTION] [--category CATEGORY]
               [--component PACKAGE COMPONENT] [--data-uri DATA_URI]
               [--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]]
               [--mimetype MIMETYPE]

Find activities that can handle the formulated intent

Examples:
Find activities that can handle web addresses:

    mercury> run app.activity.forintent
                --action android.intent.action.VIEW
                --data https://www.google.com

    Package name: com.android.browser
    Target activity: com.android.browser.BrowserActivity

Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: MWR Code License

optional arguments:
  -h, --help
  --action ACTION       specify the action to include in the Intent
  --category CATEGORY   specify the category to include in the Intent
  --component PACKAGE COMPONENT
                        specify the component name to include in the Intent
  --data-uri DATA_URI   specify a Uri to attach as data in the Intent
  --extra TYPE KEY VALUE
                        add an field to the Intent's extras bundle
  --flags FLAGS [FLAGS ...]
                        specify one-or-more flags to include in the Intent
  --mimetype MIMETYPE   specify the MIME type to send in the Intent



3. Run a given module

(1) For example, list the apps installed on the Android device

mercury> run app.package.list
android
berserker.android.apps.sshdroid
cn.wps.moffice_eng
com.alipay.android.app
com.android.GPStestSvc
com.android.backupconfirm

(2) For example, show basic information about an app (com.android.browser here)

mercury> run app.package.info -a com.android.browser
Package: com.android.browser
  Process Name: com.android.browser
  Version: 4.1.1-JLB17.0
  Data Directory: /data/data/com.android.browser
  APK Path: /system/app/Browser.apk
  UID: 10004
  GID: [3003, 1015, 1028]
  Shared Libraries: null
  Shared User ID: null
  Uses Permissions:
  - android.permission.ACCESS_COARSE_LOCATION
  - android.permission.ACCESS_DOWNLOAD_MANAGER
  - android.permission.ACCESS_FINE_LOCATION
  - android.permission.ACCESS_NETWORK_STATE
  - android.permission.ACCESS_WIFI_STATE
  - android.permission.GET_ACCOUNTS
  - android.permission.USE_CREDENTIALS
  - android.permission.INTERNET
  - android.permission.NFC
  - android.permission.SEND_DOWNLOAD_COMPLETED_INTENTS
  - android.permission.SET_WALLPAPER
  - android.permission.WAKE_LOCK
  - android.permission.WRITE_EXTERNAL_STORAGE
  - android.permission.WRITE_SETTINGS
  - android.permission.READ_SYNC_SETTINGS
  - android.permission.WRITE_SYNC_SETTINGS
  - android.permission.MANAGE_ACCOUNTS
  - android.permission.READ_PROFILE
  - android.permission.READ_CONTACTS
  - com.android.browser.permission.READ_HISTORY_BOOKMARKS
  - com.android.browser.permission.WRITE_HISTORY_BOOKMARKS
  - com.android.launcher.permission.INSTALL_SHORTCUT
  - android.permission.READ_EXTERNAL_STORAGE
  Defines Permissions:
  - com.android.browser.permission.PRELOAD

(3) Interacting with components

Mercury's most useful capability is helping you exercise the IPC mechanism: driving an app's IPC components (Activities, Broadcast Receivers, Content Providers and Services) from the agent. The app.{activity|broadcast|provider|service}.xx modules provide this. Keep in mind that the agent is an ordinary unprivileged app (the shell example further down runs as uid u0_a80), so anything the agent can reach, any other app on the device can reach too; that is what makes a successful call against an exported component meaningful.


a. List the app's activity components (com.android.browser as the example)

mercury> run app.activity.info -a com.android.browser
Package: com.android.browser
  com.android.browser.BrowserActivity
  com.android.browser.MiuiShortcutActivity
  com.android.browser.BrowserPreferencesPage
  com.android.browser.BookmarkSearch
  com.android.browser.AddOrEditBookmarkActivity
  com.android.browser.widget.BookmarkWidgetConfigure


b. Start an activity, for example launch the browser on Google's home page

mercury> run app.activity.start --action android.intent.action.VIEW --data-uri https://google.com/

c. Find content provider URIs that can be queried

scanner.provider.finduris scans the app's code for content:// strings and tries to query each one from the agent, so the list also contains system URIs the app merely references (mms, sms, contacts, telephony below). "Able to Query" means the query worked from the agent's context, nothing more: in this run none of com.sina.weibo's own blogProvider URIs were queryable, and the ones that were all belong to the system.

mercury> run scanner.provider.finduris -a com.sina.weibo
Scanning com.sina.weibo...
Able to Query    content://mms
Unable to Query  content://calendar/events
Unable to Query  content://com.sina.weibo.blogProvider/query/home
Able to Query    content://mms/
Unable to Query  content://telephony/apgroups/
Able to Query    content://sms
Unable to Query  content://com.sina.weibo.blogProvider/insert/im
Unable to Query  content://icc/adn
Unable to Query  content://com.sina.weibo.blogProvider/delete/allim/
Unable to Query  content://com.sina.weibo.blogProvider/query/im/
Unable to Query  content://calendar/calendars
Unable to Query  content://com.sina.weibo.blogProvider/
Able to Query    content://com.android.contacts/contacts/
Unable to Query  content://calendar/events/
Able to Query    content://telephony/carriers/preferapn/
Able to Query    content://telephony/carriers/
Able to Query    content://com.android.contacts/contacts
Unable to Query  content://com.android.launcher2.settings/favorites?notify=true/
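Reading that list by eye is error-prone on a real app with dozens of URIs. The script below is an added example, not from the original post or from Mercury: it parses the finduris output, separates the URIs whose authority belongs to the target package from everything else the APK references, and reports which of the app's own URIs the unprivileged agent could query. The sample text is the post's own run against com.sina.weibo; the "owned_by" heuristic (authority equals the package name or lives under it) and the report wording are my assumptions.

```python
"""Added example, not from the original post or from Mercury: triage the output of
scanner.provider.finduris into the app's own URIs vs. referenced system URIs."""
import re
from urllib.parse import urlsplit

LINE_RE = re.compile(r"^(Able|Unable) to Query\s+(content://\S+)$")

# Output as printed by the module in the post (the 'Scanning' line is ignored).
SAMPLE = """\
Scanning com.sina.weibo...
Able to Query    content://mms
Unable to Query  content://calendar/events
Unable to Query  content://com.sina.weibo.blogProvider/query/home
Able to Query    content://mms/
Unable to Query  content://telephony/apgroups/
Able to Query    content://sms
Unable to Query  content://com.sina.weibo.blogProvider/insert/im
Unable to Query  content://icc/adn
Unable to Query  content://com.sina.weibo.blogProvider/delete/allim/
Unable to Query  content://com.sina.weibo.blogProvider/query/im/
Unable to Query  content://calendar/calendars
Unable to Query  content://com.sina.weibo.blogProvider/
Able to Query    content://com.android.contacts/contacts/
Unable to Query  content://calendar/events/
Able to Query    content://telephony/carriers/preferapn/
Able to Query    content://telephony/carriers/
Able to Query    content://com.android.contacts/contacts
Unable to Query  content://com.android.launcher2.settings/favorites?notify=true/
"""


def parse_finduris(text):
    """Return [(uri, queryable_by_agent), ...] in output order."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results.append((m.group(2), m.group(1) == "Able"))
    return results


def authority(uri):
    """content://<authority>/path?query  ->  <authority>"""
    return urlsplit(uri).netloc


def owned_by(uri, package):
    """Heuristic (assumption): an app's provider authorities are its package name
    or a sub-namespace of it, e.g. com.sina.weibo.blogProvider."""
    auth = authority(uri)
    return auth == package or auth.startswith(package + ".")


def triage(text, package):
    """Split results into the app's own URIs and everything else, each mapped
    to whether the unprivileged agent could query it."""
    own, other = {}, {}
    for uri, ok in parse_finduris(text):
        (own if owned_by(uri, package) else other)[uri] = ok
    return {"own": own, "other": other}


def report(text, package):
    t = triage(text, package)
    own_ok = sorted(u for u, ok in t["own"].items() if ok)
    other_ok = sorted(u for u, ok in t["other"].items() if ok)
    lines = ["%s: %d own URIs, %d queryable from the agent"
             % (package, len(t["own"]), len(own_ok))]
    lines += ["  CANDIDATE FINDING  " + u for u in own_ok]
    lines.append("%d other URIs referenced by the APK, %d queryable; these belong "
                 "to other apps or the system and depend on the agent's own permissions"
                 % (len(t["other"]), len(other_ok)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE, "com.sina.weibo"))
```

For the post's run the report lists five own URIs with zero queryable, which matches reading the output by hand; a queryable own URI is only a candidate until you have checked the provider's manifest entry (exported, permissions, grantUriPermissions) and what the data actually is.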

d. Read a given content provider's content

mercury#> run  app.provider.query content://settings/secure --selection "name='adb_enabled'"
| _id | name        | value |
| 66  | adb_enabled | 1     |

The --selection string is passed through to the provider's query() unchanged, so it is also the place to probe how the provider turns it into SQL; keep such probes read-only and confirm anything suspicious against the provider's code.

e. Not yet implemented: interacting with service components via Message or Android Interface Definition Language (AIDL); see https://github.com/mwrlabs/mercury/wiki

(4) File operations

List the world-writable/world-readable files under a given path (--privileged runs the listing through su, so the device must be rooted). Anything under /data/data/<package> that is world-readable or world-writable can be read or modified by every other app on the device; for shared_prefs files that usually means the app created them with MODE_WORLD_READABLE/MODE_WORLD_WRITEABLE.

mercury> run scanner.misc.writablefiles --privileged /data/data/com.sina.weibo
Discovered world-writable files in /data/data/com.sina.weibo:
  /data/data/com.sina.weibo/shared_prefs/push_settings.xml
  /data/data/com.sina.weibo/shared_prefs/speed_test.xml
mercury> run scanner.misc.readablefiles --privileged /data/data/com.sina.weibo
Discovered world-readable files in /data/data/com.sina.weibo:
  /data/data/com.sina.weibo/lib/libutility.so
  /data/data/com.sina.weibo/shared_prefs/push_settings.xml
  /data/data/com.sina.weibo/shared_prefs/speed_test.xml
  /data/data/com.sina.weibo/shared_prefs/com.sina.weibo_preferences.xml
  /data/data/com.sina.weibo/app_outtmp/private.dex
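When you want to confirm such a result without trusting the module, the raw mode bits from ls -l inside adb shell (or run shell.start) say the same thing. The script below is an added example, not from the original post or from Mercury: it parses an ls -l listing and classifies entries the way the two scanner modules do, additionally flagging world-writable directories, since anyone can create or replace files inside those. SAMPLE_LS is a constructed listing in Android toolbox format (no link-count column); the file names echo the post's findings, but the sizes, dates and mode bits are invented.

```python
"""Added example, not from the original post or from Mercury: derive world-readable /
world-writable findings from raw `ls -l` mode bits."""

# Constructed listing of /data/data/com.sina.weibo in toolbox format; modes invented.
SAMPLE_LS = """\
drwxrwxrwx u0_a80   u0_a80            2013-07-25 00:09 app_outtmp
drwxrwx--x u0_a80   u0_a80            2013-07-25 00:09 databases
lrwxrwxrwx install  install           2013-07-25 00:09 lib -> /data/app-lib/com.sina.weibo-1
-rw-rw-rw- u0_a80   u0_a80       1312 2013-07-25 00:09 push_settings.xml
-rw-rw-rw- u0_a80   u0_a80        220 2013-07-25 00:09 speed_test.xml
-rw-rw-r-- u0_a80   u0_a80       4096 2013-07-25 00:09 com.sina.weibo_preferences.xml
-rw-rw---- u0_a80   u0_a80        500 2013-07-25 00:09 login.xml
"""


def other_bits(mode):
    """'-rw-rw-rw-' -> (r, w, x) as seen by 'other', i.e. by every other app."""
    if len(mode) != 10:
        raise ValueError("not an ls -l mode string: %r" % mode)
    o = mode[7:10]
    return o[0] == "r", o[1] == "w", o[2] in "xt"


def parse_ls(text, base_dir):
    """Yield (path, mode) per entry.  Works for toolbox and busybox layouts by
    taking the first token as the mode and the last token (or the one before
    '->' for symlinks) as the name; 'total N' and blank lines are skipped."""
    base = base_dir.rstrip("/")
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or len(parts[0]) != 10 or parts[0][0] not in "-dl":
            continue
        name = parts[parts.index("->") - 1] if "->" in parts else parts[-1]
        yield base + "/" + name, parts[0]


def world_access(text, base_dir):
    """Classify entries like scanner.misc.readablefiles / writablefiles do.
    A symlink's own bits are always rwx and are skipped (judge its target);
    a world-writable directory is reported separately."""
    out = {"world_readable": [], "world_writable": [], "world_writable_dirs": []}
    for path, mode in parse_ls(text, base_dir):
        if mode[0] == "l":
            continue
        r, w, _ = other_bits(mode)
        if mode[0] == "d":
            if w:
                out["world_writable_dirs"].append(path)
            continue
        if r:
            out["world_readable"].append(path)
        if w:
            out["world_writable"].append(path)
    return out


if __name__ == "__main__":
    for kind, paths in world_access(SAMPLE_LS, "/data/data/com.sina.weibo").items():
        print(kind)
        for p in paths:
            print("  " + p)
```

Note that a file can be world-readable but only reachable if every directory on the path is world-searchable (the x bit for other), which is why the mode of /data/data/<package> itself matters as much as the files inside it.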

(5) Shell

The shell starts as the agent's own uid (u0_a80) in the agent's data directory; the su step works only on a rooted device.

mercury> run shell.start
u0_a80@android:/data/data/com.mwr.droidhg.agent $ su
u0_a80@android:/data/data/com.mwr.droidhg.agent # pwd
/data/data/com.mwr.droidhg.agent

(6) Install busybox

mercury> run tools.setup.busybox

(7) Browsing content providers over the web

mercury#> list auxiliary
auxiliary.webcontentresolver
                            Start a web service interface to content providers. 

mercury#> help auxiliary.webcontentresolver
usage: run auxiliary.webcontentresolver [-h] [-p PORT]

Start a Web Service interface to Content Providers. This allows you to use web
application testing capabilities and tools to test content providers.

Examples:
mercury> run auxiliary.webcontentresolver --port 8080

    WebContentResolver started on port 8080.
    Ctrl+C to Stop

Last Modified: 2012-11-06
Credit: Nils (@mwrlabs)
License: MWR Code License

optional arguments:
  -h, --help
  -p PORT, --port PORT  the port to start the WebContentResolver on
mercury#> run auxiliary.webcontentresolver
WebContentResolver started on port 8080.
Ctrl+C to Stop
1.0.0.127.in-addr.arpa - - [25/Jul/2013 00:09:19] "GET / HTTP/1.1" 200 -
1.0.0.127.in-addr.arpa - - [25/Jul/2013 00:09:30] "GET /favicon.ico HTTP/1.1" 200 -

Then open the WebContentResolver in a browser on the host where the console runs (the two log lines above are that browser's requests arriving from 127.0.0.1). The point of the interface is that ordinary web testing tools can be pointed at content providers.



References:

https://labs.mwrinfosecurity.com/tools/2012/03/16/mercury/documentation/
