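Mercury (Android App Security Assessment Framework): Installation, Startup, and Usage
Mercury is an excellent open-source security assessment framework for Android apps. Its best feature is that it can dynamically interact over IPC (inter-component communication) with the apps on an Android device.
I. Installation and startup
1. Installation
(1) Windows installation
Step 1: Download Mercury 2.2.2 (Windows Installer)
Step 2: Install agent.apk on the Android device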
adb install agent.apk
(2) *nix installation (Debian/Mac)
apt-get install build-essential python-dev python-setuptools
# The following steps also apply to Mac
easy_install --allow-hosts pypi.python.org protobuf==2.4.1
easy_install twisted==10.2.0  # needed for Infrastructure mode support
wget https://labs.mwrinfosecurity.com/assets/415/mercury-2.2.2.tar.gz
tar zxvf mercury-2.2.2.tar.gz
easy_install mercury-2.0.0-py2.7.egg
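2. Startup
There are three ways to connect.
(1) Over USB
Step 1: On the PC, use adb to forward the port Mercury uses, 31415
adb forward tcp:31415 tcp:31415
Step 2: On the Android device, open the Mercury Agent and select embedded server, then enable
Step 3: On the PC, start the Mercury console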
mercury.bat console connect
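(2) Over Wi-Fi
Step 1: On the Android device, open the Mercury Agent
Select embedded server and enable it
Step 2: On the PC, start the Mercury console with the server address set to the Android device's IP address
mercury console connect --server <android-device-ip:port>
(3) Infrastructure Mode
This mode involves three communicating parties: the mercury server, the mercury agent (on the Android device), and the mercury console.
The server and the agent, and the server and the console, must be able to reach each other over the network. The advantage of this mode is that you do not need to know the Android device's IP address, the agent and the console can sit in isolated IP ranges, and one server can handle multiple devices.
Step 1: On the PC, start the Mercury server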
mercury server
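Step 2: On the Android device, create a New Endpoint, set its Host to the mercury server's IP (the IP of the PC from the previous step), and enable the Endpoint
Step 3: Start the console
mercury console connect --server <serverip:port>
II. Usage
Everything is then driven from the Mercury console, which feels a lot like msf. Some commonly used commands follow.
1. List the currently available modules
mercury> list (ls also works)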
app.activity.forintent Find activities that can handle the given intent
app.activity.info Gets information about exported activities.
app.activity.start Start an Activity
app.broadcast.info Get information about broadcast receivers
app.broadcast.send Send broadcast using an intent
2. Show the help for a given module
mercury> help app.activity.forintent
usage: run app.activity.forintent [-h] [--action ACTION] [--category CATEGORY]
[--component PACKAGE COMPONENT] [--data-uri DATA_URI]
[--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]]
[--mimetype MIMETYPE]
Find activities that can handle the formulated intent
Examples:
Find activities that can handle web addresses:
mercury> run app.activity.forintent
--action android.intent.action.VIEW
--data https://www.google.com
Package name: com.android.browser
Target activity: com.android.browser.BrowserActivity
Last Modified: 2012-11-06
Credit: MWR InfoSecurity (@mwrlabs)
License: MWR Code License
optional arguments:
-h, --help
--action ACTION specify the action to include in the Intent
--category CATEGORY specify the category to include in the Intent
--component PACKAGE COMPONENT
specify the component name to include in the Intent
--data-uri DATA_URI specify a Uri to attach as data in the Intent
--extra TYPE KEY VALUE
add an field to the Intent's extras bundle
--flags FLAGS [FLAGS ...]
specify one-or-more flags to include in the Intent
--mimetype MIMETYPE specify the MIME type to send in the Intent
(1) For example, list the apps installed on the Android device
mercury> run app.package.list
android
berserker.android.apps.sshdroid
cn.wps.moffice_eng
com.alipay.android.app
com.android.GPStestSvc
com.android.backupconfirm
mercury> run app.package.info -a com.android.browser
Package: com.android.browser
Process Name: com.android.browser
Version: 4.1.1-JLB17.0
Data Directory: /data/data/com.android.browser
APK Path: /system/app/Browser.apk
UID: 10004
GID: [3003, 1015, 1028]
Shared Libraries: null
Shared User ID: null
Uses Permissions:
- android.permission.ACCESS_COARSE_LOCATION
- android.permission.ACCESS_DOWNLOAD_MANAGER
- android.permission.ACCESS_FINE_LOCATION
- android.permission.ACCESS_NETWORK_STATE
- android.permission.ACCESS_WIFI_STATE
- android.permission.GET_ACCOUNTS
- android.permission.USE_CREDENTIALS
- android.permission.INTERNET
- android.permission.NFC
- android.permission.SEND_DOWNLOAD_COMPLETED_INTENTS
- android.permission.SET_WALLPAPER
- android.permission.WAKE_LOCK
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.WRITE_SETTINGS
- android.permission.READ_SYNC_SETTINGS
- android.permission.WRITE_SYNC_SETTINGS
- android.permission.MANAGE_ACCOUNTS
- android.permission.READ_PROFILE
- android.permission.READ_CONTACTS
- com.android.browser.permission.READ_HISTORY_BOOKMARKS
- com.android.browser.permission.WRITE_HISTORY_BOOKMARKS
- com.android.launcher.permission.INSTALL_SHORTCUT
- android.permission.READ_EXTERNAL_STORAGE
Defines Permissions:
- com.android.browser.permission.PRELOAD
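Mercury's most useful capability is helping debug IPC mechanisms by exercising an app's IPC components (Activities, Broadcast receivers, Content providers, and Services). Mercury's app.{activity|broadcast|provider|service}.xx modules provide this.
a. List the activity components in an app (using com.android.browser as the example)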
mercury> run app.activity.info -a com.android.browser
Package: com.android.browser
com.android.browser.BrowserActivity
com.android.browser.MiuiShortcutActivity
com.android.browser.BrowserPreferencesPage
com.android.browser.BookmarkSearch
com.android.browser.AddOrEditBookmarkActivity
com.android.browser.widget.BookmarkWidgetConfigure
b. Start an activity, for example launch the browser to open the Google page
mercury> run app.activity.start --action android.intent.action.VIEW --data-uri https://google.com/
c. Find Content Providers that can be read
mercury> run scanner.provider.finduris -a com.sina.weibo
Scanning com.sina.weibo...
Able to Query content://mms
Unable to Query content://calendar/events
Unable to Query content://com.sina.weibo.blogProvider/query/home
Able to Query content://mms/
Unable to Query content://telephony/apgroups/
Able to Query content://sms
Unable to Query content://com.sina.weibo.blogProvider/insert/im
Unable to Query content://icc/adn
Unable to Query content://com.sina.weibo.blogProvider/delete/allim/
Unable to Query content://com.sina.weibo.blogProvider/query/im/
Unable to Query content://calendar/calendars
Unable to Query content://com.sina.weibo.blogProvider/
Able to Query content://com.android.contacts/contacts/
Unable to Query content://calendar/events/
Able to Query content://telephony/carriers/preferapn/
Able to Query content://telephony/carriers/
Able to Query content://com.android.contacts/contacts
Unable to Query content://com.android.launcher2.settings/favorites?notify=true/
mercury#> run app.provider.query content://settings/secure --selection "name='adb_enabled'"
| _id | name | value |
| 66 | adb_enabled | 1 |
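Added example (not part of the original post or of Mercury itself): a short Python script that triages the scanner.provider.finduris output shown above, merging duplicate URIs and separating those served under the scanned app's own authority from those served by other providers on the device. The function names and the package-prefix heuristic are assumptions made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Lines copied from the scanner.provider.finduris output shown above (subset).
SAMPLE = """\
Scanning com.sina.weibo...
Able to Query content://mms
Unable to Query content://calendar/events
Unable to Query content://com.sina.weibo.blogProvider/query/home
Able to Query content://mms/
Able to Query content://sms
Unable to Query content://com.sina.weibo.blogProvider/
Able to Query content://com.android.contacts/contacts/
Able to Query content://telephony/carriers/
Able to Query content://com.android.contacts/contacts
"""

RESULT = re.compile(r"^(Able|Unable) to Query (content://\S+)$")

def triage(output):
    """Return (scanned package, {authority: {"able": set, "unable": set}})."""
    package = None
    by_authority = defaultdict(lambda: {"able": set(), "unable": set()})
    for line in map(str.strip, output.splitlines()):
        if line.startswith("Scanning ") and line.endswith("..."):
            package = line[len("Scanning "):-3]
            continue
        m = RESULT.match(line)
        if not m:
            continue  # ignore prompts and unrelated console text
        parts = urlsplit(m.group(2))
        # Drop the trailing slash so content://mms and content://mms/ merge.
        uri = "content://" + parts.netloc + parts.path.rstrip("/")
        by_authority[parts.netloc][m.group(1).lower()].add(uri)
    return package, dict(by_authority)

def queryable(output):
    """Split queryable URIs into (app's own, other providers), both sorted."""
    package, by_authority = triage(output)
    own, other = set(), set()
    for authority, result in by_authority.items():
        # Assumption (heuristic): an authority that starts with the scanned
        # package name belongs to that app; anything else is another provider.
        mine = bool(package) and authority.startswith(package)
        (own if mine else other).update(result["able"])
    return sorted(own), sorted(other)

if __name__ == "__main__":
    own, other = queryable(SAMPLE)
    print("own providers readable by the agent:", own)
    print("other providers readable by the agent:", other)
```

For this sample, none of the "Able to Query" results fall under the com.sina.weibo.blogProvider authority; they all belong to other providers on the device.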
(4) File operations
List the world-writable/world-readable files under a given path
mercury> run scanner.misc.writablefiles --privileged /data/data/com.sina.weibo
Discovered world-writable files in /data/data/com.sina.weibo:
/data/data/com.sina.weibo/shared_prefs/push_settings.xml
/data/data/com.sina.weibo/shared_prefs/speed_test.xml
mercury> run scanner.misc.readablefiles --privileged /data/data/com.sina.weibo
Discovered world-readable files in /data/data/com.sina.weibo:
/data/data/com.sina.weibo/lib/libutility.so
/data/data/com.sina.weibo/shared_prefs/push_settings.xml
/data/data/com.sina.weibo/shared_prefs/speed_test.xml
/data/data/com.sina.weibo/shared_prefs/com.sina.weibo_preferences.xml
/data/data/com.sina.weibo/app_outtmp/private.dex
mercury> run shell.start
u0_a80@android:/data/data/com.mwr.droidhg.agent $ su
u0_a80@android:/data/data/com.mwr.droidhg.agent # pwd
/data/data/com.mwr.droidhg.agent
(6) Install busybox
mercury> run tools.setup.busybox
(7) Browse the contents of content provider components through a web interface
mercury#> list auxiliary
auxiliary.webcontentresolver
Start a web service interface to content providers.
mercury#> help auxiliary.webcontentresolver
usage: run auxiliary.webcontentresolver [-h] [-p PORT]
Start a Web Service interface to Content Providers. This allows you to use web
application testing capabilities and tools to test content providers.
Examples:
mercury> run auxiliary.webcontentresolver --port 8080
WebContentResolver started on port 8080.
Ctrl+C to Stop
Last Modified: 2012-11-06
Credit: Nils (@mwrlabs)
License: MWR Code License
optional arguments:
-h, --help
-p PORT, --port PORT the port to start the WebContentResolver on
mercury#> run auxiliary.webcontentresolver
WebContentResolver started on port 8080.
Ctrl+C to Stop
1.0.0.127.in-addr.arpa - - [25/Jul/2013 00:09:19] "GET / HTTP/1.1" 200 -
1.0.0.127.in-addr.arpa - - [25/Jul/2013 00:09:30] "GET /favicon.ico HTTP/1.1" 200 -
References:
https://labs.mwrinfosecurity.com/tools/2012/03/16/mercury/documentation/
Source: 碳基体