$200+ Bug Bounty Payouts: Exploiting Content Providers with SQL Injection
In this blog, we will see how to find SQL injection by exploiting a content provider in an Android app using Drozer.
After successfully installing Drozer, we will proceed with the exploitation steps.
First, let us understand content providers, one of the Android app components.

Content providers are responsible for supplying an Android app's data and managing access to it. They allow other applications to safely read and modify that data, as far as the app permits. The Android system lets a content provider store application data in various formats: for instance, photographs, audio, videos and personal contact information can be stored in SQLite databases, in files, or even on a network. Content providers carry their own permissions, so they can grant or restrict other applications' rights to read and modify the data they share.
Below are the operations we can perform through a content provider:
Create: to add new data through the content provider.
Read: to retrieve information from a content source.
Update: to make changes to existing data.
Delete: to remove existing data from storage.
Let us see the exploitation part step by step.
Step-1
Find out the package name of the target app you are hunting on:
adb shell pm list packages OR frida-ps -Uai
Step-2
Start the Drozer agent on the device, then forward the agent's port and connect the console:
adb forward tcp:31415 tcp:31415
drozer console connect

Step-3
Let's get some basic information about the app by enumerating its attack surface. As we can see, there are 3 content providers exported.
run app.package.attacksurface <app-package-name>

Step-4
Now we can see all 3 content providers in detail.
run app.provider.info -a <app-package-name>

Step-5
Now we will scan for all URIs that expose accessible content.
run scanner.provider.finduris -a <app-package-name>

Before jumping to step-6, let's have a quick look at two SQL concepts that help with the rest of the exploitation.
Projection: lets us choose which columns of the table we are querying.
Selection: lets us use a condition to choose which rows of the table we are querying.

With this query, we want to get the fields name, size and format (the columns, i.e. the projection) of all those entries (the rows, i.e. the selection) whose size is bigger than 20.
Step-6
We have all the accessible URIs from step-5. Now we check them for SQL injection, and we can see some database errors in the responses.

Step-7
Let's confirm further by checking the SQLite database version.

Step-8
Let's continue the exploitation by scanning for more injectable content URIs, focusing on the selection and projection parameters of each URI.

Step-9
Let's identify the table names from where we can obtain data from the database.
run scanner.provider.sqltables -a <app-package-name>

Step-10
From step-9 we have the table name and the URIs it is reached through. Now we will dump the data from this table.

Step-11
Now we will perform some tasks like insertion and deletion of data in the database. Let's first insert some data:
run app.provider.insert content://uri-path --string <column-name> "enter your data"

Step-12
Now we will delete the inserted data from the database:
run app.provider.delete content://uri-path --selection "<column-name>=?" --selection-args "<row-value>"

Finally, we have successfully exploited the content provider. I want you to hunt for this in your bug bounty programs to earn $200+ for reporting it.
Some reference reports
Mitigations
- Use ContentProvider permissions and URI permissions
- Restrict access to content providers (export only those that other apps need)
- Use parameterized queries (? placeholders)
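As an added example (not code from the original post or from any app), here is a Python model of a provider's query() built on sqlite3 that ties the projection/selection concepts above to the last mitigation: query_vulnerable concatenates the caller-supplied projection and selection straight into SQL, while query_hardened whitelists projection columns and only accepts selections of the form "column OP ?" with the values bound as selectionArgs. The files table, its rows and all function names are constructed for this illustration.

```python
import re
import sqlite3

# Constructed for this example: the only columns the provider is willing to expose.
ALLOWED_COLUMNS = ("name", "size", "format")
# A selection may only be "column OP ?" terms joined by AND; values arrive as selectionArgs.
_TERM = r"(?:name|size|format)\s*(?:=|!=|<>|<=|>=|<|>)\s*\?"
SELECTION_RE = re.compile(rf"^\s*{_TERM}(?:\s+AND\s+{_TERM})*\s*$", re.IGNORECASE)

def make_db():
    """Constructed in-memory table standing in for the provider's backing store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (name TEXT, size INTEGER, format TEXT)")
    db.executemany("INSERT INTO files VALUES (?, ?, ?)",
                   [("a.png", 10, "png"), ("b.mp4", 30, "mp4"), ("c.mp3", 25, "mp3")])
    return db

def query_vulnerable(db, projection, selection):
    """The weak pattern: caller-controlled projection and selection pasted into the SQL."""
    sql = "SELECT " + ", ".join(projection) + " FROM files"
    if selection:
        sql += " WHERE " + selection
    return db.execute(sql).fetchall()

def query_hardened(db, projection, selection, selection_args=()):
    """Whitelisted projection, fixed-shape selection, values bound through ? placeholders."""
    cols = list(projection) if projection else list(ALLOWED_COLUMNS)
    unknown = [c for c in cols if c not in ALLOWED_COLUMNS]
    if unknown:
        raise ValueError(f"rejected projection columns: {unknown}")
    sql = "SELECT " + ", ".join(cols) + " FROM files"
    if selection:
        if not SELECTION_RE.match(selection):
            raise ValueError("rejected selection: only 'column OP ?' terms are accepted")
        if selection.count("?") != len(selection_args):
            raise ValueError("placeholder count does not match selectionArgs")
        sql += " WHERE " + selection
    return db.execute(sql, tuple(selection_args)).fetchall()

def is_rejected(db, projection, selection, selection_args=()):
    """True when the hardened query refuses the request instead of running it."""
    try:
        query_hardened(db, projection, selection, selection_args)
    except ValueError:
        return True
    return False
```

With the weak version, a selection of "size > 20 OR 1=1" returns every row; the hardened version refuses it and only runs "size > ?" with "20" passed as a selection argument (strings, as Android's selectionArgs are; SQLite applies the column's numeric affinity to the bound value).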
Thank you for reading!! Keep hunting!!
Do clap if you like this, and follow or subscribe for upcoming blogs via mail on Medium.
Connect with me over LinkedIn.