search
githubEdit

Exploiting Content Providers

hashtag
Exploiting Content Providers

circle-check

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)arrow-up-right Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)arrow-up-right

chevron-rightSupport HackTrickshashtag

hashtag
Intro

Data is supplied from one application to others on request by a component known as a content provider. These requests are managed through the ContentResolver class methods. Content providers can store their data in various locations, such as a database, files, or over a network.

In the Manifest.xml file, the declaration of the content provider is required. For instance:

<provider android:name=".DBContentProvider" android:exported="true" android:multiprocess="true" android:authorities="com.mwr.example.sieve.DBContentProvider">
    <path-permission android:readPermission="com.mwr.example.sieve.READ_KEYS" android:writePermission="com.mwr.example.sieve.WRITE_KEYS" android:path="/Keys"/>
</provider>

To access content://com.mwr.example.sieve.DBContentProvider/Keys, the READ_KEYS permission is necessary. It's interesting to note that the path /Keys/ is accessible in the following section, which is not protected due to a mistake by the developer, who secured /Keys but declared /Keys/.

Maybe you can access private data or exploit some vulnerability (SQL Injection or Path Traversal).

hashtag
Get info from exposed content providers

It's possible to piece together how to reach the DBContentProvider by starting URIs with “content://”. This approach is based on insights gained from using Drozer, where key information was located in the /Keys directory.

Drozer can guess and try several URIs:

You should also check the ContentProvider code to search for queries:

Also, if you can't find full queries you could check which names are declared by the ContentProvider on the onCreate method:

The query will be like: content://name.of.package.class/declared_name

hashtag
Database-backed Content Providers

Probably most of the Content Providers are used as interface for a database. Therefore, if you can access it you could be able to extract, update, insert and delete information. Check if you can access sensitive information or try to change it to bypass authorisation mechanisms.

When checking the code of the Content Provider look also for functions named like: query, insert, update and delete:

Because you will be able to call them

hashtag
Query content

hashtag
Insert content

Quering the database you will learn the name of the columns, then, you could be able to insert data in the DB:

Note that in insert and update you can use --string to indicate string, --double to indicate a double, --float, --integer, --long, --short, --boolean

hashtag
Update content

Knowing the name of the columns you could also modify the entries:

hashtag
Delete content

hashtag
SQL Injection

It is simple to test for SQL injection (SQLite) by manipulating the projection and selection fields that are passed to the content provider. When quering the Content Provider there are 2 interesting arguments to search for information: --selection and --projection:

You can try to abuse this parameters to test for SQL injections:

Automatic SQLInjection discovery by Drozer

hashtag
File System-backed Content Providers

Content providers could be also used to access files:

hashtag
Read file

You can read files from the Content Provider

hashtag
Path Traversal

If you can access files, you can try to abuse a Path Traversal (in this case this isn't necessary but you can try to use "../" and similar tricks).

Automatic Path Traversal discovery by Drozer

hashtag
References

circle-check

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)arrow-up-right Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)arrow-up-right

chevron-rightSupport HackTrickshashtag
PreviousDrozer TutorialNextExploiting a debuggeable application

Last updated