00:00:02,670 --> 00:00:37,570
So the next type of vulnerability that Drozer is really good at being able to detect are content provider based vulnerabilities. Content providers are essentially a way of being able to access data from an application from somewhere external to that application. So if, like, app number one wants to access data from app number two, it would typically use a content provider to be able to access that data. Now, some content providers are hidden behind permissions. Some of them are not hidden behind permissions. If they're not hidden by permissions, they're accessible from anywhere, which means that we could potentially do something with it to expose data.

00:00:37,570 --> 00:01:24,700
Now, with that in mind, we have to consider some of the information here regarding the content providers. In general, being able to query a content provider isn't necessarily an issue. However, if you're able to do a SQL injection into a content provider, that can be a big issue. So we'll take a look at what that can typically look like inside of here. So if you want to expose content providers that exist on an application, we can get those through Drozer, and we can do that through the following commands here. So if I run scanner.provider.finduris with -a and I give it the name of the application, what this will do is it will expose to me all of the URIs that exist.

00:01:24,730 --> 00:02:38,880
URIs of the content providers that we may be able to query, so you can see that there's two of them here that we're actually able to query, and I just want to give you a bit of an idea about what this looks like from sort of a typical legitimate perspective. So if I create a shell into my device here, I can do something like this. I could type content query --uri and then you put in the URI that you want to query. And what happens is this will essentially run through a specific type of query, and you can typically provide them with some arguments, and those arguments can be interpreted and potentially exploited. So I think I might have to put two hyphens into it. You have to put two hyphens in, right? So there should be two hyphens here. So this is what the actual command would look like. So you see, when I run this, it actually gives me data that is inside of the database. And what I can do with this is I can provide a specific projection, right? A projection is the fields that I actually want to see. So for instance, if I want to see just the title, I could say --projection title, which will show me just the title.

00:02:38,950 --> 00:03:55,180
So if you take a look at the actual code here, it can help you understand a little bit more. When we use the query portion, what it will do is it will utilize this query function inside of the provider, and all content providers are going to look very similar. So what you'll see here is that when it actually runs the query, it runs it through a query builder there and it provides it with a projection. Now, a query builder is generally relatively secure. However, projections have to be set in a very specific way. What we should be doing with a projection is telling the query builder what columns are actually valid to be able to be input. If we don't do this, then you can input theoretically anything into that projection, and it will actually get executed as SQL code. So to demonstrate this sort of idea, let me show you what this looks like from my adb shell. So I have the projection for title; instead I could replace this with something different. I could do something like * FROM sqlite_master and then I can put the comment to comment out the rest of it. What this does is, so when we do the projection, it injects the data between SELECT and FROM. So what I'm doing is, the SELECT is already there, so then I just put * FROM sqlite_master and then I comment out the rest.

00:03:55,210 --> 00:05:05,680
So that just starts the query with select everything from the master table. The master table holds all of the information about what exists inside of this database. So what you can see here is you can see all of the table information. This tells me a SQL injection is possible. So this allows me to be able to see that sort of information. Now, of course, we don't always want to be doing this manually, because it takes a lot of time to test a lot of content providers. So luckily, Drozer actually has some built-in ability to be able to do that. So the way that you can test this is you can do something like this. You can say run scanner.provider.injection and then -a, and then we put in the name of the application again. And what this will do is it will attempt injections on each of the providers, and it will tell you if you can inject the projection or if you can inject through the selection, which you can do in both of these cases. So when we talk about the selection, the selection is actually the WHERE clause, so we can give it a WHERE clause, we can give it a projection as well, and both of those seem to have injection enabled on them.

00:05:06,760 --> 00:06:22,080
So in general, once we have this information, we're able to run a query like I just did here to get all the information from sqlite_master, and then utilizing that we can get other pieces of information. If there's more data inside of this database that we shouldn't have access to, we'll be able to get to that utilizing this. So that's sort of the general idea and gist of what we're going to be doing with this. And just to show, you can get the same sort of information inside of Drozer, and you can get that through running run scanner.provider.sqltables. And what this will do is it will essentially just give you all of the tables that exist, if a content provider is vulnerable. So as you can see, it tells me that these are the tables that are accessible through this injection, right? So when I'm doing this, like, for instance, if you want to see what an injection could look like, I could replace this with * FROM, like, for instance, android_metadata, and that could expose the data to us. I could do this from notes, which is the other table that exists, and that's sort of the stuff that we got from the content providers. That's not overly interesting, but I mean you can get a lot of other things, such as the SQLite version.

00:06:22,080 --> 00:06:42,550
I think you could do that just generally through something like this, for instance. And that would be a good example of the sort of things that you could do with this sort of vulnerability. So this gives you a good idea of how content providers can be exploited and how to find those vulnerabilities through Drozer.
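The video explains the root cause (the provider's query() hands the caller's projection and selection straight to SQLiteQueryBuilder, which splices the projection between SELECT and FROM) but does not show the fix. The following is an added example written for this transcript, not code from the video, from the demo app, or from drozer: the same query written the unchecked way and then hardened with a projection map and strict mode. The table name notes, the column _id, and the column content are assumptions for illustration (the transcript only mentions a notes table and a title column).

```java
// Added example, not from the video or from drozer. Table "notes" and
// columns "_id", "title", "content" are assumed for illustration.
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import java.util.HashMap;
import java.util.Map;

public final class NotesQueries {
    static final String TABLE = "notes";

    // BEFORE: the caller's projection and selection go straight into the
    // builder. SQLiteQueryBuilder joins the projection strings between
    // SELECT and FROM without validating them, so a projection entry such
    // as "* FROM sqlite_master--" rewrites the statement, which is exactly
    // what the transcript shows with content query and drozer.
    static Cursor queryUnchecked(SQLiteDatabase db, String[] projection,
                                 String selection, String[] selectionArgs) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        return qb.query(db, projection, selection, selectionArgs,
                        null, null, null);
    }

    // AFTER: an allow-list of the columns a caller may ask for. Once a
    // projection map is set, computeProjection() throws
    // IllegalArgumentException for any projection entry that is not a key
    // in the map, so "* FROM sqlite_master--" never reaches SQLite.
    static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        PROJECTION_MAP.put("_id", "_id");
        PROJECTION_MAP.put("title", "title");
        PROJECTION_MAP.put("content", "content");
    }

    static Cursor queryHardened(SQLiteDatabase db, String[] projection,
                                String selection, String[] selectionArgs) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        qb.setProjectionMap(PROJECTION_MAP);
        // Strict mode closes the non-strict " AS " alias pass-through in the
        // projection and verifies the selection (the WHERE clause the
        // transcript calls "the selection") so it cannot smuggle extra SQL.
        qb.setStrict(true);
        // Values for the WHERE clause should still travel in selectionArgs
        // (bound to "?" placeholders), never concatenated into selection.
        return qb.query(db, projection, selection, selectionArgs,
                        null, null, null);
    }
}
```

The projection map is the piece the transcript says is missing ("telling the query builder what columns are actually valid"); strict mode covers the second finding drozer reports, injection through the selection. Both changes are independent of the permission question the video raises at the start: a provider that does not need to be reachable from other apps should additionally be non-exported or guarded by a permission, and the hardened query() is what protects the ones that must stay reachable.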