Exploitation of Content Providers:
Content providers facilitate an application’s access and management of data either in its own SQLite database or in files.
There are two types of commonly used content providers:
1. Database-backed
2. File-backed.
Content providers act as standardized bridges between data from one process and code from another, enabling specific applications to utilize the interface of your content provider to access the database or file-backed provider operating within your own application.
- This module app.provider.info enumerates information about content providers in an application.
cmd: “run app.provider.info -a com.mwr.example.sieve”
We can observe that the content provider is being “exported”. This means nothing but shows that “it can be accessed by other applications”.
- The ability to read and write unveils an interesting avenue. The module app.provider.finduri identifies all content providers that can be queried in an application.
cmd: “run app.provider.finduri com.mwr.example.sieve”
- The scanner.provider.finduris module is used to check queriable content providers and there is another module that filters out the URI that may/ may not be queried.
cmd: “run scanner.provider.finduris -a com.mwr.example.sieve”
- This module app.provider.columns exhibits the columns existing in the content provider.
cmd: “run app.provider.columns content://com.mwr.example.sieve.DBContentProvider/Keys/”
This module app.provider.read can execute various actions on file-backed content providers and also helps to perform directory traversal, read files, and perform other similar functions on supported providers.
cmd: “run app.provider.read content://com.mwr.example.sieve.DBContentProvider/Keys/”
The module app.provider.query helps us for understanding the data that an app stores and shares with other components or apps on the device.
Cmd:
“run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Keys/”
One of the above commands disclosed the Password and Pin registered by the user.