A new tool to find and exploit SQL Injection vulnerabilities in Android Content Providers
CPMap is an Android module that contains functionality to identify and exploit SQL Injection vulnerabilities in Android Content Providers. It was developed to address the need for more comprehensive detection and extraction (i.e. dumping) logic than existing tools provided.
The library has been tested on Android 6.0. to Android 11.
- Supports several injection vectors:
- Content URI id (read/update)
- Content URI segment (read/update)
- Projection (read)
- Sort order (read, cannot be used for dumping)
- Where clause (read/update)
- Content Values key (update)
- Query parameter key (read/update)
- Query parameter value (read/update)
- Supports several payloads:
- Heuristic (error-based)
- Boolean blind
- Supports multiple detection methods:
- Can be used to audit in a targeted, or zero-knowledge discovery mode
- Targeted mode will validate and use the provided injection vectors/report object
- Discovery mode will perform various actions to determine valid Content Provider URI’s to exploit
- Dump data from vulnerable Content Providers using arbitrary SQL queries
- Access module log and the underlying query log via listener interfaces
- If vulnerable Content Providers are found, the module produces a report which can be stored as a JSON string for ease of storage and collaboration
Modes of Operation
The module can run in a targeted audit mode, where the user provides exact details for each of the target apps exposed and accessible Content Provider URIs. In this mode no discovery logic or brute-force logic is executed, the module will simply run through each test for the provided URI’s. This is usually a quicker scan than that of the discovery mode and may be useful in a CI pipeline as an additional QA process during development and deployment of apps.
The discovery audit mode is fully automated, with some customisable options to control the scan. A high-level overview of the discovery audit process is as follows:
- Examine package metadata (i.e. other application components defined in the manifest), and attempt to extract strings from the target packages APK (DEX files)
- Gathered metadata and strings are checked for full Content URI’s, and used to generate a wordlist
- The module attempts to generate Content URIs using the wordlist, which are in turn validated by attempting to query or update the generated URI
CPMap supports a wide range of injection vectors for read and/or write queries, which means it is more likely to find vulnerabilities within more obscure vectors such as the keys of ContentValues objects or content URI segments. Most existing tools concentrate on fewer injection vectors.
CPMap includes support for more advanced payloads such as path traversal and UNION queries. Path traversal vulnerabilities can be exploited directly to copy data from a vulnerable apps internal storage, or whatever they have access to within the device filesystem. UNION queries can extract a great deal of information in very few queries. Fully automated boolean blind extraction logic can dump data when only boolean payloads are available and may involve many thousands of queries.
CPMap uses both heuristic and boolean detection logic by default, which means it is more likely to identify potential vulnerabilities even if the app developer has taken steps to prevent heuristic detection.
The module has been used with success as it has been developed, and has identified several issues in Samsung/Android applications, including:
Download and documentation
CPMap can be downloaded from our Github repo here.