This demonstration shows how you can find and exploit SQL injection in Android applications using Mercury.
A free framework for bug hunters to find vulnerabilities, write proof-of-concept exploits and play in Android. Use dynamic analysis on Android applications and devices for quicker security assessments. Share publicly known methods of exploitation on Android and proof-of-concept exploits for applications and devices. The easy extensions interface allows users to write custom modules and exploits for Mercury Replace custom applications and scripts that perform single tasks with a framework that provides many tools.
Mercury allows you to:
- Interact with the 4 IPC endpoints - activities, broadcast receivers, content providers and services
- Use a proper shell that allows you to play with the underlying Linux OS from the point of view of an unprivileged application (you will be amazed at how much you can still see)
- Find information on installed packages with optional search filters to allow for better control
- Built-in commands that can check application attack vectors on installed applications
- Tools to upload and download files between the Android device and computer without using ADB (this means it can be done over the internet as well!)
- Create new modules to exploit your latest finding on Android, and playing with those that others have found.
Download Mercury v1.0 and Mercury Quick Start Guide