浏览器市场一向强调安全性。但是安全往往与功能强大是矛盾的。Dangerous Browser 功能强大,但也是最不安全的。Dangerous Browser 可以运行 PHP 脚本,可以创建标准的 PHP5 内置对象;它可以在后门中运行强化后的 Javascript,这样的 Javascript 可以创建 FileSystemObject,并通过 OpenTextFile、CreateTextFile 访问本地文件,甚至可以调用任何 Windows API 去创建标准的 Windows 窗口,完成只有客户端程序才能完成的功能。(下载:本浏览器源码)
一、界面
二、主要脚本代码
1 PHP 代码 主要功能:创建一个 VCL 的 TForm,在该 Form 中添加一个按钮,为 Form 添加 OnClick 响应代码,响应效果是使 Caption 的文字变为 "Clicking a VCL TForm";按钮的 OnClick 响应代码的效果则是将其 Caption 改为 "Clicking a VCL TButton"。
var $name = " php file class " ;
/**
 * Overwrite the stored name with the caller-supplied value.
 *
 * @param mixed $n the new name
 */
function setName( $n ){
    $newName = $n;
    $this->name = $newName;
}
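/**
 * Print a greeting containing the stored name, followed by an HTML line break.
 *
 * The original wrote "$this ->name" inside the string; with that space PHP
 * interpolates only $this (an object, which cannot be converted to a string)
 * and leaves " ->name" as literal text. Braces make the property access explicit.
 */
function sayHello(){
    print " my name is {$this->name}<BR> " ;
}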
}
/**
 * OnClick handler registered for the VCL form: replaces the form's caption.
 *
 * @param object $sender the control that raised the event (expected to expose Caption)
 */
function OnFormClick( $sender ) {
    $caption = " Clicking a VCL TForm " ;
    $sender->Caption = $caption;
}
/**
 * OnClick handler registered for the VCL button: replaces the button's caption.
 *
 * @param object $sender the control that raised the event (expected to expose Caption)
 */
function OnButtonClick( $sender ) {
    $caption = " Clicking a VCL TButton " ;
    $sender->Caption = $caption;
}
// Script entry: build a VCL form holding one button and wire both OnClick
// events to the PHP handlers defined above. $ds is the host's bridge object
// (dsRE); what each bridge call does is inferred from its name and its use
// here, not documented on this page — confirm against the host.
// Note: this code runs with the privileges of the host process, so a form
// created here is a real native window, not a sandboxed page element.
$ds = new dsRE();
// call VCL
// UsingClass presumably makes the named VCL class constructible from PHP
// (it precedes each `new` below) — TODO confirm.
$ds -> UsingClass( " TForm " );
$form = new TForm( null );
// Route the form's OnClick event to the PHP function OnFormClick.
$ds -> RegistMethod( " OnFormClick " , $form , " OnClick " );
$ds -> UsingClass( " TButton " );
$button = new TButton( $form );
// Route the button's OnClick event to the PHP function OnButtonClick.
$ds -> RegistMethod( " OnButtonClick " , $button , " OnClick " );
$button -> Left = 20 ;
$button -> Top = 30 ;
$button -> Width = 200 ;
// Parent must be set for the button to be placed on the form.
$button -> Parent = $form ;
$button -> Caption = " Button1 " ;
$form -> Show();
$form -> Caption = " I am a VCL TForm " ;
// Share presumably exposes the objects under a name to other scripts in the
// host; the consumer is not shown on this page — verify.
$ds -> Share( $form , " Form1 " );
$ds -> Share( $button , " Button1 " );
2 后门 Javascript 代码 主要功能:调用 Windows API 创建一个标准的 Window,在该 Window 的回调中响应 WM_CREATE 消息,调用 MessageBox 显示这个窗口的 Window Name。
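/**
 * Reads a native window's title through the host's OS-API bridge.
 *
 * Marshals (hWnd, out-buffer, buffer length) into an "ApiParams" object and
 * invokes GetWindowTextA. Nothing here is sandboxed: the call runs with the
 * rights of the host process.
 *
 * @param hWnd native window handle, as accepted by AppendHandlePointer
 * @returns {string} the text read back from the parameter buffer
 */
function GetWindowText(hWnd)
{
    // `param` and `ret` were implicit globals in the original; keeping them
    // local stops other wrappers (which used the same names) from clobbering them.
    var param = new dobject("ApiParams");
    var ret;
    dvm.Write2Cpp("DEBUG", hWnd); // debug trace to the host side; kept as-is
    try {
        param.AppendHandlePointer(hWnd);
        param.AllocAsciiStringBuffer(260); // out buffer for the title
        param.AppendUnsignedLong(260);     // nMaxCount; must equal the buffer size above
        os_api.CallOSAPI(null, "GetWindowTextA", param);
        // Index 4 is what the original read; the ApiParams index base is not
        // documented on this page — confirm against the host before changing it.
        ret = param.ReadAsciiString(4);
    } finally {
        // Release the native parameter block even if the bridge throws.
        param.Destroy();
    }
    return ret;
}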
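/**
 * Shows a native message box via MessageBoxA through the host bridge.
 *
 * @param hWnd owner window handle
 * @param {string} lpText message body
 * @param {string} lpCaption title bar text
 * @param {number} uType MessageBoxA flags (e.g. MB_OK)
 * @returns whatever CallOSAPI returns for MessageBoxA (the button id, per Win32)
 */
function MessageBox(hWnd, lpText, lpCaption, uType)
{
    var param = new dobject("ApiParams");
    var result;
    try {
        param.AppendHandlePointer(hWnd);
        param.AppendAsciiString(lpText);
        param.AppendAsciiString(lpCaption);
        param.AppendUnsignedLong(uType);
        result = os_api.CallOSAPI(null, "MessageBoxA", param);
    } finally {
        // The original placed Destroy() after `return`, so the native block
        // was never released; finally guarantees it runs.
        param.Destroy();
    }
    return result;
}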
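/**
 * Script-side window procedure, reached from native code through the
 * stdcall trampoline created in MyRegisterClassEx.
 *
 * On WM_CREATE it reads the window's title and echoes it in a message box.
 *
 * @param hWnd window receiving the message
 * @param {number} message Win32 message id
 * @param wParam message-specific
 * @param lParam message-specific
 * @returns {number} always 0
 */
function MyWndProc(hWnd, message, wParam, lParam)
{
    // Constants were implicit globals in the original; scope them here.
    var WM_CREATE = 0x0001;
    var MB_OK = 0x00000000;
    if (message == WM_CREATE)
    {
        var title = GetWindowText(hWnd);
        MessageBox(hWnd, title, "Javasript message box!", MB_OK);
    }
    // NOTE(review): every message, WM_NCCREATE included, returns 0 here and
    // nothing is forwarded to DefWindowProcA, so the window may not be created
    // or painted as expected — confirm against the host before relying on it.
    return 0;
}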
/**
 * Pass-through to RegisterClassExA via the host bridge.
 *
 * @param lpwcx "ApiParams" object holding a pointer to the WNDCLASSEX block
 * @returns whatever CallOSAPI returns; if the bridge passes the Win32 result
 *          through unchanged that is the class ATOM, 0 on failure
 */
function RegisterClassEx(lpwcx)
{
    var apiName = "RegisterClassExA";
    var atom = os_api.CallOSAPI(null, apiName, lpwcx);
    return atom;
}
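/**
 * Registers the "JavaScriptCallApiWindowClass" window class whose WndProc is
 * the script function MyWndProc, bridged to a native stdcall trampoline.
 *
 * The WNDCLASSEX block is built field by field (32-bit layout, 48 bytes) and
 * passed by pointer to RegisterClassExA. The script-side callback object and
 * its parameter descriptor are not destroyed, matching the original; the
 * trampoline presumably has to outlive the registration so later messages can
 * still reach MyWndProc — the host's lifetime rules are not documented here.
 *
 * @returns the value RegisterClassEx returns; by Win32 convention 0 means the
 *          registration failed, so callers may now check it (the original
 *          discarded it)
 */
function MyRegisterClassEx()
{
    // Presumably describes the four WndProc arguments (HWND, UINT, WPARAM, LPARAM)
    // for the trampoline — TODO confirm against the host.
    var callback_param = new dobject("ApiParams");
    callback_param.AppendHandlePointer(0);
    callback_param.AppendUnsignedLong(0);
    callback_param.AppendUnsignedLong(0);
    callback_param.AppendUnsignedLong(0);
    var js_callback = new dobject("JavaScriptCallback", "MyWndProc");
    var stdcall_callback = os_api.ApplyCallbackFunction(js_callback, callback_param);

    /*
    typedef struct {
    UINT cbSize;
    UINT style;
    WNDPROC lpfnWndProc;
    int cbClsExtra;
    int cbWndExtra;
    HINSTANCE hInstance;
    HICON hIcon;
    HCURSOR hCursor;
    HBRUSH hbrBackground;
    LPCTSTR lpszMenuName;
    LPCTSTR lpszClassName;
    HICON hIconSm;
    } WNDCLASSEX, *PWNDCLASSEX;
    */
    var param = new dobject("ApiParams");
    var lpwcx = null;
    var result;
    try {
        param.AppendUnsignedInt(48);                   // cbSize: sizeof(WNDCLASSEX) == 48 on 32-bit
        param.AppendUnsignedInt(3);                    // style: CS_HREDRAW | CS_VREDRAW
        param.AppendHandlePointer(stdcall_callback);   // lpfnWndProc: the native trampoline
        param.AppendSignedInt(0);                      // cbClsExtra
        param.AppendSignedInt(0);                      // cbWndExtra
        param.AppendHandlePointer(dvm.GetAppHInstance()); // hInstance
        param.AppendHandlePointer(0);                  // hIcon
        param.AppendHandlePointer(0x00010011);         // hCursor: value kept from the original; its meaning is not documented here
        param.AppendUnsignedLong(0x00000006);          // hbrBackground: (COLOR_WINDOW+1)
        param.AppendAsciiString("menu");               // lpszMenuName
        param.AppendAsciiString("JavaScriptCallApiWindowClass"); // lpszClassName; CreateWindow must use this exact string
        param.AppendHandlePointer(0);                  // hIconSm
        lpwcx = new dobject("ApiParams");
        lpwcx.AppendStructurePointer(param);
        result = RegisterClassEx(lpwcx);
    } finally {
        // Same release order as the original, now guaranteed even if the bridge throws.
        param.Destroy();
        if (lpwcx !== null) {
            lpwcx.Destroy();
        }
    }
    return result;
}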
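/**
 * Creates a native window via CreateWindowExA through the host bridge.
 *
 * dwExStyle is fixed to 0; every other CreateWindowExA argument is taken from
 * the parameters, in declaration order. The parameter block is released after
 * the call, consistent with the other wrappers in this file (the original
 * never destroyed it).
 *
 * @param {string} lpClassName registered window class name (must match MyRegisterClassEx exactly)
 * @param {string} lpWindowName window title
 * @param {number} dwStyle WS_* style bits
 * @param {number} x
 * @param {number} y
 * @param {number} nWidth
 * @param {number} nHeight
 * @param hWndParent parent window handle or null
 * @param hMenu menu handle or null
 * @param hInstance module instance handle
 * @param lpParam creation parameter passed on to WM_CREATE
 * @returns whatever CallOSAPI returns for CreateWindowExA (the HWND, or NULL on failure per Win32)
 */
function CreateWindow(lpClassName, lpWindowName, dwStyle, x, y, nWidth, nHeight, hWndParent, hMenu, hInstance, lpParam)
{
    /*
    HWND
    WINAPI
    CreateWindowExA(
    DWORD dwExStyle,
    LPCSTR lpClassName,
    LPCSTR lpWindowName,
    DWORD dwStyle,
    int X,
    int Y,
    int nWidth,
    int nHeight,
    HWND hWndParent,
    HMENU hMenu,
    HINSTANCE hInstance,
    LPVOID lpParam);
    */
    var param = new dobject("ApiParams");
    var hWnd;
    try {
        param.AppendSignedLong(0); // dwExStyle
        param.AppendAsciiString(lpClassName);
        param.AppendAsciiString(lpWindowName);
        param.AppendSignedLong(dwStyle);
        param.AppendSignedLong(x);
        param.AppendSignedLong(y);
        param.AppendSignedLong(nWidth);
        param.AppendSignedLong(nHeight);
        param.AppendHandlePointer(hWndParent);
        param.AppendHandlePointer(hMenu);
        param.AppendHandlePointer(hInstance);
        param.AppendHandlePointer(lpParam);
        // WM_CREATE is delivered to MyWndProc while this call is in progress.
        hWnd = os_api.CallOSAPI(null, "CreateWindowExA", param);
    } finally {
        param.Destroy();
    }
    return hWnd;
}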
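// Script entry (the original left a MyCreateWindow() wrapper commented out):
// register the window class, create a top-level window, then show it.
// Everything below runs with the host process's privileges; the script is
// delivered by the server, which is the trust boundary this browser does not
// enforce.
MyRegisterClassEx();
// The class name must equal the lpszClassName registered in MyRegisterClassEx
// byte for byte; the original passed it with surrounding spaces, which cannot
// match. The API and object-kind names below had the same stray spaces.
var hWnd = CreateWindow("JavaScriptCallApiWindowClass",
    " Javascript call api window ",
    0x00cf0000, // WS_OVERLAPPEDWINDOW
    250,
    200,
    250,
    180,
    null, null,
    dvm.GetAppHInstance(),
    null);
// CreateWindowExA yields NULL on failure; there is nothing to show in that case.
if (hWnd) {
    var param = new dobject("ApiParams");
    try {
        param.AppendHandlePointer(hWnd);
        param.AppendUnsignedLong(0x00000001); // SW_SHOWNORMAL
        os_api.CallOSAPI(null, "ShowWindow", param);
    } finally {
        param.Destroy();
    }
}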
三、不安全性何在
1 PHP 5.0 脚本和基于 msscript.ocx 后门运行的 Javascript,都有操作本地文件的权限,也有创建任意 COM 对象的权限,还能访问网络。
2 可以调用任意 Windows API,可以做客户端能做的任何事情。
【后记】
可以把 Dangerous Browser 视作支持脚本和内嵌IE内核的客户端,运行服务器发送过来的 PHP, Javascript,而且这些脚本可以调用任何 Windows API 以及相仿的DLL,使客户端软件更“软”。例如BT客户端,网游客户端,邮件客户端等等,都可以借助这种构想完成随时更新的复杂业务,更为迅速地实现可能存在的赢利模式。
【诚聘翻译】将本文及浏览器内显示的文本翻译为英文,联系