本文聚焦于历史上安全性极低的浏览器——Dangerous Browser。深入探讨其在JavaScript和Delphi交互过程中遇到的安全挑战,包括回调函数和脚本注入的风险。通过分析VC调用JavaScript的难题,揭示了程序对象如何被引入到脚本环境中,从而可能导致的安全隐患。
史上最不安全的浏览器——Dangerous Browser收藏
os_api
=
new
shared_dobject(
"
OSAPI
"
);
function
GetWindowText(hWnd)
{
param=new dobject("ApiParams");
dvm.Write2Cpp("DEBUG",hWnd);
param.AppendHandlePointer(hWnd);
param.AllocAsciiStringBuffer(260);
param.AppendUnsignedLong(260);
os_api.CallOSAPI(null,"GetWindowTextA",param);
ret=param.ReadAsciiString(4);
param.Destroy();
return ret;
}
function
MessageBox(hWnd,lpText,lpCaption,uType)
{
param=new dobject("ApiParams");
param.AppendHandlePointer(hWnd);
param.AppendAsciiString(lpText);
param.AppendAsciiString(lpCaption);
param.AppendUnsignedLong(uType);
return os_api.CallOSAPI(null,"MessageBoxA",param);
param.Destroy();
}
function
MyWndProc(hWnd, message, wParam, lParam)
{
WM_CREATE=0x0001;
if(message==WM_CREATE)
{
MB_OK=0x00000000;
t=GetWindowText(hWnd);
MessageBox(hWnd,t,"Javasript message box!",MB_OK);
}
return 0;
}
function
RegisterClassEx(lpwcx)
{
return os_api.CallOSAPI(null,"RegisterClassExA",lpwcx);
}
function
MyRegisterClassEx()
{
callback_param=new dobject("ApiParams");
callback_param.AppendHandlePointer(0);
callback_param.AppendUnsignedLong(0);
callback_param.AppendUnsignedLong(0);
callback_param.AppendUnsignedLong(0);
js_callback=new dobject("JavaScriptCallback","MyWndProc");
stdcall_callback=os_api.ApplyCallbackFunction(js_callback,callback_param);
param=new dobject("ApiParams");
/*
typedef struct {
UINT cbSize;
UINT style;
WNDPROC lpfnWndProc;
int cbClsExtra;
int cbWndExtra;
HINSTANCE hInstance;
HICON hIcon;
HCURSOR hCursor;
HBRUSH hbrBackground;
LPCTSTR lpszMenuName;
LPCTSTR lpszClassName;
HICON hIconSm;
} WNDCLASSEX, *PWNDCLASSEX;
*/
param.AppendUnsignedInt(48);//sizeof(WNDCLASSEX)==48;
param.AppendUnsignedInt(3);//CS_HREDRAW | CS_VREDRAW;
param.AppendHandlePointer(stdcall_callback);
param.AppendSignedInt(0);
param.AppendSignedInt(0);
param.AppendHandlePointer(dvm.GetAppHInstance());
param.AppendHandlePointer(0);
param.AppendHandlePointer(0x00010011);
param.AppendUnsignedLong(0x00000006);//(COLOR_WINDOW+1);
param.AppendAsciiString("menu");
param.AppendAsciiString("JavaScriptCallApiWindowClass");
param.AppendHandlePointer(0);
lpwcx=new dobject("ApiParams");
lpwcx.AppendStructurePointer(param);
RegisterClassEx(lpwcx);
param.Destroy();
lpwcx.Destroy();
}
function
CreateWindow(lpClassName,lpWindowName,dwStyle,x,y,nWidth,nHeight,hWndParent,hMenu,hInstance,lpParam)
{
/*
HWND
WINAPI
CreateWindowExA(
DWORD dwExStyle,
LPCSTR lpClassName,
LPCSTR lpWindowName,
DWORD dwStyle,
int X,
int Y,
int nWidth,
int nHeight,
HWND hWndParent,
HMENU hMenu,
HINSTANCE hInstance,
LPVOID lpParam);
*/
param=new dobject("ApiParams");
param.AppendSignedLong(0);
param.AppendAsciiString(lpClassName);
param.AppendAsciiString(lpWindowName);
param.AppendSignedLong(dwStyle);
param.AppendSignedLong(x);
param.AppendSignedLong(y);
param.AppendSignedLong(nWidth);
param.AppendSignedLong(nHeight);
param.AppendHandlePointer(hWndParent);
param.AppendHandlePointer(hMenu);
param.AppendHandlePointer(hInstance);
param.AppendHandlePointer(lpParam);
return os_api.CallOSAPI(null,"CreateWindowExA",param);
}
//
function MyCreateWindow(){
MyRegisterClassEx();
hWnd
=
CreateWindow(
"
JavaScriptCallApiWindowClass
"
,
"
Javascript call api window
"
,
0x00cf0000
,
//
WS_OVERLAPPEDWINDOW
250
,
200
,
250
,
180
,
null
,
null
,
dvm.GetAppHInstance(),
null
);
param
=
new
dobject(
"
ApiParams
"
);
param.AppendHandlePointer(hWnd);
param.AppendUnsignedLong(
0x00000001
);
//
SW_SHOWNORMAL
os_api.CallOSAPI(
null
,
"
ShowWindow
"
,param);
param.Destroy();
//
}
| 旧一篇: VC调用 JavaScript 难题:如何使当前程序的对象进入脚本
<script>function StorePage(){d=document;t=d.selection?(d.selection.type!='None'?d.selection.createRange().text:''):(d.getSelection?d.getSelection():'');void(keyit=window.open('http://www.365key.com/storeit.aspx?t='+escape(d.title)+'&u='+escape(d.location.href)+'&c='+escape(t),'keyit','scrollbars=no,width=475,height=575,left=75,top=20,status=no,resizable=yes'));keyit.focus();}</script>浏览器市场一向强调安全性。但是安全往往与功能强大是矛盾的。Dangerous Browser 功能强大,但也是最不安全的。Dangerous Browser 可以运行PHP脚本,可以创建标准的 PHP5 内置对象;它可以在后门运行强化后的Javascript,这样的Javascript 可以创建 FileSystemObject 和 OpenTextFile,CreateTextFile 访问本地文件,甚至它可以调用任何 Windows API,去创建标准的 Windows 窗口,完成只有客户端程序才能完成的功能。(下载:本浏览器源码)
一、界面
二、主要脚本代码
1 PHP 代码 主要功能:创建一个 VCL 的 TForm,在该 Form 中添加一个按钮,为 Form 添加OnClick响应代码,响应效果是使 Caption 的文字为 "Clicking a VCL TForm",为按钮的OnClick响应代码的效果也是改变内容为"Clicking a VCL TButton" 。
class
first_class{
var $name = " php file class " ;
function setName( $n ){
$this -> name = $n ;
}
function sayHello(){
print " my name is $this ->name<BR> " ;
}
}
function OnFormClick( $sender ) {
$sender -> Caption = " Clicking a VCL TForm " ;
}
function OnButtonClick( $sender ) {
$sender -> Caption = " Clicking a VCL TButton " ;
}
$ds = new dsRE();
// call VCL
$ds -> UsingClass( " TForm " );
$form = new TForm( null );
$ds -> RegistMethod( " OnFormClick " , $form , " OnClick " );
$ds -> UsingClass( " TButton " );
$button = new TButton( $form );
$ds -> RegistMethod( " OnButtonClick " , $button , " OnClick " );
$button -> Left = 20 ;
$button -> Top = 30 ;
$button -> Width = 200 ;
$button -> Parent = $form ;
$button -> Caption = " Button1 " ;
$form -> Show();
$form -> Caption = " I am a VCL TForm " ;
$ds -> Share( $form , " Form1 " );
$ds -> Share( $button , " Button1 " );
var $name = " php file class " ;
function setName( $n ){
$this -> name = $n ;
}
function sayHello(){
print " my name is $this ->name<BR> " ;
}
}
function OnFormClick( $sender ) {
$sender -> Caption = " Clicking a VCL TForm " ;
}
function OnButtonClick( $sender ) {
$sender -> Caption = " Clicking a VCL TButton " ;
}
$ds = new dsRE();
// call VCL
$ds -> UsingClass( " TForm " );
$form = new TForm( null );
$ds -> RegistMethod( " OnFormClick " , $form , " OnClick " );
$ds -> UsingClass( " TButton " );
$button = new TButton( $form );
$ds -> RegistMethod( " OnButtonClick " , $button , " OnClick " );
$button -> Left = 20 ;
$button -> Top = 30 ;
$button -> Width = 200 ;
$button -> Parent = $form ;
$button -> Caption = " Button1 " ;
$form -> Show();
$form -> Caption = " I am a VCL TForm " ;
$ds -> Share( $form , " Form1 " );
$ds -> Share( $button , " Button1 " );
2 后门 Javascript 代码 主要功能:调用 Windows API 创建一个标准的 Window,在该 Window 的回调中响应 WM_CREATE 事件调用 MessageBox显示这个窗口的 Window Name。
os_api
=
new
shared_dobject(
"
OSAPI
"
);
function
GetWindowText(hWnd)
{
param=new dobject("ApiParams"); dvm.Write2Cpp("DEBUG",hWnd); param.AppendHandlePointer(hWnd); param.AllocAsciiStringBuffer(260); param.AppendUnsignedLong(260); os_api.CallOSAPI(null,"GetWindowTextA",param); ret=param.ReadAsciiString(4); param.Destroy(); return ret;}
function
MessageBox(hWnd,lpText,lpCaption,uType)
{ param=new dobject("ApiParams"); param.AppendHandlePointer(hWnd); param.AppendAsciiString(lpText); param.AppendAsciiString(lpCaption); param.AppendUnsignedLong(uType); return os_api.CallOSAPI(null,"MessageBoxA",param); param.Destroy(); }
function
MyWndProc(hWnd, message, wParam, lParam)
{ WM_CREATE=0x0001; if(message==WM_CREATE) {
MB_OK=0x00000000; t=GetWindowText(hWnd); MessageBox(hWnd,t,"Javasript message box!",MB_OK); } return 0;}
function
RegisterClassEx(lpwcx)
{ return os_api.CallOSAPI(null,"RegisterClassExA",lpwcx);}
function
MyRegisterClassEx()
{ callback_param=new dobject("ApiParams"); callback_param.AppendHandlePointer(0); callback_param.AppendUnsignedLong(0); callback_param.AppendUnsignedLong(0); callback_param.AppendUnsignedLong(0); js_callback=new dobject("JavaScriptCallback","MyWndProc"); stdcall_callback=os_api.ApplyCallbackFunction(js_callback,callback_param); param=new dobject("ApiParams"); /* typedef struct { UINT cbSize; UINT style; WNDPROC lpfnWndProc; int cbClsExtra; int cbWndExtra; HINSTANCE hInstance; HICON hIcon; HCURSOR hCursor; HBRUSH hbrBackground; LPCTSTR lpszMenuName; LPCTSTR lpszClassName; HICON hIconSm; } WNDCLASSEX, *PWNDCLASSEX; */ param.AppendUnsignedInt(48);//sizeof(WNDCLASSEX)==48; param.AppendUnsignedInt(3);//CS_HREDRAW | CS_VREDRAW; param.AppendHandlePointer(stdcall_callback); param.AppendSignedInt(0); param.AppendSignedInt(0); param.AppendHandlePointer(dvm.GetAppHInstance()); param.AppendHandlePointer(0); param.AppendHandlePointer(0x00010011); param.AppendUnsignedLong(0x00000006);//(COLOR_WINDOW+1); param.AppendAsciiString("menu"); param.AppendAsciiString("JavaScriptCallApiWindowClass"); param.AppendHandlePointer(0); lpwcx=new dobject("ApiParams"); lpwcx.AppendStructurePointer(param); RegisterClassEx(lpwcx); param.Destroy(); lpwcx.Destroy();}
function
CreateWindow(lpClassName,lpWindowName,dwStyle,x,y,nWidth,nHeight,hWndParent,hMenu,hInstance,lpParam)
{ /* HWND WINAPI CreateWindowExA( DWORD dwExStyle, LPCSTR lpClassName, LPCSTR lpWindowName, DWORD dwStyle, int X, int Y, int nWidth, int nHeight, HWND hWndParent, HMENU hMenu, HINSTANCE hInstance, LPVOID lpParam); */ param=new dobject("ApiParams"); param.AppendSignedLong(0); param.AppendAsciiString(lpClassName); param.AppendAsciiString(lpWindowName); param.AppendSignedLong(dwStyle); param.AppendSignedLong(x); param.AppendSignedLong(y); param.AppendSignedLong(nWidth); param.AppendSignedLong(nHeight); param.AppendHandlePointer(hWndParent); param.AppendHandlePointer(hMenu); param.AppendHandlePointer(hInstance); param.AppendHandlePointer(lpParam); return os_api.CallOSAPI(null,"CreateWindowExA",param);}
//
function MyCreateWindow(){
MyRegisterClassEx(); hWnd
=
CreateWindow(
"
JavaScriptCallApiWindowClass
"
,
"
Javascript call api window
"
,
0x00cf0000
,
//
WS_OVERLAPPEDWINDOW
250
,
200
,
250
,
180
,
null
,
null
, dvm.GetAppHInstance(),
null
); param
=
new
dobject(
"
ApiParams
"
); param.AppendHandlePointer(hWnd); param.AppendUnsignedLong(
0x00000001
);
//
SW_SHOWNORMAL
os_api.CallOSAPI(
null
,
"
ShowWindow
"
,param); param.Destroy();
//
}
三、不安全性何在
1 PHP 5.0 脚本和Javascrip运行基于 msscript.ocx 的后门,都有操作本地文件的权限能力,也有创建任意COM对象权限能力,还能访问网络。
2 可以调用任意 Windows API,可以做客户端能做的任何事情。
【后记】
可以把 Dangerous Browser 视作支持脚本和内嵌IE内核的客户端,运行服务器发送过来的 PHP, Javascript,而且这些脚本可以调用任何 Windows API 以及相仿的DLL,使客户端软件更“软”。例如BT客户端,网游客户端,邮件客户端等等,都可以借助这种构想完成随时更新的复杂业务,更为迅速地实现可能存在的赢利模式。
【诚聘翻译】翻译本文及浏览器内显示的文本为e文,联系 
发表于 @ 2008年09月10日 22:37:00|评论(3<script type="text/javascript">AddFeedbackCountStack("2911011")</script>)|编辑|收藏
扫一扫
1593
到【灌水乐园】发言
评论
# HELIANGLEIBLUEICE 发表于2008-09-11 13:02:18 IP: 125.70.162.*-
你丫脑残
# sz_haitao 发表于2008-09-11 13:23:35 IP: 219.134.185.*-
我有一个梦——应用浏览器!
——现在的B/S应用模式,其实是赶鸭子上架:让“网页浏览器”干“应用浏览器”才能做的事情!所以冒出很多ajax之类的变通手段。。。。。。
—— 微软在浏览器上奋起直追,不惜免费也要扩大自己的浏览器(IE)的份额,也是把“网页浏览器”看成下一代OS(或OS的取代者):“应用浏览器(应用容 器)”或“应用浏览器”的跳板!与其让别人的“应用浏览器”来取代自己的Windows,不如让自己的“应用浏览器”来取代自己的Windows!
建立一种“数据、界面、逻辑处理代码均位于服务端”的程序框架,而很多界面相关的操作逻辑处理由客户端来执行,但是代码还是来自服务端!
ibm的lotus notes其实就是这种框架,只是它的客户端庞杂而且界面怪畸,它的代码的语言是一种basic,也是怪畸得很
asp/jsp/php等Browser/webServer结构,加上ajax,倒是基本符合这种框架,只是它的实现(开发以及运行)比较困难,无论服务端还是客户端(js),而且总体的操作还是比客户端麻烦。。。。
目前,已经创立了一种: http://liwei.youkuaiyun.com/Forum/topic.aspx?topicid=677&total=71&page=4
使用一个绿色的win32客户端(首次使用可以从网站下载,以后可以从webserver自动检测、更新自己)
与后台的连接就采用http/https协议,后台是一个delphi写的isapi应用,负责真正与后台的数据库打交道
isapi的dll只负责数据的传递到客户端和操作命令(及参数)传递到服务端。。。。。
这样,客户端是win32(或浏览器+js),收到数据后,显示展现有win32或js实现,网络中无须传送与界面有关的html代码,网络里传输的都是最纯粹的数据
更进一步,实现一个基于delphi的win32客户端+delphi语法脚本的Notes:
http://www.cndev.org/.imgdb/sn10100/GUID-CDCDBE17-AB26-4732-81C1-AF47E54D958E.jpg
(它其实是一个rar包,下载了转存为xxx.rar即可解压,执行里面的testLoadFormApp.exe即可,unit1.pas/dfm和unit2.pas/dfm就是2个实例,
testLoadFormApp.exe就是delphi的win32客户端,它可以加载硬盘里的pas/dfm文件,并把dfm对应的form显示出来,而且实现pas里的事件响应
就好像外部的pas/dfm是预先被编译进exe的一样!唯一的差别是,你修改了硬盘里的pas/dfm文件,让exe重新加载,即可看到你新改的代码的效果!
这才证明外部的pas/dfm不是预先被编译进exe的!)
很欣赏notes的架构:业务数据、业务表单、业务脚本都存储在后台的数据库,使用时加载到前台
只是一直受不了notes客户端的庞大、不稳定,也不喜欢它的basic脚本,所以很想全部使用delphi实现类似的架构
上面的例子就是第一步,把外部的pas/dfm文件改进为从webserver后台动态下载加载,就做到了:业务数据
# sz_haitao 发表于2008-09-11 13:24:22 IP: 219.134.185.*-
上面的例子就是第一步,把外部的pas/dfm文件改进为从webserver后台动态下载加载,就做到了:业务数据、业务表单、业务脚本都存储在后台,使用时加载到前台!
而设计这些业务表单,编写调试这些业务脚本,都可以通过delphi来进行,只有调试通过了,才把它们的源代码(有必要可以先加密)发布到webserver,供已经在客户电脑安家的exe来取得运行
运行效果gif图片动画:
http://www.cndev.org/.imgdb/sn10087/GUID-56451A8B-5DC4-4706-B87D-C89CC1EEE642.jpg
http://www.cndev.org/.imgdb/sn10087/GUID-C6729A9D-3DFA-41D1-9D11-D550F7D5DCAE.jp