The most insecure browser - Dangerous Browser

The browser market has always stressed security. But power and security are often at odds. Dangerous Browser is powerful, but it is also the most unsafe browser. It can run PHP scripts, and those scripts can create the standard PHP5 built-in objects. It also strengthens the back-door JavaScript: that JavaScript can create a FileSystemObject and use OpenTextFile and CreateTextFile to access local files, and it can even call any Windows API, for example to create a standard Windows window, doing things that normally only a client program can do. (Download: the browser source. php5ts.dll is required.)

First, see the interface

Second, the main script code

1. What the PHP code does: it creates a VCL TForm, adds a button to the form, and registers OnClick handlers for both. Clicking the form changes its Caption to "Clicking a VCL TForm"; clicking the button changes the button's Caption to "Clicking a VCL TButton".

/**
 * Minimal demo class: holds a name and prints a greeting that contains it.
 */
class first_class
{
    /** @var string Name used in the greeting. */
    public $name = "php file class";

    /**
     * Replaces the stored name.
     *
     * @param mixed $n New name; stored as given, with no validation.
     */
    public function setName($n)
    {
        $this->name = $n;
    }

    /**
     * Writes the greeting to the output stream.
     * The name is emitted as-is: it is not HTML-escaped before being printed.
     */
    public function sayHello()
    {
        echo "my name is $this->name<BR>";
    }
}

/**
 * Click handler for the form: overwrites the sender's Caption.
 *
 * @param object $sender Object whose Caption property is set.
 */
function OnFormClick($sender)
{
    $clickedCaption = "Clicking a VCL TForm";
    $sender->Caption = $clickedCaption;
}

/**
 * Click handler for the button: overwrites the sender's Caption.
 *
 * @param object $sender Object whose Caption property is set.
 */
function OnButtonClick($sender)
{
    $clickedCaption = "Clicking a VCL TButton";
    $sender->Caption = $clickedCaption;
}

// Builds a native VCL form with one button and attaches the two click handlers above.
// dsRE, TForm and TButton are not defined in this listing; presumably the
// browser host injects them into the PHP runtime — confirm.
$ds=new dsRE();

// Form: UsingClass presumably makes the VCL class constructible from PHP (confirm);
// RegistMethod binds the PHP function named by the string to the object's OnClick event.
$ds->UsingClass("TForm");
$form=new TForm(null);
$ds->RegistMethod("OnFormClick",$form,"OnClick");

// Button, created with the form as its constructor argument and placed on it via Parent.
$ds->UsingClass("TButton");
$button=new TButton($form);
$ds->RegistMethod("OnButtonClick",$button,"OnClick");
$button->Left=20;
$button->Top=30;
$button->Width=200;
$button->Parent=$form;
$button->Caption="Button1";

// The form is shown first and only then given its initial caption.
$form->Show();
$form->Caption="I am a VCL TForm";

// NOTE(review): Share presumably publishes each object under the given name
// to the other script engine — confirm against the host implementation.
$ds->Share($form,"Form1");
$ds->Share($button,"Button1");


2. What the back-door JavaScript code does: it calls the Windows API to create a standard window. In the window's callback (its window procedure), in response to the WM_CREATE message, it calls MessageBox to display the window's name.

<SCRIPT language="JavaScript-BHO">

// Script-side handle to the host's "OSAPI" object; every native call in this
// script is made through os_api.CallOSAPI(...).
// shared_dobject is not defined in this listing; presumably supplied by the host.
// NOTE(review): CallOSAPI receives the API name as a plain string from script,
// and nothing in this listing shows the host restricting which names it accepts.
os_api=new shared_dobject("OSAPI");

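// Returns the title text of window hWnd by calling GetWindowTextA through the
// host's OSAPI bridge.
//   hWnd - window handle, passed to the API as a handle/pointer argument.
// Returns whatever ReadAsciiString yields for the 260-byte ANSI buffer.
//
// Locals are declared with `var`. The original assigned `param` and `ret`
// without it, which made them globals; this function is called from MyWndProc,
// i.e. while another API call can still be in flight, so it must not overwrite
// a `param` that another function is using.
function GetWindowText(hWnd)
{
    var MAX_CHARS = 260; // used both as buffer size and as the nMaxCount argument

    dvm.Write2Cpp("DEBUG", hWnd); // debug trace kept from the original

    var args = new dobject("ApiParams");
    try {
        args.AppendHandlePointer(hWnd);
        args.AllocAsciiStringBuffer(MAX_CHARS);
        args.AppendUnsignedLong(MAX_CHARS);
        os_api.CallOSAPI(null, "GetWindowTextA", args);

        // NOTE(review): 4 is presumably the byte offset of the buffer slot,
        // right after a 4-byte handle slot — confirm against ApiParams.
        return args.ReadAsciiString(4);
    } finally {
        args.Destroy(); // release the parameter block on every path
    }
}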
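// Shows a message box by calling MessageBoxA through the host's OSAPI bridge.
//   hWnd      - owner window handle
//   lpText    - message text (ANSI)
//   lpCaption - title-bar text (ANSI)
//   uType     - MB_* flags
// Returns the value CallOSAPI returns for MessageBoxA.
//
// Fixes over the original: Destroy() sat after the `return` and never ran, so
// every call leaked its parameter block; and `param` was an implicit global.
function MessageBox(hWnd,lpText,lpCaption,uType)
{
    var args = new dobject("ApiParams");
    try {
        args.AppendHandlePointer(hWnd);
        args.AppendAsciiString(lpText);
        args.AppendAsciiString(lpCaption);
        args.AppendUnsignedLong(uType);
        return os_api.CallOSAPI(null, "MessageBoxA", args);
    } finally {
        args.Destroy(); // runs after the result is captured, on every path
    }
}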

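// Window procedure implemented in script; registered by name in
// MyRegisterClassEx. On WM_CREATE it reads the window's title and shows it in
// a message box; all other messages are ignored.
//   hWnd, message, wParam, lParam - the usual WNDPROC arguments.
// Always returns 0.
// NOTE(review): no default message handling is done here; whether the host's
// callback thunk forwards messages to DefWindowProc cannot be seen from this
// listing — confirm.
//
// Constants and the title are declared with `var`; the original leaked
// WM_CREATE, MB_OK and t into the global scope on every WM_CREATE.
function MyWndProc(hWnd, message, wParam, lParam)
{
    var WM_CREATE = 0x0001;
    var MB_OK = 0x00000000;

    if (message == WM_CREATE) {
        var title = GetWindowText(hWnd);
        MessageBox(hWnd, title, "Javasript message box!", MB_OK);
    }
    return 0;
}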

// Thin wrapper over the host bridge: forwards an already-built parameter
// object to RegisterClassExA and hands back the bridge's result unchanged.
//   lpwcx - ApiParams object holding a pointer to a WNDCLASSEX structure.
function RegisterClassEx(lpwcx)
{
    var apiName = "RegisterClassExA";
    var result = os_api.CallOSAPI(null, apiName, lpwcx);
    return result;
}

// Registers the window class "JavaScriptCallApiWindowClass", using the script
// function MyWndProc as its window procedure. Takes no arguments and returns
// nothing; the result of RegisterClassEx is not checked.
//
// Every variable below is assigned without `var`, so each one becomes a global.
// NOTE(review): callback_param, js_callback and stdcall_callback are never
// destroyed. That may be deliberate, because the native callback has to stay
// valid for as long as windows of this class exist — confirm before narrowing
// their scope or adding Destroy() calls.
function MyRegisterClassEx()
{
// Four slots, matching the four WNDPROC arguments (hWnd, message, wParam, lParam);
// presumably this describes the callback's argument layout to the host — confirm.
callback_param=new dobject("ApiParams");
callback_param.AppendHandlePointer(0);
callback_param.AppendUnsignedLong(0);
callback_param.AppendUnsignedLong(0);
callback_param.AppendUnsignedLong(0);

// The script function is referenced by name ("MyWndProc"); the value returned by
// ApplyCallbackFunction is what goes into WNDCLASSEX.lpfnWndProc below.
js_callback=new dobject("JavaScriptCallback","MyWndProc");
stdcall_callback=os_api.ApplyCallbackFunction(js_callback,callback_param);

param=new dobject("ApiParams");

// Layout being filled in; the Append* calls below follow this field order exactly.
/*
typedef struct {
UINT cbSize;
UINT style;
WNDPROC lpfnWndProc;
int cbClsExtra;
int cbWndExtra;
HINSTANCE hInstance;
HICON hIcon;
HCURSOR hCursor;
HBRUSH hbrBackground;
LPCTSTR lpszMenuName;
LPCTSTR lpszClassName;
HICON hIconSm;
} WNDCLASSEX, *PWNDCLASSEX;
*/

param.AppendUnsignedInt(48);//cbSize: sizeof(WNDCLASSEX)==48, i.e. twelve 4-byte fields (32-bit layout)
param.AppendUnsignedInt(3);//style: CS_HREDRAW | CS_VREDRAW
param.AppendHandlePointer(stdcall_callback);//lpfnWndProc
param.AppendSignedInt(0);//cbClsExtra
param.AppendSignedInt(0);//cbWndExtra
param.AppendHandlePointer(dvm.GetAppHInstance());//hInstance
param.AppendHandlePointer(0);//hIcon
// hCursor: hard-coded handle value. NOTE(review): presumably a preloaded system
// cursor handle rather than a LoadCursor result — confirm.
param.AppendHandlePointer(0x00010011);
param.AppendUnsignedLong(0x00000006);//hbrBackground: (COLOR_WINDOW+1)
param.AppendAsciiString("menu");//lpszMenuName
param.AppendAsciiString("JavaScriptCallApiWindowClass");//lpszClassName
param.AppendHandlePointer(0);//hIconSm

// RegisterClassExA takes a pointer to the structure, so the filled block is
// wrapped in a second parameter object as a structure pointer.
lpwcx=new dobject("ApiParams");
lpwcx.AppendStructurePointer(param);

RegisterClassEx(lpwcx);

// Only the structure and its wrapper are released here.
param.Destroy();
lpwcx.Destroy();
}

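// Creates a window by calling CreateWindowExA through the host's OSAPI bridge,
// with dwExStyle fixed at 0. The parameters mirror the Win32 CreateWindow
// macro, in the same order:
//   lpClassName, lpWindowName - ANSI strings
//   dwStyle, x, y, nWidth, nHeight - passed as signed longs
//   hWndParent, hMenu, hInstance, lpParam - passed as handle/pointer values
// Returns the value CallOSAPI returns for CreateWindowExA.
//
// Fixes over the original: the parameter block was never destroyed, and
// `param` was an implicit global. The window procedure runs while
// CreateWindowExA is still executing and builds parameter blocks of its own,
// so this one has to be a local to be released safely afterwards.
function CreateWindow(lpClassName,lpWindowName,dwStyle,x,y,nWidth,nHeight,hWndParent,hMenu,hInstance,lpParam)
{
    /*
    HWND
    WINAPI
    CreateWindowExA(
    DWORD dwExStyle,
    LPCSTR lpClassName,
    LPCSTR lpWindowName,
    DWORD dwStyle,
    int X,
    int Y,
    int nWidth,
    int nHeight,
    HWND hWndParent,
    HMENU hMenu,
    HINSTANCE hInstance,
    LPVOID lpParam);
    */
    var args = new dobject("ApiParams");
    try {
        args.AppendSignedLong(0); // dwExStyle
        args.AppendAsciiString(lpClassName);
        args.AppendAsciiString(lpWindowName);
        args.AppendSignedLong(dwStyle);
        args.AppendSignedLong(x);
        args.AppendSignedLong(y);
        args.AppendSignedLong(nWidth);
        args.AppendSignedLong(nHeight);
        args.AppendHandlePointer(hWndParent);
        args.AppendHandlePointer(hMenu);
        args.AppendHandlePointer(hInstance);
        args.AppendHandlePointer(lpParam);

        return os_api.CallOSAPI(null, "CreateWindowExA", args);
    } finally {
        args.Destroy(); // same cleanup the other wrappers in this script perform
    }
}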

//function MyCreateWindow(){
// The wrapper function above is commented out, so the statements below run at
// top level of the script: register the class, create one window, show it.

MyRegisterClassEx();

// NOTE(review): the returned handle is used below without checking whether
// window creation failed.
hWnd = CreateWindow("JavaScriptCallApiWindowClass",
"Javascript call api window",
0x00cf0000, // WS_OVERLAPPEDWINDOW
250,
200,
250,
180,
null, null,
dvm.GetAppHInstance(),
null);

// ShowWindow(hWnd, SW_SHOWNORMAL) through the same bridge; the parameter block
// is released right after the call.
param=new dobject("ApiParams");
param.AppendHandlePointer(hWnd);
param.AppendUnsignedLong(0x00000001);//SW_SHOWNORMAL
os_api.CallOSAPI(null,"ShowWindow",param);
param.Destroy();
//}
</SCRIPT>

Third, why it is insecure

1. The PHP 5.0 scripts and the back-door JavaScript (run by msscript.ocx) can read and write local files, can create and use any COM object, and can also access the network.

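2. The scripts can call any Windows API, so they can do anything a client program can do. Since the scripts are sent from the server (see the postscript), this amounts to giving whatever the server sends the capabilities of a locally installed program.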


Postscript:

Dangerous Browser can be regarded as a client that supports scripting and embeds the IE core. The PHP and JavaScript it runs are sent from the server, and these scripts can call any DLL in the same way as they call the Windows API, which makes the client "softer". For example, a BT client, an online-game client, an e-mail client and so on could use this idea to update complex business logic, and so possibly turn a profit more quickly.