史上最不安全的浏览器——Dangerous Browser
浏览器市场一向强调安全性。但是安全往往与功能强大是矛盾的。Dangerous Browser 功能强大,但也是最不安全的。Dangerous Browser 可以运行PHP脚本,可以创建标准的 PHP5 内置对象;它可以在后门运行强化后的Javascript,这样的Javascript 可以创建 FileSystemObject 和 OpenTextFile,CreateTextFile 访问本地文件,甚至它可以调用任何 Windows API,去创建标准的 Windows 窗口,完成只有客户端程序才能完成的功能。(下载:本浏览器源码)
一、界面
二、主要脚本代码
1 PHP 代码 主要功能:创建一个 VCL 的 TForm,在该 Form 中添加一个按钮,为 Form 添加OnClick响应代码,响应效果是使 Caption 的文字为 "Clicking a VCL TForm",为按钮的OnClick响应代码的效果也是改变内容为"Clicking a VCL TButton" 。
class first_class{
var $name="php file class";
function setName( $n ){
$this->name = $n;
}
function sayHello(){
print "my name is $this->name<BR>";
}
}
function OnFormClick($sender) {
$sender->Caption="Clicking a VCL TForm";
}
function OnButtonClick($sender) {
$sender->Caption="Clicking a VCL TButton";
}
$ds=new dsRE();
//call VCL
$ds->UsingClass("TForm");
$form=new TForm(null);
$ds->RegistMethod("OnFormClick",$form,"OnClick");
$ds->UsingClass("TButton");
$button=new TButton($form);
$ds->RegistMethod("OnButtonClick",$button,"OnClick");
$button->Left=20;
$button->Top=30;
$button->Width=200;
$button->Parent=$form;
$button->Caption="Button1";
$form->Show();
$form->Caption="I am a VCL TForm";
$ds->Share($form,"Form1");
$ds->Share($button,"Button1");
var $name="php file class";
function setName( $n ){
$this->name = $n;
}
function sayHello(){
print "my name is $this->name<BR>";
}
}
function OnFormClick($sender) {
$sender->Caption="Clicking a VCL TForm";
}
function OnButtonClick($sender) {
$sender->Caption="Clicking a VCL TButton";
}
$ds=new dsRE();
//call VCL
$ds->UsingClass("TForm");
$form=new TForm(null);
$ds->RegistMethod("OnFormClick",$form,"OnClick");
$ds->UsingClass("TButton");
$button=new TButton($form);
$ds->RegistMethod("OnButtonClick",$button,"OnClick");
$button->Left=20;
$button->Top=30;
$button->Width=200;
$button->Parent=$form;
$button->Caption="Button1";
$form->Show();
$form->Caption="I am a VCL TForm";
$ds->Share($form,"Form1");
$ds->Share($button,"Button1");
2 后门 Javascript 代码 主要功能:调用 Windows API 创建一个标准的 Window,在该 Window 的回调中响应 WM_CREATE 事件调用 MessageBox显示这个窗口的 Window Name。
os_api=new shared_dobject("OSAPI");function GetWindowText(hWnd)
{
param=new dobject("ApiParams"); dvm.Write2Cpp("DEBUG",hWnd); param.AppendHandlePointer(hWnd); param.AllocAsciiStringBuffer(260); param.AppendUnsignedLong(260); os_api.CallOSAPI(null,"GetWindowTextA",param); ret=param.ReadAsciiString(4); param.Destroy(); return ret;
}function MessageBox(hWnd,lpText,lpCaption,uType){ param=new dobject("ApiParams"); param.AppendHandlePointer(hWnd); param.AppendAsciiString(lpText); param.AppendAsciiString(lpCaption); param.AppendUnsignedLong(uType); return os_api.CallOSAPI(null,"MessageBoxA",param); param.Destroy(); }function MyWndProc(hWnd, message, wParam, lParam){ WM_CREATE=0x0001; if(message==WM_CREATE)
{
MB_OK=0x00000000; t=GetWindowText(hWnd); MessageBox(hWnd,t,"Javasript message box!",MB_OK);
} return 0;}function RegisterClassEx(lpwcx){ return os_api.CallOSAPI(null,"RegisterClassExA",lpwcx);}function MyRegisterClassEx(){ callback_param=new dobject("ApiParams"); callback_param.AppendHandlePointer(0); callback_param.AppendUnsignedLong(0); callback_param.AppendUnsignedLong(0); callback_param.AppendUnsignedLong(0); js_callback=new dobject("JavaScriptCallback","MyWndProc"); stdcall_callback=os_api.ApplyCallbackFunction(js_callback,callback_param); param=new dobject("ApiParams"); /* typedef struct { UINT cbSize; UINT style; WNDPROC lpfnWndProc; int cbClsExtra; int cbWndExtra; HINSTANCE hInstance; HICON hIcon; HCURSOR hCursor; HBRUSH hbrBackground; LPCTSTR lpszMenuName; LPCTSTR lpszClassName; HICON hIconSm; } WNDCLASSEX, *PWNDCLASSEX; */ param.AppendUnsignedInt(48);//sizeof(WNDCLASSEX)==48; param.AppendUnsignedInt(3);//CS_HREDRAW | CS_VREDRAW; param.AppendHandlePointer(stdcall_callback); param.AppendSignedInt(0); param.AppendSignedInt(0); param.AppendHandlePointer(dvm.GetAppHInstance()); param.AppendHandlePointer(0); param.AppendHandlePointer(0x00010011); param.AppendUnsignedLong(0x00000006);//(COLOR_WINDOW+1); param.AppendAsciiString("menu"); param.AppendAsciiString("JavaScriptCallApiWindowClass"); param.AppendHandlePointer(0); lpwcx=new dobject("ApiParams"); lpwcx.AppendStructurePointer(param); RegisterClassEx(lpwcx); param.Destroy(); lpwcx.Destroy();}function CreateWindow(lpClassName,lpWindowName,dwStyle,x,y,nWidth,nHeight,hWndParent,hMenu,hInstance,lpParam){ /* HWND WINAPI CreateWindowExA( DWORD dwExStyle, LPCSTR lpClassName, LPCSTR lpWindowName, DWORD dwStyle, int X, int Y, int nWidth, int nHeight, HWND hWndParent, HMENU hMenu, HINSTANCE hInstance, LPVOID lpParam); */ param=new dobject("ApiParams"); param.AppendSignedLong(0); param.AppendAsciiString(lpClassName); param.AppendAsciiString(lpWindowName); param.AppendSignedLong(dwStyle); param.AppendSignedLong(x); param.AppendSignedLong(y); param.AppendSignedLong(nWidth); param.AppendSignedLong(nHeight); param.AppendHandlePointer(hWndParent); param.AppendHandlePointer(hMenu); param.AppendHandlePointer(hInstance); param.AppendHandlePointer(lpParam); return os_api.CallOSAPI(null,"CreateWindowExA",param);}//function MyCreateWindow(){ MyRegisterClassEx(); hWnd = CreateWindow("JavaScriptCallApiWindowClass", "Javascript call api window", 0x00cf0000, // WS_OVERLAPPEDWINDOW 250, 200, 250, 180, null, null, dvm.GetAppHInstance(), null); param=new dobject("ApiParams"); param.AppendHandlePointer(hWnd); param.AppendUnsignedLong(0x00000001);//SW_SHOWNORMAL os_api.CallOSAPI(null,"ShowWindow",param); param.Destroy();//}
三、不安全性何在
1 PHP 5.0 脚本和Javascrip运行基于 msscript.ocx 的后门,都有操作本地文件的权限能力,也有创建任意COM对象权限能力,还能访问网络。
2 可以调用任意 Windows API,可以做客户端能做的任何事情。
【后记】
可以把 Dangerous Browser 视作支持脚本和内嵌IE内核的客户端,运行服务器发送过来的 PHP, Javascript,而且这些脚本可以调用任何 Windows API 以及相仿的DLL,使客户端软件更“软”。例如BT客户端,网游客户端,邮件客户端等等,都可以借助这种构想完成随时更新的复杂业务,更为迅速地实现可能存在的赢利模式。
【诚聘翻译】翻译本文及浏览器内显示的文本为e文,联系 
