发表更新powershell / tip3 分钟读完 (大约411个字)

PowerShell 技能连载 - 从 PowerShell 函数中窃取敏感数据

PowerShell 函数常常处理敏感的信息,例如包含密码的登录信息,并且将这些信息存储在变量中。让我们假设有这样一个函数:

1
2
3
4
5
6
7
8
9
10
11
12
13
function Connect-Server
{
    param
    (
        [Parameter(Mandatory)]
        [pscredential]
        [System.Management.Automation.Credential()]
        $Credential
    )

    "You entered a credential for {0}." -f $Credential.UserName
    # now you could do something with $Credential
}

当运行这个函数时,会弹出提示输入凭据和密码。您的信息在函数中体现在 $Credential 变量中,并且当函数完成时,内部信息自动从内存中移除:

1
2
3
4
5
6
PS> Connect-Server -Credential tobias
You entered a credential for Tobias.

PS> $Credential

PS>

然而,任何攻击者都可以通过 dot-sourced 方式运行该函数。当函数执行完毕之后,所有内部变量都还在内存中:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
PS> . Connect-Server -Credential tobias
You entered a credential for Tobias.

PS> $Credential

UserName                     Password
--------                     --------
Tobias   System.Security.SecureString



PS> $Credential.GetNetworkCredential().Password
test

PS>

如您所见,攻击者现在可以访问凭据对象,并且也可以看到原始的密码。

要防止这种情况,您可以再次从内存中手动移除敏感的数据。您可以用 Remove-Variable 移除变量:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
function Connect-Server
{
    param
    (
        [Parameter(Mandatory)]
        [pscredential]
        [System.Management.Automation.Credential()]
        $Credential
    )

    "You entered a credential for {0}." -f $Credential.UserName
    # now you could do something with $Credential, i.e. submit it to
    # other cmdlets that support the -Credential parameter
    # i.e.
    # Get-WmiObject -Class Win32_BIOS -ComputerName SomeComputer -Credential $Credential

    Remove-Variable -Name Credential
}

现在不再能获取到变量:

1
2
3
4
5
6
7
8
PS> Remove-Variable -Name Credential

PS> . Connect-Server -Credential tobias
You entered a credential for Tobias.

PS> $credential

PS>

PowerShell 技能连载 - 从 PowerShell 函数中窃取敏感数据

http://blog.vichamp.com/2018/09/21/stealing-sensitive-data-from-powershell-functions/

作者

吴波

发布于

2018-09-21

更新于

2022-07-06

许可协议

#

喜欢这篇文章?打赏一下作者吧

评论

关注我

链接

分类

最新文章

归档

标签

.net2
0day1
C#1
QQ3
ad2
angularjs3
animation1
apache1
appz1
asciiart1
batch3
bestpractice2
block2
blog1
book1
bug1
c#1
career1
cdn1
cheatsheet1
cmd1
cmdlet1
command3
community5
csharp1
css1
database2
ddns1
delicious3
develop2
dos1
download5
drone1
ebook2
ed2k1
embedded1
encoding1
excel1
extension1
front-end1
gallery1
geek30
git1
gtd1
guide2
guideline11
gvim1
hexo1
html1
icon1
ide1
ionic1
ip1
iso2
javascript7
language1
learning6
lesson1
link6
linux1
markdown1
microsoft4
module1
mongodb2
mongoose1
monthly1
mvp1
node.js2
nodejs2
nosql2
oray1
picture1
powershell1921
powertip1852
preface1
productivity1
proxy1
qq2
regex5
registry1
release2
repack1
resource1
scm1
script25
series1852
server2
skill4
software1
sp11
study1
style1
text9
tip1851
tip个1
tool1
uac1
update1
video2
vim2
visualstudio3
vmware1
web5
window1
windows1
xampp2

订阅更新

×