How do browser injections work?
These applications typically do not take data directly from the browser.
They analyze the current window (title). For example if there is something like (shopping cart, checkout, transfer, secure https), then take user input (data are taken directly, not from the browser).
They can retrieve all user input and only send sensitive data to the server, the data is checked first by regulary expressions.
You can get keyloggers examples here:
http://www.rohitab.com/discuss/topic/14610-awsome-c-keylogger/
http://sourceforge.net/apps/mediawiki/pykeylogger/index.php?title=Main_Page
They work by injecting malicious code into your browser (or your system). They exploit some vulnerability to inject the malicious code and cause the malicious code to be injected. The malicious code contains a payload of some sort. The payload may do things like spy upon your interactions with your browser or with web sites.
If you are asking how bad guys are able to inject malicious code into your system, then the key phrase is "drive-by downloads". Search for that, and you'll find lots more. Basically, drive-by download attacks exploit some vulnerability in the browser that lets them inject malicious code.
If you are asking how the payload is able to steal your credit card, the answer is that once malicious code is running on your system, it is able to read all keystrokes, spy on all your interactions with all of your applications, and hook into internal browser APIs. So once malicious code is running on your system, you are hosed.