【原创】Flash XSS 挖掘
SWF代码如下:
package { import com.thinkive.ctrl.*; import com.thinkive.view.*; import flash.events.*; import com.thinkive.base.event.*; import com.thinkive.event.*; import com.thinkive.ctrl.external.*; import com.thinkive.config.*; import flash.display.*; import org.aswing.*; import com.thinkive.util.*; import com.alvasun.laf.chrome.*; public class HQ02 extends Sprite { private static var cmd:CommandCenter; private static var win:MainWin; public function HQ02(){ this.addEventListener(Event.ADDED_TO_STAGE, addToStageHandle); } public static function getCommandCenter():CommandCenter{ return (cmd); } public static function getMainPanel():MainWin{ return (win); } private function init():void{ AsWingManager.initAsStandard(this); if ((parent is Stage)){ Util.setParentObj(parent); } else { Util.setParentObj(parent.parent); }; UIManager.setLookAndFeel(new ChromeLAF()); win = new MainWin(); cmd = new CommandCenter(win); if (!this.hasEventListener(TradeEvent.TRANS_TO_HQ)){ this.addEventListener(TradeEvent.TRANS_TO_HQ, trans_to_hq); }; var _local1:String = SharedObjectUtil.getCustTheme(); if (((!((_local1 == null))) && ((_local1.length > 0)))){ cmd.getUIConfig().setTheme(_local1); } else { cmd.getUIConfig().setTheme(Parameter.THEME_TYPE); }; win.setBounds(Util.getParentRect()); win.show(); Util.getParentObj().addEventListener(Event.RESIZE, onResized); AsWingManager.getStage().addEventListener(MouseEvent.CLICK, onMouseClick); } private function onMouseClick(_arg1:Event):void{ cmd.dispatchEvent(new CommandEvent(CommandEvent.JSACTION, "CLICK")); } public function addToStageHandle(_arg1:Event):void{ var _local2:Object = loaderInfo.parameters; var _local3:String = (_local2.secuType as String); if (StringHelper.isEmpty(_local3)){ _local3 = URLHelper.getUrlParamValue("secuType"); }; if (StringHelper.isEmpty(_local3)){ if (ObjUtil.getTop(this) != null){ _local3 = ObjUtil.getTop(this).getParamValue("secuType"); }; }; if (StringHelper.isNotEmpty(_local3)){ Parameter.INITSECUTYPE = _local3; }; var _local4:XMLConfig = new XMLConfig(_local2.url); _local4.loadXml(init); } private function trans_to_hq(_arg1:TradeEvent):void{ cmd.getJsCallback().dispatchEvent(new JsEvent(JsEvent.JS_CALL_ACTION, _arg1.data)); } private function onResized(_arg1:Event):void{ win.setBounds(Util.getParentRect()); } } }//package
其中XMLConfig(_local2.url)
未经过过滤传到_local14
_Local14变量初始化。
_local2.url为获取外部参数。
如果要问我为什么,往上走看到parameters。
可控,走到XMLConfig为获取XML。
找到XML地址、如下:
<?xml version="1.0" encoding="utf-8"?> <hqconfig> <default> <need_buy_menu>0</need_buy_menu> <!--默认行情风格(WHITE和BLACK) BLACK为红黑风格,WHITE为绿白风格 ,默认为BLACK--> <theme>BLACK</theme> </default> <serverlist> <server> <name></name> <port>8080</port> </server> </serverlist> <hkserverlist> <server> <name>港股行情本地服务器</name> <!--港股服务器的IP--> <address></address> <!--港股服务器的端口--> <port>9093</port> </server> <server> <address></address> <port>9094</port> </server> </hkserverlist> <config> <isneedhkhq>false</isneedhkhq> <isneedf10>true</isneedf10> <!--行情启动初始加载Logo图片--> <logourl>XSS</logourl> </config> </hqconfig>
logourl为获取地址。
此处嵌入XSS攻击代码即可。
CKing blck