【原创】Flash XSS 挖掘

SWF代码如下:

package {
    import com.thinkive.ctrl.*;
    import com.thinkive.view.*;
    import flash.events.*;
    import com.thinkive.base.event.*;
    import com.thinkive.event.*;
    import com.thinkive.ctrl.external.*;
    import com.thinkive.config.*;
    import flash.display.*;
    import org.aswing.*;
    import com.thinkive.util.*;
    import com.alvasun.laf.chrome.*;

    public class HQ02 extends Sprite {

        private static var cmd:CommandCenter;
        private static var win:MainWin;

        public function HQ02(){
            this.addEventListener(Event.ADDED_TO_STAGE, addToStageHandle);
        }
        public static function getCommandCenter():CommandCenter{
            return (cmd);
        }
        public static function getMainPanel():MainWin{
            return (win);
        }

        private function init():void{
            AsWingManager.initAsStandard(this);
            if ((parent is Stage)){
                Util.setParentObj(parent);
            } else {
                Util.setParentObj(parent.parent);
            };
            UIManager.setLookAndFeel(new ChromeLAF());
            win = new MainWin();
            cmd = new CommandCenter(win);
            if (!this.hasEventListener(TradeEvent.TRANS_TO_HQ)){
                this.addEventListener(TradeEvent.TRANS_TO_HQ, trans_to_hq);
            };
            var _local1:String = SharedObjectUtil.getCustTheme();
            if (((!((_local1 == null))) && ((_local1.length > 0)))){
                cmd.getUIConfig().setTheme(_local1);
            } else {
                cmd.getUIConfig().setTheme(Parameter.THEME_TYPE);
            };
            win.setBounds(Util.getParentRect());
            win.show();
            Util.getParentObj().addEventListener(Event.RESIZE, onResized);
            AsWingManager.getStage().addEventListener(MouseEvent.CLICK, onMouseClick);
        }
        private function onMouseClick(_arg1:Event):void{
            cmd.dispatchEvent(new CommandEvent(CommandEvent.JSACTION, "CLICK"));
        }
        public function addToStageHandle(_arg1:Event):void{
            var _local2:Object = loaderInfo.parameters;
            var _local3:String = (_local2.secuType as String);
            if (StringHelper.isEmpty(_local3)){
                _local3 = URLHelper.getUrlParamValue("secuType");
            };
            if (StringHelper.isEmpty(_local3)){
                if (ObjUtil.getTop(this) != null){
                    _local3 = ObjUtil.getTop(this).getParamValue("secuType");
                };
            };
            if (StringHelper.isNotEmpty(_local3)){
                Parameter.INITSECUTYPE = _local3;
            };
            var _local4:XMLConfig = new XMLConfig(_local2.url);
            _local4.loadXml(init);
        }
        private function trans_to_hq(_arg1:TradeEvent):void{
            cmd.getJsCallback().dispatchEvent(new JsEvent(JsEvent.JS_CALL_ACTION, _arg1.data));
        }
        private function onResized(_arg1:Event):void{
            win.setBounds(Util.getParentRect());
        }

    }
}//package 

其中XMLConfig(_local2.url)

未经过过滤传到_local14

_Local14变量初始化。

_local2.url为获取外部参数。

如果要问我为什么,往上走看到parameters。

可控,走到XMLConfig为获取XML。

找到XML地址、如下:

<?xml version="1.0" encoding="utf-8"?>
<hqconfig>
    <default>
    
        <need_buy_menu>0</need_buy_menu>
    <!--默认行情风格(WHITE和BLACK) BLACK为红黑风格,WHITE为绿白风格 ,默认为BLACK-->    
        <theme>BLACK</theme>
    </default>
    
    <serverlist>
          
        <server>
            <name></name>
            
            <port>8080</port>
        </server>
         
        
    </serverlist>
    
    <hkserverlist>
           
        <server>
              
            <name>港股行情本地服务器</name>
            <!--港股服务器的IP-->
            <address></address>
            <!--港股服务器的端口-->
            <port>9093</port>
        </server>
        
        <server>
            
            <address></address>
            <port>9094</port>
        </server>
    </hkserverlist>
        
    <config>
         
        <isneedhkhq>false</isneedhkhq>
        
        <isneedf10>true</isneedf10>
        <!--行情启动初始加载Logo图片-->
        <logourl>XSS</logourl>
    </config>
</hqconfig>

logourl为获取地址。

此处嵌入XSS攻击代码即可。

posted @ 2017-01-17 17:18  blck  阅读(371)  评论(0编辑  收藏  举报