若干flash xss漏洞分析

漏洞一

// Copies the SWF's launch parameters (loaderInfo.parameters: FlashVars and the
// URL query string) into the shared Parameters singleton. Everything read back
// from Parameters.getInstance() further down therefore originates from the
// embedding page or the URL, i.e. it is attacker-controllable input.
Parameters.getInstance().data = loaderInfo.parameters;

public function get onPlayStart():String{
    // Name of the host-page JavaScript callback fired when playback starts.
    // It is returned verbatim from the `_data` parameter map -- no validation,
    // no allow-list -- so it is whatever the FlashVars / URL supplied.
    var callbackName:String = _data["onPlayStart"];
    return callbackName;
}

// Sinks: ExternalInterface.call() evaluates its first argument as a JavaScript
// function expression in the hosting page. Each callback name below is taken
// straight from the parameter map (see the onPlayStart getter) without any
// check, so a crafted FlashVar / URL parameter becomes script execution in the
// page's origin. Mitigation: only dispatch to a fixed allow-list of callback
// names, or at minimum reject anything that is not a plain dotted identifier
// (e.g. /^[A-Za-z_$][\w$.]*$/) before calling.
ExternalInterface.call(Parameters.getInstance().onPlayStart, _arg1);
ExternalInterface.call(Parameters.getInstance().onPlayStop);
ExternalInterface.call(Parameters.getInstance().onFileLoadedError);

漏洞二

function reload(u, show_loading) {
    // Reload the chart data. `u` optionally overrides the data URL;
    // `show_loading` defaults to true and controls the "Loading data..." overlay.

    // Default the flag when the caller omitted it (loose check also matches null).
    if (show_loading == undefined) {
        show_loading = true;
    }
    if (show_loading) {
        _root.loading = new Loading("Loading data...");
    }

    // Resolve the URL to fetch: start from `_root.data` (typically populated from
    // FlashVars / the URL query string), then let a non-empty `u` override it.
    // Neither source is validated, so the embedding page or a crafted URL decides
    // where the chart data is fetched from.
    var dataUrl = "";
    if (_root.data != undefined) {
        dataUrl = _root.data;
    }
    if (u != undefined && u.length > 0) {
        dataUrl = u;
    }

    // Replace the previous loader, attach the parse callbacks and start the
    // request. Whatever the remote document contains is handed to
    // LoadVarsOnLoad unchecked; restricting dataUrl to same-origin / relative
    // paths is the usual mitigation.
    _root.lv = undefined;
    var loader = new LoadVars();
    loader.onLoad = LoadVarsOnLoad;
    loader.make_chart = make_chart;
    loader.make_pie = make_pie;
    _root.lv = loader;
    loader.load(dataUrl);
}

漏洞三

// `csPreloader` is declared but never assigned in this code. In AS2 a timeline
// variable declared without an initializer does not overwrite a value already
// present on _root, and FlashVars / URL query parameters populate _root -- so
// the embedding page or a crafted URL can choose this value.
var csPreloader;
// Sink: loadClip() fetches and runs an external SWF inside this movie's security
// context. Taking the URL from the uninitialized variable above means an
// attacker-supplied SWF runs with the hosting domain's privileges. Mitigation:
// initialize csPreloader to a fixed relative path, or validate it against an
// allow-list of same-origin paths before loading.
loader.loadClip(csPreloader, preloader_mc.target);

漏洞四

// Sink: the configuration XML is fetched from `file`, which init() receives
// unvalidated (the excerpt lists the sink first; the flow runs bottom-up).
this.loadXML(file);
// Only init()'s signature is shown here; its body lives elsewhere in the
// decompiled source. `file` is the first argument of the call just below.
function init(file, ploader, bookmark, contentpath)
// Source -> sink: csConfigFile is passed through as `file`.
container.init(csConfigFile, preloader_mc, csFilesetBookmark, contentpath);
// Declared with no initializer, so -- as with csPreloader in the previous
// listing -- a FlashVar / URL parameter of the same name supplies its value.
// Mitigation: give it a fixed default and reject non-relative paths.
var csConfigFile;

漏洞五

    // Sink: getURL() navigates the clip's link window to `_loc2`. A script-scheme
    // link executes in the embedding page, so linkUrl has to be restricted to
    // http/https (or relative) URLs before it gets here -- nothing does that.
    getURL(_loc2, this.playList.currentClip().getLinkWindow());
// Source: the link of the current playlist clip (listed after the sink in this
// excerpt; presumably this declaration precedes the getURL call in the real code).
var _loc2 = this.playList.currentClip().getLinkURL();

_loc1.getLinkURL = function () {
    // Accessor for the clip's link target. Nothing normalises or validates the
    // value here; it is handed back exactly as the constructor stored it.
    var link = this.linkUrl;
    return link;
};

var _loc1 = (_global.org.flowplayer.playlist.Clip = function (name, baseUrl, fileName, start, end, protected, enableControl, linkUrl, linkWindow, type, allowResize, overlayFileName, overlayId, live, showOnLoadBegin, maxPlayCount, info, thumbnailUrl, suggestedClipsInfoUrl, id, keywords)

{
this.linkUrl = linkUrl;

漏洞六

     // Sink: htmlText renders `content` as Flash HTML, so any markup it carries is
     // interpreted rather than displayed. The surrounding join() adds nothing (a
     // decompilation artefact). Mitigation: assign to .text instead, or HTML-escape
     // `content` before it reaches an htmlText property.
     this.textField.htmlText = ['', content, ''].join('');

_global.sIFR = function (textField, content)
{ ……
this.write(content);
……
}

// The second constructor argument becomes `content` and ends up in the htmlText
// sink shown above.
sIFR.instance = new sIFR(_loc3.txtF, _loc4);
// Source: `_root.version` (settable via FlashVars / URL parameters) is spliced
// into the warning template verbatim, with no escaping, so it flows into
// htmlText unchanged. (Listed after the constructor call here; presumably this
// assignment runs first in the real code.)
_loc4 = sIFR.VERSION_WARNING.split("%s").join(_root.version);

漏洞七

// _setVar appears to resolve `_onClick` from the candidate list, with
// `_root.onclick` (settable via FlashVars / URL parameters) listed ahead of the
// config value. Only the type "String" is enforced -- there is no URL-scheme check.
this._setVar("_onClick", [_root.onclick, pConfig.onclick], "String");
// Sink: getURL() with the attacker-influenced value; a script-scheme URL runs in
// the embedding page. Mitigation: accept only http/https or relative URLs here.
getURL(this._onClick, this._onClickTarget);

自动化检测脚本

顺手写了个简单的脚本，用于检测已知的 flash xss 漏洞，下载地址见 FlashScanner