  • 【原创】Flash XSS 挖掘

    SWF代码如下:

    package {
        import com.thinkive.ctrl.*;
        import com.thinkive.view.*;
        import flash.events.*;
        import com.thinkive.base.event.*;
        import com.thinkive.event.*;
        import com.thinkive.ctrl.external.*;
        import com.thinkive.config.*;
        import flash.display.*;
        import org.aswing.*;
        import com.thinkive.util.*;
        import com.alvasun.laf.chrome.*;
    
        /**
         * Root sprite of the SWF analysed on this page.
         *
         * Local names such as _local2 and _arg1 look decompiler-generated, so
         * they carry no meaning of their own.
         *
         * Start-up order as visible here: the constructor waits for
         * ADDED_TO_STAGE, addToStageHandle() reads the embed parameters and
         * starts loading the XML configuration, and init() is passed to
         * XMLConfig.loadXml() as the callback that builds the UI.
         *
         * Security-relevant point: the configuration address comes from the
         * externally supplied "url" parameter and is not validated in this class.
         */
        public class HQ02 extends Sprite {
    
            // Shared across the whole SWF through the static getters below.
            private static var cmd:CommandCenter;
            private static var win:MainWin;
    
            /** Defers all work until the sprite has been added to the stage. */
            public function HQ02(){
                this.addEventListener(Event.ADDED_TO_STAGE, addToStageHandle);
            }
            /** Returns the CommandCenter created in init(); unset until init() has run. */
            public static function getCommandCenter():CommandCenter{
                return (cmd);
            }
            /** Returns the MainWin created in init(); unset until init() has run. */
            public static function getMainPanel():MainWin{
                return (win);
            }
    
            /**
             * Builds the UI. Passed as the callback to XMLConfig.loadXml(), so it
             * presumably runs once the configuration has been loaded (XMLConfig is
             * not shown on this page; confirm).
             */
            private function init():void{
                AsWingManager.initAsStandard(this);
                // Use the direct parent when it is the Stage, otherwise the grandparent
                // (the case where this SWF is nested inside another container).
                if ((parent is Stage)){
                    Util.setParentObj(parent);
                } else {
                    Util.setParentObj(parent.parent);
                };
                UIManager.setLookAndFeel(new ChromeLAF());
                win = new MainWin();
                cmd = new CommandCenter(win);
                // Guard against registering the same listener twice.
                if (!this.hasEventListener(TradeEvent.TRANS_TO_HQ)){
                    this.addEventListener(TradeEvent.TRANS_TO_HQ, trans_to_hq);
                };
                // A theme stored through SharedObjectUtil wins; otherwise fall back to
                // Parameter.THEME_TYPE.
                var _local1:String = SharedObjectUtil.getCustTheme();
                if (((!((_local1 == null))) && ((_local1.length > 0)))){
                    cmd.getUIConfig().setTheme(_local1);
                } else {
                    cmd.getUIConfig().setTheme(Parameter.THEME_TYPE);
                };
                win.setBounds(Util.getParentRect());
                win.show();
                Util.getParentObj().addEventListener(Event.RESIZE, onResized);
                AsWingManager.getStage().addEventListener(MouseEvent.CLICK, onMouseClick);
            }
            /** Turns any click on the stage into a JSACTION command carrying "CLICK". */
            private function onMouseClick(_arg1:Event):void{
                cmd.dispatchEvent(new CommandEvent(CommandEvent.JSACTION, "CLICK"));
            }
            /**
             * Reads the embed parameters and starts loading the XML configuration.
             *
             * loaderInfo.parameters holds the name/value pairs given to the SWF
             * through FlashVars or the query string of the SWF URL, so every field
             * read from it is controlled by whoever embeds or links to the SWF.
             */
            public function addToStageHandle(_arg1:Event):void{
                var _local2:Object = loaderInfo.parameters;
                // secuType lookup order: embed parameter, then URLHelper, then the
                // top-level object returned by ObjUtil.getTop().
                var _local3:String = (_local2.secuType as String);
                if (StringHelper.isEmpty(_local3)){
                    _local3 = URLHelper.getUrlParamValue("secuType");
                };
                if (StringHelper.isEmpty(_local3)){
                    if (ObjUtil.getTop(this) != null){
                        _local3 = ObjUtil.getTop(this).getParamValue("secuType");
                    };
                };
                if (StringHelper.isNotEmpty(_local3)){
                    Parameter.INITSECUTYPE = _local3;
                };
                // SECURITY: "url" goes from the embed parameters straight into XMLConfig
                // with no scheme, host or path check in this method. The page states that
                // XMLConfig fetches the XML from this address, so every value later read
                // from the configuration (including <logourl>) is untrusted as well.
                // Hardening: load the configuration from a fixed path, or accept only
                // same-origin / allowlisted addresses before constructing XMLConfig.
                var _local4:XMLConfig = new XMLConfig(_local2.url);
                _local4.loadXml(init);
            }
            /**
             * Forwards the payload of a TRANS_TO_HQ event to the object returned by
             * cmd.getJsCallback() as a JS_CALL_ACTION event.
             */
            private function trans_to_hq(_arg1:TradeEvent):void{
                // NOTE(review): _arg1.data is forwarded unchanged; the name suggests the
                // receiver calls into page JavaScript. Confirm it treats the value as data.
                cmd.getJsCallback().dispatchEvent(new JsEvent(JsEvent.JS_CALL_ACTION, _arg1.data));
            }
            /** Keeps the main window sized to the parent rectangle on resize. */
            private function onResized(_arg1:Event):void{
                win.setBounds(Util.getParentRect());
            }
    
        }
    }//package 

    其中XMLConfig(_local2.url)

    未经过过滤传到_local4。

    _local4变量在此初始化。

    _local2.url为获取外部参数。

    如果要问我为什么:往上看可以看到_local2来自loaderInfo.parameters,也就是外部传入的参数。

    因此url可控,XMLConfig会按这个地址去获取XML。

    找到该XML的地址,内容如下:

    <?xml version="1.0" encoding="utf-8"?>
    <hqconfig>
        <default>
        
            <need_buy_menu>0</need_buy_menu>
        <!--默认行情风格(WHITE和BLACK) BLACK为红黑风格,WHITE为绿白风格 ,默认为BLACK-->    
            <theme>BLACK</theme>
        </default>
        
        <serverlist>
              
            <server>
                <name></name>
                
                <port>8080</port>
            </server>
             
            
        </serverlist>
        
        <hkserverlist>
               
            <server>
                  
                <name>港股行情本地服务器</name>
                <!--港股服务器的IP-->
                <address></address>
                <!--港股服务器的端口-->
                <port>9093</port>
            </server>
            
            <server>
                
                <address></address>
                <port>9094</port>
            </server>
        </hkserverlist>
            
        <config>
             
            <isneedhkhq>false</isneedhkhq>
            
            <isneedf10>true</isneedf10>
            <!--行情启动初始加载Logo图片-->
            <logourl>XSS</logourl>
        </config>
    </hqconfig>

    logourl为行情启动时加载的Logo图片地址,其值取自这份配置文件。

    由于配置文件的地址可由外部参数url指定,logourl的内容同样不可信,此处嵌入XSS攻击代码即可。修复时应将配置地址固定或限制在同源白名单内,并对logourl这类地址字段做协议和域名校验。

  • 原文地址:https://www.cnblogs.com/blck/p/6293884.html