Flash Application Security Series [6]-Sina Weibo worm threats

The basic idea is to use the allowscriptaccess = always condition to enable flash to load our own swf file for Cross-Site purposes.
This time, we will focus on audio playback. When we use the windows system to browse Sina Weibo, the audio will still be played through swf. We found that when playing Sina music library and songtaste songs, the swf player's allowscriptaccess is still always. Because users can submit songs to songtaste, we choose to play songtaste songs for testing. Now we need to think about a problem, how can I load the swf file played by the music into another swf file with the specified address. For this reason, a frequent speaker often downloads a skin.swf or a thumbnail. In this case, we can only control few variables, such as the song name and singer name, can I write some articles here. Let's first look at how the text class information is output. Decompile the swf file (music.sina.com.cn/yueku/js/mwp/feedPlayer.swf? Vers = 3). The key code logic is as follows: var _ loc_3: * = this. view. loaderInfo. parameters ;... globalParam. conf. song = StringUtils. trim (_ loc_3.song | "");... var _ loc_4: * = new SoundBaseVO ();... _ loc_4.songName = GlobalParam. conf. song | "";... private function setFirstSong (param1: SoundBaseVO): void {... if (param1.outLink) {_ loc_2 = "<B> <a href = \' http://t.cn/ "+ GlobalParam. conf. export URL + "\ 'target = \ '_ blank \'>" + param1.songName + "</a> </B>"; this.txt_songName.html Text = _ loc_2; this.txt _ artistName. text = StringDot. getTextLimit (param1.artistName, 13);} we can see that the song value passed in from the loaderInfo object is finally output in the text box named txt_songName as htmlText. Do not think the htmlText here is equivalent to the HTML text language. Adobe's help manual clearly states that Flash Player supports some standard HTML tags, including: anchor label bold label line feed label font label image label italic label list item label paragraph label Span label text format label underline label it is worth mentioning is the image label, the adobe help manual says that the tag allows you to import external image files (JPEG, GIF, and PNG). SWF files and video clips are embedded in text fields and TextArea component instances. In other words, we can use Format to embed a swf file. Cool? Now we need to submit a file named Song, and then reference this songtaste link on Weibo, waiting for others to click to play this music file. Songtaste: http://www.songtaste.com/song/3235631/