[File upload-configuration file] crossdomain.xml cross-domain policy configuration file upload

Table of contents

1. 0x00 Preface

2. Basic knowledge

   1. Flash

   2. crossdomain.xml file

   3. crossdomain.xml format

   4. crossdomain.xml related parameters

3. Exploiting vulnerabilities

   1. Method

   2. Upload vulnerability configuration file


1. 0x00 Preface

Cross-domain access can be checked in many places: for example, in the links of certain specific steps of a flow, in CSRF, in Flash cross-domain hijacking, and so on.



2. Basic knowledge

1. Flash

Because the capabilities of HTML are very limited and cannot deliver the dynamic effects people expect, various scripting languages emerged to make web design more varied. Programming, however, is not always popular because it requires a certain level of skill, so people wanted an animation design tool that is simple, intuitive, and powerful at the same time. Flash appeared to meet exactly this need.

2. crossdomain.xml file

It is generally placed in the web root directory (the policy file in the root directory is called the "master policy file").

If there is no master policy file in the root directory, the domain prohibits Flash cross-domain requests from any third-party domain.

3. crossdomain.xml format

<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="www.xxx.com" />
</cross-domain-policy>

Here www.xxx.com is the trusted domain name.

4. crossdomain.xml related parameters

1. site-control tag (attribute permitted-cross-domain-policies)

Attribute values:
none:             Does not allow any policy file to be loaded with the loadPolicyFile method, including this master policy file.
master-only:      Only the master policy file may be used [default].
by-content-type:  Only allows loadPolicyFile to load files served over HTTP/HTTPS with Content-Type text/x-cross-domain-policy as cross-domain policy files.
by-ftp-filename:  Only allows loadPolicyFile to load files named crossdomain.xml served over FTP as cross-domain policy files.
all:              Any file on the target domain may be loaded with loadPolicyFile as a cross-domain policy file.


Example:
<cross-domain-policy>
    <site-control permitted-cross-domain-policies="by-content-type"/>
</cross-domain-policy>


2. allow-access-from tag

Attribute values:
domain:    Specifies an IP address, a domain, or a wildcard domain (any domain).
to-ports:  Specifies the range of socket ports that are allowed to read content from this domain (e.g. to-ports="1100,1120-1125"; the wildcard (*) allows all ports).
secure:    Indicates whether the data is transmitted encrypted. When crossdomain.xml is loaded over HTTPS, secure defaults to true.


Example:
<cross-domain-policy>
    <allow-access-from domain="*.baidu.com" secure="true" />
</cross-domain-policy>


3. allow-access-from-identity tag

This node configures a cross-domain access policy that allows sources holding a specific certificate to access resources in this domain across domains.

<allow-access-from-identity>
    <signatory>
        <certificate
            fingerprint="04:ac:…"
            fingerprint-algorithm="sha-1"/>
    </signatory>
</allow-access-from-identity>

Here fingerprint is the certificate fingerprint in the colon-separated form shown (04:ac:…).

4. allow-http-request-headers-from tag

This node authorizes Flash content from a third-party domain to send user-defined HTTP headers to this domain.

Attribute values:
domain:     Same as domain in allow-access-from.
headers:    Specifies which HTTP headers may be sent (a comma-separated list; the wildcard (*) is allowed).
secure:     Same as secure in allow-access-from.

Example:
<cross-domain-policy>
    <allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>



3. Exploiting vulnerabilities

1. Method

1. Find any file upload point (first test whether you can get a shell).

2. If you cannot get a shell, try XSS.

3. If XSS is not possible, try uploading the configuration file.

Uploading the configuration file is the last resort.

2. Upload vulnerability configuration file

The following crossdomain.xml file is vulnerable.

(Try to upload the vulnerable configuration file to the root directory.)

<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="*" />
</cross-domain-policy>

The wildcard * is what makes it a vulnerability: every domain is granted cross-domain access.
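The following audit script is an added example, not code from the original post. It parses a crossdomain.xml document with Python's standard-library XML parser and flags the dangerous settings described in the parameters section above (permitted-cross-domain-policies="all", allow-access-from domain="*", wildcard subdomains, secure="false", to-ports="*", and headers="*" from any domain), so that the wildcard file shown in this section is reported as high risk while a tightly scoped policy passes. It also includes a small check an upload handler can apply to reject files whose name is crossdomain.xml, which is the defensive counterpart of the upload method described above. The two policy documents and the domain www.example.com are constructed sample input; the severity labels are this example's own convention.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: the wildcard policy shown in the post.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="*" />
</cross-domain-policy>
"""

# Constructed sample: a tightly scoped policy (www.example.com is a placeholder).
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
    <site-control permitted-cross-domain-policies="master-only"/>
    <allow-access-from domain="www.example.com" secure="true" />
    <allow-http-request-headers-from domain="www.example.com" headers="X-Requested-With" />
</cross-domain-policy>
"""

# Filenames an upload handler should never let a user choose, because a file with this
# name served from the web root becomes the Flash master policy file.
RESERVED_UPLOAD_NAMES = {"crossdomain.xml"}


def audit_policy(xml_text):
    """Return a list of (severity, message) findings for one crossdomain.xml document."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("error", f"not well-formed XML: {exc}")]
    if root.tag != "cross-domain-policy":
        return [("error", f"unexpected root element <{root.tag}>")]

    # site-control: governs which other files may be loaded as policy files.
    site_control = root.find("site-control")
    if site_control is None:
        findings.append(("info", "no <site-control>; Flash defaults to master-only"))
    else:
        mode = site_control.get("permitted-cross-domain-policies", "master-only")
        if mode == "all":
            findings.append(("high", 'permitted-cross-domain-policies="all": any file on the host '
                                     "can be loaded as a policy file"))
        elif mode in ("by-content-type", "by-ftp-filename"):
            findings.append(("medium", f'permitted-cross-domain-policies="{mode}": policy files '
                                       "outside the root are honoured"))

    # allow-access-from: who may read this domain's responses.
    for elem in root.findall("allow-access-from"):
        domain = elem.get("domain", "")
        secure = elem.get("secure", "true").lower()   # defaults to true over HTTPS
        if domain == "*":
            findings.append(("high", 'allow-access-from domain="*": every origin may read '
                                     "this domain's responses with the victim's cookies"))
        elif domain.startswith("*."):
            findings.append(("medium", f"allow-access-from wildcard {domain}: every host under "
                                       "that domain is trusted"))
        if secure == "false":
            findings.append(("medium", f'allow-access-from domain="{domain}" secure="false": '
                                       "plain-HTTP SWFs may read HTTPS content"))
        if elem.get("to-ports") == "*":
            findings.append(("medium", f'allow-access-from domain="{domain}" to-ports="*": '
                                       "socket access opened on all ports"))

    # allow-http-request-headers-from: who may send custom headers.
    for elem in root.findall("allow-http-request-headers-from"):
        if elem.get("domain", "") == "*" and "*" in elem.get("headers", ""):
            findings.append(("high", 'allow-http-request-headers-from domain="*" headers="*": '
                                     "any origin may send arbitrary headers"))
    return findings


def is_safe(xml_text):
    """True when the policy parses and carries no high-severity finding."""
    return not any(sev in ("high", "error") for sev, _ in audit_policy(xml_text))


def upload_name_is_reserved(filename):
    """Reject user-supplied filenames that would collide with the master policy file."""
    return os.path.basename(filename).lower() in RESERVED_UPLOAD_NAMES


if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: safe={is_safe(policy)}")
        for severity, message in audit_policy(policy):
            print(f"  [{severity}] {message}")
    print("upload 'CrossDomain.XML' reserved:", upload_name_is_reserved("CrossDomain.XML"))
```

Beyond rejecting the reserved filename, the upload directory should not be the web root at all: the master policy file is only honoured at the root of the origin, so uploads served from a separate path (or a separate domain) cannot become one even if the name check is bypassed.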


Origin blog.csdn.net/qq_53079406/article/details/132859748