一段扫flash跨站的脚本

发表于 2010年06月18日
Vulndb
更新于 2010年08月19日 1:48:04 上午

作者：xy7

没啥技术含量，主要是扫ExternalInterface.call

#!/usr/bin/php -q
<?php

/*--------------------------------xy7@80sec.com----------------------------
#Flash文件跨站检测脚本 2010/6/3
#检测过程如下:
提取ExternalInterface.call调用的参数，检查参数是都是直接通过loaderInfo.parameters获取
#使用方法
./scan.php /as代码目录>log
----------------------------------xy7@80sec.com---------------------------*/

set_time_limit(0);

function find($directory)
{
$mydir=dir($directory);
while($file=$mydir->read()){
if((is_dir("$directory/$file"))&&($file!=".")&&($file!=".."))
{
find("$directory/$file");
}
else{
if($file != "." && $file != ".."&&eregi(".as",$file)){
$fd=realpath($directory."/".$file);
$fp = fopen($fd, "r");
$i=0;
while ($buffer = fgets($fp, 128)) {
$i++;
if(eregi("ExternalInterface.call",$buffer))
{
echo "Line".$i.":".$buffer."\r\n\r\n";
preg_match("/\((.*)\)/i", $buffer, $match);
if (strstr($match[1],"("))
{
preg_match("/\((.*)\)/i", $match[1], $newmatch);
echo "再次提取后参数包含 :".$newmatch[1]."\r\n\r\n";
$oldfp = ftell($fp);
fseek($fp, 0);
$p = 0;
while ($newbuffer = fgets($fp, 128))
{
$p++;
if(eregi("loaderInfo.parameters",$newbuffer))
{
//echo "Line".$p.":".$newbuffer."\r\n";
if (strstr($newbuffer,$newmatch[1]))
{
echo $newmatch[1]."存在漏洞\r\n\r\n";

}
}
}
fseek($fp, $oldfp);
unset($oldfp);
} elseif(strstr($match[1],","))
{
echo "多个参数:$match[1]\r\n";
if (strstr($match[1],"loaderInfo.parameters")){
echo $match[1]."直接调用loaderInfo.parameters传递存在漏洞\r\n\r\n";
}
$var_array = array();
$var_array = explode(",",$match[1]);
$oldfp = ftell($fp);
fseek($fp,0);
while ($newbuffer = fgets($fp, 128))
{
if(eregi("loaderInfo.parameters",$newbuffer))
{
//echo "Line".$p.":".$newbuffer."\r\n\r\n";
foreach ($var_array as $value)
{
if (strstr($newbuffer,$value))
{
echo trim($value)."存在漏洞\r\n\r\n";
}

}

}
}
fseek($fp, $oldfp);
unset($oldfp);
}else
{
echo "唯一参数:".$match[1]."\r\n";
if (strstr($match[1],"loaderInfo.parameters")){
echo $match[1]."直接调用loaderInfo.parameters传递存在漏洞\r\n\r\n";
}
$oldfp = ftell($fp);
fseek($fp,0);
while ($newbuffer = fgets($fp, 128))
{
if(eregi("loaderInfo.parameters",$newbuffer))
{
//echo "Line".$p.":".$newbuffer."\r\n\r\n";
if (strstr($newbuffer,$match[1]))
{
echo trim($match[1])."存在漏洞\r\n\r\n";
}
}
}
fseek($fp, $oldfp);
unset($oldfp);
}
}
}
fclose($fp);

}
}
}
$mydir->close();
}
function all()
{
static $count = 1;
echo $count;
$count++;
}
find($argv[1]);
?>

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

#!/usr/bin/php -q

<?php

/*--------------------------------xy7@80sec.com----------------------------

#Flash文件跨站检测脚本 2010/6/3

#检测过程如下:

提取ExternalInterface.call调用的参数，检查参数是都是直接通过loaderInfo.parameters获取

#使用方法

./scan.php /as代码目录>log

----------------------------------xy7@80sec.com---------------------------*/

set_time_limit(0);

function find($directory)

{

$mydir=dir($directory);

while($file=$mydir->read()){

if((is_dir("$directory/$file"))&&($file!=".")&&($file!=".."))

{

find("$directory/$file");

}

else{

if($file != "." && $file != ".."&&eregi(".as",$file)){

$fd=realpath($directory."/".$file);

$fp = fopen($fd, "r");

$i=0;

while ($buffer = fgets($fp, 128)) {

$i++;

if(eregi("ExternalInterface.call",$buffer))

{

echo "Line".$i.":".$buffer."\r\n\r\n";

preg_match("/$(.*)$/i", $buffer, $match);

if (strstr($match[1],"("))

{

preg_match("/$(.*)$/i", $match[1], $newmatch);

echo "再次提取后参数包含 :".$newmatch[1]."\r\n\r\n";

$oldfp = ftell($fp);

fseek($fp, 0);

$p = 0;

while ($newbuffer = fgets($fp, 128))

{

$p++;

if(eregi("loaderInfo.parameters",$newbuffer))

{

//echo "Line".$p.":".$newbuffer."\r\n";

if (strstr($newbuffer,$newmatch[1]))

{

echo $newmatch[1]."存在漏洞\r\n\r\n";

}

fseek($fp, $oldfp);

unset($oldfp);

} elseif(strstr($match[1],","))

{

echo "多个参数:$match[1]\r\n";

if (strstr($match[1],"loaderInfo.parameters")){

echo $match[1]."直接调用loaderInfo.parameters传递存在漏洞\r\n\r\n";

}

$var_array = array();

$var_array = explode(",",$match[1]);

$oldfp = ftell($fp);

fseek($fp,0);

while ($newbuffer = fgets($fp, 128))

{

if(eregi("loaderInfo.parameters",$newbuffer))

{

//echo "Line".$p.":".$newbuffer."\r\n\r\n";

foreach ($var_array as $value)

{

if (strstr($newbuffer,$value))

{

echo trim($value)."存在漏洞\r\n\r\n";

}

fseek($fp, $oldfp);

unset($oldfp);

}else

{

echo "唯一参数:".$match[1]."\r\n";

if (strstr($match[1],"loaderInfo.parameters")){

echo $match[1]."直接调用loaderInfo.parameters传递存在漏洞\r\n\r\n";

}

$oldfp = ftell($fp);

fseek($fp,0);

while ($newbuffer = fgets($fp, 128))

{

if(eregi("loaderInfo.parameters",$newbuffer))

{

//echo "Line".$p.":".$newbuffer."\r\n\r\n";

if (strstr($newbuffer,$match[1]))

{

echo trim($match[1])."存在漏洞\r\n\r\n";

}

fseek($fp, $oldfp);

unset($oldfp);

}

fclose($fp);

}

$mydir->close();

}

function all()

{

static $count = 1;

echo $count;

$count++;

}

find($argv[1]);

标签：Flash , 跨站原文连接：一段扫flash跨站的脚本 所有媒体，可在保留署名、原文连接的情况下转载，若非则不得使用我方内容。

风讯网站管理系统API_Response.asp页面存在越权漏洞 SQL注射中使用Mysql load_file解析bsd目录的脚本