Skip to content
This repository has been archived by the owner on Jul 4, 2023. It is now read-only.

H5SC Mini Challenge 4

Jump to bottom
Cure53 edited this page Apr 1, 2016 · 18 revisions

H5SC Mini-Challenge 4

This challenge was public for a few hours on 1st of April 2016. It involved Flash, ExternalInterface, one obvious - and another less obvious solution. So, keep reading - it might not be that boring in the end.

Source Code

{
    import flash.display.Sprite;
    import flash.external.ExternalInterface;
    import flash.text.TextField;
    
    public class Main extends Sprite
    {
        public function Main() 
        {
            ExternalInterface.call('console.dir', loaderInfo.parameters);
            var text:TextField = new TextField();
            text.height = 200;
            text.width = 600;
            text.text = "Can you XSS me? Execute an alert(1) and win fame and glory :)\r\nSend a mail to [email protected] once you did it.";
            text.text += loaderInfo.parameters.text?loaderInfo.parameters.text:"";
            addChild(text);
        }
    }
}

The obvious solution

There is one solution, that is obvious - and it involves breaking the string that contains the value of one of the Flash variables. You can simply do this to trigger the alert:

https://html5sec.org/minichallenges/4?text=\%22})));alert(1)}catch(e){}//

As many people found out via Flash de-compilation (JPEXS is a great tool for that), there is a Flash variable (flashVar) in use and its name is text. So why not go with that. Flash forgets to escape the escaper, we break the string, payload arrives in the try-catch block ExternalInterface generates and boom. The classic way.

But we can also do this:

https://html5sec.org/minichallenges/4?x=\%22})));alert(1)}catch(e){}//

We don't need to use the existing flashVar, we can use whatever we variable name want. Can we go even further? What if the SWF file we attack now starts to escape properly on its own? By replaing \ with \\ for example, as often seen in the wild?

The not so obvious solution

TBD

Solvers

  1. @xrekkusu 10 chars
  2. @tunnelshade_ 10 chars
  3. @petecorey 10 chars
  4. Y. Q. Yang 12 chars
  5. @smiegles 13 chars
  6. @pouyadarabi 13 chars
  7. @avlidienbrunn 14 chars
  8. @fransrosen 27 chars
  9. @mriccia 27 chars
  10. @hykatza 26 chars
  11. @llamakko_cafe 26 chars
  12. @fab_tc 31 chars
  13. @en4rab 32 chars
  14. M. B. Rad 33 chars
  15. @simps0n 34 chars
Clone this wiki locally