DingleBerries (Posted February 23, 2009)

First, I do not take responsibility for the stupid shit you might do with this. If you "own" a website be prepared to accept any consequences that may lay hereinafter. Just because you can doesn't mean you should. This is an education tutorial to show you why you shouldn't use this type of validation/login on your websites. With that being said, here we go.

Setup:
Web Browser - FireFox, Download Them All, Lots of Proxies
Software - Flash Decompiler
Google dork - allinurl:login filetype:swf
VM - No internet access while we work on the .swf (paranoia)

Step 1. Make sure your shit's secured. Tor alone isn't enough, there are ways to grab your real IP. I recommend disabling cookies, referrers, JS, Java, and Flash. Use Download Them All and filter your downloads with other URLs and different methods (will not go into that).

Step 2. Grab that .swf. Don't go to any .gov site and try to hack it, can you say V A N? So start with a free one somewhere for practice.

Step 3. Decompile it and look for the pass (in script section)... That easy.

Other things you can do? Does it send commands to another script? Maybe some SQL injection? An open dir? You be the judge. There are a lot of things that these little files can do.

BTW this is old news and most sites have it fixed or use some other type of verification (of which you can see when decompiled)...

digip (Posted February 23, 2009)

Not to rain on your parade, but aren't most of these going to be grabbing the information from a database on their server? What flash login app is going to put a user name and password into the compiled swf file? They should all be grabbing or comparing this information with data stored on the site, not in the flash app.

DingleBerries (Author, Posted February 23, 2009)

> Not to rain on your parade, but aren't most of these going to be grabbing the information from a database on their server? What flash login app is going to put a user name and password into the compiled swf file? They should all be grabbing or comparing this information with data stored on the site, not in the flash app.

> BTW this is old news and most sites have it fixed or use some other type of verification (of which you can see when decompiled)...

One I did today. What people should be doing and ARE doing are usually two different things... However this is good information. By decompiling the swf you do not have to monitor headers to see what data is being sent and how. Just depends on what you want to do really.

digip (Posted February 23, 2009)

I like when they use if then else statements to verify users, but leave the payload URL in the file, so you can just pick where it would send you if you had the correct info, bypassing the need for name and password.

DingleBerries (Author, Posted February 23, 2009)

lol exactly. I am sure crawling the site would get you there as well but who knows. I saw this somewhere else and thought it would be a nice share.

ardnat (Posted February 23, 2009)

Another comment, you don't need a proxy to get the flash source. Just download it via a web browser and it will just look like a client loaded the webpage.
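
What digip describes in the thread (credentials compared against data stored on the site, and a destination URL that is worthless without a valid login), sketched as an added example that is not part of the original posts. The account, function names and in-memory stores are assumptions standing in for a real web framework and database.

```python
import hashlib
import hmac
import secrets

def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash; only the hash is ever stored, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account; a real site keeps this in its database.
SALT = secrets.token_bytes(16)
USERS = {"alice": (SALT, hash_password("correct horse battery", SALT))}
SESSIONS = set()  # session tokens issued by the server after a good login

def login(username: str, password: str):
    """Server-side check. The client (Flash, JS, anything) only submits
    the form; nothing it ships contains the secret or the comparison."""
    salt, stored = USERS.get(username, (b"\x00" * 16, b""))
    candidate = hash_password(password, salt)  # same work for unknown users
    if username in USERS and hmac.compare_digest(candidate, stored):
        token = secrets.token_urlsafe(32)
        SESSIONS.add(token)
        return token
    return None

def members_page(token):
    """The destination behind the login. It checks the session itself,
    so learning this URL from the client file gets a visitor nothing."""
    if token is None or token not in SESSIONS:
        return 403, "Forbidden"
    return 200, "members content"

if __name__ == "__main__":
    print(members_page(None))                      # no login
    print(members_page(login("alice", "guess")))   # wrong password
    print(members_page(login("alice", "correct horse battery")))
```
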