By embedding the follow SWF code, when ran in an individual page a new tab comes up with the desired URL and an ad bar over the top. There is no user interaction required.
<embed width="1" height="1" align="middle"
pluginspage=""
type="application/x-shockwave-flash" allowscriptaccess="sameDomain"
name="blog" bgcolor="000000" wmode="transparent" quality="high"
src=".swf"
flashvars="web=www.agitehabbero/index.php&creador=supercito">
If the code is embedded into a frame, then no new tabs are created, and rather the frame is modified to add the html page.
Edit: There is NO JAVASCRIPT on the page.
How can a SWF file do this? (Inject content into an webpage)?
By embedding the follow SWF code, when ran in an individual page a new tab comes up with the desired URL and an ad bar over the top. There is no user interaction required.
<embed width="1" height="1" align="middle"
pluginspage="http://www.macromedia.com/go/getflashplayer"
type="application/x-shockwave-flash" allowscriptaccess="sameDomain"
name="blog" bgcolor="000000" wmode="transparent" quality="high"
src="http://i1177.photobucket.com/albums/x348/hosting504/red.swf"
flashvars="web=www.agitehabbero.com/index.php&creador=supercito">
If the code is embedded into a frame, then no new tabs are created, and rather the frame is modified to add the html page.
Edit: There is NO JAVASCRIPT on the page.
How can a SWF file do this? (Inject content into an webpage)?
Share Improve this question edited Jun 7, 2012 at 22:13 Kijewski 26k14 gold badges107 silver badges147 bronze badges asked May 29, 2012 at 6:58 apscienceapscience 7,25311 gold badges57 silver badges89 bronze badges 4- I tried embedding the code into an iframe and a regular frame, but both cases the code opened (or tried to open) a new window/tab instead of modifying the frame. Are you sure it modified the frame itself? – Jeffery To Commented Jun 3, 2012 at 18:28
- I'd better get that bounty :) – oxygen Commented Jun 5, 2012 at 18:36
- Your question is misleading, and you accepted an answer which dissasembles for the worst solution possible, found in that red.swf file. – oxygen Commented Jun 9, 2012 at 14:25
- Tiberiu: The accepted solution does not require 'AllowScriptAccess' to be set to always. Yours does. – apscience Commented Jun 21, 2012 at 11:37
7 Answers
Reset to default 6This ActionScript3.0 code will inject an anonymous function, then execute it while passing the single param "hello":
ExternalInterface.call("function(msg){ alert(msg); }", "hello"); (this gets executed like this Javascript code: function(msg){ alert(msg); }("hello");).
Since you can inject code, you can write the code to manipulate the document (add elements, modify styles, change element values, etc.). For example this AS3 code: ExternalInterface.call("function(){ document.write(\"Hello, world!\"); }"); will display "Hello, world!" on the HTML page.
Also, from the docs:
- In the object tag for the SWF file in the containing HTML page, set the following parameter:
<param name="allowScriptAccess" value="always" /> - In the SWF file, add the following ActionScript:
flash.system.Security.allowDomain(sourceDomain)
I tested all of the above, and it works just fine on my browsers: Google Chrome 19, Internet Explorer 8, Firefox 12.
As you requested, no javascript on the document side :)
There is a class in AS called ExternalInterface. It helps flash communicate with JS (call a js function or JS call a flash function). Then throw DOM the can add content into a page. It could be this.
An example
AS3
package {
import flash.display.Sprite;
import flash.external.ExternalInterface;
import flash.events.*;
public class MyApp extends Sprite {
private var btn:Sprite;
public function MyApp() {
//add an entry point from js (html page) to swf, so js can call the swfFunc
ExternalInterface.addCallback('swfFunc', swfFunc);
btn = new Sprite();
btn.mouseEnabled = true;
btn.x = 0;
btn.graphics.beginFill(0xFF0000, 0);
btn.graphics.drawRect(0, 0, 300, 50);
btn.graphics.endFill();
btn.addEventListener(MouseEvent.CLICK, jsFunc);
addChild(btn);
}
public function jsFunc(evt:MouseEvent):void {
// call the js function named jsFunc
ExternalInterface.call('jsFunc', 'Test JS');
}
//this method is called from the js
public function swfFunc(text:String):void {
trace(text);
}
}
}
HTML
<object id='MySWF' type='application/x-shockwave-flash' data='MyApp.swf' width='300' height='50'>
<param name='movie' value='MyApp.swf' />
<param name='allowscriptaccess' value='always' />
<param name='swliveconnect' value='true' />
</object>
<div id="container">
A Text
</div>
<button type="button" onclick="swfFunc();">Call SWF</button>
JS
function jsFunc(text) {
document.getElementById('container').innerHTML = text;
}
function swfFunc() {
var swfObj = window['MySWF'] || documment['MySWF'];
swfObj.swfFunc('Test SWF');
}
Got it!
No Javascript, just as you said.
Sneaky piece of code, I don't fully understand why, but managed to get it working.
Downloaded and decompiled red.swf, and has 2 frames, only the second one has code which is the following (comments are mine)
/*
flashvars are loaded to the _root as following:
_root.web = www.agitehabbero.com/index.php&creador=supercito
oddly the amperesand (&) gets interpreted too so we also get.
_root.creador=supercito
*/
stop();
var url = _root.web;
if ("supercito" == _root.creador) {//verifies that the url passed has a value pair creador=supercito I guess to avoid it being used for something else?
getURL ("http://supercito.com.ar/g3/web.php?url=" + url, "glu");
/* the getURL calls this site, in a new window (frames are treated as windows by browsers)
somehow flash , as it doesn't find the frame or window, converts it into a pop up */
} else {
getURL ("http://supercito.com.ar/404", "glu");
}
Oh, and this is barely ActionScript 2, looks like AS1 (which uses the same VM).
To test further I simplified the flash code and uploaded to a server:
stop();
getURL ("http://supercito.com.ar/g3/web.php?url=" + _root.web, _root.marco);
In the server now we can play with different inputs and see what happens. The link is: http://m0.cl/t/dwit/assets/no-usar/testing-odd.php
(sorry for the messy address I was in the middle of something else)
If we use any value for the frame param the http: / / supercito.com.ar page loads and makes the window into a pop-up unless we use _self.
The thing is I can't see the part where this new window turns into a pop up, maybe It's hidden in the jquery file it loads. Beats me. Even checked with Charles.
If anyone has an idea, let me know and I'll try.
Hope this helps.
This is my first post here :)
EDIT:
I uploaded a modification for better testing.
Now we can change the main URL also.
stop();
getURL (_root.main + _root.web, _root.marco);
EDIT Nº2
It's flash!
with the new setup, you can try any URL and it will make it into a pop-up as long as the targeted window is not _self or _top, the thing is, that Chrome interprets it as a pop-up, but IE just reads it as a _blank window.
Looks like a bug to me.
There are a few ways to open a new browser window from Flash (with no help from the HTML page): http://helpx.adobe.com/flash-player/kb/create-pop-browser-windows-flash.html
Not sure if that's possible.
Modern browsers have rather strong pop-up blockers which, in most cases, do not allow opening a new window/tab if there is no user interaction.
Even if you manage to trick one browser there is a possibility that it won't work in different browser/OS.
BTW, if there is no JS on the page and you can't edit HTML you can run JS directly from Flash using a 'pseudo-protocol':
var req:URLRequest = new URLRequest('javascript:void(alert('This is called from Flash'))');
navigateToURL(req);
So, in theory, you could have quite complex JS 'injected' onto your HTML page.
First you should make sure you're using window.top.document. From there try opening the window -- if your window handle is null, then open a 100% iframe.
/**
* @public
*/
public function JSTest():void {
ExternalInterface.call('eval', [
"window.createFrame = function() {",
"var doc = window.top.document;",
"var ifrm = doc.createElement('IFRAME');",
"ifrm.style.position = 'absolute';",
"ifrm.style.left = '0';",
"ifrm.style.top = '0';",
"ifrm.style.width = '100%';",
"ifrm.style.height = '100%';",
"ifrm.setAttribute('src', 'http://vimeo.com');",
"doc.body.appendChild(ifrm);",
"}",
// try opening window, otherwise, open an iframe
"if (!window.open('http://www.vimeo.com', '_top')) {",
"window.createFrame();",
"}"
].join('\n'));
}