Discuz! Cross-Site Scripting Encyclopedia (PHP tutorial)
Jul 13, 2016 05:12 PM
In Discuz!, the subject of a post, reply, private message and so on is not filtered, so script code can be placed there as well.
For example:
http://xxx/post.php?action=newthread&fid=2...cript%3E%3Cb%22
Opening it pops up your own cookie first.
Usage: the above code is placed inside an img tag.
Applicable versions: Discuz! 2.x
Discuz! 3.x
Exploiting the Discuz! 2.0 vulnerability: tricking members into giving up their cookies
While testing the PM (private message) function of the XXXFan forum, a security vulnerability was found. Details are as follows:
XXXFan sends a member a private-message link like the following (assume the member's name is XXXFan):
http://XXX/pm.php?action=send&username=XXXFan
Because the forum program does not filter the member name but writes it straight into the recipient (TO:) field of the send form, script code can be appended after the name. For example:
http://XXX/pm.php?action=send&username=XXXFan ";><script>alert(document.cookie)</script><b%20"
Clicking the link above first pops up your own cookie contents, since the alert runs in the browser of whoever opens the link.
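The TO: field above and the unfiltered post subject mentioned at the top of the page are the same defect: a request parameter is written into HTML without output encoding. The following is an added example, not Discuz! code; the form field name "msgto" and the template shape are assumptions, and only the payload is modelled on the pm.php URL quoted above.

```php
<?php
// Added example, not Discuz! code. The form field name "msgto" and the
// template shape are assumptions; only the payload is modelled on the URL
// quoted in the article. The same pattern applies to the unfiltered post
// subject mentioned at the top of the page.

// Constructed input modelled on the pm.php payload: the leading quote and ">"
// close the value="..." attribute and the <input> tag, the script then runs,
// and the trailing <b " re-opens a quoted attribute so the page still parses.
$payload = 'XXXFan";><script>alert(document.cookie)</script><b "';

// Vulnerable rendering: the request parameter is echoed straight into the
// attribute, which is what the article describes for the TO: column.
function render_to_field_vulnerable(string $username): string
{
    return '<input type="text" name="msgto" value="' . $username . '">';
}

// Fixed rendering: htmlspecialchars() with ENT_QUOTES turns ", ', <, > and &
// into entities, so the value can neither end the attribute nor open a tag.
function render_to_field_fixed(string $username): string
{
    $safe = htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="msgto" value="' . $safe . '">';
}

// Minimal check: does a raw <script tag survive into the rendered markup?
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

foreach ([
    'vulnerable' => render_to_field_vulnerable($payload),
    'fixed'      => render_to_field_fixed($payload),
] as $label => $html) {
    printf("%-10s %s\n           script tag present: %s\n",
        $label, $html, contains_script_tag($html) ? 'yes' : 'no');
}
```

Run with `php` on the command line. In the vulnerable output the attribute is closed by the payload's own quote and the script tag appears as live markup; in the fixed output the quotes and angle brackets arrive as entities inside the attribute value, so the browser treats the whole string as the field's text. Encoding must match the context (an attribute here); a filter that only strips the literal string `<script>` would still let other tags and event-handler attributes through.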
Of course, a cookie collector can first be set up on your own site, something like
getcookie.php?cookie=
But how do you get members to click it? If it is simply posted on the forum it is too easy to spot. So another Discuz! feature can be used: the "post to friends" (send to a friend) function.
Because this Discuz! function performs no filtering, verification or fixed template on the e-mail address entered, anyone can be impersonated when sending mail to others, and it is very safe for the attacker. With it we can pose as the administrator of ExploitFan and send a member a letter that induces them to click the URL we prepared. How to persuade the member is up to you; for example: "The forum is testing a new feature, please help by clicking the address above; we will record your click in the background and award you points at a suitable time", and so on.
Because the link points to XXXFan's own domain and both the sender name and the e-mail address are XXXFan's official ones, it is highly credible and leaves no clues. For extra safety, the content inside <script> can be encoded to make it harder to recognise.
As for what to do with the cookies obtained, try cookie spoofing (reusing them as your own session) or brute-forcing the MD5 password hash.
This method works on most forums running Discuz! 2.0. For Discuz! 3.0, refer to the Discuz! whisper (PM) vulnerability I published earlier.
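The "post to friends" weakness described above is that the sender address is whatever the poster typed into the form. Below is an added example, not Discuz! code, contrasting that pattern with a version that fixes the envelope sender to the forum and takes the reply address from the logged-in account. The field names, the session array and the forum address are assumptions; no mail is actually sent.

```php
<?php
// Added example, not Discuz! code. It contrasts the "post to friends" pattern
// the article describes (sender address taken from the form) with a version
// that fixes the sender to the logged-in account. Field names, the session
// array and the forum address are assumptions; no mail is actually sent.

// Constructed form submission: the poster types the administrator's address.
$form = [
    'from'    => 'admin@xxx.example',        // forged: nothing ties it to the poster
    'to'      => 'member@example.com',
    'subject' => 'The forum is testing a new feature',
];

// Constructed session: who is really logged in and sending the form.
$sessionUser = ['username' => 'attacker', 'email' => 'attacker@example.com'];

// Vulnerable: the form value becomes the From: header unchanged. Besides the
// forged sender, a CR/LF inside the value would append further headers.
function build_headers_vulnerable(array $form): string
{
    return "From: {$form['from']}\r\n";
}

// Fixed: From: is always the forum's own address, the visible sender name is
// the logged-in username, and Reply-To comes from the account's registered
// e-mail after validation. FILTER_VALIDATE_EMAIL rejects CR/LF, which also
// closes the header-injection route for any value that reaches a header.
function build_headers_fixed(array $sessionUser, string $forumAddress): ?string
{
    $reply = filter_var($sessionUser['email'], FILTER_VALIDATE_EMAIL);
    $name  = preg_replace('/[\r\n"]/', '', $sessionUser['username']);
    if ($reply === false || $name === null || $name === '') {
        return null;
    }
    return "From: \"{$name} via forum\" <{$forumAddress}>\r\nReply-To: {$reply}\r\n";
}

echo "vulnerable headers:\n", build_headers_vulnerable($form), "\n";
echo "fixed headers:\n", build_headers_fixed($sessionUser, 'noreply@forum.example') ?? "rejected\n";

// A registered address containing CR/LF (constructed) is refused outright.
$bad = ['username' => 'attacker', 'email' => "x@example.com\r\nBcc: victim@example.com"];
var_dump(build_headers_fixed($bad, 'noreply@forum.example'));
```

The point of the fixed builder is that the recipient can no longer see "the administrator's address" as the sender: the From: line is the forum's, the display name is the account that really submitted the form, and nothing the poster typed reaches a header without validation.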
[BUG] Discuz! voting bug
A vote can be cast with
misc.php?action=votepoll&fid=2&tid=16980&pollanswers[]=n
(n is an option index, starting from 0),
that is, directly through the URL.
But what if n is larger than the highest option index? Hehe...
The submission still succeeds, and an option with an empty title is added to the poll.
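What is happening is that the submitted index is used as an array key without a bounds check, so an unknown key becomes a new counter that the template then lists with no title. The following is an added example, not Discuz! code, that reproduces that behaviour next to a validated tally; the option storage and the request shape are assumptions for illustration.

```php
<?php
// Added example, not Discuz! code. It reproduces the behaviour the article
// describes (an out-of-range pollanswers[] index is accepted and creates an
// untitled option) and a validated tally. The option storage and the request
// shape are assumptions for illustration.

// Constructed poll with three options; indexes start from 0 as in the article.
$pollOptions = ['Yes', 'No', 'Undecided'];
$votes = array_fill(0, count($pollOptions), 0);

// Unchecked: each submitted index is used directly as an array key, so
// pollanswers[]=5 silently creates a new counter with no matching title.
function tally_unchecked(array $votes, array $answers): array
{
    foreach ($answers as $n) {
        $votes[$n] = ($votes[$n] ?? 0) + 1;
    }
    return $votes;
}

// Checked: every index must be an integer in 0..count-1 and not repeated;
// otherwise the whole submission is rejected and nothing is written.
function tally_checked(array $pollOptions, array $votes, array $answers): ?array
{
    $range = ['options' => ['min_range' => 0, 'max_range' => count($pollOptions) - 1]];
    $seen = [];
    foreach ($answers as $n) {
        $idx = filter_var($n, FILTER_VALIDATE_INT, $range);
        if ($idx === false || isset($seen[$idx])) {
            return null;
        }
        $seen[$idx] = true;
        $votes[$idx]++;
    }
    return $votes;
}

// Renders the poll the way a template that iterates over the vote keys would,
// which is where the empty title shows up.
function render_poll(array $pollOptions, array $votes): string
{
    $out = '';
    foreach ($votes as $idx => $count) {
        $title = $pollOptions[$idx] ?? '';
        $out .= sprintf("[%d] '%s': %d\n", $idx, $title, $count);
    }
    return $out;
}

// Constructed request equivalent to ...&pollanswers[]=5 from the article's URL.
$answers = ['5'];
echo "unchecked:\n", render_poll($pollOptions, tally_unchecked($votes, $answers));

$rejected = tally_checked($pollOptions, $votes, $answers);
echo "checked (out of range): ", $rejected === null ? "rejected\n" : render_poll($pollOptions, $rejected);

$ok = tally_checked($pollOptions, $votes, ['1']);
echo "checked (valid vote for option 1):\n", $ok === null ? "rejected\n" : render_poll($pollOptions, $ok);
```

FILTER_VALIDATE_INT with a range does the work of the bounds check in one call: it refuses negative numbers, non-numeric strings and floats as well as indexes past the last option, so the only thing the tally ever writes is a key that already exists.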