In Discuz!, the subject fields of posts, replies, PMs, etc. are not filtered, so script code can be added to them.
For example
http://xxx/post.php?action=newthread&fid=2...cript%3E%3Cb%22
The effect is that your own cookie pops up first.
Usage: place the above code in an img.
Applicable version: discuz! 2.x
discuz! 3.x
A way to exploit a Discuz! 2.0 vulnerability to deceive members and obtain cookies
Testing the PM function of the XXXFan forum revealed a security vulnerability. The specific description is as follows:
On XXXFan, the link for sending a whisper (PM) to a member is as follows (assuming that the member's name is XXXFan)
http://XXX/pm.php?action=send&username=XXXFan
Because the forum program does not filter the member name but displays it directly in the send column (TO:), script code can be appended after the name. For example
http://XXX/pm.php?action=send&username=XXXFan ";><script>alert(document.cookie)</script>
After clicking the above link, the first thing that pops up is your own cookie content.
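The unfiltered TO: field described above, shown beside a hardened version. This is an added example, not Discuz! source code or code from the original article; the function names, the `msgto` field name and the username policy are assumptions made for illustration.

```php
<?php
// Added example: hypothetical PM "send" form code, not Discuz! source.

// Vulnerable pattern: the username parameter is copied unchanged into the
// value attribute, so a quote character in it ends the attribute early.
function render_to_field_vulnerable(string $username): string
{
    return '<input type="text" name="msgto" value="' . $username . '">';
}

// Assumed policy: 1-15 letters, digits or underscores.
function is_valid_username(string $username): bool
{
    return preg_match('/\A[\p{L}\p{N}_]{1,15}\z/u', $username) === 1;
}

// Hardened: encode for the HTML attribute context at output time.
function render_to_field_safe(string $username): string
{
    $encoded = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="msgto" value="' . $encoded . '">';
}

// Defence in depth: a session cookie marked HttpOnly is not readable
// through document.cookie even if markup is injected somewhere else.
function harden_session_cookie(): void
{
    session_set_cookie_params([
        'path' => '/',
        'secure' => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

harden_session_cookie(); // must run before session_start() and any output

// Constructed sample input: a name followed by harmless markup.
$sample = 'XXXFan"><b>injected</b>';
echo render_to_field_vulnerable($sample), PHP_EOL; // attribute is broken out of
echo render_to_field_safe($sample), PHP_EOL;       // markup arrives as inert text
echo is_valid_username($sample) ? 'accept' : 'reject with HTTP 400', PHP_EOL;
```

Encoding belongs at the point of output even when the allowlist check is in place, because other pages may display the same value from storage.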
Of course we can first construct a program on our own site to collect cookies, similar to
getcookie.php?cookie=
But how do you induce members to click? If the link is simply placed on the forum, it is too easy to identify. Therefore, you can use another function of the Discuz! forum program, the "post to friends" function.
Because this Discuz! function does not filter, verify, or apply a template to the e-mail address that is filled in, you can send letters to others in anyone's name, which is very safe to do. Using this function, we can forge the administrator of ExploitFan sending a letter to a member to induce the member to click on the URL we prepared. How you induce the member depends on your own method. For example, you can say "The forum is testing new features, please help click on the above address, and we will record your click in the background and add points to you as a reward at the appropriate time", etc.
Because the link address is XXXFan's, and the sender and e-mail address are both XXXFan's official addresses, the credibility is very high and no clues will be left. Of course, for higher security, the content in the script tag can be encrypted to further increase concealment.
As for the cookies once obtained, you can try cookie spoofing or brute-force cracking of the MD5 passwords.
This method is suitable for most forums that use Discuz! 2.0. As for Discuz! 3.0, please refer to the Discuz! whisper vulnerability I published before.

【BUG】Discuz! Voting BUG
You can vote using
misc.php?action=votepoll&fid=2&tid=16980&pollanswers[]=n
(n is an option, starting from 0)
to vote directly through the URL.
But what if n is greater than the largest option, hehe~
The submission is still successful, but an option with an empty title is added.
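The missing range check behind the voting bug above, written as a server-side validator. This is an added example, not Discuz! source code or code from the original article; the function name, the exception messages and the sample poll are assumptions made for illustration.

```php
<?php
// Added example: hypothetical poll handler, not Discuz! source.

// Return the validated option indexes, or throw if any submitted value
// does not refer to an existing option of this poll.
function validate_poll_answers($submitted, array $options, bool $multiple): array
{
    if (!is_array($submitted) || $submitted === []) {
        throw new InvalidArgumentException('no answer submitted');
    }
    $valid = [];
    foreach ($submitted as $raw) {
        // Accept only canonical non-negative integers ("0", "1", ...).
        if (!is_string($raw) || !preg_match('/\A(0|[1-9][0-9]{0,3})\z/', $raw)) {
            throw new InvalidArgumentException('malformed option index');
        }
        $n = (int) $raw;
        // The check the bug report shows is missing: n must be an option.
        if (!array_key_exists($n, $options)) {
            throw new InvalidArgumentException('option does not exist');
        }
        $valid[$n] = true; // de-duplicate repeated indexes
    }
    if (!$multiple && count($valid) > 1) {
        throw new InvalidArgumentException('single-choice poll');
    }
    return array_keys($valid);
}

// Constructed sample data: a three-option poll and three submissions,
// shaped like the pollanswers[] parameter in the URL above.
$options = ['Yes', 'No', 'Undecided'];
foreach ([['1'], ['3'], ['-1']] as $answers) {
    try {
        $ok = validate_poll_answers($answers, $options, false);
        echo 'accepted: ', implode(',', $ok), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Because the vote is cast by a plain URL, the handler should also require POST and a per-session token so that a link alone cannot cast a vote.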

