BY superhei@ph4nt0m.org
Dz's forum upgrade notification is a nice feature. Many programs that pay attention to security have something similar, for example WordPress.
Let's first look at how dz implements it:
admin/global.func.php (line 438):
echo '<script language="JavaScript" src="http://customer.discuz.net/news.php?version='.rawurlencode(DISCUZ_VERSION).'&amp;release='.rawurlencode(DISCUZ_RELEASE).'&amp;php='.PHP_VERSION.'&amp;mysql='.$dbversion.'&amp;charset='.rawurlencode($charset).'&amp;bbname='.rawurlencode($bbname).'&amp;members='.$members.'&amp;threads='.$threads.'&amp;posts='.$posts.'&amp;msn='.$msns.'&amp;md5hash='.md5(preg_replace("/http:\/\/(.+?)\/.*/i", "\\1", $_SERVER['HTTP_REFERER']).$_SERVER['HTTP_USER_AGENT'].DISCUZ_VERSION.DISCUZ_RELEASE.$bbname.$members.$threads.$posts).'"></script>';
So the version and some forum information are submitted to customer.discuz.net through a remote JS request. Let's capture one:
GET /news.php?version=5.5.0&release=20070301&php=5.1.2&mysql=4.1.9-max&charset=gbk&bbname=Discuz%21%20Board&members=5&threads=21&posts=22&msn=0&md5hash=c322d618261ae0e89bece292886897d6 HTTP/1.1
Host: customer.discuz.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.8.1.6) Gecko/20070725 (FoxPlus) Firefox/2.0.0.6
....
The meaning of the variables sent:
DISCUZ_VERSION: the version number.
DISCUZ_RELEASE: the release date of that version.
// Both are defined in discuz_version.php:
define('DISCUZ_VERSION', '5.5.0');
define('DISCUZ_RELEASE', '20070301');
PHP_VERSION: the PHP version.
$dbversion: the MySQL version.
$charset: the forum's character encoding.
$bbname: the forum name.
$members, $threads, $posts and $msns: forum statistics. I guess dz collects these as customer information.
md5hash: md5(preg_replace("/http:\/\/(.+?)\/.*/i", "\\1", $_SERVER['HTTP_REFERER']).$_SERVER['HTTP_USER_AGENT'].DISCUZ_VERSION.DISCUZ_RELEASE.$bbname.$members.$threads.$posts). Note that HTTP_REFERER and HTTP_USER_AGENT go into the check value [a technique dz and pw both commonly use :)].
Below we do some simple black-box testing of these parameters. First, a test PHP script:
<?php
//$version = "5.5.0";
//$version = "5.5.0 and 1=1";
$version = "5.5.0<script>alert(document.cookie)</script>";
$res = "20070301";
$dbversion = "4.1.9-max";
$charset = "gbk";
$bbname = "1";
$members = "1";
$threads = "1"; // these three were left undefined in the original script; set so the URL is complete
$posts = "1";
$msns = "0";
//$posts = "%27";
//$msns = "<script>";
$sef = $_SERVER['HTTP_REFERER'];
$url = 'http://customer.discuz.net/news.php?version='.rawurlencode($version).'&release='.rawurlencode($res).'&php='.PHP_VERSION.'&mysql='.$dbversion.'&charset='.rawurlencode($charset).'&bbname='.rawurlencode($bbname).'&members='.$members.'&threads='.$threads.'&posts='.$posts.'&msn='.$msns.'&md5hash='
    .md5(preg_replace("/http:\/\/(.+?)\/.*/i", "\\1", $sef).$_SERVER['HTTP_USER_AGENT'].$version.$res.$bbname.$members.$threads.$posts);
print $url;
print '<iframe src="'.$url.'" height=1000 width=1000></iframe>';
?>
First, I used %27 and "and 1=1" on each variable to test for injection. Unfortunately, no obvious injection was found, so we moved on to testing XSS.
Testing showed that $version is filtered on input, but the value still appears in the returned content, so it can be used for XSS [apparently they did not know to filter that output path separately].
However, this has little practical value, mainly because you first need the HTTP_USER_AGENT and HTTP_REFERER of the target of your XSS; with social engineering, though, these are easy to obtain.
Second, this function collects information such as the PHP and MySQL versions, MSN count, users and posts. After submission this information is presumably stored in a database and then viewed in a management backend. In that update/insert ---> select flow, if any variable is not filtered, could we XSS the backend?
[Testing showed that several of the variables are clearly filtered, either cast to int or passed through a filtering function]
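As an added example (not code from this post or from Discuz), here is the client-side md5hash recomputed in Python, together with a hypothetical receiver-side validator for news.php of the kind the int/function filters above suggest: format whitelists for version and release, integer checks for the counters, and recomputation of md5hash from the referer host, User-Agent and forum data. The N.N.N/YYYYMMDD formats, the php/mysql/charset values and the bbs.example.test referer are assumptions.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlencode, urlparse

NEWS_URL = "http://customer.discuz.net/news.php"  # endpoint seen in the captured request
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")      # hypothetical whitelist, e.g. 5.5.0
RELEASE_RE = re.compile(r"^\d{8}$")              # hypothetical whitelist, e.g. 20070301

def referer_host(referer: str) -> str:
    # Same transform as preg_replace("/http:\/\/(.+?)\/.*/i", "\\1", $_SERVER['HTTP_REFERER'])
    return re.sub(r"http://(.+?)/.*", r"\1", referer, flags=re.IGNORECASE)

def md5hash(referer, user_agent, version, release, bbname, members, threads, posts):
    # The client's check value: md5 of referer host . User-Agent . version . release . bbname . counters
    data = (referer_host(referer) + user_agent + version + release + bbname
            + str(members) + str(threads) + str(posts))
    return hashlib.md5(data.encode("utf-8")).hexdigest()

def build_news_url(referer, user_agent, version, release, bbname, members, threads, posts):
    # Rebuilds the URL admin/global.func.php puts into the <script src> tag (php/mysql/charset constructed)
    params = {"version": version, "release": release, "php": "5.1.2", "mysql": "4.1.9-max",
              "charset": "gbk", "bbname": bbname, "members": members, "threads": threads,
              "posts": posts, "msn": 0,
              "md5hash": md5hash(referer, user_agent, version, release, bbname, members, threads, posts)}
    return NEWS_URL + "?" + urlencode(params)

def validate_news_query(url, referer, user_agent):
    # Hypothetical receiver-side check for news.php; returns the reasons to reject (empty list = accept)
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query, keep_blank_values=True).items()}
    reasons = []
    if not VERSION_RE.match(q.get("version", "")):
        reasons.append("version: not N.N.N")
    if not RELEASE_RE.match(q.get("release", "")):
        reasons.append("release: not YYYYMMDD")
    for field in ("members", "threads", "posts", "msn"):
        if not q.get(field, "").isdigit():
            reasons.append(field + ": not an integer")
    expected = md5hash(referer, user_agent, q.get("version", ""), q.get("release", ""),
                       q.get("bbname", ""), q.get("members", ""), q.get("threads", ""), q.get("posts", ""))
    if q.get("md5hash", "") != expected:
        reasons.append("md5hash: does not match referer/user-agent/forum data")
    return reasons

if __name__ == "__main__":
    ref, ua = "http://bbs.example.test/admincp.php?action=home", "Mozilla/5.0 (constructed)"
    good = build_news_url(ref, ua, "5.5.0", "20070301", "Discuz! Board", 5, 21, 22)
    print(validate_news_query(good, ref, ua))           # [] : accepted
    bad = build_news_url(ref, ua, "5.5.0 and 1=1", "20070301", "Discuz! Board", 5, 21, 22)
    print(validate_news_query(bad, ref, ua))            # version rejected by the whitelist
```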
Could there be a vulnerability in the src pointing at a remote js, that is, does the tool execute your code in order to decide? But all of this is only speculation (YY); I do not know the actual code or how the backend is managed :(.
The bug in this article is not significant in itself. I just want to describe the testing approach, without code: starting from the feature, think about how the programmer probably implemented it --> imagine (YY) the pseudo-code --> test for the bugs that could exist.