In Discuz!, the subject fields of new threads, replies, PMs and similar forms are not filtered, so script code can be injected there as well.
For example:
http://xxx/post.php?action=newthread&fid=2...%3E%3Cb%22
The result is that a pop-up first displays your own cookie.
Exploitation method: place the above code inside an img tag.
Applicable versions: Discuz! 2.x
Discuz! 3.x
Discuz! 2.0: obtaining cookies by deception
A security vulnerability exists in the PM (private message) function of the XXXFan forum. It is described as follows.
The following is the private-message link to a member on XXXFan (assume the member's name is XXXFan):
http://XXX/pm.php?action=send&username=XXXFan
Because the forum program does not filter the member name but displays it directly in the "TO:" field, script code can be appended after the name. For example:
http://XXX/pm.php?action=send&username=XXXFan";><script>alert(document.cookie)</script><B%20"
After clicking the above link, the pop-up shows your own cookie.
Of course, a cookie-collecting program could first be set up on one's own site, something like
getcookie.php?cookie=
But how can members be tricked into clicking? A link simply posted on the forum is too easily recognized. Another feature of the Discuz! forum program, "post to friends", can therefore be used.
Because Discuz! does not filter, verify or template the entered email address, this feature can impersonate anyone when sending mail to others, which makes it very stealthy. Using it, one could forge a letter from an ExploitFan administrator to a member, enticing the member to click the prepared URL; the wording of the lure is up to the sender, for example: "The forum is testing new features. Please click the address above. We will record your clicks in the background and add points to your account as a reward."
Because the link address points to XXXFan, and the sender name and email address are both official XXXFan addresses, the message is highly credible and leaves no handle. For even greater concealment, the content inside <script> can be encoded.
With the cookie in hand, you can attempt cookie spoofing or brute-force the MD5 password.
This method applies to most forums running Discuz! 2.0. For Discuz! 3.0, refer to the Discuz! Whisper vulnerability I posted earlier.
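As an added example, not code from the original post or from Discuz! itself, the snippet below shows the unsafe rendering of the member name that the pm.php link above relies on, next to a hardened version that HTML-encodes it before output; the function names and the username character rule are assumptions.

```php
<?php
// Added example (not Discuz! code). Assumption: $username arrives straight
// from the query string, as the advisory describes for pm.php?username=...

// Vulnerable rendering: the raw member name is written into an attribute
// context, so a name ending in  ";><script>...</script><B "  closes the
// attribute and the tag and leaves a live <script> element on the page.
function render_to_field_vulnerable(string $username): string
{
    return '<input type="text" name="username" value="' . $username . '">';
}

// Hardened rendering: encode for the HTML attribute context. ENT_QUOTES makes
// htmlspecialchars() encode both " and ', so the quote that the payload uses
// to break out of value="..." becomes &quot; and stays inside the attribute;
// < and > become &lt; and &gt;, so no element is created.
function render_to_field_safe(string $username): string
{
    $encoded = htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="username" value="' . $encoded . '">';
}

// Defence in depth: validate member names against an allowed character set
// before they are stored or echoed (rule constructed for this example:
// letters, digits and underscore, 2 to 20 characters).
function is_valid_username(string $username): bool
{
    return (bool) preg_match('/^[\p{L}\p{N}_]{2,20}$/u', $username);
}

// Demonstration with the payload shape from the advisory (constructed input).
$payload = 'XXXFan";><script>alert(document.cookie)</script><B "';

echo "Vulnerable: ", render_to_field_vulnerable($payload), PHP_EOL;
echo "Hardened:   ", render_to_field_safe($payload), PHP_EOL;
echo "Valid name 'XXXFan': ", var_export(is_valid_username('XXXFan'), true), PHP_EOL;
echo "Valid name (payload): ", var_export(is_valid_username($payload), true), PHP_EOL;
```

The same encoding applies to every user-controlled value the forum echoes, including the post and PM subject fields mentioned at the top of the page.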
[BUG] Discuz! Voting BUG
Votes can be cast directly through a URL:
misc.php?action=votepoll&fid=2&tid=16980&pollanswers[]=n
(n is the option index, starting from 0)
But what if n is greater than the index of the largest option?
The submission succeeds, and an option with a blank title is added to the poll.