Discuz full-version storage XSS Analysis

Source: Internet
Author: User

Discuz gives post administrators (moderators) a function for editing the comments that users submit. Because the front-end JavaScript handles the comment text improperly, a maliciously constructed comment becomes an XSS once the moderator interacts with it. The following walks through how the vulnerability forms by debugging the payload step by step.

First, submit the comment in the comment area: 2

The server filters quotation marks: viewing the page source shows that the quotation marks have been converted to HTML entities.

Administrators and moderators have the right to manage comments submitted by ordinary users.

When an administrator or moderator clicks on a user's comment, the front-end JavaScript starts processing and displays an edit box for them to work in. The JavaScript first obtains the content of the user's comment. The code is located on the current page:

The $() function is defined in /static/js/common.js:

It uses the native document.getElementById() to obtain the corresponding object on the page. Here the element with id="e_textarea" is obtained, and its value is the content of the user comment.

Because this is a native DOM accessor, the quotation marks that the server's back end entity-encoded are decoded back into literal quotation marks when the value is read:

After obtaining the id="e_textarea" object, the code checks the browser and assigns the result to the variable wysiwyg.

Another piece of JavaScript on the page checks the value of wysiwyg and then starts rendering the edit box:

Firefox was used for testing. The wysiwyg variable above has the value 1, so the following code is executed:

newEditor(1, bbcode2html(textobj.value))

The value of textobj.value is 2 (the object obtained by document.getElementById() has already decoded the entities).

Before newEditor() runs, the passed content is converted and filtered by the function bbcode2html(). That function is defined in /static/js/bbcode.js. The following is part of the code in which Discuz processes the BBCode tags it supports.

The program matches each supported BBCode tag and replaces it, by regular expression, with the corresponding front-end HTML. The payload for the next test is 2, so the line marked in red in the figure (the [email] replacement) is executed:

str = str.replace(/\[email=(.[^\[]*)\](.*?)\[\/email\]/ig, '$2');

After the regular expression match and replacement, the value of str becomes: 2.

Finally, bbcode2html() returns the converted textobj.value with the following value: 2

Then newEditor() is called to render the edit box. The function is defined in /static/js/editor.js.

From the function definition we can see that the code checks the browser type again and then starts rendering. Because the wysiwyg variable has the value 1, it eventually executes

writeEditorContents(isUndefined(initialtext) ? textobj.value : initialtext);

When newEditor() is called, the initialtext parameter is passed, and its value is textobj.value after processing by bbcode2html().

The front-end JavaScript finally renders the page with writeEditorContents(). In the process, the value of initialtext is written directly into the page, which forms the XSS.

After rendering is successful, view the page source code:

alert(2) is triggered when the administrator or moderator interacts with it.

Even when the back-end server filters and escapes the input, XSS can still arise during the front-end rendering described above.
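The chain above (server entity-encodes quotes, textarea.value decodes them, bbcode2html() builds HTML from the decoded text), as an added example that is not Discuz's own code. The [email] HTML template is an assumption, since the page shows only '$2' as the replacement; the textarea decoding is simulated because Node has no DOM. The hardened variant re-encodes the captured groups before they enter HTML.

```javascript
// Stage 1: the server entity-encodes quotation marks in the stored comment.
function serverEncode(comment) {
  return comment.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Stage 2: reading textarea.value in the browser. The HTML parser decodes the
// entities, so .value yields literal characters again (simulated here, no DOM).
function textareaValue(html) {
  return html.replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&amp;/g, '&');
}

// Stage 3: the bbcode2html [email=...] rule. The HTML template is assumed; the
// page's extracted copy shows only '$2'. $1 is dropped into an attribute unescaped.
function bbcode2htmlEmail(str) {
  return str.replace(/\[email=(.[^\[]*)\](.*?)\[\/email\]/ig,
    '<a href="mailto:$1" target="_blank">$2</a>');
}

// Hardened variant: re-encode the captured groups at the point where they
// are placed into HTML, since the server's encoding has already been undone.
function htmlEscape(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function bbcode2htmlEmailSafe(str) {
  return str.replace(/\[email=(.[^\[]*)\](.*?)\[\/email\]/ig,
    (m, addr, text) =>
      `<a href="mailto:${htmlEscape(addr)}" target="_blank">${htmlEscape(text)}</a>`);
}

// Run a comment through all three stages with the chosen converter.
function render(comment, convert) {
  return convert(textareaValue(serverEncode(comment)));
}

// Constructed sample: a quotation mark inside the [email=] attribute value.
const SAMPLE = '[email=a"b@example.com]hello[/email]';

console.log(render(SAMPLE, bbcode2htmlEmail));      // quote lands inside href, boundary broken
console.log(render(SAMPLE, bbcode2htmlEmailSafe));  // quote stays encoded as &quot;
```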
