Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


Discuz! full-version stored DOM XSS (can hit administrators), four pitfalls in Discuz's official development process, and a verification script

Posted by mitry at 2020-04-06

2015-08-17  Category: PHP  Views: 1495  Comments: 0

Four big pitfalls in Discuz's official development process:

1. The official patch and a diff of the latest installation package do not necessarily agree, so after a background (admin-panel) upgrade, or a manual update to the new version, a vulnerability that the patch already fixed can still be present.
2. No announcement is made when a patch is issued, so sites with secondary development, worried about compatibility, do not update right away.
3. Code is changed online (on the official site) without any patch being issued.
4. The release time of the new installation package and that of the patch posted on the forum are inconsistent.

See

Stored XSS caused by the Discuz editor's JS mishandling post content. Cause: the JS reads the post body's HTML content straight out of the DOM element, which undoes the server-side escaping of single and double quotes to entities (the browser's HTML parser has already decoded &quot; and &#039; back to literal quotes by the time the script reads them), so the quotes are live again when the script builds HTML from the text. Code analysis: the payload tested locally against the latest version is:

[align="onmouseover="alert(1)]

On 2015-01-21 the official forum quietly changed the code, so the payload above is now filtered, but using the

it can be bypassed. Edit page: /forum.php?mod=post&action=edit&fid=xx&tid=xx&pid=xx&page=x. Relevant files: /static/js/common.js, /static/js/bbcode.js, /static/js/editor.js.

Debugging process:

Trigger process:

Post a thread, entering the payload in the editor; the supported BBCode tags can be seen in bbcode.js.

Then click Edit on that post and the payload fires. Because the flaw is in the editor front end, everyone who has permission to edit the post and opens it in the editor is affected, moderators and administrators included; the attacker only needs to be able to post.
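To make the mechanism concrete, here is an added example in JavaScript; it is not Discuz's code and is not taken from bbcode.js or editor.js. It models the chain the write-up describes: the server entity-escapes quotes, the browser decodes the entities while parsing the edit page, and the editor's BBCode-to-HTML regex then writes the decoded tag argument into an attribute. The function names, the align regex, the value whitelist and the sample post (the write-up's payload with a closing tag and body text added) are all assumptions of the example, and the hardened variant is one possible fix, not the one Discuz shipped.

```javascript
// Added example, not Discuz's code: a model of the mechanism described above.
// Pipeline: server escapes quotes -> page HTML -> browser decodes entities while
// parsing -> editor JS reads the decoded text and turns BBCode into HTML with a
// regex -> browser parses that HTML, so the quotes are live again.

// Server side, modelled on PHP htmlspecialchars() with ENT_QUOTES: quotes become
// entities before the post body is written into the edit page.
function serverEscape(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Browser side: the HTML parser decodes those entities while building the DOM,
// so script that reads the body back out of the element sees raw quotes.
// (&amp; is decoded last so that "&amp;quot;" is not decoded twice.)
function browserDecode(s) {
  return s
    .replace(/&quot;/g, '"')
    .replace(/&#039;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Vulnerable BBCode-to-HTML step: the [align=...] argument is dropped into an
// attribute unchecked. This models the behaviour the write-up describes; the
// regex is an assumption of the example, not the one in bbcode.js.
function bbcode2htmlVulnerable(bb) {
  return bb.replace(/\[align=(.*?)\](.*?)\[\/align\]/gi, '<div align="$1">$2</div>');
}

// Hardened step (one possible fix): only the values the tag can legitimately
// take reach the attribute; anything else loses the tag. Body text is treated
// as plain text in this model and escaped for the HTML text context.
const ALIGN_VALUES = new Set(['left', 'center', 'right', 'justify']);
function bbcode2htmlHardened(bb) {
  return bb.replace(/\[align=(.*?)\](.*?)\[\/align\]/gi, (match, arg, body) => {
    const v = arg.trim().toLowerCase();
    const text = serverEscape(body);
    return ALIGN_VALUES.has(v) ? `<div align="${v}">${text}</div>` : text;
  });
}

// What the editor ends up inserting into the page when a post is opened for
// editing: escape on the server, decode in the browser, convert in JS.
function editorRender(postBody, convert) {
  const decoded = browserDecode(serverEscape(postBody));
  return convert(decoded);
}

// Detection helper for the rendered fragment: an attribute name starting with
// "on" right after whitespace or a quote means an inline event handler got in.
function hasEventHandler(html) {
  return /[\s"']on[a-z]+\s*=/i.test(html);
}

// Constructed sample post: the write-up's payload, with a closing tag and body
// text added for the demo.
const PAYLOAD = '[align="onmouseover="alert(1)]hover me[/align]';

console.log(editorRender(PAYLOAD, bbcode2htmlVulnerable));
// <div align=""onmouseover="alert(1)">hover me</div>
console.log(editorRender(PAYLOAD, bbcode2htmlHardened));
// hover me
```

Run it with node. The point to take away is that serverEscape followed by browserDecode is an identity on the post body: the server-side escaping protects the edit page itself, but not the string the editor script goes on to build HTML from, so the fix has to live where the HTML is built (validate or attribute-encode the tag argument in the JS), and checking the site's page source for &quot; tells you nothing about whether this path is safe.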