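### Brief description:
This one has to be rated high severity~!!!!!!!!!!!
How about giving it a lightning bolt?
### Detailed description:
I'm a newbie and can't audit code~
So let's get straight to the point~!
discuz3.0-3.2 has a feature called live threads. Even a trainee moderator can turn it on~
Next, we first use the admin account to turn a thread into a live thread!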
[<img src="https://images.seebug.org/upload/201503/04212124e8516134b6f28e1b2100e656d7d4f3cb.jpg" alt="dz3.0.jpg" width="600">](https://images.seebug.org/upload/201503/04212124e8516134b6f28e1b2100e656d7d4f3cb.jpg)
Next, we use a newly registered user... ahem, you have to wait two minutes before you can post~
Then use the waiting time to prepare the exp
[<img src="https://images.seebug.org/upload/201503/0421260499406eedebb6ac8ddb676fd93afc3794.jpg" alt="10.jpg" width="600">](https://images.seebug.org/upload/201503/0421260499406eedebb6ac8ddb676fd93afc3794.jpg)
Encode it as base16~
[<img src="https://images.seebug.org/upload/201503/0421270432463e64acc73882e009092b7104483e.jpg" alt="11.jpg" width="600">](https://images.seebug.org/upload/201503/0421270432463e64acc73882e009092b7104483e.jpg)
Click Post
[<img src="https://images.seebug.org/upload/201503/0421274505cab07b8df963fd7006dc344b6cdfc3.jpg" alt="12.jpg" width="600">](https://images.seebug.org/upload/201503/0421274505cab07b8df963fd7006dc344b6cdfc3.jpg)
Heh. The alert popped up
### Proof of vulnerability:
OK. Moving on
Test on discuz 3.1
[<img src="https://images.seebug.org/upload/201503/042130198c24b0b24a6e36de38f9d5fafabad89e.jpg" alt="dz3.1.jpg" width="600">](https://images.seebug.org/upload/201503/042130198c24b0b24a6e36de38f9d5fafabad89e.jpg)
Test on discuz 3.2
[<img src="https://images.seebug.org/upload/201503/04213419acca247f26620dbc967708d70fca7591.jpg" alt="dz3.2.jpg" width="600">](https://images.seebug.org/upload/201503/04213419acca247f26620dbc967708d70fca7591.jpg)
exp:
```
\x22\x3e\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e\x3c\x69\x66\x72\x61\x6d\x65\x2f\x6f\x6e\x6c\x6f\x61\x64\x3d\x61\x6c\x65\x72\x74\x28\x31\x29\x3e
```
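Why HTML-escaping alone does not stop input typed in this `\xNN` form, as an added example that is not part of the original report and not Discuz code. It assumes the live-thread post is HTML-escaped on the server and then printed inside a JavaScript string literal (the report does not show the sink); `htmlEscape`, `jsStringEscape` and `evalAsJsString` are hypothetical names.

```javascript
// Added example, not Discuz code. Assumed sink: the server HTML-escapes the
// post and then prints it inside a JavaScript string literal.

// Naive server-side filter (hypothetical): escapes HTML metacharacters only.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened encoder for a JS string context: every character outside
// [A-Za-z0-9 ,._-] becomes \uXXXX, so a typed backslash stays a backslash.
function jsStringEscape(s) {
  return s.replace(/[^A-Za-z0-9 ,._-]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Stand-in for the browser parsing `var msg = "<value>";` (no DOM involved).
function evalAsJsString(embedded) {
  return new Function('return "' + embedded + '";')();
}

// Constructed sample in the same \xNN form as the exp: the typed characters
// are backslash, x, 3, c ... and contain no HTML metacharacters at all.
const typed = String.raw`\x3cb\x3ehi\x3c\x2fb\x3e`;

function demo() {
  const weak = evalAsJsString(htmlEscape(typed));         // filter saw nothing to escape
  const hardened = evalAsJsString(jsStringEscape(typed)); // backslashes neutralised
  return { weak, hardened };
}

console.log(demo());
```

Even with the hardened encoder, the decoded value should be written to the page with `textContent` rather than `innerHTML`, so it is never parsed as markup.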