PHPYUN ignores GPC (the whole site's data can be injected)

Published: 2025-04-13
Revised: 2025-04-13

### Brief description:

PHPYUN ignores GPC (the whole site's data can be injected). The injection point allows 180 characters, which in practice is no limit at all: anything can be injected out through it.

### Detailed description:

First, look at this file: api/locoy/model/news.class.php:

```php
class news_controller extends common{
    function addnews_action(){ // add news
        include("locoy_config.php");
        if($locoyinfo['locoy_online']!=1){
            echo 4;die;
        }
        if($locoyinfo['locoy_key']!=trim($_GET['key'])){
            echo 5;die;
        }
        if(!$_POST['title'] || !$_POST['content'] || !$_POST['nid']){
            echo 2;die;
        }
        // POST values are concatenated straight into the WHERE clause
        $row=$this->obj->DB_select_once("news_base","`title`='".trim($_POST['title'])."' and `nid`='".$_POST['nid']."'");
        if(is_array($row)){
            echo 3;die;
        }
        $content=$_POST['content'];
        $value="";
        $value.="`title`='".trim($_POST['title'])."',";
        $value.="`nid`='".$_POST['nid']."',";
        $value.="`did`='0',";
        $value.="`author`='".$_POST['author']."',";
        // the summary is entity-decoded, stripped of tags and cut to 180 characters
        $description=mb_substr(strip_tags(html_entity_decode($content,ENT_NOQUOTES,"GB2312")),0,180,"gbk");
        // a caller-supplied description overrides the generated one
        $description=$_POST['description']?$_POST['description']:$description;
        $description=str_replace(array(' ',"\n","\r","\r\n"," "),array(''),$description);
        ...
```
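The defect above is that every request value is spliced into SQL as a string, so whether GPC escaping is on or off makes no difference once the value has been decoded. The following is an added example, not PHPYUN's own code, showing the same handler rewritten with PDO prepared statements; it assumes a connected `$pdo` handle, that `$locoyinfo` comes from locoy_config.php as on the page, and that `news_base` has `description` and `content` columns (only `title`, `nid`, `did` and `author` are visible on the page).

```php
<?php
// Added example (not PHPYUN's code): add-news handler with bound parameters.
// Assumed: $pdo is a PDO connection; columns `description`/`content` exist.
function addnews_hardened(PDO $pdo, array $locoyinfo, array $get, array $post): int
{
    if (($locoyinfo['locoy_online'] ?? 0) != 1) {
        return 4; // interface disabled
    }
    // constant-time key comparison instead of a plain != check
    $key = trim((string)($get['key'] ?? ''));
    if (!hash_equals((string)($locoyinfo['locoy_key'] ?? ''), $key)) {
        return 5;
    }
    $title   = trim((string)($post['title'] ?? ''));
    $content = (string)($post['content'] ?? '');
    $nid     = (int)($post['nid'] ?? 0); // nid is a numeric id: cast it
    if ($title === '' || $content === '' || $nid === 0) {
        return 2;
    }
    // duplicate check: the values travel as parameters, never as SQL text
    $stmt = $pdo->prepare('SELECT 1 FROM news_base WHERE `title` = ? AND `nid` = ? LIMIT 1');
    $stmt->execute([$title, $nid]);
    if ($stmt->fetchColumn() !== false) {
        return 3;
    }
    // same 180-character summary as the original; its content and length
    // no longer have any effect on the statement that is executed
    $description = (string)($post['description'] ?? '');
    if ($description === '') {
        $decoded     = html_entity_decode($content, ENT_NOQUOTES, 'GB2312');
        $description = mb_substr(strip_tags($decoded), 0, 180, 'gbk');
    }
    $description = str_replace([' ', "\r\n", "\n", "\r"], '', $description);

    $ins = $pdo->prepare(
        'INSERT INTO news_base (`title`, `nid`, `did`, `author`, `description`, `content`)
         VALUES (:title, :nid, 0, :author, :description, :content)'
    );
    $ins->execute([
        ':title'       => $title,
        ':nid'         => $nid,
        ':author'      => (string)($post['author'] ?? ''),
        ':description' => $description,
        ':content'     => $content,
    ]);
    return 1; // success
}
```

The return codes mirror the `echo 4/5/2/3` exits of the original handler so the caller's contract is unchanged; with `PDO::ATTR_EMULATE_PREPARES` set to false the driver sends parameters separately from the query text.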
