### Brief description:

See title.

### Detailed description:

Phpmps is an open-source classified-ads publishing system based on PHP + MySQL. Register a user account, then post a listing.

post.php

```
<?php
// Excerpt from post.php as shipped (the vulnerable code, kept as-is apart from comments).
// Numeric fields go through intval(); most text fields go through htmlspecialchars().
$catid = $_POST['catid'] ? intval($_POST['catid']) : '';
$title = $_POST['title'] ? htmlspecialchars(trim($_POST['title'])) : '';
$areaid = $_POST['areaid'] ? intval($_POST['areaid']) : '';
$postdate = time();
$enddate = $_POST['enddate']>0 ? (intval($_POST['enddate']*3600*24)) + time() : '0';
$content = $_POST['content'] ? htmlspecialchars(trim($_POST['content'])) : '';
$keywords = $_POST['keyword'] ? htmlspecialchars(trim($_POST['keyword'])) : '';
$description = cut_str($content,100);
$linkman = $_POST['linkman'] ? htmlspecialchars(trim($_POST['linkman'])) : '';
$phone = $_POST['phone'] ? trim($_POST['phone']) : '';                 // only trimmed
$qq = $_POST['qq'] ? intval($_POST['qq']) : '';
$email = $_POST['email'] ? htmlspecialchars(trim($_POST['email'])) : '';
$password = $_POST['password'] ? trim($_POST['password']) : '';
$address = $_POST['address'] ? trim($_POST['address']) : '';           // only trimmed: stored raw
$mappoint = $_POST['mappoint'] ? trim($_POST['mappoint']) : '';        // only trimmed
$checkcode = $_POST['checkcode'] ? trim($_POST['checkcode']) : '';
$number = $_POST['number'] ? intval($_POST['number']) : '';
$top_type = $_POST['top_type'] ? intval($_POST['top_type']) : '';
$is_type = $_POST['is_top'] ? intval($_POST['is_top']) : '';
$is_check = $CFG['post_check'] == '1' ? '0' : '1';
$title = censor($title);
$content = censor($content);
```

`address` is not filtered at all.

Submitting `<script>alert(1)</script>` as the address produces an alert:

![e1.jpg](https://images.seebug.org/upload/201406/1508033660188c607e06b240fa905f8a72110da8.jpg)

The script fires when an administrator reviews or edits the listing in the back end, or when a front-end user views it, so it can be used to steal user cookies.

### Proof of vulnerability:

![e1.jpg](https://images.seebug.org/upload/201406/1508033660188c607e06b240fa905f8a72110da8.jpg)
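As an added illustration (not Phpmps code), the fix is to give every free-text field in post.php the same treatment instead of escaping some and merely trimming others, and to escape again at render time. Field names follow the snippet above; the sample request is constructed.

```php
<?php
// Added example, not part of Phpmps. Normalises the post.php fields in one place so
// that address (and the other merely-trimmed text fields) get the same escaping as
// title and content. Numeric fields are cast, text fields are HTML-escaped.

function esc_text(array $src, string $key): string {
    // ENT_QUOTES also neutralises ' and ", so the value is safe inside attributes,
    // not only inside element text.
    return isset($src[$key]) ? htmlspecialchars(trim((string)$src[$key]), ENT_QUOTES, 'UTF-8') : '';
}

function esc_int(array $src, string $key): int {
    return isset($src[$key]) ? (int)$src[$key] : 0;
}

function normalize_post(array $post): array {
    return [
        'catid'    => esc_int($post, 'catid'),
        'areaid'   => esc_int($post, 'areaid'),
        'qq'       => esc_int($post, 'qq'),
        'number'   => esc_int($post, 'number'),
        'title'    => esc_text($post, 'title'),
        'content'  => esc_text($post, 'content'),
        'keywords' => esc_text($post, 'keyword'),
        'linkman'  => esc_text($post, 'linkman'),
        'email'    => esc_text($post, 'email'),
        // Fields the original code stored after trim() only:
        'phone'    => esc_text($post, 'phone'),
        'address'  => esc_text($post, 'address'),
        'mappoint' => esc_text($post, 'mappoint'),
    ];
}

// Escape on output as well: input-time escaping does not cover rows that reached the
// database by another path (older listings, imports, back-end edits).
// double_encode=false leaves entities that are already escaped untouched.
function render_field(string $stored): string {
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8', false);
}

// Constructed sample request carrying the payload from the report in `address`.
$sample = ['catid' => '3', 'title' => 'Bike for sale', 'address' => '<script>alert(1)</script>'];
$clean  = normalize_post($sample);

assert($clean['address'] === '&lt;script&gt;alert(1)&lt;/script&gt;');
assert(strpos(implode('', $clean), '<') === false);   // no raw markup reaches the database
assert(render_field($clean['address']) === $clean['address']);
echo render_field($clean['address']), PHP_EOL;
```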