ESPCMS P8 stable version Front-end reflective xss

Download the source code first

In the directory espcms_web\espcms_load.php line 67

if (!is_file($module_filename)) {
    espcms_message_err('public_pack-espcms_module_file_err', array($ac_name));
}

Will return the html code directly

function espcms_message_err($message_code, $format_code = array()) {
    $title = espcms_lan_pack('public_pack-espcms_soft_title_err');
    $message_lan = espcms_lan_pack($message_code);
    if (isset($message_lan) && !empty($message_lan) && is_array($format_code) && count($format_code) > 0) {
        $message = vsprintf($message_lan, $format_code);
    } else {
        $message = $message_lan;
    }
    $message_html_code = '
    
    
        
        
        
        
        
    
    ' . $message . '';
    exit($message_html_code);
}

Directly cause cross-site scripting

We request directly

http://127.0.0.1/espcms/index.php?ac=&at=List