two bug of zzcms 2019
ZZCMS the lastest version download page :
we can find something in file
$_SERVER['HTTP_HOST'] directly without filtering,so we just need find a page use it and we can inject.
OK just test!
It’s funny that they just judge whether the
$content is empty,so we can do anything to the
so we can use