OURPHP <= v7.2.0 ourphp_tz.php reflected XSS

    1. Vulnerability reproduction

This file appears to be a test file. If the website administrator does not delete it, it may expose an XSS vulnerability and some information leakage.
Later, I found that this file was also referenced in the background, so it is not a test file.

Looking at line 619 of the code in the /client/manage/ourphp_tz.php file, we can see the following.


If two parameters are passed via GET, an atc parameter with the value rt and a parameter named callback, the page directly echoes the contents of the callback parameter into the response without any encoding or validation.
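To make the pattern concrete, here is a constructed PHP model of the behaviour described above beside a hardened version; this is an added example and not the actual ourphp_tz.php source. The function names, the regex and the JSON payload are assumptions for illustration only.

```php
<?php
// Constructed illustration of the reported pattern; NOT the original
// ourphp_tz.php code, only a minimal model of the behaviour described.

// Vulnerable shape: when atc=rt, the callback value is returned as-is,
// so whatever the client places in ?callback= is reflected unencoded.
function render_vulnerable(array $get): string
{
    if (($get['atc'] ?? '') === 'rt' && isset($get['callback'])) {
        return $get['callback'];   // reflected without validation
    }
    return '';
}

// Hardened shape: a JSONP-style callback must be a plain identifier
// (optionally dotted), and the response is served as JavaScript, not HTML.
function render_hardened(array $get): string
{
    if (($get['atc'] ?? '') !== 'rt' || !isset($get['callback'])) {
        return '';
    }
    $cb = (string) $get['callback'];
    // Whitelist: identifier characters only; reject anything else outright.
    $ident = '/^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/';
    if (!preg_match($ident, $cb)) {
        http_response_code(400);
        return '';
    }
    // Declare the content type explicitly so browsers do not treat it as HTML.
    header('Content-Type: application/javascript; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    // Assumed payload; JSON_HEX_* flags keep "<", ">" and "&" out of the body.
    $payload = json_encode(['ok' => true], JSON_HEX_TAG | JSON_HEX_AMP);
    return $cb . '(' . $payload . ');';
}

// Usage: $_GET carries the query string of the incoming request.
echo render_hardened($_GET);
```

When reviewing similar endpoints, the check is the same: any request parameter that reaches the response body must be either encoded for its context or validated against a strict whitelist as above.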

So the payload is simple, as follows:


Download the code through the following link and install it directly in PHP Study.


After installation, directly access the following path: