- There are two roles in default cms, admin and common.
- Both of them have permission to modify the bulletin (notice).
- What's more, /system/notice is the only path excluded from the XSS filter, so input to it is stored without being sanitized.
- So we can submit an XSS payload there, and it is triggered in the browser of anyone who views the notice, including the admin (stored XSS).
- Apart from the administrator, any account is only supposed to be able to add roles of its own level.
But it isn't configured correctly: we can add a role with any permissions, even admin.
Using a common-role account, we go to the user registration page.
- You can see that the form only lets you register a common role.
- We intercept the request and change the roleid to whichever role we want (the server trusts the value sent by the client).
- In the database, an admin account has now been created.
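Added example (not the CMS's own code) modelling both weaknesses above: an XSS filter that exempts /system/notice, so a payload posted there is stored verbatim, and a registration handler that trusts the client-supplied roleid. Only the path /system/notice and the field name roleid come from the report; the class and function names, the role table and the sample request are hypothetical. The hardened variants show the check a fix would need: no path exemption, and the creator's level, not the form, decides which roles may be assigned.

```python
# Added example, not the CMS's own code. All names (XssFilter, store_notice,
# vulnerable_register, hardened_register, ROLES) are hypothetical; only the
# path /system/notice and the roleid field appear in the report.
import html

ROLES = {1: "admin", 2: "common"}  # constructed roleid -> role name mapping


class XssFilter:
    """HTML-escapes every string parameter, except on excluded paths."""

    def __init__(self, excluded_paths):
        self.excluded_paths = tuple(excluded_paths)

    def apply(self, request):
        # str.startswith(()) is False, so an empty exclusion list exempts nothing
        if request["path"].startswith(self.excluded_paths):
            return request  # filter bypassed: payload stored as sent
        escaped = {k: html.escape(v, quote=True) for k, v in request["params"].items()}
        return {**request, "params": escaped}


# Weak configuration as the report describes: the notice endpoint is exempted.
WEAK_FILTER = XssFilter(excluded_paths=["/system/notice"])
# Corrected configuration: no exemptions at all.
FIXED_FILTER = XssFilter(excluded_paths=[])

PAYLOAD = "<script>alert(document.cookie)</script>"  # constructed sample input


def store_notice(xss_filter, content):
    """Returns what would later be rendered to every reader of the bulletin."""
    req = xss_filter.apply({"path": "/system/notice", "params": {"content": content}})
    return req["params"]["content"]


def vulnerable_register(actor_role, form):
    """Trusts the roleid the browser sent, even though the form only offers 'common'."""
    return ROLES[int(form["roleid"])]


def hardened_register(actor_role, form):
    """Non-admin creators may only create accounts of their own level."""
    requested = ROLES.get(int(form["roleid"]))
    if requested is None:
        raise ValueError("unknown roleid")
    if actor_role != "admin" and requested != actor_role:
        raise PermissionError("roleid does not match the creator's level")
    return requested


if __name__ == "__main__":
    print(store_notice(WEAK_FILTER, PAYLOAD))   # raw <script> tag survives
    print(store_notice(FIXED_FILTER, PAYLOAD))  # escaped
    tampered = {"username": "evil", "roleid": "1"}  # intercepted request, roleid changed
    print(vulnerable_register("common", tampered))  # admin
    try:
        hardened_register("common", tampered)
    except PermissionError as err:
        print("rejected:", err)
```

The escaping here is a stand-in for whatever the real filter does; the point is that a path exemption makes the filter's quality irrelevant for that endpoint, and that the role check has to be made server-side against the session's role rather than the submitted form.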