Description
First follow to the index.php entry file, which will load the frame file directly, so just visit the following address
http://20.20.20.130:8000/zibbs/index.php
http://20.20.20.130:8000/zibbs
Will directly load the framework file and instantiate the framework class

Directly trace to the core/framework.php file. After analysis, this CMS handles the processing of each controller and operation through 【route】, wherein the parameter route is the controller name and action name to be filled in in this GET request.
core/framework.php

A normal GET request would look like this
http://20.20.20.130:8000/zibbs/index.php?route=admin/login

And here the parameter 【route】 is controllable, The value of the input parameter 【route】 is processed as follows, The value of the parameter【router】is first split through /,Such as route=aaa/bbb, the aaa Is the controller name,bbb for the action of, It also makes conditional judgments about whether the controller and the action name exist, When the Controller name does not exist, it will directly output "aaa Controller Controller does not exist 11111", as shown below


This is for the parameter 【route】, If the controller doesn't exist, The value of the input parameter 【route】 is displayed directly, And the following values, without XSS filtering, Only the addslashes() method is done here, and there is no XSS filtering function in this aspect

Because there is no filtering here, there is reflective XSS, which is tested as follows
Because of the split for / here, the regular XSS payload cannot be taken from a bomb frame, so using the following XSS payload can make a bomb fram
http://20.20.20.130:8000/zibbs/index.php?route=1111%3Cimg%20src=x%20onerror=prompt(1)%3E


The following test statement can also cause a pop-up as normal
route=admin/

Solution:
filter or encode special characters like this
<
"
'
&
%
... ...
and filter some keyword like this
script
javascript
... ...
or filter some label function which can run javascript like this
onclick
onerror
onload
... ...