1. Any user information modification first registers two users. The user IDs are 5855480 and 5855481, respectively. Log On with the user 5855480 and enter the target user 5855481 information to be modified. Click "OK" and use "burpsuite" to intercept, modify userid to 5855481, and then submit. The mailbox can also be changed. to retrieve the password, you only need the user name and email address, so that you can reset the user password. However, during the test, QQ mail was used, and no password reset email was received. I don't know if it is a problem with QQ mail.
2. the basic investment amount, single store, franchise/agent identity, shop conditions, shop image, operation management, and other condition forms in the "Edit franchise fee/condition" menu of the stored XSS can all be XSS, there is no limit on the number of bytes, which should be blind.
Solution:
You should understand