Credential stuffing via a Suning interface affects user account security (with restriction-bypass techniques)
An interface of Suning may affect user account security.
The main site's login interface can be brute-forced.
Host: passport.suning.com
POST /ids/login
Body: jsonViewType=true&username=§username§&password=§password§&loginTheme=defaultTheme&loginChannel=208000000000&rememberMe=false
The path is /ids/login, and the back end is presumably protected by an IDS hardware device.
The login interface imposes the following login restrictions:
1. When login requests are sent too frequently, they are intercepted; the returned response length is 4177.
2. When requests from the same IP address exceed the limit, a verification code is required and the response contains needVerifyCode: true.
Burp Intruder's options can be used to bypass these restrictions.
First, set Number of threads to 10 (there is no hard requirement here, but it must not be too high).
The most important setting is Throttle (milliseconds): "insert a fixed time delay between events". A value in the range 1000-2000 works here.
The last step is to set X-Forwarded-For to bypass the IP address restriction.
If that does not work, you can switch IP addresses manually or use automatic proxy-switching software.
Start brute-forcing.
Failed attempts return errorCode: badPassword.msg1 or errorCode: badPassword.msg2,
or an error saying the user does not exist.
That is not important.
Look for the response length that indicates a correct login.
Depending on the account, successful responses have lengths such as 859 or 840.
There is also a distinguishing feature: the data returned after a successful login contains the keyword snapshotId.
The following are some accounts that logged in successfully; perhaps because they had not been logged into for a long time, they all require secondary verification.
Solution:
Filter
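As an added illustration of what "filter" has to mean here (example code written for this page, not Suning's code or part of the original report), the following derives the client address from the TCP peer and honours X-Forwarded-For only when the peer is a known reverse proxy, so a spoofed header cannot reset the per-IP counter, and it also counts failures per account so spreading attempts across addresses still trips the verification-code requirement. The proxy address, thresholds and window are assumed values.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Assumed value: the reverse proxies that legitimately append X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip(peer_addr, xff_header=None):
    """Return the address to rate-limit on: X-Forwarded-For is honoured only
    when the direct TCP peer is a trusted proxy; otherwise it is ignored."""
    peer = ipaddress.ip_address(peer_addr)
    if peer in TRUSTED_PROXIES and xff_header:
        # Walk right to left: the rightmost hop that is not one of our proxies is the client.
        for hop in reversed([h.strip() for h in xff_header.split(",")]):
            try:
                addr = ipaddress.ip_address(hop)
            except ValueError:
                continue  # malformed entry, skip it
            if addr not in TRUSTED_PROXIES:
                return str(addr)
    return str(peer)


class LoginLimiter:
    """Sliding-window failure counters keyed on client IP and on account name."""

    def __init__(self, max_failures=5, window_seconds=600, clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock  # injectable for tests
        self.failures = defaultdict(deque)  # key -> timestamps of failures

    def _recent(self, key):
        q = self.failures[key]
        cutoff = self.clock() - self.window
        while q and q[0] < cutoff:
            q.popleft()
        return len(q)

    def record_failure(self, ip, username):
        now = self.clock()
        self.failures[("ip", ip)].append(now)
        self.failures[("user", username.lower())].append(now)

    def needs_verify_code(self, ip, username):
        # Keying on the account as well means spreading attempts across many
        # addresses (spoofed headers, proxies) still trips the limit for that account.
        return (self._recent(("ip", ip)) >= self.max_failures
                or self._recent(("user", username.lower())) >= self.max_failures)
```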