A design flaw in the login function of the public assistant allows credential stuffing
As the title says.
http://**.**.**.**/
This login page has no CAPTCHA to prevent brute-forcing, and the password is also transmitted in plaintext.
Capture the request with Burp, set the password to abc123, and run the username dictionary against the account field.
Responses with a length of 600+ indicate a valid account.
Checking the other response states: a valid account with a wrong password returns WRONG_PASSWROD;
a non-existent account returns NOT_FOUND;
a response with a length of 1352 indicates an account that exists but is not activated.
So the accounts can be enumerated in bulk first; then, via Save -> Results table, export the payloads of the existing accounts (the responses with a length of 414) as a new dictionary, and run the password dictionary against only those, which greatly improves efficiency.
I ran a dictionary of more than 80,000 usernames (only the usernames are shown here).
Just over two thousand valid usernames came out.
Then I ran the password dictionary against the username dictionary. Perhaps my password dictionary is too weak: after more than 60,000 attempts it reported only two hits.
I stopped there and did not continue.
That should make the issue clear.
Solution:
Add a CAPTCHA to the login page, encrypt the password in transit, and do not disclose so much information in the response status.
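As an added example that is not part of the original report, the Python below shows the leaky login logic the report describes (three distinct failure states that reveal whether an account exists) beside a hardened handler that returns one generic failure, spends the same hashing time on unknown and known usernames, and locks an account or source address after a burst of failures (standing in for the CAPTCHA the fix recommends). The user store, hashing scheme, limits and message strings are constructed for illustration and are not the application's own.

```python
"""Constructed example: enumerable login handler versus a hardened one."""
import hashlib
import hmac
import os
import time
from collections import defaultdict


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used only to make the example realistic; iteration count is illustrative
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, password hash, activated flag)
_SALT = os.urandom(16)
USERS = {
    "alice": (_SALT, _hash_password("correct horse", _SALT), True),
    "bob": (_SALT, _hash_password("hunter2", _SALT), False),
}


def login_leaky(username: str, password: str) -> str:
    """Mirrors the report: NOT_FOUND / WRONG_PASSWORD / NOT_ACTIVATED leak account state."""
    record = USERS.get(username)
    if record is None:
        return "NOT_FOUND"
    salt, stored, activated = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return "WRONG_PASSWORD"
    if not activated:
        return "NOT_ACTIVATED"
    return "OK"


# Hardened handler: one failure message, constant work per attempt, failure budget
GENERIC_FAILURE = "LOGIN_FAILED"
MAX_ATTEMPTS = 5          # failures allowed per username and per source address
WINDOW_SECONDS = 300      # sliding window for counting failures
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy", _DUMMY_SALT)
_failures = defaultdict(list)  # key (username or IP) -> timestamps of recent failures


def _over_budget(key: str, now: float) -> bool:
    """Prune expired failures for `key` and report whether the budget is exhausted."""
    recent = [t for t in _failures[key] if now - t < WINDOW_SECONDS]
    _failures[key] = recent
    return len(recent) >= MAX_ATTEMPTS


def login_hardened(username: str, password: str, client_ip: str, now=None) -> str:
    """Same outcome for unknown user, wrong password and inactive account."""
    now = time.time() if now is None else now
    if _over_budget(username, now) or _over_budget(client_ip, now):
        return GENERIC_FAILURE  # locked out; do not even reveal that
    record = USERS.get(username)
    exists = record is not None
    # Unknown usernames still pay for a hash so response time does not differ
    salt, stored, activated = record if exists else (_DUMMY_SALT, _DUMMY_HASH, False)
    password_ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if not (exists and password_ok and activated):
        _failures[username].append(now)
        _failures[client_ip].append(now)
        return GENERIC_FAILURE
    return "OK"


if __name__ == "__main__":
    print(login_leaky("nobody", "x"), login_leaky("alice", "x"), login_leaky("bob", "hunter2"))
    print(login_hardened("nobody", "x", "10.0.0.1"), login_hardened("alice", "x", "10.0.0.1"))
```

The leaky handler is the state the report observed; an attacker only needs to sort responses by message (or by length, as the report did) to separate valid from invalid usernames. The hardened handler collapses all three failures into one response, hashes a dummy value for unknown usernames so timing does not substitute for the missing message, and counts failures per username and per source so a dictionary run hits the budget after a handful of attempts.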