Dongfang fortune network account brute force registration (burpsuite textbook)

1. The registration location provides three options for users: Mobile Phone registration, email registration, and user name registration.

This Vulnerability refers to the use of email registration. Why? Smart friends may have discovered that there is no verification code in the mailbox registration location (the other two methods have verification codes, which may be neglected by developers ).

2. Enter your email address, password, and nickname, and then register. After registration, you will be prompted to go to the mailbox for verification, but I found that you do not verify the mailbox, you can also log on to the account. In this way, no verification code is registered, and no email verification is required. If there is no token in the post data and there is no request interval limit on the server side, you can register the email with brute force mode.

3. Verify now. Enter your email address, password (123456 here), and nickname.

4. After entering the information, click "register" and use "bp" to capture packets. (You must set up a proxy before capturing packets. If not, please use Baidu ). We can see that there are only three pieces of post data, and there is no token. As long as there is no limit on the time interval of post requests, there is theoretically a violent registration.

5. Choose to send the post data to intruder.

6. Set clear in positions and leave only nick (this is the user name at registration)

7. In payloads, import the dictionary of the previously written account used for registration (I have imported 30 accounts for testing ).

8. Select start attack of intruder for brute force registration.

The registration of 30 accounts is completed in 9 2 seconds.

10 theoretically, the entire process has been tested, but we need to verify whether the registration is successful. Select an account and log on to the system. You can select one account. Because the length shown above is the same as 392, it is either all successful or all failed.

11 The results show that the previous analysis and test are completely correct. The registered account can be successfully logged on. Do not believe you have to try it yourself (test a total of 30 violent registered accounts: px0001 to px0030, password 123456 ).

 



12 What if I registered hundreds of thousands of accounts? Will your database crash? The server does not know if it can survive...

Solution:

1 add Verification Code

2 post data plus token

3. Limit the frequency of post requests