Objectives: Mengjie Home Textile third-party application, BI system brute force.

Reasons:
1. In view of the first two vulnerabilities, the password strength is insufficient;
2. No verification code (CAPTCHA) is shown on the logon interface;
3. No logon-error limit has been found so far.

There are two logon methods on the logon interface: administrator and user (the difference is whether "Administrator Logon" is checked when logging on).

Open Burp and try the administrator logon first (check "Administrator Logon"): the user name and password files are loaded as separate lists.

After a while, pause the brute-force run and go to the logon page to check whether the password has been disabled:

No luck, so continue with the user logon (do not check "Administrator Logon"). The process is the same as above, and before long:

Log on decisively (it is actually a boss!!!):
Solution: Of the three reasons above, shouldn't at least one be corrected?
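For the third reason (no limit on failed logons), the following is an added example of a server-side throttle, not code from the original report or from the affected BI system. The class and function names, the thresholds, and the `check_password` callback are all assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed threshold
WINDOW_SECONDS = 300    # assumed counting window
LOCK_SECONDS = 900      # assumed lockout duration


class LogonThrottle:
    """Counts failed logons per account and per source address (hypothetical helper)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time at which the lock ends

    def _keys(self, username, source_ip):
        # Track the account and the source separately: one catches many
        # passwords against one user, the other one host trying many users.
        return (("user", username.lower()), ("ip", source_ip))

    def is_blocked(self, username, source_ip):
        now = self._clock()
        return any(self._locked_until.get(k, 0) > now
                   for k in self._keys(username, source_ip))

    def record_failure(self, username, source_ip):
        now = self._clock()
        for key in self._keys(username, source_ip):
            window = self._failures[key]
            window.append(now)
            while window and now - window[0] > WINDOW_SECONDS:
                window.popleft()              # forget failures outside the window
            if len(window) >= MAX_FAILURES:
                self._locked_until[key] = now + LOCK_SECONDS
                window.clear()

    def record_success(self, username, source_ip):
        # Reset only the account counter; the source counter keeps running so
        # one valid logon does not wipe out a host's failure history.
        self._failures.pop(("user", username.lower()), None)


def attempt_logon(throttle, check_password, username, password, source_ip):
    """Returns 'blocked', 'ok' or 'denied'; check_password is the app's own verifier."""
    if throttle.is_blocked(username, source_ip):
        return "blocked"                      # refuse before touching the password check
    if check_password(username, password):
        throttle.record_success(username, source_ip)
        return "ok"
    throttle.record_failure(username, source_ip)
    return "denied"
```

Both logon methods on the page (administrator and user) would need to pass through the same throttle, otherwise the unchecked path stays open to the same guessing.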