An unauthorized website of mavericks electric can obtain other administrator's plaintext passwords.
The administrator password can be obtained from an unauthorized website of mavericks. This does not mean 20R is not enough.
Detailed description:
Previous Vulnerability
Find a weak password, xuelong/1q2w3e4r.
Log on to the after-sales system. There are many weak passwords.
As the background functions are so powerful, I think there must be an excessive privilege. If you don't want to look at others, you can go straight to user management.
Go to the employee profile, click to view employee information, and click permission settings.
We can see that ascii hex saves the user's password in plain text.
Packet Capture
Code Region
GET /RightSet/Exec?ECEvent=OPEN&itemid=3123&userright=BNEDCU&winid=setRight&sessionid=769de3f9-bd18-41f9-a31a-1db738f8eec4&seriod_content_no=0.3636090673971921 HTTP/1.1Host: sh.niu.com
You can see that itemid = 3123 is your account. Let's change itemid to 1.
As we have learned before, the administrator id is 1.
You can see that the Administrator's password information is successfully obtained beyond authorization. Decoding 4E6975323031352121 is Niu2015 !!
Log on to the admin account.
Basically, all permissions are available, and various background user information, customer information, dealer information, membership card information, recharge card information, and so on will not go deep. Ask the front-end, ask for 20R
Proof of vulnerability:
See the detailed description;
Solution:
Unauthorized repair!