Arbitrary Account Login vulnerability in a general contribution system

Source: Internet
Author: User


Following in Chuan Ge's footsteps: the arbitrary password read is probably a duplicate, but being able to log in to any account should count as a major issue. "The vulnerability is already recorded on the platform. Related information is IDXXX."

The system is designed and developed by Beijing Magtech Technology Development Co., Ltd. (http://www.magtech.com.cn/CN/model/index.shtml).


Search Google or Baidu directly for the footer string: "This system is designed and developed by Beijing Magtech Technology Development Co., Ltd. Technical support: support@magtech.com.cn".

That returns a whole batch of cases. I believe Chuan Ge has already listed examples, so I will not list them here.

Approach: http://tsglt.zslib.com.cn/journalx/authorLogOn.action?magId=7
Register an account directly.

http://tsglt.zslib.com.cn/journalx/authorregister/Register!Done.action?id=11162685103&magId=1



http://nvc.sjtu.edu.cn/JournalX_nvc/authorregister/Register!Done.action?id=11&magId=1

Modifying the id parameter here gives access to another user's account without any verification.



For example, changing the id to 11162682103 and opening the URL takes me straight to the author center.

The information displayed is not what I just entered at registration, so I have successfully logged in to another account. (PS: the id must already exist; if it does not, an error is returned. The ids can be traversed with Burp.)
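The traversal note above is also what makes this finding visible to the site operator: a single client walking through many different id values on the registration-completion URL, with an error for unused ids and a 200 for existing ones. The following detection script is an added example for this page, not part of the report or of the vendor's product; the log lines are constructed in combined access-log format, the paths mirror the ones quoted in the report, and the client addresses, timestamps and threshold are invented.

```python
"""Flag clients that enumerate the id parameter of Register!Done.action.

Added, hypothetical example; not JournalX or Magtech code. Sample log lines
are constructed, with paths taken from the report and everything else made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [timestamp] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: 203.0.113.5 walks through consecutive ids (500 for an
# unused id, 200 for an existing one); 198.51.100.7 completes a single,
# legitimate registration.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:01 +0800] "GET /journalx/authorregister/Register!Done.action?id=11162682100&magId=1 HTTP/1.1" 500 612
203.0.113.5 - - [10/Oct/2023:13:55:02 +0800] "GET /journalx/authorregister/Register!Done.action?id=11162682101&magId=1 HTTP/1.1" 500 612
198.51.100.7 - - [10/Oct/2023:13:55:03 +0800] "GET /journalx/authorregister/Register!Done.action?id=11162685103&magId=1 HTTP/1.1" 200 4810
203.0.113.5 - - [10/Oct/2023:13:55:04 +0800] "GET /journalx/authorregister/Register!Done.action?id=11162682102&magId=1 HTTP/1.1" 500 612
203.0.113.5 - - [10/Oct/2023:13:55:05 +0800] "GET /journalx/authorregister/Register!Done.action?id=11162682103&magId=1 HTTP/1.1" 200 4810
203.0.113.5 - - [10/Oct/2023:13:55:06 +0800] "GET /journalx/authorregister/Register!Done.action?id=11162682103&magId=1 HTTP/1.1" 200 4810
203.0.113.5 - - [10/Oct/2023:13:55:07 +0800] "GET /journalx/authorregister/Register!Done.action?id=11162682104&magId=1 HTTP/1.1" 500 612
203.0.113.5 - - [10/Oct/2023:13:55:08 +0800] "GET /journalx/authorregister/Register!Done.action?id=11162682105&magId=1 HTTP/1.1" 200 4810
203.0.113.5 - - [10/Oct/2023:13:57:00 +0800] "GET /journalx/authorLogOn.action?magId=7 HTTP/1.1" 200 3301
"""


def parse_line(line: str):
    """Return ip, timestamp, path, parsed query and status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m["url"])
    return {
        "ip": m["ip"],
        "ts": ts,
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(m["status"]),
    }


def find_id_enumeration(lines, path_suffix="Register!Done.action", param="id",
                        window=timedelta(minutes=5), threshold=5):
    """One alert per client that requests >= threshold distinct ids within window.

    path_suffix is matched with endswith() so that both /journalx/... and the
    /JournalX_nvc/... deployment from the report are covered.
    """
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["path"].endswith(path_suffix):
            continue
        values = ev["query"].get(param)
        if not values:
            continue
        by_ip[ev["ip"]].append((ev["ts"], values[0], ev["status"]))

    alerts = []
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            distinct = {e[1] for e in in_window}
            if len(distinct) >= threshold:
                alerts.append({
                    "ip": ip,
                    "distinct_ids": len(distinct),
                    # requests answered 200, i.e. ids that resolved to an account
                    "successful": sum(1 for e in in_window if e[2] == 200),
                    "first_seen": start.isoformat(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_id_enumeration(SAMPLE_LOG.splitlines()):
        print(alert)
```

The threshold and window are the tunable parts: a legitimate user completes one registration with one id, so even a low threshold of distinct ids from a single address is a strong signal, and the count of 200 responses inside the window tells the responder how many existing accounts were actually opened.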



Next, the arbitrary password read. This one is probably a duplicate, but I will mention it again. Under "modify login information" an authorId is passed along; changing the authorId opens another user's password-modification page, and the password hidden behind the asterisks can be viewed with F12.
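Both findings are the same defect: the server takes the account identity from a request parameter (id on the registration-completion step, authorId on the password page) instead of from the session it issued. The model below is an added example written for this page, not JournalX or Magtech code; it reduces the two endpoints to plain functions and puts the broken behaviour next to a fixed version that binds registration completion to a single-use token and serves the password page only for the logged-in author, without ever returning the password itself. All function names, the token mechanism and the sample accounts are assumptions.

```python
"""Vulnerable and fixed models of the two endpoints in the report.

Added, hypothetical code for this page; not the vendor's implementation.
Account ids are taken from the report, everything else is constructed.
"""
from dataclasses import dataclass
import secrets


class PermissionDenied(Exception):
    """Raised when a request does not match the identity bound to the session."""


@dataclass
class Author:
    author_id: int
    email: str
    password: str      # stored in clear here only to mirror what the report observed


@dataclass
class Session:
    author_id: int     # after login this is the only trusted source of identity
    token: str


# Constructed sample accounts; the ids mirror the ones quoted in the report.
AUTHORS = {
    11162685103: Author(11162685103, "me@example.org", "my-password"),
    11162682103: Author(11162682103, "victim@example.org", "victim-password"),
}


# ---- vulnerable pattern: the client chooses which account it becomes ----

def register_done_vulnerable(params: dict) -> Session:
    """Mirrors the report: any existing id in the query string gets a session."""
    author_id = int(params["id"])
    if author_id not in AUTHORS:
        raise KeyError("no such author")   # the error the report sees for unused ids
    return Session(author_id, secrets.token_hex(8))


def password_page_vulnerable(params: dict, session: Session) -> Author:
    """authorId from the request is trusted instead of the session's identity."""
    return AUTHORS[int(params["authorId"])]


# ---- fixed pattern: identity comes only from server-side state ----

# Single-use tokens issued when the registration form is submitted; the
# completion step can only finish the registration that issued the token.
PENDING_REGISTRATIONS: dict = {}


def start_registration(email: str, password: str) -> str:
    author_id = max(AUTHORS) + 1
    AUTHORS[author_id] = Author(author_id, email, password)
    reg_token = secrets.token_urlsafe(16)
    PENDING_REGISTRATIONS[reg_token] = author_id
    return reg_token


def register_done_fixed(params: dict) -> Session:
    author_id = PENDING_REGISTRATIONS.pop(params.get("reg_token"), None)
    if author_id is None:
        raise PermissionDenied("registration token missing, unknown or already used")
    return Session(author_id, secrets.token_hex(8))


def password_page_fixed(params: dict, session: Session) -> dict:
    """Serve only the logged-in author's record, and never echo the password."""
    requested = params.get("authorId")
    if requested is not None and int(requested) != session.author_id:
        raise PermissionDenied("authorId does not belong to this session")
    author = AUTHORS[session.author_id]
    return {"author_id": author.author_id, "email": author.email}


def denied(fn, *args) -> bool:
    """True if fn(*args) is refused with PermissionDenied."""
    try:
        fn(*args)
    except PermissionDenied:
        return True
    return False


if __name__ == "__main__":
    victim = register_done_vulnerable({"id": "11162682103"})
    print("vulnerable flow logged in as:", AUTHORS[victim.author_id].email)
    me = register_done_fixed({"reg_token": start_registration("new@example.org", "pw")})
    print("fixed page refuses another authorId:",
          denied(password_page_fixed, {"authorId": "11162682103"}, me))
```

The fixed version shows the two checks a reviewer would look for in the real code: the object being acted on is derived from the session (or compared against it and refused on mismatch), and the response to the password page is a view that omits the secret, so a mismatched authorId or a dev-tools inspection of the form reveals nothing.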
 

 

Solution:

If there is one. Thank you!
