Chinese small and medium enterprises (SME) website: vulnerabilities allow 10828 enterprise accounts to be logged on to and used to publish recruitment information
All 10,828 enterprise member accounts can be logged on to at will, and recruitment information can be posted for fraud purposes (for example, "give me some money and I will give you a satisfactory job").
You have the following permissions:
Modify the enterprise's basic information, password, and contact information.
Publish and modify supply and demand, product, and technical information, and publish recruitment information.
Detailed description:
http://**.**/admin/Main.aspx has a weak password: account admin, password 123456.
You can then log on to the enterprise member accounts without a password.
From there you can jump directly to the front end of the website. The following page appears.
We can see that there are several permissions:
Modify the basic information, password, and contact information; publish and modify the supply and demand, product, and technical information; and publish recruitment information, which can be used for fraud.
Proof of vulnerability:
Solution: