Pipi genie bypasses the background of an important website
The official website of Pipi genie has design defects and can be bypassed. You can modify and publish any information. If attackers exploit this information, they can imagine that the official website will be highlighted.
Http://www.fingerage.com/Shenzhen times Network Technology Co., Ltd.
Let's take a look at the background:
http://www.fingerage.com/admin/index.html
<Script> $ (document ). ready (function () {// click the submitted logon check $ ("# login "). bind ("click", function () {var name = $ ("# name "). val (); var pwd = $ ("# password "). val (); if (name. length <= 0) {alert ("Enter the user name"); return;} if (pwd. length <= 0) {alert ("Enter Password"); return ;}$. post ("/admin/Ajaxchecklogin.html", {"name": name, "password": pwd}, function (date) {if (date = 'OK') {window. location. href = "/admin/main.html";} else {alert ("incorrect user name or password"); $ ("# name "). val (""); $ ("# password "). val (""); $ ("# name "). focus () ;}}) ;}); // enter the logon test $ ("# password "). bind ('keylow', function (event) {if (event. keyCode = 13) {var name = $ ("# name "). val (); var pwd = $ ("# password "). val (); if (name. length <= 0) {alert ("Enter the user name"); return;} if (pwd. length <= 0) {alert ("Enter Password"); return ;}$. post ("/admin/Ajaxchecklogin.html", {"name": name, "password": pwd}, function (date) {if (date = 'OK') {window. location. href = "/admin/main.html";} else {alert ("incorrect user name or password"); $ ("# name "). val (""); $ ("# password "). val (""); $ ("# name "). focus () ;}})}); </script>
It's really interesting for programmers to write. Read this sentence:
$. Post ("/admin/Ajaxchecklogin.html", {"name": name, "password": pwd}, function (date) {if (date = 'OK') {window. location. href = "/admin/main.html";} else {alert ("incorrect user name or password"); $ ("# name "). val (""); $ ("# password "). val (""); $ ("# name "). focus ();
First visit:
http://www.fingerage.com//admin/Ajaxchecklogin.html
Access again:
http://www.fingerage.com//admin/main.html
Solution:
Filter