Before going to bed I was browsing around and came across a friend's blog, [url]http://www.thinkdap.com[/url], and clicked through to have a look. I happened to notice a login link in the lower right of the page and clicked it. So I typed in an arbitrary username and password and got this (first screenshot):
Then I tried the username admin and got this (second screenshot):
Did you notice anything?
Yes, it is the error message. The first screenshot shows what happens when I enter a username I made up: the error message spells out in detail that the username is invalid, as if afraid you would not realise you had typed the wrong username. Then I tried admin. In the second screenshot the error message is "invalid password". What does that mean? Obviously admin is the blogger's login username. Haha. From there the password can be attacked with a password dictionary and a cracking tool...
The WordPress error prompt is too detailed, and that is a vulnerability: because the message for a wrong username differs from the message for a wrong password, anyone can confirm which usernames exist before guessing a single password. Solution: 1. Do not display the login link on your blog page (this only hides the link; the login form itself stays reachable, so it is no substitute for step 2). 2. Modify the WordPress error message so that it no longer says whether the username or the password was wrong.
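As an added example of step 2 (this is not code from the original post or from the blog in question), the snippet below uses WordPress's `login_errors` filter, which is applied to the error text shown on the login page, to replace both the "invalid username" and the "invalid password" messages with one generic message. The plugin name and the function name `example_generic_login_error` are my own choices; drop the file into the `wp-content/plugins/` directory and activate it.

```php
<?php
/*
Plugin Name: Generic Login Errors (added example)
Description: Show one generic message for every failed login so that a wrong username and a wrong password are indistinguishable.
*/

// Guard against direct requests to this file outside of WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Callback for the 'login_errors' filter (a real WordPress filter).
 * WordPress passes in the message it was about to display; we ignore it
 * and return a fixed string, so the page no longer reveals whether the
 * username or the password was the part that failed.
 *
 * The function name is an assumption chosen for this example.
 */
function example_generic_login_error( $error ) {
    return 'Login failed. Please check your username and password.';
}
add_filter( 'login_errors', 'example_generic_login_error' );
```

This changes only the text on the login form. As the rest of the post shows, the "forgot password" form is a separate channel that can still confirm that a given e-mail address belongs to an account, so it needs the same treatment.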
This friend's blog also lists his Gmail address, MSN details and QQ number. So I clicked the "forgot password" button and entered his Gmail address. The mail was sent out without complaint, which shows that the blog's login account is tied to that Gmail address. I also had his QQ number, so I pretended to be a girl, added his QQ number and chatted with him. It was very easy to get some of his personal details and work out his blog password; you do not even need any brute-force cracking software... This also helps to understand what social engineering is.
This article is from the blog "{: Alex Space => "Ruby Notes" }"