In web security incidents, account-related functions are usually the attacker's first point of contact. If these functions have defects, an attacker can obtain key information and reach important features. For example: if the login failure message reveals whether the failure was because the account does not exist, it can be exploited to enumerate valid accounts; if login attempts are not limited in number, passwords can be brute-forced; if the steps of the registration process are not strictly bound to each other, arbitrary accounts can be registered in bulk; and if the steps of the password retrieval function are not strictly bound to each other, arbitrary account passwords can be reset.

During routine penetration testing I came across a website, https://www.xxxx.com/, that had several of these issues at once. The site is an e-commerce platform; by combining several of the issues sensibly I obtained administrator privileges. The vulnerabilities have been submitted and confirmed fixed, so I am sharing the approach with everyone.

Before starting, a word about a habit of mine. Many sites have a PC version and a mobile version; the mobile version often has reduced features, and its security defenses are correspondingly weaker. "Pick the soft persimmon to squeeze": so I first try as hard as possible to find the site's mobile version.
Specifically, my habit is to first visit the site directly from a mobile phone; the server automatically redirects to the mobile version, and I extract its address. If typing URLs on a phone feels troublesome, you can install the Firefox extension useragent-switcher (https://mybrowseraddon.com/useragent-switcher.html) to simulate a mobile client. Other means can also be considered: the subdomain enumeration tool Sublist3r (https://github.com/aboul3la/Sublist3r) can find a mobile version such as https://m.xxxx.com/, the path enumeration tool dirsearch (https://github.com/maurosoria/dirsearch) can find a mobile version such as https://www.xxxx.com/wap, and Google hacking (inurl:xxxx.com mobile terminal) can find something like https://www.xxxx.com/mobile.

Accounts can be enumerated

On the login page https://www.xxxx.com/Wap/User/login, enter an account and password, submit, and intercept the request. The server returns one response if the account does not exist and another if the account exists. Analysis shows that although the two responses are very similar, there are still differences: the response for a valid account contains one more "you" than the response for an invalid account, and the length of the response body can also be used to determine whether the account is valid. At the same time, the server does not limit high-frequency access, so valid accounts can be enumerated.

I set the mobile parameter value as the enumeration variable and used the top 500 common Chinese names in Pinyin plus common back-office accounts as the dictionary. In the enumeration results, a response packet length of 561 indicates a valid account. The results include both normal accounts such as chenying and chenyun and back-office accounts such as admin and ceshi. The results are saved as username.txt.
Passwords can be brute-forced

The server has a mechanism that caps password attempts: after 5 errors within one hour, login is prohibited.

Looking at the login request, the logintime parameter name and value caught my attention: the value was exactly the attempt limit of 5. When I set the value to 4, the server responded normally; deleting the logintime parameter altogether also bypasses the attempt limit.

Now, using the request packet with logintime deleted, mobile is defined as enumeration variable 1 with the previously generated username.txt as its dictionary, and password is defined as enumeration variable 2 with a top 1000 common weak passwords dictionary, to brute-force the passwords. A response packet length of 380 indicates a valid password; the results are saved as logined.txt.

Arbitrary account registration

On the registration page https://www.xxxx.com/Wap/User/register, enter an unregistered mobile number, click "get verification code", enter the received SMS verification code and submit, which leads to the password settings page. Enter the password and intercept the request.

A simple analysis shows that register_mobile is the user name being registered. As long as the value of this parameter is not already registered, the request packet can bypass SMS verification and successfully create any account. For example, the system was only meant to allow a phone number as the user name at registration; using this vulnerability, you can create the account yangyangwithgnu/abcd1234 and confirm it by logging in.
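
A server-side counterpart to the enumeration and attempt-limit issues described above, as an added example that is not code from the site or from the original post: unknown accounts and wrong passwords get identical responses, and the failure counter lives on the server instead of in a request field such as logintime. The LoginGuard class, its messages and the sample account used with it are hypothetical.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5        # the limit the page describes: 5 errors...
WINDOW_SECONDS = 3600   # ...within one hour
BAD_LOGIN = {"ok": False, "msg": "Incorrect account or password"}    # constructed text
LOCKED = {"ok": False, "msg": "Too many attempts, try again later"}  # constructed text


def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    """Hypothetical login check: all limit state lives on the server."""

    def __init__(self, clock=time.time):
        self._users = {}     # account -> (salt, derived key)
        self._failures = {}  # submitted account name -> failure timestamps
        self._clock = clock
        # Random record used for unknown accounts so they cost the same work.
        self._dummy = (os.urandom(16), os.urandom(32))

    def add_user(self, account, password):
        salt = os.urandom(16)
        self._users[account] = (salt, _kdf(password, salt))

    def login(self, account, password, client_params=None):
        # client_params stands for anything else in the request, such as a
        # client-sent logintime; it is never consulted for the limit.
        now = self._clock()
        recent = [t for t in self._failures.get(account, ())
                  if now - t < WINDOW_SECONDS]
        self._failures[account] = recent
        # Counted per submitted name, existing or not, so the lock itself
        # does not reveal which accounts are real.
        if len(recent) >= MAX_FAILURES:
            return dict(LOCKED)
        salt, stored = self._users.get(account, self._dummy)
        match = hmac.compare_digest(_kdf(password, salt), stored)
        if match and account in self._users:
            del self._failures[account]
            return {"ok": True, "msg": "Login successful"}
        recent.append(now)
        return dict(BAD_LOGIN)
```

Per-account locking lets anyone lock out a known user, and the failure table grows with every submitted name, so a deployment would pair this with per-source throttling and expiry of idle entries.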