- Log in to the website background using the website default password admin/admin
- Visit the csrf attack website,Add an administrator user
- The user was successfully created but could not log in. There was a problem with the system code. The created users could not log in. After checking the code, we found that the stored password was not the password we entered, but the 6th to 25th digits of the value encrypted by cmd5.
4.Attack content
- The user who created it has a security authentication string for protection, but it does not seem to verify whether it matches the authentication string in the page.
- The websites used in this test have not been attacked, and the test users have been deleted.