Closed gozan10 closed 1 year ago
Hi team,
I found a way to bypass account protection (the account is not blocked when brute-forcing it).
Steps (this is a demo of some cases):
If I log in incorrectly too many times, the account is locked.
But I can bypass it by inserting an X-Forwarded-For header, then brute-forcing without being locked (using the Intruder tool of Burp Suite).
Set the payload to brute-force and start the attack.
Result: the user is found (account protection bypassed without being blocked).
Fixed in https://github.com/WBCE/WBCE_CMS/releases/tag/1.5.4. Thanks for reporting.
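The report above describes a lockout keyed on a client address that the server reads from the X-Forwarded-For header, which any client can set. The following is an added illustration, not WBCE's code and not the reporter's Burp configuration: it models a per-IP login throttle, resolves the client address two ways (the vulnerable way that honours X-Forwarded-For from anyone, and a hardened way that only honours it when the TCP peer is a trusted reverse proxy, and then takes the hop that proxy appended), and replays an Intruder-style attack that rotates the spoofed header on every request. The proxy address, attacker address, wordlist and lockout threshold are constructed demo values.

```python
"""Per-IP login lockout vs. a rotating X-Forwarded-For header (added illustration)."""
from collections import defaultdict

# Constructed demo values (assumptions, not WBCE's code or configuration).
PROXY_IP = "10.0.0.5"            # the reverse proxy allowed to set X-Forwarded-For
TRUSTED_PROXIES = {PROXY_IP}
ATTACKER_IP = "203.0.113.7"      # real source address of every request
MAX_FAILURES = 5                 # wrong passwords allowed per IP before lockout
CORRECT_PASSWORD = "S3cret!pass"
WORDLIST = ["123456", "password", "admin", "letmein", "qwerty",
            "welcome", "changeme", CORRECT_PASSWORD]


def client_ip_naive(remote_addr, headers):
    """Vulnerable: the first X-Forwarded-For hop is trusted from any peer,
    so the attacker picks the key the lockout counter is stored under."""
    first_hop = headers.get("X-Forwarded-For", "").split(",")[0].strip()
    return first_hop or remote_addr


def client_ip_hardened(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Hardened: use the TCP peer address unless that peer is a trusted proxy;
    in that case take the rightmost hop, i.e. the address the proxy itself
    appended (with a chain of trusted proxies you would walk left past each
    trusted address instead of stopping at the last hop)."""
    if remote_addr not in trusted_proxies:
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    return hops[-1] if hops else remote_addr


class LoginThrottle:
    """After MAX_FAILURES wrong passwords an IP is refused before the password is even checked."""

    def __init__(self, ip_resolver, max_failures=MAX_FAILURES):
        self.ip_resolver = ip_resolver
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def attempt(self, remote_addr, headers, password):
        ip = self.ip_resolver(remote_addr, headers)
        if self.failures[ip] >= self.max_failures:
            return "locked"
        if password == CORRECT_PASSWORD:
            return "ok"
        self.failures[ip] += 1
        return "denied"


def intruder_attack(throttle, through_proxy):
    """Simulate Burp Intruder: one login per wordlist entry, with a fresh
    spoofed X-Forwarded-For value on every request."""
    outcomes = []
    for i, candidate in enumerate(WORDLIST):
        spoofed = f"198.51.100.{i + 1}"
        if through_proxy:
            # A real reverse proxy appends the true peer address to whatever the client sent.
            peer, xff = PROXY_IP, f"{spoofed}, {ATTACKER_IP}"
        else:
            peer, xff = ATTACKER_IP, spoofed
        outcomes.append(throttle.attempt(peer, {"X-Forwarded-For": xff}, candidate))
    return outcomes


def run_naive():
    """Attack against the vulnerable resolver: the lock never trips, the password is found."""
    return intruder_attack(LoginThrottle(client_ip_naive), through_proxy=True)


def run_hardened():
    """Same attack against the hardened resolver: locked after MAX_FAILURES attempts."""
    return intruder_attack(LoginThrottle(client_ip_hardened), through_proxy=True)


if __name__ == "__main__":
    print("naive   :", run_naive())
    print("hardened:", run_hardened())
```

The hardened resolver is the check to look for in any fix: the lockout key must come from the transport peer, or from a forwarding header only when the peer is an address you control. A quick regression test for the report is the same Intruder run with a rotating X-Forwarded-For payload; it should stop returning anything but the lockout response after the threshold.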