IceCMS is a standalone content management system built on Spring Boot + Vue. IceCMS v2.0.1 has a logic flaw in the backend administrator login (/login). The designers added a slider captcha to stop an attacker from brute-forcing a user's password, but once the login request has been captured, the administrator password can still be brute-forced. Impact: an attacker can enter the backend and obtain sensitive information about the website.


The admin login page has a slider captcha.

After passing the captcha, enter a random password and capture the request with yakit.

Send the captured request to the web fuzz module and insert a dictionary at the password field for brute-forcing.

The login credentials were successfully obtained in the local test environment.

Conclusion: the captcha is enforced only on the front end; the server never checks it on /login. If the admin password is weak, the correct credentials can be enumerated.
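To show what the fix looks like on the server, here is an added example (Python, not IceCMS's own Spring Boot code) contrasting a login handler that trusts the front-end captcha with one that requires a server-issued, single-use captcha token and caps failed attempts per account. The user table, token store, function names and thresholds are constructed assumptions.

```python
import hmac
import secrets
import time
from collections import defaultdict

# Constructed stand-ins for the application's user table, captcha-token store
# and failure counter (assumed names; real code compares against a password hash).
USERS = {"admin": "correct-horse-battery"}
_captcha_tokens = set()          # tokens issued once the slider was solved server-side
_failures = defaultdict(list)    # username -> timestamps of recent failed logins
MAX_FAILURES, WINDOW_SECONDS = 5, 300


def login_frontend_only(username, password):
    """Weak form: /login checks credentials only. Because the captcha was
    verified by the Vue front end alone, a replayed request with any
    password goes straight to the credential check."""
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def issue_captcha_token():
    """Called by the captcha endpoint after it has verified the slider
    position itself; the token is the proof the client must send to /login."""
    token = secrets.token_urlsafe(16)
    _captcha_tokens.add(token)
    return token


def login_hardened(username, password, captcha_token, now=None):
    """Hardened form: one valid, unused captcha token per attempt, plus a
    per-account failure budget, so a captured request cannot simply be
    replayed with a wordlist."""
    now = time.time() if now is None else now
    recent = [t for t in _failures[username] if now - t < WINDOW_SECONDS]
    _failures[username] = recent
    if len(recent) >= MAX_FAILURES:
        return "locked"
    if captcha_token not in _captcha_tokens:
        return "captcha_required"
    _captcha_tokens.discard(captcha_token)   # consume it: one token, one attempt
    if login_frontend_only(username, password):
        return "ok"
    _failures[username].append(now)
    return "invalid"
```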