A vulnerability in the site Cool Network (zcool.com.cn) allows logging on to tens of thousands of user accounts at will (see how I log on to the accounts of a large number of gold medal designers)
The problem parameter is here: in theory, as long as a user's profile details show his QQ number, his mailbox can be changed.
This URL automatically completes logon verification:
http://passport.zcool.com.cn/verifyEmail.do?name=""&appId=1006
appId=1006
In testing, this appId is almost universal: the default value is 1006, and there is no other mechanism to limit it. I'm speechless.
We only need to pay attention to the name parameter here.
How can I change his password?
First, find a member on zcool.com.cn.
For example:
http://www.zcool.com.cn/special/gogoup4/ (pay attention to the comments below it):
Example:
Let's find several popular designers to change their passwords.
Expand his details
For example: http://fangkuaiashou.zcool.com.cn/
Square monster
Pay attention to his QQ:
[Email protected]
Now the problem parameter can be set up.
If his email address exists, it will succeed.
Access: http://passport.zcool.com.cn/verifyEmail.do?name=[email protected]&appId=1006
Next, we only need to change his email address to change his password.
We replaced his email address ~~
It should be noted that because an email address is verified once when it is entered into the database, the same mailbox cannot be used again a second time.
So we can register a few more mailboxes.
Each change uses up one mailbox, so register another one for the next change.
Suppose I have registered a 163 mailbox that has not been used:
[Email protected] feng163
Next:
First, log in to the 163 mailbox and wait.
Then we will be there
Click Modify email
Change the current email address to the registered 163 email address.
[email protected]
Then submit it.
At this point, the 163 mailbox receives the registration information.
An activation message is sent. We only need to click it and the code is activated automatically.
At this point, the designer's mailbox has been changed.
Let's see.
At this time, pay attention to the mailbox. It's our mailbox.
The user is the gold medal designer we have changed.
Everything has
========================================================== ======================================
Let's change it to another ordinary member.
Let's look
Prepare our unused 163 mailbox
[Email protected] 19971030
I'm ready
Next
Find a member
For these designers, all that is needed is the QQ number in their details.
I found 1 member
http://www.zcool.com.cn/u/1975332
Design fans:
Pay attention to his QQ
451204869
Combine it into an email address:
[email protected]
Set up the problem parameter:
http://passport.zcool.com.cn/verifyEmail.do?name=[email protected]&appId=1006
Access it.
We're in luck; sure enough, it works. If this mailbox were not in use, it would certainly prompt that it does not exist.
Next, let's change the email address.
Change this to an email address we have never used.
[Email protected]
Then submit ~~
In the same way, the activation message arrives in our mailbox.
Access
http://passport.zcool.com.cn/verfy.do?name=[email protected]&code=17f287028bfb1f8b9b887846d05f7a70&appId=1006
In this way, we got into the account of this so-called design enthusiast.
The email here is our previous [email protected].
http://passport.zcool.com.cn/verifyEmail.do?name=""&appId=1006
In summary: take the contact details from the member's profile, register a new mailbox, change the account's mailbox to it, open the mailbox, and activation completes the logon automatically.
Solution:
Filter
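
The "Filter" fix above does not say what to check. As an added example (not code from the original report or from the site), this Python sketch puts the pattern described here, where the `name` parameter alone identifies the account, beside a handler that also requires the logged-in session to own the address and a server-issued token bound to account, address and expiry. All function names, the key and the sample account are constructed assumptions.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"      # assumption: per-deployment secret
ACCOUNTS = {"victim@example.test": 1001}  # constructed sample data
TOKEN_TTL = 900                           # seconds a link stays valid


def verify_email_weak(name, app_id):
    """Pattern described on the page: the email in `name` is the only proof."""
    if name in ACCOUNTS:
        return ACCOUNTS[name]  # caller is now treated as this account
    return None


def _mac(account_id, email, expires):
    msg = f"{account_id}|{email}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(account_id, email, now=None):
    """Mint a token bound to one account, one address and an expiry time."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    return f"{expires}.{_mac(account_id, email, expires)}"


def verify_email_hardened(session_account_id, name, token, now=None):
    """Succeed only for the session's own account with a valid, fresh token."""
    account_id = ACCOUNTS.get(name)
    if account_id is None or account_id != session_account_id:
        return None  # the address must belong to the logged-in account
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except (ValueError, AttributeError):
        return None  # malformed or missing token
    good = _mac(account_id, name, expires)
    if not hmac.compare_digest(mac.encode(), good.encode()):
        return None  # forged token or tampered expiry
    if (time.time() if now is None else now) > expires:
        return None  # link has expired
    return account_id
```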