1. This is the main page of the shopping site. Go to the account login page:
   http://www.mmb.cn/wap/login.do?uuniq=1359436782529555
   We do not log in here; instead, click the [Forgot password?] button to enter the password-reset flow:
   http://www.mmb.cn/wap/findpassword/sendBandPhoneNum.do?findPasswordIndex=1&uuniq=1359436785443054
2. Registered users must retrieve their password through mobile-phone verification. Enter the account to be reset, which is the verified mobile phone number. Since this only tests for the vulnerability, I use my own account here.
3. Click Submit. The SMS verification code for resetting the password is now sent to my mobile phone number.
4. The SMS code received on the phone is [0788]. First, I enter an arbitrary four-digit code, 1234. Clicking Submit returns the following error. Remember to set the browser proxy at this point.
5. The captured request is:

    POST /wap/findpassword/sendCheckCode.do?uuniq=1359437254334359 HTTP/1.1
    Host: www.mmb.cn
    User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://www.mmb.cn/wap/findpassword/sendCheckCode.do?uuniq=1359437104139014
    Cookie: JSESSIONID=D*********************56DD6F039F-1.e; JSESSIONID=2F582EE5******************5935.e; newOpu=92caf70*****************************9e1
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 58

    phone=150*********&checkCode=1234&button=%E6%8F%90%E4%BA%A4

   The parameter checkCode=1234 is the SMS code and the parameter phone=150********* is the mobile phone number.
6. After all that writing, let's get started: set the checkCode parameter as the one to be cracked and start brute-force guessing.
7. The correct SMS code can be told apart by the number of bytes returned or by the returned content: when the SMS code is wrong, the response is 7471 bytes; when it is correct, it is 6645 bytes. Here the SMS verification code is successfully cracked as 0788.
8. Use the cracked SMS code to reset the account!
9. The password is reset successfully.

Solution:

1. There is another very serious bug, visible on the page shown above, which says there are two ways to reset the password: A. click the link in the text message to change the password; B. enter the verification code received. When the phone verification code is sent, a link is sent along with it: http://www.mmb.cn:80/wap/c.do?r=3IWB. This link can be used to reset the password, and from the link it is clear that the password can be reset as long as the value of the r parameter is cracked... Once that link is obtained, the password can be changed again without going through the reset flow at all.
2. Brute-forcing a 4-digit purely numeric SMS code means an average of 10 thousand requests. I tested with Burp Suite at 100 threads on a single machine and could reset any mobile-phone account in under one minute. Dangerous!
3. The SMS code is only four pure digits, there is no image CAPTCHA, and the 30-minute validity period of the SMS code does not even need to be touched here. But why not lock the password-reset request after several consecutive failed attempts?
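As an added illustration (not code from the report or from mmb.cn), the following Python sketch implements the countermeasures proposed above on the server side: a bounded number of attempts per issued code, after which the code is invalidated; the 30-minute expiry; single use; and an identical failure response for every failed check, so that response length no longer reveals a hit. The class name, the 5-attempt limit and the 6-digit code length are assumptions.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5            # consecutive failures allowed per issued code (assumed policy)
CODE_TTL_SECONDS = 30 * 60  # the 30-minute validity period mentioned in the report
CODE_DIGITS = 6             # longer than the 4 digits the site used (assumed)


class ResetCodeStore:
    """Server-side state of pending password-reset codes, keyed by phone number."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # phone -> [code, issued_at, failures]

    def issue(self, phone):
        """Generate a fresh random code for the phone, replacing any earlier one."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[phone] = [code, self.clock(), 0]
        return code

    def verify(self, phone, submitted):
        """Accept only a valid, unexpired, unused code; every failure looks identical."""
        entry = self.pending.get(phone)
        if entry is None:
            return False  # no pending code (never issued, expired, used or locked)
        code, issued_at, _ = entry
        if self.clock() - issued_at > CODE_TTL_SECONDS:
            del self.pending[phone]  # expired: a new code must be requested
            return False
        if hmac.compare_digest(code, submitted):
            del self.pending[phone]  # single use: the code cannot be replayed
            return True
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self.pending[phone]  # lock: remaining guesses are refused
        return False


def guesses_before_lockout(store, phone):
    """Simulate sequential guessing and count how many the server still evaluates."""
    store.issue(phone)
    for n in range(1, 10 ** CODE_DIGITS + 1):
        if store.verify(phone, f"{n - 1:0{CODE_DIGITS}d}") or phone not in store.pending:
            return n
    return 10 ** CODE_DIGITS
```

guesses_before_lockout shows the effect of the limit: sequential guessing is cut off after MAX_ATTEMPTS evaluations instead of being allowed to run through the whole code space.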