Any 51CTO account password can be reset (by combining several weaknesses)
Mailbox 1 -- request three password reset links:
URL 1
http://ucenter.51cto.com/setemailpass.php?id=7804861&unid=7747d234f4b2b8cab3e55485f2884abc
unid after reversing the MD5 hash:
1458607665
URL 2
http://ucenter.51cto.com/setemailpass.php?id=7804861&unid=679c5b68bc1b974db24b3c2ca41060a4
unid after reversing the MD5 hash:
1458607794
URL 3
http://ucenter.51cto.com/setemailpass.php?id=7804861&unid=27b8a923b86dfba72b40673a7fbecc14
unid after reversing the MD5 hash:
1458607984
Mailbox 2 -- request two password reset links:
URL 1
http://ucenter.51cto.com/setemailpass.php?id=10007943&unid=fc0b2180ee91325e44e9782f5b79cad8
unid after reversing the MD5 hash:
1458608098
URL 2
http://ucenter.51cto.com/setemailpass.php?id=10007943&unid=cca1df879eec29c438ff2b3767769ef7
unid after reversing the MD5 hash:
1458608188
Comparing the recovered unid values, we find that only the last four digits differ:
So we can generate a dictionary of all four-digit values, prefix each entry with 145860 (this constant will not change in a day), and take the 32-character MD5 hex digest of each entry to recover the unid.
With the unid problem solved, how can we obtain the user id accurately? The teacher said that taking notes in class is a good habit. While taking notes on 51CTO, I came across a classmate's note. The point of interest was not the note but the user's name: I inspected the element and found that the user's id parameter is leaked in the source code of the web page:
To confirm that this is the user id value, I logged in to mailbox 1 and checked that it is indeed the same as the id value in the password reset link:
Now everything is ready. So as not to affect other users, I reset the account belonging to mailbox 2. First, prepend the constant and generate a dictionary of 32-character MD5 hashes:
Then, with the id value obtained, brute-force the unid:
The brute force succeeds:
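An added example, not code from the original write-up or from 51CTO: a defender-side audit check that flags a reset token derived from the request time, next to a reset token design that passes it. The MD5-of-timestamp scheme is the one the write-up infers from the recovered values; `derived_from_time`, `ResetStore`, the 15-minute lifetime and the demo timestamp are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL = 900  # assumed policy: a reset link is valid for 15 minutes

def weak_unid(issued_at):
    """Scheme inferred in the write-up: unid = MD5(decimal timestamp)."""
    return hashlib.md5(str(issued_at).encode()).hexdigest()

def derived_from_time(token, around, window=10_000):
    """Audit check: is the token just MD5 of a timestamp near its issue time?"""
    lo, hi = around - window, around + window
    return any(weak_unid(t) == token for t in range(lo, hi + 1))

class ResetStore:
    """Hardened issue/redeem: random token, stored hashed, expiring, single use."""
    def __init__(self):
        self._pending = {}  # user_id -> (sha256 of token, expiry time)

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[user_id] = (digest, now + RESET_TTL)
        return token  # only ever sent to the account's mailbox

    def redeem(self, user_id, token, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at = entry
        supplied = hashlib.sha256(token.encode()).hexdigest()
        ok = hmac.compare_digest(digest, supplied) and now <= expires_at
        if ok:
            del self._pending[user_id]  # a token works once
        return ok

if __name__ == "__main__":
    t0 = 1700000000  # constructed sample timestamp, not from the page
    print("weak token flagged:", derived_from_time(weak_unid(t0 + 1234), t0))
    print("random token flagged:", derived_from_time(ResetStore().issue(1, t0), t0))
```

Binding the token to the account on the server side also means a user id leaked in page source, as described above, gives no help in guessing a valid link.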