Attackers can modify the password of any user (the verification code is valid for a number of times)

Source: Internet
Author: User

Today, I found that I had forgotten my username when logging in to Lashou, so I tested the site along the way, using my own number. When logging in, click "forgot password" to go to the password retrieval page and select "retrieve via text message". After the mobile phone number is entered there, the target mobile phone receives a 6-digit random verification code. Capture the packet when submitting a verification code... get the following data... Next, perform brute-force cracking on the verification code and compare the returned packets. Error packet:

HTTP/1.1 200 OK
Date: Sun, 21 Jul 2013 03:13:39 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Server: LWS
Via: web-1-50
Vary: Accept-Encoding

{"status":5,"msg":"\u9a8c\u8bc1\u7801\u9519\u8bef"}

 

Correct packet:

HTTP/1.1 200 OK
Date: Sun, 21 Jul 2013 03:13:39 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Server: LWS
Via: web-1-48
Vary: Accept-Encoding

{"status":1,"msg":"MTg2MDA5M*******I am a mosaic*********NTc5MkB*********jQxOXwzNDQwMDI3NTZkOTY4**********hMA%3D%3D"}

 

The correct verification code is obtained. However, after repeated tests, I found that Lashou's verification code is only valid once. After you enter the verification code and reach the password modification page, if you go back, the verification code is no longer valid, so the verification code we have cracked is invalid... because I have already used it once. Is there really no way to break through here? Just as I decided to give up, I suddenly remembered something: when I used my mailbox to retrieve the password before, I got a reset link, and the password can be reset as long as the link is opened. There is no limit on the number of times it is valid. And the link is:

http://www.lashou.com/account/reset?Code=[this code is very familiar here]

After comparison, I found that it is the data returned for the correct verification code during the brute-force guessing. Combine it directly into the password reset link:

http://www.lashou.com/account/reset?Code=MTg2MDA5M*******I am a mosaic********NTc5MkB*********jQxOXwzNDQwMDI3NTZkOTY4**********hMA%3D%3D

The target user's password can be reset after accessing it!
  Solution:


It was originally intended to brute force crack the verification code and reset the user password, but it was found that the verification code was only valid once. You should understand this when you want to give up...
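
A server-side hardening sketch for the two weaknesses described above (unlimited guesses at the 6-digit code, and a reset value that stays valid for any number of uses). This is an added example, not code from the original post or from Lashou; the class name, method names and the limit values are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5   # assumed policy: wrong guesses allowed per issued code
CODE_TTL = 600     # assumed policy: seconds an SMS code stays valid
TOKEN_TTL = 900    # assumed policy: seconds a reset token stays valid


class ResetFlow:
    """In-memory sketch; a real service keeps this state in a shared server-side store."""

    def __init__(self, now=time.time):
        self.now = now
        self.codes = {}    # phone -> [code, expires_at, failed_attempts]
        self.tokens = {}   # token -> (phone, expires_at)

    def issue_code(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[phone] = [code, self.now() + CODE_TTL, 0]
        return code        # sent by SMS only, never echoed in an HTTP response

    def verify_code(self, phone, guess):
        """Return a one-time reset token for a correct code, else None."""
        entry = self.codes.get(phone)
        if entry is None or self.now() > entry[1]:
            self.codes.pop(phone, None)
            return None
        if not hmac.compare_digest(entry[0].encode(), str(guess).encode()):
            entry[2] += 1
            if entry[2] >= MAX_ATTEMPTS:
                del self.codes[phone]      # burn the code: later guesses cannot succeed
            return None
        del self.codes[phone]              # a correct code is consumed on first use
        token = secrets.token_urlsafe(32)  # random, not derived from phone or code
        self.tokens[token] = (phone, self.now() + TOKEN_TTL)
        return token

    def redeem_token(self, token):
        """Return the phone whose password may be reset, or None. Single use."""
        phone, expires_at = self.tokens.pop(token, (None, 0))
        return phone if phone and self.now() <= expires_at else None
```

Limiting how often `issue_code` can be called per phone number and per client is also needed and is not shown here.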
