Many websites have the same problem: the hash algorithm is too simple and can easily be reproduced.
Detailed description: First I requested a password reset and received an email. The reset link was:
http://tuchong.com/account/reset?code=1372415571&sign=9c4a3cab666fcddfdcec52a0d87ff73f&email=smtp_admin%40yeah.net
The code is a timestamp and the email is my mailbox. So what is sign?
Out of curiosity I tried MD5 on the string 1372415571smtp_admin@yeah.net, and the result was exactly 9c4a3cab666fcddfdcec52a0d87ff73f!
Therefore, Tuchong's hash algorithm must be
$sign = md5($code . $email);
With that, the hash algorithm used for password reset is broken.
To prove the vulnerability, I performed another password reset.
Next, open Chrome's Inspect Element (developer tools) and note the time at which the server returned its response to the reset request (it is shown in Greenwich Mean Time, so 8 hours must be added).
Open an online tool and convert that time to a Unix timestamp.
The timestamp obtained is 1372423073.
The MD5 of 1372423073smtp_admin@yeah.net is 790f0f42e5dcb3e00977ece88c0f50bc.
Now all three parameters for the password reset are available.
Construct the URL: http://tuchong.com/account/reset?code=1372423073&sign=790f0f42e5dcb3e00977ece88c0f50bc&email=smtp_admin%40yeah.net
This reset link was constructed without logging in to the mailbox to read the email.
Now log in to the mailbox and compare it with the link that was actually received:
Completely identical.
Solution:
1. Make the hash computation more complex, for example
$sign = md5(md5($code) . md5(md5(rand() . $email)));
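As an added, defender-side illustration (this is not Tuchong's code), the following PHP shows a reset token that an outsider cannot recompute from the timestamp and email: the token comes from the CSPRNG (random_bytes, PHP 7+), only its SHA-256 hash is stored server-side, it expires, it is single-use, and the comparison uses hash_equals. The in-memory $store array, the example.com host and the user@example.com address are placeholders standing in for a database table and real values.

```php
<?php
// Added example, not code from the original report or from Tuchong.
// A password reset token that is random rather than derived from
// public inputs (timestamp + email), stored only as a hash, time-limited
// and single-use. $store is an in-memory stand-in for a DB table (assumption).

declare(strict_types=1);

const RESET_TTL_SECONDS = 1800; // token valid for 30 minutes

/** Issue a fresh token for $email and return the plaintext token for the email link. */
function issue_reset_token(array &$store, string $email, int $now): string
{
    // 32 bytes from the CSPRNG; nothing here is predictable from code/email.
    $token = bin2hex(random_bytes(32));
    $store[$email] = [
        'token_hash' => hash('sha256', $token), // persist only the hash
        'expires'    => $now + RESET_TTL_SECONDS,
        'used'       => false,
    ];
    return $token; // goes into the emailed link and nowhere else
}

/** Verify a presented token: must exist, be unexpired, unused, and match in constant time. */
function verify_reset_token(array &$store, string $email, string $token, int $now): bool
{
    if (!isset($store[$email])) {
        return false;
    }
    $rec = $store[$email];
    if ($rec['used'] || $now > $rec['expires']) {
        return false;
    }
    // hash_equals avoids leaking match position through timing.
    if (!hash_equals($rec['token_hash'], hash('sha256', $token))) {
        return false;
    }
    $store[$email]['used'] = true; // burn the token on first successful use
    return true;
}

// Demonstration with constructed values.
$store = [];
$email = 'user@example.com';
$now   = time();
$token = issue_reset_token($store, $email, $now);

// The link the server would email; the token is the only secret in it.
$link = 'https://example.com/account/reset?email=' . rawurlencode($email) . '&token=' . $token;
echo "Reset link: $link\n";

// First use within the TTL: accepted.
var_dump(verify_reset_token($store, $email, $token, $now + 60));
// Same token again: rejected, it is single-use.
var_dump(verify_reset_token($store, $email, $token, $now + 120));
// Wrong token for the same account: rejected.
var_dump(verify_reset_token($store, $email, 'not-the-token', $now + 60));
// A fresh token presented after the TTL: rejected as expired.
$late = issue_reset_token($store, $email, $now);
var_dump(verify_reset_token($store, $email, $late, $now + RESET_TTL_SECONDS + 1));
```

Note on the suggested fix above: once rand() is mixed into the sign, the server can no longer recompute it and must persist the random value (or the resulting sign) to verify the link. At that point nothing is gained by hashing the timestamp and email at all; storing a full-strength random token as shown, with an expiry and single-use flag, is the simpler and stronger design.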