Reset any User Password

Reset any User Password

Password retrieval in the wooden ant user center-reset the User Password
The password reset link encryption method received by the mailbox is too simple. You can perform the on-chip connection to reset any user password.

I wanted to retrieve my password.
 

I found that there was a uid parameter, followed by a base64 value. Then I want to recharge the password of any user if I can simulate the base64 value.

Then the result of my base64_decode is: 13930 | 1453091166.

You can directly obtain valid information. Then, if I can know the next two values corresponding to the uid, I can.



13930 | 1453091166 resolution

The first parameter does not know what it represents. The second parameter is the timestamp.

Then I sent a second password to myself. The parsed value is:

13931 | 1453091236

The first parameter is added with 1. I think it is to retrieve the primary key id of the password table, because the uid already exists.

Then I sent the third letter to verify if it was correct.

13932 | 1453091296

Basically, it must be the primary key id of the password retrieval table.

In this case, if a user with uid 1 clicks "retrieve password ",

Simulate the link for retrieving the password with uid = 1
 

"http://u.mumayi.com/?a=resetpasswd&uid=1&id=MTM5NDV8MTQ1MzA5MjE4Mw==".base64_encode('13933|'.time())

This is the address.

So I click the uid on the Internet to retrieve the password. It takes me to find the Administrator email address.
 

There is a section "*", so I tested my own account.
 

The replacement of this model is dynamic, that is, I can know the real length of the email address here.

Then I select "Mailbox retrieval". If an error is entered, the system will prompt that the email address does not exist.
 

In this way, I can use the program to traverse, and traverse 3 digits is still very fast. I am too lazy to traverse the mailbox a *** [email protected] With uid = 1. It should be [email protected. The test shows that the email address is correct.



At this time, use uid for retrieval (I need to send a new email to myself because I need to know the incremental value of the base64 parameter)
 

The operation is successful.

Reset the password of a simulated url link:
 

"http://u.mumayi.com/?a=resetpasswd&uid=1&id=MTM5NDV8MTQ1MzA5MjE4Mw==".base64_encode('13933|'.time())

After obtaining the address, I found that the access failed. There is only one possibility. The second time parameter participates in the judgment,

I have to know the corresponding record time of the data, so I registered another account. (Two accounts a and B)

I used a to enter the email address to retrieve the password.

Then repeat the data [email protected] and retrieve the password in the mailbox.

Then enter B to retrieve the password.

Then, parse the base64 of account a and Account B to get the timestamp of both,

Timestamp B-timestamp of a = [email protected] operation timestamp range

Then traverse
 

//1-13944|1453092166 //2-13946|1453092195 for ($i=1453092166;$i<1453092195;$i++){$res = file_get_contents("http://u.mumayi.com/?a=resetpasswd&uid=1&id=".base64_encode('13945|'.$i));file_put_contents("mumayi.txt",$i."----".strlen($res)."\n",FILE_APPEND);}die;

Expected result
 

The timestamp is determined.

The uid, primary key id, and timestamp parameters all have links to reset the password.


 

The operation will not continue later.

Reset the user password with uid = 1
 

 

Parameter used to reset the password of a simulated chip connection
 

 

Solution:

1. Increase the encryption complexity.

2. Modify the email address encryption method.