Haier Group's password reset vulnerability details, non-violent cracking

The Haier Group's password reset vulnerability is still non-mainstream. No burp suite, no brute force, as long as a gentle blow, You can reset any user password.
Test environment: Attacker: xfkxfk victim: peterhang, admin. Here we will talk about our preparations. Because we need a user name to retrieve the password, the user name is a problem. However, Haier gave us the condition that when we can view our own message, there is an idnumber in the url. This is what we can change this idnumber to see any user's message. Haha, that's great, and there is a user name in these messages, which is not easy to do, all kinds of user names will be ready. , We get the user name of peterhang, And next we start to reset his password... ===== The first way to retrieve the password through the phone ===== 1, first log on to Haier's official website, login address: http://user.haier.com/ids/cn/haier_login.jsp? ReturnUrl = http://www.haier.com/cn/here, we click to forget the password 2. Enter the user name of peterhang: 3. Select the method for retrieval: 4. The verification code has been sent to the phone of peterhang. Enter the verification code to start verification. Here is the key. Generally, we want to start brute-force cracking of the verification code, and then click "verify now" on a single machine to start verification. But we do not have to perform brute-force cracking here. We can enter 6 numbers in the input box and press enter to jump to Step 3 to reset the password. Haha, this is too non-mainstream, bypass without verification... 5. The verification code is successfully bypassed, and a new password is set. 6. The new password is successfully set. 7. The new password is used for Logon. 8. Conclusion: The verification code is successfully bypassed. It is easy to crack the verification code through brute force attacks. First, there is no expiration limit after the verification code is sent to the mobile phone. The verification code is 6 digits. The strange problem is that I tried it for more than 10 times, all the verification codes are composed of the seven digits 0123456 and then combined into six digits, so that the cracking will not be faster. Do you mean easy ?! ===== The second method is to retrieve the password through the mailbox ===== 1. In the same way as to retrieve the password on the mobile phone, you can choose to retrieve the password through the mailbox. Here we use the admin account for testing.

2. Now the password reset link has been sent to the admin email address, which leaks the admin email address !!! The link to reset the password is like this: http://user.haier.com/ids/cn/forget_password_reset.jsp? Code = ******** the final change is the code parameter. This parameter has 6 digits encoded using base64, And I have tested it for more than 10 times, after decoding the value of the code parameter, it is also a 6-digit number consisting of seven digits: 0123456. Isn't it easy to get a password reset connection when writing a script like this ?!

 Solution:

1. If you press ENTER for any verification code, you will be able to bypass this and do not know how to set it. After analysis, I cannot figure it out, so I cannot. 2. The above two methods add a limit on the number of times, which is easy to say. 3. Also, add a permission restriction so that any user information can be viewed.