Happy buy mobile phone edition reproduction User Password Reset Vulnerability

1. It is the mobile phone version of haole buy. Go to the logon page of the mobile phone version haole buy account:
Http://www.okbuy.com/topic/show/521

Of course, we do not log on here, But click [forgot password ?] Button to enter the password reset process:

2. Registered users must use their mobile phones for verification before they can use their mobile phone numbers to retrieve their passwords.
Enter the account to be reset, that is, the verified mobile phone number. Because only the test vulnerability exists, only my own account is used here:

3. Click Submit. At this time, the text message verification code for resetting the password has been sent to my mobile phone number.

4. check that the SMS Code received by the mobile phone is [38330]. First, I enter any 5-digit pure-number SMS code 38331. Click Submit and the following error is returned. Remember to set the browser proxy at this time:

5. At the same time, the packet capture request is:
POST, member, getpwdok, HTTP, 1.1
Host: m.okbuy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv: 18.0) Gecko/20100101 Firefox/18.0
Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8
Accept-Language: zh-cn, zh; q = 0.8, en-us; q = 0.5, en; q = 0.3
Accept-Encoding: gzip, deflate
Referer: http://m.okbuy.com/member/getpwd? Mobile = 150 ********* & sid = ********* 21a761359213142 ~ Sjbjsy_1 & ref_1 = & ref_2 = & ref_3 = & httprefer = http://m.okbuy.com & ref_1 = & ref_2 = & ref_3 =
Cookie: OK _SES = 1358728501246_74201451; *********; obsid = *********** 7g83ncmfkdojc9c4
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 109

Username = 150 ******** & code = § 38331 § & pwd = ******* & sid = ********* 21a7613591_142% 7Esjbjsy_1 & ref_1 = & ref_2 = & ref_3 = & step = 1

The above parameter code = 38331 is the SMS code, and the parameter username = 150 ******** is the mobile phone number.
6. After writing so much, let's get started: Set the parameter code as the parameter to be cracked and start brute force speculation. Here, because it is a test I started from 37330:

 

7. Get the correct text message code by the number of bytes returned or the returned content:
When the SMS code is incorrect, the number of returned bytes is 5947, and when the SMS code is correct, the number of bytes is 529, which is obvious!

8. Use the cracked text message code to reset your account!

9. The password is successfully reset:

Solution:
1. Here, the brute-force cracking of the five pure text message codes, that is, the average number of 10 thousand requests, I used burpsuite to test a single machine with 100 threads, and reset any mobile phone account in less than five minutes! Dangerous

2. The text message code can be 5 pure numbers. You do not need to set the image verification code or even set the 10-minute validity period of the text message code. But why don't I lock the password reset request if the attempt fails several times in a row?