Impact:
1. The URL is not encrypted, so the real mobile phone number of any user can be read from it.
2. The URL can be used to reset the password of any mobile phone number.
3. After logging in, anyone's information on the real estate site, including the mobile phone number, can be changed. This information is very valuable.

Problem URL: http://j.esf.sina.com.cn/login/retrievepsd

Below I use the account 'admin' as an example. Following the steps as required, we can see that the middle four digits of the phone number are masked on the page, but the URL is not encrypted and shows the number directly.

Next, change the mobile phone number in the URL to your own mobile phone number (to receive the password-retrieval text message); we get the following page: OK.

Next, click "Get Verification Code" and receive the verification code on our phone. Once the code has been sent to the phone, enter it to modify the 'admin' password. We can see this in the figure.

I think everyone can see that this is already more than half done. Why not say it is only half done? Because we are not yet sure whether the 'admin' password was actually modified, so we change it to: wooyun (changing the password means setting it to whatever password you want; everyone knows this).

The password has been changed. Then we can try whether the modified 'admin' can log in (password: wooyun): OK. The following shows that the mobile phone number beginning with 186 is the same as that of admin.

Solution:
1. Encrypt the URL.
2. Prevent packet capture with Burp.
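The root cause described above is that the password-retrieval endpoint trusts a phone number supplied by the client in the URL, so the SMS code can be redirected to any number. Encrypting the URL or trying to block Burp does not remove that trust; the fix is to look the registered number up server-side from the account and never accept it as input. The following is an added example of such a flow, written for this report and not the site's own code; the user store, the simulated SMS outbox, the token format and the limits are all constructed assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample user store (hypothetical; not the real site's data).
USERS: Dict[str, Dict[str, str]] = {
    "admin": {"phone": "18600001234", "password": "old-password"},
}

OTP_TTL_SECONDS = 300      # assumed code lifetime
MAX_OTP_ATTEMPTS = 5       # assumed guess limit before the token is burned


@dataclass
class ResetSession:
    username: str
    phone: str             # copied from the user record, never from the request
    otp: str
    expires_at: float
    attempts: int = 0


# Server-side state keyed by an unguessable token; the client only ever sees the token.
RESET_SESSIONS: Dict[str, ResetSession] = {}

# Outbox standing in for the SMS gateway so the flow can be exercised offline.
SENT_SMS: List[Tuple[str, str]] = []


def mask_phone(phone: str) -> str:
    """Show only the first 3 and last 4 digits, e.g. 186****1234, for display."""
    return phone[:3] + "*" * (len(phone) - 7) + phone[-4:]


def start_reset(username: str) -> Optional[dict]:
    """Step 1: the client supplies only the username. The registered phone is
    looked up server-side; the response carries a random token and a masked
    number, so the full number never appears in any URL or page."""
    user = USERS.get(username)
    if user is None:
        # Returning None here reveals whether the account exists; a production
        # handler would return the same response either way.
        return None
    token = secrets.token_urlsafe(32)
    otp = f"{secrets.randbelow(10**6):06d}"
    RESET_SESSIONS[token] = ResetSession(
        username=username,
        phone=user["phone"],
        otp=otp,
        expires_at=time.time() + OTP_TTL_SECONDS,
    )
    SENT_SMS.append((user["phone"], f"Your verification code is {otp}"))
    return {"token": token, "phone_hint": mask_phone(user["phone"])}


def finish_reset(token: str, otp: str, new_password: str) -> bool:
    """Step 2: the client presents token + OTP. The phone number is not an
    input, so it cannot be swapped for a number the requester controls."""
    session = RESET_SESSIONS.get(token)
    if session is None or time.time() > session.expires_at:
        RESET_SESSIONS.pop(token, None)
        return False
    session.attempts += 1
    if session.attempts > MAX_OTP_ATTEMPTS:
        RESET_SESSIONS.pop(token, None)   # burn the token after too many guesses
        return False
    if not hmac.compare_digest(session.otp, otp):
        return False                      # wrong code; token stays valid until the limit
    USERS[session.username]["password"] = new_password
    RESET_SESSIONS.pop(token, None)       # single use
    return True


if __name__ == "__main__":
    # Walk through the flow once using the constructed data above.
    step1 = start_reset("admin")
    print("page shows:", step1["phone_hint"])
    code = SENT_SMS[-1][1].split()[-1]    # read the code from the simulated SMS
    print("reset ok:", finish_reset(step1["token"], code, "new-password"))
```

The two checks that matter are that `finish_reset` takes no phone number at all, and that the code is compared against a server-side session bound to the account rather than to whatever the request says. Rate limiting and single-use tokens close the remaining guessing path.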