1) Two friends sent me a question about the password reset logic design of mccaw, and I could not resist reading it. After registering a user and reaching the password reset function, I found that the password can be retrieved through either the user name or the email address.
2) Enter the user name and click "OK". Two methods are offered to retrieve the password: the registered email address (sent directly) and the bound mobile phone number (enter the registered number). Here we choose the email method.
3) Log on to the corresponding mailbox to check the password reset link sent by the system.
4) We find that the password reset link looks watertight: there is a reset key "p1" and the corresponding email account "p2". As WooYun white hats we do not believe in so-called watertight, so we use the password reset function again and capture the packets.
5) The analysis found that during the password reset process the system seemed to exchange some unknown data. What did that data do? I checked the password reset link received by the mailbox the second time and compared the two received password reset links: they are the same.
6) System interaction data intercepted by packet capture:
{"decrypt_email": "decrypt", "decrypt_custno": "1j8D5pO_g_2_w[part hidden]hpSvQ_g_3_g_3_", "___cache_expire___": "Mon Jan 14 2013 23:51:43 GMT+0800 (China Standard Time)"}
7) Password reset link received from the system:
http://www.m18.com/gmkt.inc/Member/ForgotMemberPwdSearch.aspx?P1=1j8D5pO_g_2_w[part hidden]hpSvQ_g_3_g_3_&p2=xxxxx@sina.com
8) Dear reader, tell me what you found? Yes, the "decrypt_custno" parameter in the intercepted packets is exactly our password reset key, and the password reset key of the same user remains unchanged.
9) Well, I won't tell you that the "p2" parameter in the password reset link is in fact meaningless: you can directly use the key to reset the password -_-|
10) Here we use the account of Jianxin (a girl's account) as an example to demonstrate it to everyone;
10.1) Go directly to the mail-sending link;
10.2) Click "send mail" and capture the packets. Haha, no mosaic here;
10.3) With the key, directly construct a link that resets Jianxin's account:
http://www.m18.com/gmkt.inc/Member/ForgotMemberPwdSearch.aspx?P1=T6W_g_2_vO0pyOBYOspiYmVW5w_g_3_g_3_
10.4) In this way Jianxin's account is taken over :)
11) Conclusion: as long as you know the user name (which is public), you can use the mailbox password reset function, capture the packets to obtain the password reset key of the corresponding account, and reset the password (no need to know the mailbox account); and since the key never changes, this amounts to long-term control of the user account!!!
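The three defects the report exposes (a reset key that is the same for a user every time, a key echoed to the browser in the AJAX response, and a p2 parameter that is never checked) map onto one check each in the following server-side design. This is an added example in Python, not code from m18.com or from the report; the in-memory stores, the example.invalid domain and the 15-minute lifetime are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-ins for the site's database and mail sender (assumptions).
USERS = {"alice": {"custno": "10001", "email": "alice@example.com"}}
RESET_TOKENS = {}   # sha256(token) -> {"custno", "email", "expires", "used"}
OUTBOX = []         # every mail the server "sends" is appended here
TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed policy)


def _token_hash(token: str) -> str:
    # Only a hash is stored: a database leak does not hand out live reset links.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username: str, now: float = None) -> dict:
    """Handle the 'send reset mail' request and return ONLY what the client may see."""
    now = now or time.time()
    user = USERS.get(username)
    if user is None:
        return {"status": "ok"}   # same answer either way: no account enumeration
    # One live token per account: any earlier link for this custno stops working.
    for th in [th for th, r in RESET_TOKENS.items() if r["custno"] == user["custno"]]:
        del RESET_TOKENS[th]
    token = secrets.token_urlsafe(32)   # fresh random value, not derived from custno
    RESET_TOKENS[_token_hash(token)] = {"custno": user["custno"], "email": user["email"],
                                        "expires": now + TOKEN_TTL, "used": False}
    link = f"https://example.invalid/reset?p1={token}&p2={user['email']}"
    OUTBOX.append({"to": user["email"], "link": link})   # token travels by mail only
    return {"status": "ok"}   # no decrypt_custno-style key in the HTTP response


def verify_reset(token: str, email: str, now: float = None) -> bool:
    """Accept a reset link only if p1 is live, unexpired, unused and bound to p2."""
    now = now or time.time()
    rec = RESET_TOKENS.get(_token_hash(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    if not hmac.compare_digest(rec["email"], email):
        return False          # p2 must be the account the token was issued for
    rec["used"] = True        # single use: the same link cannot be replayed later
    return True
```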