Bypassing the patch: resetting any email user's password in Moji Weather, again
0x0 Introduction
After a lot of feedback and back-and-forth about Moji Weather, Moji's operations team reported that the developers had finally fixed WooYun: Moji Weather Android client, part 2: a technique for changing the password of any email user.
Let's see whether it is actually fixed.
0x1 diff
In WooYun: Moji Weather Android client, part 2: a technique for changing the password of any email user, the password-retrieval link in step 1 was as follows:
http://ugc.moji001.com/mapi/ResetPasswordBefore?E268443E43D93DAB7EBEF303BBE9642F={{mail}}&07CC694B9B3FC636710FA08B6922C42B={{timestamp}}&lan=CH
{{mail}}: the email address whose password is to be changed, encoded as hex ASCII.
{{timestamp}}: the timestamp at which the client sent the password-retrieval request. It stays valid for several hours and is encoded as hex ASCII.
The current password-retrieval link looks like this:
http://ugc.moji001.com/sns/ResetPasswordBefore?E268443E43D93DAB7EBEF303BBE9642F={{mail}}&07CC694B9B3FC636710FA08B6922C42B={{timestamp}}&9941E268A0F6F8E2AA2898B5A522D23D={{??}}&lan=CH
Comparing the two roughly, there is one extra parameter, {{??}}. What is it?
Decoding {{??}} as hex ASCII gives: mail-timestamp-moji_china, that is, the mail, the timestamp and the string moji_china joined with "-" and then hex-encoded.
0x2 Trying to reset
**0x01 Directly replacing the mailbox in both places of the link to reset the password gives an error**
**0x02 Next guess: besides the mailbox, does the server also check that the timestamp is correct? Then we need to enumerate the timestamp.**
First, intercept the client's password-retrieval request. The link is as follows:
Then use Burp Intruder to send the password-retrieval request three times: the first for mailbox A, the second for mailbox B, and the third for mailbox A again. (Make sure the number of Intruder threads is 1, so that B's timestamp falls exactly between the two A timestamps.)
The emails are sent successfully. Log in to mailbox A and mailbox B and compare the timestamps (B's timestamp really does lie between the two A timestamps).
Timestamp:
**0x03 Since B's timestamp lies between the two A timestamps, take the first reset link of A, change the mailbox in it to B and mark the timestamp part as the Intruder variable, and check whether B's password-retrieval link can be enumerated (that is, whether B's password can be reset)**
Result: not a single link returned 200, so B's password could not be reset this way.
**0x04 Why did it fail? Capture the request behind the link in the mailbox, find the earlier request whose payload was 31343038333437303138313936 (B's timestamp), and send both to Burp Comparer for a look**
**0x05 The only difference is letter case. Change the Intruder payload to uppercase for all the key parameters in the request, as shown below**
Oh my, they all return 200. This shows that the password reset has almost nothing to do with the timestamp; testing showed that as long as the {mail-timestamp-moji_china} parameter is in uppercase, it goes through.
So to change user B's password, user A only needs to click "forgot password" in the client to obtain a password-reset link of the form
http://ugc.moji001.com/sns/ResetPasswordBefore?E268443E43D93DAB7EBEF303BBE9642F={{mail}}&07CC694B9B3FC636710FA08B6922C42B={{timestamp}}&9941E268A0F6F8E2AA2898B5A522D23D={{mail-timestamp-moji_china}}&lan=CH
and then replace the mail (in both places) in the link with mailbox B, hex-ASCII encoded and in uppercase.
Reset once more; I overestimated the Moji programmers' patch...
Solution:
I already explained it clearly in my email. In a word: switch to an irreversible encoding method.
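One way to implement that suggestion, as an added example that is not part of the original report or of Moji's code: the reversible token the report decoded, beside a one-way replacement that binds the token to the mailbox and timestamp with a server-side HMAC, is compared as bytes (so the letter case of the hex cannot change the outcome) and is only accepted inside a fixed window. The server key, the two-hour window and the function and parameter names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed key for this example; a real server loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_MS = 2 * 3600 * 1000  # assumed validity window of a reset link


def decode_hex_ascii(value: str) -> str:
    """Decode the hex-ASCII encoding the Moji links use, e.g. the report's
    payload 31343038333437303138313936 -> '1408347018196'."""
    return bytes.fromhex(value).decode("ascii")


def weak_token(mail: str, ts_ms: int) -> str:
    """The scheme the report describes: hex('mail-timestamp-moji_china').
    It is reversible and contains no secret, so it authenticates nothing."""
    return f"{mail}-{ts_ms}-moji_china".encode("ascii").hex().upper()


def make_reset_token(mail: str, ts_ms: int, key: bytes = SERVER_KEY) -> str:
    """One-way replacement: HMAC-SHA256 over a length-prefixed (mail, timestamp)
    pair. Without the server key nobody can produce a token for another mailbox."""
    mail_b = mail.encode("utf-8")
    msg = len(mail_b).to_bytes(2, "big") + mail_b + ts_ms.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_reset_token(mail: str, ts_ms: int, token: str, now_ms: int,
                       key: bytes = SERVER_KEY) -> bool:
    """Recompute the MAC and compare it as bytes, so hex letter case cannot
    affect the result, and enforce the validity window on the server clock."""
    if not 0 <= now_ms - ts_ms <= TOKEN_TTL_MS:
        return False
    try:
        presented = bytes.fromhex(token)  # accepts upper- or lower-case hex
    except ValueError:
        return False
    expected = bytes.fromhex(make_reset_token(mail, ts_ms, key))
    return hmac.compare_digest(presented, expected)
```

A token issued for mailbox A verifies only for A and only for the timestamp it was issued with; changing either, or presenting it after the window, is rejected regardless of how the hex is cased.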