Re-Reset any email password in moji weather by bypassing the patch

Source: Internet
Author: User


0x0 Background


After a lot of feedback and back-and-forth with Moji Weather, the Moji ops team reported that the developers had finally fixed WooYun: Moji Weather Android client series 2: a way to change the password of any email user.



Let's see whether it was actually fixed.



0x1 Diff

In WooYun: Moji Weather Android client series 2: changing the password of any email user, the password-retrieval request in step 1 was the following link:
 

http://ugc.moji001.com/mapi/ResetPasswordBefore?E268443E43D93DAB7EBEF303BBE9642F={{mail}}&07CC694B9B3FC636710FA08B6922C42B={{timestamp}}&lan=CH



{{mail}}: the email address whose password is to be changed, encoded as hex ASCII.

{{timestamp}}: the timestamp at which the client sent the password-retrieval request. It stays valid for several hours and is encoded as hex ASCII.



After the fix, the password-reset link is as follows:
 

http://ugc.moji001.com/sns/ResetPasswordBefore?E268443E43D93DAB7EBEF303BBE9642F={{mail}}&07CC694B9B3FC636710FA08B6922C42B={{timestamp}}&9941E268A0F6F8E2AA2898B5A522D23D={{??}}&lan=CH



Compared with the original, there is one extra parameter, {{??}}. What is it?

Decoding {{??}} shows that it is hex ASCII as well; the content is mail-timestamp-moji_china, that is, the mail, the timestamp and the string moji_china joined with "-" and then hex-encoded.



0x2 Trying to reset

0x01 Swapping the two email addresses in the link and trying to reset the password produced an error.
 



0x02 Next guess: besides the mailbox, does the server also check that the timestamp is correct? If so, the timestamp has to be enumerated.

First, take the client's captured password-retrieval request and trim it down. The link is as follows:
 



Then use Burp Intruder to send the password-retrieval request three times: the first for mailbox A, the second for mailbox B, and the third for mailbox A again. (Make sure Intruder runs with a single thread, so that B's timestamp falls exactly between the two A timestamps.)
 



The emails are sent successfully. Log into mailbox A and mailbox B and compare the timestamps (B's timestamp really does lie between the two A timestamps).
 



Timestamps:
 



0x03 Since B's timestamp lies between the two A timestamps, take the reset link from the first A email, change the mailbox in the link to B, mark the timestamp part as the Intruder variable, and check whether B's password-retrieval link can be hit by enumeration (that is, whether B's password can be reset).
 



Result: no request returned 200, so B's password could not be reset this way.
 



0x04 Why did it fail? Capture the request behind the link in the email, find the earlier request whose payload was 31343038333437303138313936 (B's timestamp), and send both to Burp Comparer for a look.
 



0x05 It comes down to case. Set all key parameters in the Intruder request to uppercase. See:
 





Good grief, every request returns 200. This shows that resetting a mailbox password is almost independent of the timestamp; testing found that as long as the {mail-timestamp-moji_china} parameter is in uppercase, it works.

To change user B's password, user A only needs to tap "forgot password" on the client to obtain a password-reset link:


http://ugc.moji001.com/sns/ResetPasswordBefore?E268443E43D93DAB7EBEF303BBE9642F={{mail}}&07cc694b9b3fc610910fa08b6922c42b={{timestamp}}&9941E268A0F6F8E2AA2898B5A522D23D={{mail-timestamp-moji_china}}&lan=CH

Then replace the mail (in both places) in the link with mailbox B, hex-ASCII encoded and in uppercase.



Quite a few twists and turns; I overestimated the Moji programmers' patch...

Solution:

I already explained it clearly in the email to you. In short: switch to an irreversible encoding.
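To illustrate that fix, here is an added example (not code from the report or from Moji): the verification the report implies, where the token is a reversible hex-ASCII encoding of values the requester already knows and is decoded before comparison, next to a keyed one-way token that is checked exactly and in constant time. SERVER_KEY, TTL_SECONDS and the token layout ts.HMAC are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

SUFFIX = "moji_china"               # constant string seen in the report's token
TTL_SECONDS = 2 * 60 * 60           # assumed validity window ("several hours")
SERVER_KEY = secrets.token_bytes(32)  # hypothetical; load from a secret store in practice


def weak_verify(mail: str, ts: int, token_hex: str) -> bool:
    """Check as the report implies: decode the hex-ASCII token, then compare the
    plaintext.  Decoding first makes upper- and lower-case hex equivalent, and
    every input to the token (mail, timestamp, suffix) is known to the requester."""
    try:
        decoded = bytes.fromhex(token_hex).decode()
    except ValueError:
        return False
    return decoded == f"{mail}-{ts}-{SUFFIX}"


def _mac(mail: str, ts: int) -> str:
    # Bind the token to the mailbox and issue time with a server-only key.
    return hmac.new(SERVER_KEY, f"{mail}\x00{ts}".encode(), hashlib.sha256).hexdigest()


def issue_token(mail: str, now: Optional[int] = None) -> str:
    """Keyed, one-way token: ts.HMAC(key, mail || ts).  Without SERVER_KEY no one
    can derive a valid token for another mailbox from a token of their own."""
    ts = int(time.time()) if now is None else now
    return f"{ts}.{_mac(mail, ts)}"


def verify_token(mail: str, token: str, now: Optional[int] = None) -> bool:
    """Recompute the MAC for this mailbox and compare exactly (no decoding, no
    case folding) in constant time; reject expired or malformed tokens."""
    try:
        ts_str, mac = token.split(".", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    if not mac.isascii():
        return False
    current = int(time.time()) if now is None else now
    if not 0 <= current - ts <= TTL_SECONDS:
        return False
    return hmac.compare_digest(mac, _mac(mail, ts))
```

A production version would additionally record issued tokens server-side so that each one is single-use.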
