Vanke "lives here" app: the password of any user can be reset.
Download the app from the official website: http://**.**/Feedback.aspx
Use 13888888888 as the test account.
Forgot password -> capture the request with Burp.
Account verification is performed at the beginning; first let it through.
Then we intercept the request that sends the SMS verification code and change the mobile phone number. In fact, the number does not need to be changed: the request parameter directly contains the verification code. If you want to read the verification code without the account owner knowing, you can change it.
Change Password
If mobile phone verification was not performed after login, the mobile phone number can be verified in the same way.
If the user has verified their owner information, all of it will be leaked.
In addition, users can be enumerated by mobile phone number, and the userid
Solution:
The number of users should be quite large.
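Added example (not part of the original report and not the vendor's code): a server-side reset flow that closes the flaw described above, where the code-sending request carried both the verification code and an editable phone number. ResetService, its method names, the 300-second lifetime and the 5-attempt limit are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300      # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 5    # wrong guesses before the code is discarded (assumed)

class ResetService:
    """Hypothetical server-side reset flow; all names are illustrative."""

    def __init__(self, accounts, send_sms, now=time.time):
        self.accounts = accounts  # userid -> phone number on record
        self.send_sms = send_sms  # callable(phone, text), SMS gateway stand-in
        self.now = now
        self.pending = {}         # userid -> [salt, digest, expires, attempts]

    @staticmethod
    def _digest(salt, code):
        return hmac.new(salt, str(code).encode(), hashlib.sha256).digest()

    def request_code(self, userid):
        """The client names only the account; phone and code stay server-side."""
        phone = self.accounts.get(userid)
        if phone is not None:
            code = f"{secrets.randbelow(10**6):06d}"
            salt = secrets.token_bytes(16)
            self.pending[userid] = [salt, self._digest(salt, code),
                                    self.now() + CODE_TTL, 0]
            self.send_sms(phone, f"Your reset code is {code}")
        # Identical reply for known and unknown accounts, and no code in it.
        return {"status": "sent_if_account_exists"}

    def verify_code(self, userid, code):
        """True only for an unexpired, unused code with attempts remaining."""
        entry = self.pending.get(userid)
        if entry is None:
            return False
        salt, digest, expires, attempts = entry
        if self.now() > expires or attempts >= MAX_ATTEMPTS:
            del self.pending[userid]
            return False
        if not hmac.compare_digest(digest, self._digest(salt, code)):
            entry[3] += 1
            return False
        del self.pending[userid]  # single use
        return True

if __name__ == "__main__":
    outbox = []  # constructed stand-in for the SMS gateway
    svc = ResetService({"u1": "13888888888"}, lambda p, t: outbox.append((p, t)))
    print(svc.request_code("u1"), svc.verify_code("u1", outbox[0][1][-6:]))
```

The password change itself should run only after verify_code returns True, in the same server-side session, so the client never asserts that verification succeeded.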