Yilong loan User Password Change Vulnerability (logical vulnerability not cracked)
On the official website of Yilong loan, there is a random user password change vulnerability when retrieving the password.
Step 1: retrieve the password, click "Send verification code", enter the Incorrect verification code, and capture the packet:
Write down the error return code.
Part 2: enter the correct verification code and capture the packet:
Step 3: enter the correct verification code, enter the new password, and capture the packet:
Part 4: I have a customer service hotline at 13601303959 on your website. It's about him. Repeat the first step, capture the wrong package: return the wrong package, change it to the correct package, and then send it again (this step must be noted that you must manually click to send the verification code. Otherwise, the Verification Code cannot be generated in the background, and errors will occur.) -- "enter the edit password page, enter our password, GO, and continue to capture packets.
Step 5: return the correct packet. If an error is returned, copy the intercepted packet in step 3 and send it again.
Finally:
This is your customer service user interface. Click.
Solution:
We recommend that you change the verification code in the last step. At the same time, it is handed over to the background for processing.
The front-end verification is not reliable!