Improper design allows the password of any user to be reset.
First, I registered an account to test the product. What I never expected was that the design of the website was full of holes. Let's go through the problems one at a time!
0x1: In the account I registered, when the user changes the password or binds a mobile number or email address, the first step asks for the old password. But this first verification step is only nominal: entering the old password is a sham check!
I had already bound everything here, including the mobile number and email address. You can see that mobile phone verification is required, but you can open the step-2 URL directly and change the password!
Binding a mobile number or email address for the first time also requires old-password verification. The bypass is the same as above: you can go straight to the binding URL!
0x2: Some functions on the site are unimplemented. For example, if you bind an email address, that address receives a link for changing the password, but the link is invalid and the password cannot be changed. These are minor issues; the key point is that the forgot-password function can be used to modify the mobile number and email address bound to the original account, and so reset any user's password!
http://user.mmbao.com/findPassword.html
Let's use admin for testing!
You can see that admin has not set up any binding method and is told to contact customer service. But here we can bind any mobile number or email address; since the mailbox function does not work, just bind a mobile number and change the password!
Intercept the request with Burp Suite. We can see that the memberphone and memberemail values are empty. Put the mobile number to be bound into memberphone; here I used my own!
Now you can see the page for sending the verification code!
Send the verification code. After entering the verification code, you can go to the password modification page!
Password Changed to: wooyun123
0x3: Modifying the email address and mobile number bound to a user! Use the test account douba!
You can see that the initial mailbox is set to 3 *** [email protected]. Now intercept the submitted data and modify the value of membermail!
Changed it to 9 * [email protected]. Let's check the result!
At this point the modified mailbox receives a link; click the link to bind the new mailbox!
But clicking the link does not show the password reset page; instead, the link is reported as invalid!
Now let's repeat the above process to see whether the binding succeeded!
OK. The test is successful!
Solution:
Rebuild the password modification framework.
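As an added illustration of what a rebuilt flow needs to enforce (example code written for this page, not the site's own code; the in-memory stores and the account names are constructed), each step checks server-side state issued by the previous step, and the forgot-password flow takes the destination for the verification code only from the stored binding, ignoring any memberphone/memberemail fields sent by the client:

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    name: str
    password: str              # plaintext only for this constructed demo
    phone: Optional[str] = None
    email: Optional[str] = None

# Constructed in-memory stores; a real deployment uses a database and a session store.
USERS = {"admin": User("admin", "old-secret"),
         "douba": User("douba", "pw", phone="13800000000")}
FLOWS: dict = {}               # flow token -> {"user": name, "verified": bool}

def start_change(username: str, old_password: str) -> Optional[str]:
    """Step 1: the old-password check is enforced here, on the server, not just in the UI."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user.password, old_password):
        return None
    token = secrets.token_urlsafe(32)
    FLOWS[token] = {"user": username, "verified": True}
    return token

def change_password(token: str, new_password: str) -> bool:
    """Step 2: opening this URL directly does nothing without a token issued by step 1."""
    flow = FLOWS.pop(token, None)   # single use: a token cannot be replayed
    if flow is None or not flow["verified"]:
        return False
    USERS[flow["user"]].password = new_password
    return True

def find_password_target(username: str, form: dict) -> Optional[str]:
    """Forgot-password flow: the code goes only to the binding already stored for the account.
    The client-supplied form (memberphone/memberemail) is deliberately ignored, so a request
    cannot attach a new number to an account that has none (the admin case above)."""
    user = USERS.get(username)
    if user is None:
        return None
    return user.phone or user.email   # None means: ask the user to contact customer service
```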