Among logic vulnerabilities, arbitrary user password reset is the most common. It can appear on the new-user registration page, on the change-password page after login, or on the password recovery page used when a user forgets the password; of these, the password recovery function is hit hardest. I have analyzed the causes of the vulnerabilities in cases encountered during day-to-day penetration testing. This post focuses on arbitrary password reset caused by leakage of the reset credential.
Case number one
When the password is recovered by email, the verification code that serves as the reset credential is included in the HTTP response to the client, so it can be read straight out of a captured packet. First, walk through the recovery flow with the attacker's own account. The test account is email@example.com, and recovery is done by email address:
Click to request the check code and capture the following response:
The VFCode field looks like the check code. Log in to the mailbox and look at the recovery email the site sent:
The two values are identical, which all but confirms that the server leaks the recovery verification code to the client, and that any account's password can therefore be reset.
Next, try recovering the password of an ordinary account. As soon as an email address is entered on the recovery page, the system checks whether that address is registered:
Mark the UName parameter as the enumeration position and use a dictionary of common QQ mailboxes; several valid addresses turn up:
Taking firstname.lastname@example.org as an example, read the check code from the response packet, reset its password to PenTest1024, and confirm that the new password logs in:
Now try the administrator accounts. The site's domain registration record lists the contact's email as email@example.com, from which it can be inferred that back-end users' addresses end in @xxxx.cn. Prepending common back-end user names to that suffix yields a dictionary of back-end mailboxes, and enumerating with it finds a large number of back-end users:
These back-end users' passwords can be reset the same way; to avoid affecting the business, this was not actually carried out.
Case number two
When the password is recovered by email, the reset link containing the credential is leaked to the client and can be obtained from a captured response. Walk through the recovery flow once with the attacker's own account: enter the account name and email (yangyangwithgnu, firstname.lastname@example.org) on the recovery page and submit:
Intercept the following response:
This is clearly a redirect. The two parameters isVerify and PassPhrase are suspicious and worth watching in the interactions that follow. Let the packet through for now, proceed to the page that sends the reset email, enter the verification code and submit. Then log in to the attacker's mailbox to view the reset email:
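Both cases come down to the same server-side mistake: the credential that is supposed to prove control of the mailbox (the VFCode in case one, the PassPhrase in the redirect in case two) is also written into the HTTP response. The following is an added example, not code from either of the sites in the post, showing the leaky request handler beside a hardened one and a regression check that fails whenever anything delivered to the mailbox reappears in a response, body or headers. The user table, token store and mail outbox are constructed in-memory stand-ins; the hardened handler also answers identically for registered and unregistered addresses, which removes the mailbox enumeration step from case one.

```python
"""Password-reset credential handling: the leaky pattern beside a hardened one.

Constructed example for illustration. USERS, RESET_TOKENS and OUTBOX stand in
for a database and a mail transport so the module runs offline.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60          # reset credentials should be short-lived


def _hash_password(password: str, salt: Optional[bytes] = None):
    """PBKDF2 with a random salt; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# Constructed in-memory stand-ins for persistent storage and mail delivery.
_salt, _digest = _hash_password("old-password")
USERS = {"alice@example.com": {"pw_salt": _salt, "pw_hash": _digest}}
RESET_TOKENS = {}   # email -> (sha256 hex of token, unix expiry)
OUTBOX = []         # (recipient, secret) pairs "delivered" by email


def vulnerable_request_reset(email: str) -> dict:
    """The pattern from case one: the check code is generated, mailed, and also
    copied into the HTTP response body, so anyone who can read the response can
    finish the reset without ever seeing the mailbox. The distinct error
    message for unknown addresses is the enumeration oracle from the post."""
    if email not in USERS:
        return {"status": "fail", "msg": "mailbox not registered"}
    code = f"{secrets.randbelow(1_000_000):06d}"
    RESET_TOKENS[email] = (hashlib.sha256(code.encode()).hexdigest(),
                           time.time() + TOKEN_TTL_SECONDS)
    OUTBOX.append((email, code))
    return {"status": "ok", "VFCode": code}          # <- the leak


def hardened_request_reset(email: str, now: Optional[float] = None) -> dict:
    """Hardened version: the credential leaves the server only through the mail
    transport, only its hash is stored, and the response is identical for
    registered and unregistered addresses."""
    now = time.time() if now is None else now
    if email in USERS:
        token = secrets.token_urlsafe(32)            # 256 bits, unguessable
        RESET_TOKENS[email] = (hashlib.sha256(token.encode()).hexdigest(),
                               now + TOKEN_TTL_SECONDS)
        OUTBOX.append((email, token))
    return {"status": "ok",
            "msg": "If that address is registered, a reset message has been sent."}


def hardened_confirm_reset(email: str, token: str, new_password: str,
                           now: Optional[float] = None) -> bool:
    """Validate the mailed token: present, unexpired, constant-time match, single use."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(email)
    if record is None:
        return False
    stored_digest, expiry = record
    if now > expiry:
        RESET_TOKENS.pop(email, None)
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(stored_digest, presented):
        return False
    RESET_TOKENS.pop(email, None)                    # burn the token after one use
    salt, digest = _hash_password(new_password)
    USERS[email] = {"pw_salt": salt, "pw_hash": digest}
    return True


def response_leaks_delivered_secret(response: dict, email: str) -> bool:
    """Regression check for a test suite: does anything sent to this mailbox
    (a code, a token, or a link carrying it) appear anywhere in the response?
    Serialising the whole response, headers included, also catches a secret
    smuggled into a redirect Location header, as in case two."""
    blob = json.dumps(response, default=str)
    return any(secret in blob for recipient, secret in OUTBOX if recipient == email)


if __name__ == "__main__":
    leaky = vulnerable_request_reset("alice@example.com")
    print("leaky handler exposes the mailed code:",
          response_leaks_delivered_secret(leaky, "alice@example.com"))
    safe = hardened_request_reset("alice@example.com")
    print("hardened handler exposes it:",
          response_leaks_delivered_secret(safe, "alice@example.com"))
```

The check in `response_leaks_delivered_secret` is the one worth wiring into integration tests: run every reset-flow request through it with a captured mail outbox, and a regression that copies the code or link back into JSON, HTML, or a redirect header fails the build instead of surfacing in a pentest report.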