Any user password reset (5): reset credentials can be brute-forced

Password recovery has to establish that the requester is the legitimate owner of the account. There are usually two methods: the site sends a reset verification code to the user's bound mailbox or mobile number and the user proves possession by entering it, or the user answers a secret security question. In both cases the verification code or the secret answer is the critical credential for resetting the password. Some sites generate four-digit reset codes, which offer very little complexity: [0000, 9999] is only 10,000 combinations, and with today's computing power and network bandwidth, tools can enumerate the whole space in three to five minutes. If the server sets no validity period on the code and does not restrict high-frequency access, it is extremely easy to break.

Case one

On the password recovery page http://www.xxxx.com/find-pw.html, I used the attacker account 13908081024 to walk through the password recovery flow: enter the image captcha, choose recovery by mobile phone, and obtain the SMS verification code. The SMS verification code turned out to be 4 digits, and the SMS content gave no validity period, so the code can be brute-forced to carry out the rest of the reset flow.

Take the ordinary mobile number 13908093346, obtained through the account enumeration vulnerability, as an example: enter the password retrieval flow and submit the SMS verification code:

Here 1234 is a wrong SMS verification code that I entered at random; the code parameter is what has to be brute-forced to find the correct one.

Specifically, I marked the code parameter value in the request as the enumeration variable, used [0000, 9999] as the dictionary, and ran the brute force with 32 threads:

The SMS verification code was quickly brute-forced: 6909.

After submitting the SMS verification code, the new-password page loads normally. I reset the password to PenTest1024 and submitted, and the server returned "modified successfully":

Logging in with 13908093346/PenTest1024 succeeds:

Case two

On the password retrieval page http://xx.xxxx.com/xxxx/findpassword, I used the attacker account 13908081024 to walk through the whole password retrieval flow: enter the image captcha, choose retrieval by mobile phone, and obtain the SMS verification code. The SMS verification code turned out to be 4 digits, and the SMS content gave no validity period, so the code can be brute-forced to carry out the rest of the reset flow.

Take the ordinary mobile number 15012804897, obtained through username enumeration, as an example: enter the password retrieval flow and submit the SMS verification code:

Here 1234 is a wrong SMS verification code that I entered at random; the auto parameter is what has to be brute-forced to find the correct one:

The SMS verification code was quickly brute-forced: 9997. After entering it, the new-password page loads; I reset the password to PenTest1024 and submitted:

Logging in with 15012804897/PenTest1024 succeeds:

Hardening measures

Increase the strength of the password reset credential: six digits is recommended, with a validity period of ten minutes, and the verification code should be invalidated immediately once it has been verified. In addition, the server should throttle abusive request patterns such as enumeration.
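The following is an added example, not code from the article or from either of the sites it describes, showing what a server-side reset-code check that follows these recommendations looks like: a six-digit code generated from a cryptographic random source, a ten-minute validity window, single use after a successful check, a per-account attempt budget that burns the code once exceeded, and a constant-time comparison. The `ResetCodeService` class, the account keys, the `MAX_ATTEMPTS` value of 5 and the injectable clock are all assumptions made for the example; a real deployment would keep the store in a shared backend and also throttle by source IP.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # 1,000,000 combinations instead of the 10,000 of a 4-digit code
CODE_TTL_SECONDS = 600   # ten-minute validity, as recommended above
MAX_ATTEMPTS = 5         # assumed attempt budget before the code is burned


@dataclass
class ResetChallenge:
    """One outstanding reset code for one account (hypothetical store record)."""
    code: str
    issued_at: float
    attempts: int = 0


class ResetCodeService:
    """Hypothetical in-memory store of outstanding reset codes, keyed by account.

    The clock is injectable so that expiry can be exercised in tests.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._challenges: dict[str, ResetChallenge] = {}

    def issue(self, account: str) -> str:
        # secrets is CSPRNG-backed; zero-padding keeps leading zeros such as 004219.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # Re-issuing replaces any earlier code, so only one code is ever live per account.
        self._challenges[account] = ResetChallenge(code=code, issued_at=self._clock())
        return code  # in a real system this goes to the SMS gateway, not back to the client

    def verify(self, account: str, submitted: str) -> tuple[bool, str]:
        """Returns (accepted, reason). Any terminal outcome removes the code."""
        ch = self._challenges.get(account)
        if ch is None:
            return False, "no-active-code"
        if self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            del self._challenges[account]
            return False, "expired"
        ch.attempts += 1
        # Constant-time compare on bytes; mismatched lengths simply compare unequal.
        if hmac.compare_digest(ch.code.encode(), submitted.encode()):
            del self._challenges[account]  # single use: gone immediately after success
            return True, "ok"
        if ch.attempts >= MAX_ATTEMPTS:
            del self._challenges[account]  # budget exhausted: the code is burned
            return False, "locked"
        return False, "wrong"


def sweep_until_stopped(service: ResetCodeService, account: str, guesses) -> list[str]:
    """Replays a sequence of guesses and records the reason returned for each one,
    stopping at the first terminal outcome. Used here to show that a sequential sweep
    like the one in the cases above is cut off after MAX_ATTEMPTS guesses."""
    outcomes = []
    for guess in guesses:
        accepted, reason = service.verify(account, guess)
        outcomes.append(reason)
        if accepted or reason != "wrong":
            break
    return outcomes


if __name__ == "__main__":
    svc = ResetCodeService()
    account = "example-account"          # constructed account key
    real_code = svc.issue(account)
    # Sweep 000000..000099: with 5 attempts allowed the sweep is stopped at guess 5.
    print(sweep_until_stopped(svc, account, (f"{i:06d}" for i in range(100))))
    # A fresh code, entered correctly, is accepted exactly once.
    real_code = svc.issue(account)
    print(svc.verify(account, real_code), svc.verify(account, real_code))
```

Two points worth noting about the design: every failure path that ends the challenge deletes it, so the attempt counter cannot be reset by simply waiting, and a successful check deletes it as well, so the same code cannot be replayed to reset the password a second time.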
