Any user password reset (6): There are status parameters in the response that affect the subsequent logic


The password retrieval process generally consists of three steps: obtaining the SMS verification code, verifying that the SMS verification code is valid, and setting a new password. In the second step, the result of the verification should be recorded on the server. Some websites do not record it on the server; instead they incorrectly send the result as a status value to the client and rely on front-end JavaScript to decide whether the user may proceed to the third step. In that case, changing the status value in the response packet is enough to reset other users' passwords.

Case one

On the password retrieval page http://www.xx.cn/yy/action/forgot, use the attacker's own mobile phone number 13908081024 to go through the entire password retrieval process: request the SMS verification code 033128, enter the image verification code, enter the SMS verification code and submit:

After the server-side verification passes, the system responds as follows:

A simple analysis shows that the server did not set any cookie on the client when the verification passed, so I suspect the server did not record the verification status at all. Whether the user reaches the "set new password" page is decided entirely by front-end JavaScript based on the response status. Without knowing the SMS verification code, changing the verification status the server sends to the client from "Failed" to "Success" is therefore enough to reset the account password.

Specifically, take the customer service mobile phone number 13980808888 found during information gathering as an example. Enter the phone number, request the SMS verification code, enter the image verification code, enter the wrong SMS verification code 123123 and submit:

Because the SMS verification code is wrong, the server-side verification necessarily fails, and the system responds as follows:

Intercept the response and replace it with the successful response packet captured earlier:

Forward the modified response to the client, and the new password setting page loads without any further check:

Enter the new password PenTest1024 and submit it; the page reports that the password has been changed successfully:

Log in with 13980808888/PenTest1024; the login succeeds.

Case two

On the password retrieval page http://www.xx.cn/yy/forgot, use the attacker's own mobile phone number 13908081024 to go through the entire password retrieval process: request the SMS verification code 2118, enter the SMS verification code and submit:

After the server-side verification passes, the system responds as follows:

A simple analysis shows that, again, the server did not set any cookie on the client when the verification passed, so changing the verification status code the server sends to the client to "0000" is enough to reset other users' passwords.

Specifically, take the mobile phone number 13888888888 as an example. Enter the phone number, request the SMS verification code, enter the wrong SMS verification code 1234 and submit. Because the SMS verification code is wrong, the server-side verification fails and the response is as follows:

Intercept the response, replace it with the successful response packet captured earlier, and forward it to the client; the new password setting page loads without any further check:

Enter the new password PenTest1024 and submit it; the page reports that the password has been changed successfully. Log in with 13888888888/PenTest1024; the login succeeds:

Reinforcement measures

After verifying the SMS verification code, the server must record the verification result in server-side state tied to the user's session cookie (or an equivalent server-issued, single-use token bound to the account), and the "set new password" step must check that server-side state rather than a status parameter that the front end received from the previous response. In addition, the server should rate-limit and lock out repeated verification attempts so that codes cannot be enumerated.
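As an added illustration of the measures above (example code, not from the original post or the affected sites), the following Python sketch models the three-step flow so that step 3 trusts only a server-side, single-use reset token bound to the phone number; the in-memory stores, TTLs and attempt limit are constructed for the example.

```python
import hmac
import secrets
import time

# Constructed in-memory stores standing in for a database or cache.
OTP_STORE = {}      # phone -> {"code": str, "expires": float, "attempts": int}
RESET_TOKENS = {}   # token -> {"phone": str, "expires": float}
PASSWORDS = {}      # phone -> stored password (stand-in for the user table)

OTP_TTL = 300        # seconds an SMS code stays valid (assumed)
TOKEN_TTL = 600      # seconds a reset token stays valid (assumed)
MAX_ATTEMPTS = 5     # wrong codes allowed before the code is locked (assumed)


def step1_send_code(phone, now=None):
    """Step 1: generate a 6-digit code and record it server-side."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    OTP_STORE[phone] = {"code": code, "expires": now + OTP_TTL, "attempts": 0}
    return code  # delivered via SMS in reality, never in the HTTP response


def step2_verify_code(phone, code, now=None):
    """Step 2: verify the code. The RESULT is stored server-side as a one-time
    reset token bound to the phone; the client receives only the opaque token,
    not a status flag it could flip in the response."""
    now = time.time() if now is None else now
    entry = OTP_STORE.get(phone)
    if entry is None or now > entry["expires"]:
        return {"status": "failed", "reason": "expired"}
    if entry["attempts"] >= MAX_ATTEMPTS:
        return {"status": "failed", "reason": "locked"}
    entry["attempts"] += 1              # counts towards enumeration lockout
    if not hmac.compare_digest(entry["code"], code):
        return {"status": "failed", "reason": "wrong_code"}
    del OTP_STORE[phone]                # the SMS code is single-use
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = {"phone": phone, "expires": now + TOKEN_TTL}
    return {"status": "success", "reset_token": token}


def step3_set_password(phone, reset_token, new_password, now=None):
    """Step 3: accept the new password only if a live server-side token exists
    for THIS phone. Anything the client claims about step 2 is ignored."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.pop(reset_token, None)   # consume: tokens are single-use
    if rec is None or now > rec["expires"] or rec["phone"] != phone:
        return False
    PASSWORDS[phone] = new_password
    return True
```

With this layout, tampering with the step 2 response yields no usable token, and a token earned with the attacker's own number is rejected for any other phone because of the binding check in step 3.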
