Password retrieval (reset) generally has three steps: obtaining the SMS verification code, checking whether the submitted SMS verification code is valid, and setting a new password. The outcome of the second step should be recorded on the server. Some sites do not record it there; instead they send the result to the client as a status value and rely on the front-end JavaScript to decide whether the user may proceed to the third step. Changing that status value in the response packet is then enough to reset other users' passwords.
Case 1
On the password retrieval page http://www.xx.cn/yy/action/forgot, use the attacker's own mobile number 13908081024 to go through the whole flow: request the SMS verification code (033128), enter the image captcha, enter the SMS verification code and submit:
After the server-side verification passes, the system responds as follows:
A quick look at the response shows that the server did not set a cookie on the client when verification passed, which suggests that the server did not record the verification state at all. The absence of a Set-Cookie header is only a hint, not proof, so the next steps confirm it. Whether the set-new-password page is shown is decided entirely by the front-end JS from the status in the response. Without knowing the SMS verification code, changing the status the server returns from “Failed” to “Success” is therefore enough to reset the account's password.
Concretely, take the customer-service number 13980808888 found during information gathering. Enter that number, request the SMS verification code, enter the image captcha, enter a deliberately wrong SMS verification code 123123 and submit:
Because the SMS verification code is wrong, verification necessarily fails, and the system responds as follows:
Intercept this response in the proxy and replace it with the successful response packet captured earlier:
Forward it to the client, and the browser moves on to the new-password page without complaint:
Enter the new password PenTest1024 and submit; the page reports that the password has been changed successfully:
Log in with 13980808888/PenTest1024: the login succeeds.
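The following simulation reproduces the flaw and the replay shown above, and contrasts it with a reset flow that keeps the verification state on the server. It is an added example, not code from the original write-up or from the affected site. The phone numbers, the wrong code 123123 and the password PenTest1024 are taken from the case; the class and function names, the one-time reset token, its five-minute lifetime and the `proxy` hook that stands in for an intercepting proxy are assumptions made for this example.

```python
"""Three-step SMS password reset: vulnerable vs. hardened server.
Added example; not the site's code. Token format, TTL and names are assumed."""
import hmac
import secrets
import time

ATTACKER = "13908081024"  # number the attacker controls (from the write-up)
VICTIM = "13980808888"    # customer-service number (from the write-up)


class VulnerableResetServer:
    """Step 2 only tells the client whether the code matched. Nothing is
    recorded server side, so step 3 accepts any caller."""

    def __init__(self):
        self.passwords = {}
        self.sms_codes = {}

    def send_sms(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.sms_codes[phone] = code
        return code  # delivered to the handset; only its owner sees it

    def verify_code(self, phone, code):
        expected = self.sms_codes.get(phone)
        ok = expected is not None and hmac.compare_digest(expected, code)
        return {"status": "Success" if ok else "Failed"}

    def set_password(self, phone, new_password, reset_token=None):
        self.passwords[phone] = new_password  # no check that step 2 passed
        return {"status": "Success"}


class HardenedResetServer(VulnerableResetServer):
    """Step 2 stores a single-use reset token bound to the phone number;
    step 3 is refused unless that token is presented for the same number."""

    TOKEN_TTL = 300  # seconds (assumed value)

    def __init__(self):
        super().__init__()
        self.reset_tokens = {}  # token -> (phone, expiry)

    def verify_code(self, phone, code):
        expected = self.sms_codes.get(phone)
        if expected is None or not hmac.compare_digest(expected, code):
            return {"status": "Failed"}  # attempt limiting omitted here
        del self.sms_codes[phone]  # each SMS code is usable once
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (phone, time.time() + self.TOKEN_TTL)
        return {"status": "Success", "reset_token": token}

    def set_password(self, phone, new_password, reset_token=None):
        entry = self.reset_tokens.pop(reset_token, None)  # single use
        if entry is None:
            return {"status": "Failed"}
        bound_phone, expiry = entry
        if bound_phone != phone or time.time() > expiry:
            return {"status": "Failed"}
        self.passwords[phone] = new_password
        return {"status": "Success"}


def browser_reset(server, phone, code, new_password, proxy=None):
    """Model of the front-end JS: go to step 3 only if the step-2 response,
    as seen through an optional intercepting proxy, says Success."""
    resp = server.verify_code(phone, code)
    if proxy is not None:
        resp = proxy(resp)  # what a proxy can do to the response packet
    if resp.get("status") != "Success":
        return False
    result = server.set_password(phone, new_password, resp.get("reset_token"))
    return result["status"] == "Success"


def replay_attack(server_cls):
    """Reproduce the case: capture a genuine Success response for the
    attacker's own number, then swap it in for the victim's Failed one.
    Returns True if the victim's password was changed."""
    srv = server_cls()
    srv.passwords[VICTIM] = "original-secret"
    my_code = srv.send_sms(ATTACKER)            # attacker sees this code
    captured = srv.verify_code(ATTACKER, my_code)
    srv.send_sms(VICTIM)                        # attacker never sees this one
    browser_reset(srv, VICTIM, "123123", "PenTest1024",
                  proxy=lambda resp: captured)  # replace Failed with captured
    return srv.passwords[VICTIM] == "PenTest1024"


def legitimate_reset(server_cls):
    """The real owner of the number, who sees the SMS, resets normally."""
    srv = server_cls()
    code = srv.send_sms(VICTIM)
    ok = browser_reset(srv, VICTIM, code, "PenTest1024")
    return ok and srv.passwords[VICTIM] == "PenTest1024"
```

Against the vulnerable server the replayed response works exactly as in the case; against the hardened one the captured response carries a token bound to 13908081024, so step 3 for 13980808888 is refused, while the normal flow still succeeds. The point is that the only evidence of step 2 the server should trust is state it holds itself (here a token it issued, bound to the number and consumed on use), never a status value that has passed through the client.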