Any user password reset (6): There are status parameters in the response that affect the subsequent logic


The password retrieval process generally has three steps: obtaining the SMS verification code, verifying whether the SMS verification code is valid, and setting a new password. The result of the second step, whether the SMS verification code was valid, should be saved on the server. Some websites do not save it on the server but incorrectly send the result status value to the client, and then rely on the front-end JS to decide whether the user may enter the third step. Changing the status value in the response packet then makes it possible to reset other users' passwords.

Case one

On the password retrieval page http://www.xx.cn/yy/action/forgot, use the attacker's mobile phone number 13908081024 to go through the whole password retrieval process: get the SMS verification code 033128, enter the image verification code, enter the SMS verification code and submit:

After the server's verification passes, the system responds as follows:

A quick analysis shows that the server did not set a cookie on the client when verification passed, so I guess the server did not record the verification status at all. Whether the user enters the new-password page is decided entirely by the front-end JS from the response status. Without the SMS verification code, changing the verification status the server sends to the client from "Failed" to "Success" is enough to reset and retrieve the account password.
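
The flaw described in the introduction and in the analysis above, where the JSON status returned after step 2 is the only record that verification happened, and its fix, recording the verified state on the server, as an added example (not code from the original post or from the site it describes). It contrasts a minimal vulnerable reset service with a hardened one that issues a single-use reset token bound to the phone number, so that a client that has rewritten "Failed" to "Success" still cannot reach step 3. The class and function names, the in-memory stores and the lifetimes are assumptions for illustration; the phone numbers and the password PenTest1024 are the values from the write-up.

```python
import hmac
import secrets
import time

# Constructed in-memory stores; a real deployment would keep these in a
# database or cache. Lifetimes are illustrative assumptions.
CODE_TTL = 300    # seconds an SMS code stays valid
TOKEN_TTL = 600   # seconds a server-issued reset token stays valid


def _sms_code():
    """Six-digit code, as the write-up's 033128 suggests the site uses."""
    return f"{secrets.randbelow(10**6):06d}"


class VulnerableReset:
    """Pattern from the write-up: the verification result only travels to the
    client as a status value; the set-password step trusts whoever calls it."""

    def __init__(self):
        self.codes = {}      # phone -> (code, expiry)
        self.passwords = {}  # phone -> password

    def request_code(self, phone):
        code = _sms_code()
        self.codes[phone] = (code, time.time() + CODE_TTL)
        return code  # in reality delivered by SMS, not returned to the caller

    def verify_code(self, phone, code):
        stored = self.codes.get(phone)
        ok = (stored is not None and time.time() < stored[1]
              and hmac.compare_digest(stored[0], code))
        # Nothing is recorded server-side: the JSON status is the only "state",
        # and the front-end JS decides from it whether to show step 3.
        return {"status": "Success" if ok else "Failed"}

    def set_password(self, phone, new_password):
        # No check that step 2 ever succeeded for this phone.
        self.passwords[phone] = new_password
        return {"status": "Success"}


class HardenedReset:
    """Verified state lives on the server as a single-use token bound to the
    phone number; what the client believes the status to be is irrelevant."""

    def __init__(self):
        self.codes = {}      # phone -> (code, expiry)
        self.tokens = {}     # reset_token -> (phone, expiry)
        self.passwords = {}  # phone -> password

    def request_code(self, phone):
        code = _sms_code()
        self.codes[phone] = (code, time.time() + CODE_TTL)
        return code

    def verify_code(self, phone, code):
        # One attempt per code: a wrong guess forces a fresh code to be sent.
        stored = self.codes.pop(phone, None)
        ok = (stored is not None and time.time() < stored[1]
              and hmac.compare_digest(stored[0], code))
        if not ok:
            return {"status": "Failed"}
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (phone, time.time() + TOKEN_TTL)
        return {"status": "Success", "reset_token": token}

    def set_password(self, phone, new_password, reset_token):
        entry = self.tokens.get(reset_token)
        if entry is None or entry[0] != phone or time.time() > entry[1]:
            return {"status": "Failed"}
        del self.tokens[reset_token]  # single use
        self.passwords[phone] = new_password
        return {"status": "Success"}


def demo():
    """Constructed walk-through of the write-up's scenario against both designs."""
    victim = "13980808888"  # customer service number from the write-up
    results = {}

    v = VulnerableReset()
    v.request_code(victim)
    v.verify_code(victim, "123123")  # wrong code -> {"status": "Failed"}
    # The client is shown a rewritten "Success" and calls step 3, which the
    # server never gates, so the password changes.
    results["vulnerable"] = v.set_password(victim, "PenTest1024")["status"]

    h = HardenedReset()
    h.request_code(victim)
    resp = h.verify_code(victim, "123123")       # Failed, no reset_token issued
    forged = dict(resp, status="Success")        # rewritten status, still no token
    results["hardened"] = h.set_password(
        victim, "PenTest1024", forged.get("reset_token", ""))["status"]

    # The legitimate owner with the real code still gets through.
    h2 = HardenedReset()
    code = h2.request_code(victim)
    token = h2.verify_code(victim, code)["reset_token"]
    results["legit"] = h2.set_password(victim, "NewPass1024", token)["status"]
    return results


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 'Success', 'hardened': 'Failed', 'legit': 'Success'}
```

The token does the work a set-cookie or server-side session flag would do on the real site: it exists only if the server itself saw a correct code, it is tied to the phone number it was issued for, and it is consumed by the first successful use. The same check applies whether the client arrived at step 3 honestly or by editing the step 2 response in a proxy.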

Specifically, take the customer service mobile phone number 13980808888 found during information gathering as an example. Enter the phone number, request the SMS verification code, enter the image verification code, enter the wrong SMS verification code 123123 and submit:

Because the SMS verification code is wrong, the server's check necessarily fails, and the system responds as follows:

Intercept the response and replace it with the successful response packet captured earlier:

Forward it to the client, and the new password setting page opens normally:

Enter the new password PenTest1024 and submit; the page reports that the password was changed successfully:

Try logging in with 13980808888/PenTest1024; the login succeeds.

Case two
