Any user password reset (7): Token is predictable

Category: Tag:

Previous article:

Any user password reset (2): The receiver of the reset credential can be tampered

Any user password reset (1): reset credentials leak

Any user password reset (3): user confusion

Any user password reset (4): The reset credentials are not verified

Any user password reset (6): There are status parameters in the response that affect the subsequent logic

Any user password reset (5): reset credentials can be blasted

When the password is retrieved through the mailbox, a reset URL containing a token will appear in the email, and the token is the reset credential. From experience, developers are accustomed to using one of three types of information such as timestamp, incremental serial number, and key fields (such as email addresses) as a factor, using a certain encryption algorithm or encoding to generate tokens. The attacker can use the key fields that can be collected to calculate it with a common encryption algorithm, so as to judge whether the token can be predicted.

Case 1: Token generated based on timestamp is an online CTF topic:

The “forgot password” function is an attack point, try to reset the admin password:

The corresponding request and response are:


Except for a reminder that a reset email has been sent, there is no other information. Try to reset another account yangyangwithgnu:


Get the reset URL information After visiting, it prompts that the reset is successful. So, the current situation is that the admin’s reset URL is not displayed, and the URLs of other accounts are displayed. As long as you get the admin’s reset URL, you may be able to see the flag.

The sukey parameter in the above reset URL caught my attention, obviously it is to reset credentials. The value 8135f8b07653b2cbc3ec05c781a29591 is first decoded with base64, but it has no effect, and then it is decrypted by MD5 to obtain the plaintext 1530342360:


Looks like unix timestamp, verify it:



Sure enough, the reset certificate is obtained by MD5 encryption of the current unix timestamp.

Then, such an attack model can be designed to achieve the purpose of resetting any account password: retrieve the yangyangwithgnu password for the first time and get the reset URL, where the sukey parameter contains the timestamp information; retrieve the admin password for the second time, Although the reset URL cannot be obtained temporarily, it does not matter, the server has already generated it; the third time, the password of yangyangwithgnu is retrieved and the reset URL is obtained. The sukey parameter contains time stamp information. The first and third timestamps are used as the time interval. Since the entire process is completed in a short time, the second timestamp can be easily broken.

Specifically, first initiate a request to retrieve the yangyangwithgnu password:



Get the timestamp 1530347130; then initiate a request to retrieve the admin password:



Then initiate a request to retrieve the yangyangwithgnu password again:



Get the timestamp 1530347161. Now we know that the timestamp of admin is in [1530347130, 1530347161]. Based on the reset URL format obtained before, we can construct the password reset URL of admin similar to sukey={md5(unix_timestamp)}&username=admin. Next, I put the URL into intruder to brute force, and define unix_timestamp as an enumeration variable:



Take [1530347130, 1530347161] as a dictionary and set MD5 encryption algorithm as payload preprocessing:



Soon, the admin reset URL was blasted out, and the flag was successfully obtained:



Case 2: Token generated based on increasing sequence number

The following content is visible to members

You do not have permission to read this content, click here to become a member and refresh this page to read it


There are no reviews yet.

Be the first to review “Any user password reset (7): Token is predictable”

Your email address will not be published. Required fields are marked *