Any user password reset (7): Token is predictable

Category: Tag:

Previous article:

Any user password reset (2): The receiver of the reset credential can be tampered

Any user password reset (1): reset credentials leak

Any user password reset (3): user confusion

Any user password reset (4): The reset credentials are not verified

Any user password reset (6): There are status parameters in the response that affect the subsequent logic

Any user password reset (5): reset credentials can be blasted

When the password is retrieved through the mailbox, a reset URL containing a token will appear in the email, and the token is the reset credential. From experience, developers are accustomed to using one of three types of information such as timestamp, incremental serial number, and key fields (such as email addresses) as a factor, using a certain encryption algorithm or encoding to generate tokens. The attacker can use the key fields that can be collected to calculate it with a common encryption algorithm, so as to judge whether the token can be predicted.

Case 1: Token generated based on timestamp is an online CTF topic:

The “forgot password” function is an attack point, try to reset the admin password:

The corresponding request and response are:


Except for a reminder that a reset email has been sent, there is no other information. Try to reset another account yangyangwithgnu:


Get the reset URL information After visiting, it prompts that the reset is successful. So, the current situation is that the admin’s reset URL is not displayed, and the URLs of other accounts are displayed. As long as you get the admin’s reset URL, you may be able to see the flag.

The sukey parameter in the above reset URL caught my attention, obviously it is to reset credentials. The value 8135f8b07653b2cbc3ec05c781a29591 is first decoded with base64, but it has no effect, and then it is decrypted by MD5 to obtain the plaintext 1530342360:


Looks like unix timestamp, verify it:



Sure enough, the reset certificate is obtained by MD5 encryption of the current unix timestamp.

Then, such an attack model can be designed to achieve the purpose of resetting any account password: retrieve the yangyangwithgnu password for the first time and get the reset URL, where the sukey parameter contains the timestamp information; retrieve the admin password for the second time, Although the reset URL cannot be obtained temporarily, it does not matter, the server has already generated it; the third time, the password of yangyangwithgnu is retrieved and the reset URL is obtained. The sukey parameter contains time stamp information. The first and third timestamps are used as the time interval. Since the entire process is completed in a short time, the second timestamp can be easily broken.

Specifically, first initiate a request to retrieve the yangyangwithgnu password:



Get the timestamp 1530347130; then initiate a request to retrieve the admin password:



Then initiate a request to retrieve the yangyangwithgnu password again:



Get the timestamp 1530347161. Now we know that the timestamp of admin is in [1530347130, 1530347161]. Based on the reset URL format obtained before, we can construct the password reset URL of admin similar to sukey={md5(unix_timestamp)}&username=admin. Next, I put the URL into intruder to brute force, and define unix_timestamp as an enumeration variable:



Take [1530347130, 1530347161] as a dictionary and set MD5 encryption algorithm as payload preprocessing:



Soon, the admin reset URL was blasted out, and the flag was successfully obtained:



Case 2: Token generated based on increasing sequence number

The following content is visible to members

[wc_pay_can_read   id=’2026,2029,2030′  tishi=’You do not have permission to read this content, click here to become a member and refresh this page to read it’]

First look at the password recovery link with credentials as follows:

Guessing from the parameter name, u may be username and t is token. In order to reduce the complexity, the test found that deleting the u parameter and value can also reset the password normally. Therefore, you can ignore the u parameter and focus on the t parameter.

Get the reset link five times in a row, and extract five t parameter values from the email as follows:



Observe carefully and find the changes are as follows:

It can be seen that the 5-8 digits and the last 4 digits of the t parameter value show incremental changes in increments of 2.

Analyze the changing rules of the credentials clearly, and reset any account is easy. For example, to reset the password of the common account admin, you can first trigger the retrieval of the password of the attacker’s account, obtain t as 52df773f24ac5b651d288d42, and then trigger the retrieval of the admin password, t is unknown. Then trigger to retrieve the password of the attacker’s account again, and obtain t as 52df774d24ac5b651d288d54. According to the change rule learned from the previous analysis, the 5-8 digits of t of the ordinary account must be an even number between [7740, 774c], and the last 4 digits have a certain range, It is an even number between [8d44, 8d52]. A few enumerations can get a valid t parameter value:


Case 3: Token generated based on key fields

For the password retrieval function of a website, the request contains three parameters:



username is the mailbox, rvcode image verification code, sid is unknown, log in to the mailbox to view the reset URL:



The key parameter is reset credentials, try to analyze the generation method. Put it directly into the md5 online cracking website, but it has no effect. Then try to md5 with the permutation and combination of three parameters such as username, rvcode, and sid. When trying to md5(username + sid), the generated result is consistent with the credentials in the email:



I have guessed the key generation algorithm, so I will have no pressure to reset the password of any account in the future.

Similarly, the reset link with the certificate is I have obtained the reset link several times and found that the F at the end of the certificate f198a79b9cF is constant, and the first 10 characters are suspected md5 encryption, try to md5 encryption for the permutation and combination of different parameters, when trying to md5 (phone number + picture verification code), the generated result is consistent with the certificate in the email:


Reinforcement measures

The token in the password reset link should be as random as possible. If a conventional encryption algorithm is used, it must be a factor that the client cannot view and guess. In addition, the server should limit malicious requests such as enumeration.



There are no reviews yet.

Be the first to review “Any user password reset (7): Token is predictable”

Your email address will not be published. Required fields are marked *