Bypassing SMS & email bombing restrictions, and what follows

Email bombing may do little direct harm to the enterprise, but it is very harmful to users. SMS bombing, by contrast, harms both sides: every message costs the enterprise money, and the user's phone is flooded.

So where do these problems show up?
        ①: the login page
        ②: the registration page
        ③: the password-recovery page
        ④: the phone/email binding page
        ⑤: event or promotion claim pages
        ⑥: site-specific features
        ⑦: the feedback page

First, the ideas for bypassing the bombing restrictions.

0x01 Use spaces to bypass SMS & email bombing restrictions

The parameter usually looks like mobile1=XXXXXX or email=<address>, and there is typically a limit of 5 sends per hour or per day. But if you put a space in front of or behind the phone number, you get 5 more sends, and the SMS or email is still delivered. The modified parameter looks like mobile1= XXXXXX (space in front). Every additional space gives another batch of sends. The bug is that the backend counts on the exact string it received but trims the value before handing it to the SMS or email gateway, so the variants are different keys to the counter and the same destination to the gateway.
0x02 Use the template/interface parameter to bypass SMS & email bombing restrictions
For example, the parameters are terminal=01&Mobile=XXXXXXX, where terminal selects which message template the SMS interface sends: 01 sends the "registration successful" notification, 02 the "password reset successful" reminder, 03 another template, and so on. If the send limit is counted per template rather than per destination, changing this value gives a fresh quota for each template, which achieves SMS or email bombing.
0x03 Modify the cookie value to bypass SMS & email bombing restrictions
Some sites do not count sends against the phone number at all but against the current cookie. A count keyed on the cookie is easy to bypass: if the limit is checked against a logged-out (anonymous) cookie rather than an authenticated session, simply changing or dropping the cookie resets the count.
I found a similar example:
https://bbs.ichunqiu.com/forum.php?mod=viewthread&tid=27614
0x04 Modify the IP to bypass SMS & email bombing restrictions
Some sites count against the current source IP: if one IP requests SMS or email frequently, or reaches a certain number, within a short period, it is restricted. Changing the apparent source IP (a spoofable header such as X-Forwarded-For when the backend trusts it) or rotating through proxy IPs bypasses the restriction.
0x05 Use letter case to bypass email bombing restrictions
The space trick above also works for email addresses, but there is another way to bypass the email limit: change the case of letters in the address. For example, with email=user@example.com, once the limit is reached just change one letter in the domain part to uppercase, user@Example.com, and the limit is bypassed. The address is a different string to the counter, but mail delivery is case-insensitive for the domain, and in practice for the local part too, so the same inbox receives it.
0x06 Modify the response value to bypass SMS & email bombing restrictions
For example, the response is success when a send succeeds and error when it fails. When the limit is reached, intercept the response and change it to the successful value, success, so that the flow continues. This only works when the limit check and the actual send are separate steps and the front-end decides from the response whether to proceed to the send; if the server enforces the limit inside the send request itself, changing the response changes nothing.
0x07 Use different accounts to achieve SMS & email bombing

This can also be considered a bypass problem, caused by verifying the wrong thing. If one account gets 5 sends, another account gets another 5, and without any further check on the destination this adds up to large-scale SMS bombing. The number per account is small, but the total is large, and the harm to both enterprise and users is the same.
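The bypasses in 0x01 through 0x05 and the multi-account trick in 0x07 are one underlying bug: the send counter is keyed on something the attacker controls (the raw parameter string, the cookie, the source IP, the account) instead of on the canonical destination. The Python simulation below is an added example, not code from the original post. The parameter names mobile1 and terminal follow the post; the limit of 5 per hour, the sample numbers and addresses, and the request shape are assumptions. It runs the same constructed attacker traffic against four keying strategies and counts how many messages reach the victim.

```python
import re
import time
from collections import defaultdict

LIMIT = 5        # sends allowed per key per window (assumed policy)
WINDOW = 3600    # seconds (assumed)


def normalize_phone(raw: str) -> str:
    """Canonical phone key: keep digits only, so ' 13800000000', '13800000000 '
    and '138 0000 0000' all collapse to the same key."""
    return re.sub(r"\D", "", raw)


def normalize_email(raw: str) -> str:
    """Canonical email key: drop all whitespace and casefold.
    RFC 5321 allows a case-sensitive local part, but for abuse counting you
    want the broadest collision, so the whole address is folded."""
    return "".join(raw.split()).casefold()


class SlidingWindowLimiter:
    """Counts sends per key within a trailing window."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.hits = defaultdict(list)            # key -> send timestamps

    def allow(self, key: str, now: float) -> bool:
        recent = [t for t in self.hits[key] if now - t < self.window]
        if len(recent) >= self.limit:
            self.hits[key] = recent
            return False
        recent.append(now)
        self.hits[key] = recent
        return True


# Key derivations. The first three are how the bypasses in 0x01/0x05, 0x03
# and 0x04 arise; the last one actually bounds messages per victim.
def raw_param_key(req):
    return req["params"]["mobile1"]            # exact string the client sent

def cookie_key(req):
    return req["cookie"]                       # attacker mints a fresh one per request

def ip_key(req):
    return req["ip"]                           # attacker rotates proxies

def destination_key(req):
    value = req["params"]["mobile1"]
    if "@" in value:
        return "email:" + normalize_email(value)
    return "sms:" + normalize_phone(value)     # ignores terminal/template, account, cookie, IP


def send_code(req, limiter, key_fn, now) -> bool:
    """True when the SMS/email gateway would be called."""
    if not limiter.allow(key_fn(req), now):
        return False
    # The backend trims and normalizes the destination before calling the
    # gateway, so every variant lands on the same victim; only the limiter
    # key decides whether it is counted as the same victim.
    return True


def simulate(key_fn, requests) -> int:
    """Number of messages that reach the victim for a given keying strategy."""
    limiter = SlidingWindowLimiter()
    t0 = time.time()
    return sum(send_code(r, limiter, key_fn, t0 + i) for i, r in enumerate(requests))


def attacker_traffic(variants):
    """Constructed attacker run: LIMIT requests per variant, each from a new
    session cookie and a new source IP, cycling through template ids."""
    reqs = []
    for i, v in enumerate(variants):
        for j in range(LIMIT):
            n = i * LIMIT + j
            reqs.append({"params": {"mobile1": v, "terminal": f"{n % 3 + 1:02d}"},
                         "cookie": f"sess-{n}", "ip": f"10.0.0.{n}"})
    return reqs


# Constructed victim identifiers (assumed values, not from the post).
PHONE_VARIANTS = ["13800000000", " 13800000000", "13800000000 ", "  13800000000"]
EMAIL_VARIANTS = ["user@example.com", "user@Example.com", "USER@example.com", " user@example.com"]

if __name__ == "__main__":
    for name, fn in [("raw param", raw_param_key), ("cookie", cookie_key),
                     ("ip", ip_key), ("destination", destination_key)]:
        print(f"{name:12s} phone={simulate(fn, attacker_traffic(PHONE_VARIANTS)):2d} "
              f"email={simulate(fn, attacker_traffic(EMAIL_VARIANTS)):2d}")
```

With 20 requests per run, the raw-parameter, cookie and IP keys each let all 20 messages through, while the destination key stops at 5. In a real deployment you would keep the per-IP and per-account counters as secondary limits, but the per-destination counter is the one that protects the victim.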

Ways of directly causing SMS & email bombing

0x01 Use the login area to achieve SMS bombing
For example, some sites support login with a one-time SMS code. If there is no image captcha on that form, batch-replaying the send-code request is enough to cause harm. If there is a captcha, a second problem comes into play: bypassing it. Log in through your own account via SMS, enter the correct captcha and the correct SMS code, and capture the request with Burp Suite when you click log in. Send it to Repeater, change the phone number to the target's number and replay; the target's phone receives the code. This works when the captcha is validated once and is neither invalidated after use nor tied to the number it was solved for. In short: submit a correct account and a correct captcha, capture the successful request, then modify its values and replay it.
Some sites require a captcha at the login area. It appears in one of three places:
First: shown directly on the login form.
Second: shown in a pop-up after you click log in.
Third: clicking log in redirects to a dedicated verification page.
All three can be bombed the same way: capture the request and replay it.
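Why the replay in 0x01 works, and one way to close it, as an added example that is not part of the original post. The vulnerable handler keeps the captcha answer in the session, compares it as a string, never invalidates it after use and never ties it to the phone number, so a captured request can be replayed with any number. The hardened handler turns a solved captcha into a single-use token bound to the number it was solved for. The token format, the 120-second lifetime and the phone numbers are assumptions.

```python
import secrets
import time


class SmsGateway:
    """Stand-in for the SMS provider: records every number it was asked to text."""

    def __init__(self):
        self.sent = []

    def send_code(self, phone):
        self.sent.append(phone)
        return True


# Vulnerable pattern: the captcha text lives in the session, is compared as a
# string, is never cleared after a successful use, and knows nothing about
# which phone number the user solved it for.
def vulnerable_send(session, req, gw):
    if req["captcha"] != session["captcha"]:
        return False
    return gw.send_code(req["phone"])


# Hardened pattern: passing the captcha yields a one-time token bound to the
# destination; the send endpoint redeems the token and will not send without it.
class CaptchaTokens:
    def __init__(self, ttl=120):                 # lifetime in seconds (assumed)
        self.ttl = ttl
        self.live = {}                           # token -> (phone, expiry)

    def solved(self, phone, now):
        """Called once the user has passed the captcha for this phone;
        returns the token the client must echo back on the send request."""
        tok = secrets.token_urlsafe(16)
        self.live[tok] = (phone, now + self.ttl)
        return tok

    def redeem(self, tok, phone, now):
        entry = self.live.pop(tok, None)         # pop: a token is redeemable at most once
        if entry is None:
            return False
        bound_phone, expiry = entry
        return now < expiry and secrets.compare_digest(bound_phone, phone)


def hardened_send(tokens, req, gw, now):
    if not tokens.redeem(req["captcha_token"], req["phone"], now):
        return False
    return gw.send_code(req["phone"])


# Constructed scenario: the attacker solves the captcha once for their own
# number (13800000000), captures the request, then replays it with the
# victim's number (13900000000). Both numbers are made up.
def replay_attack_vulnerable(victim="13900000000", replays=10):
    session = {"captcha": "x7k2p"}               # what the server rendered for the attacker
    captured = {"captcha": "x7k2p", "phone": "13800000000"}
    gw = SmsGateway()
    vulnerable_send(session, captured, gw)       # legitimate use
    for _ in range(replays):
        vulnerable_send(session, dict(captured, phone=victim), gw)
    return gw.sent.count(victim)


def replay_attack_hardened(victim="13900000000", replays=10):
    tokens = CaptchaTokens()
    gw = SmsGateway()
    now = time.time()
    tok = tokens.solved("13800000000", now)
    captured = {"captcha_token": tok, "phone": "13800000000"}
    hardened_send(tokens, captured, gw, now)     # legitimate use consumes the token
    for _ in range(replays):
        hardened_send(tokens, dict(captured, phone=victim), gw, now + 1)
    return gw.sent.count(victim)


if __name__ == "__main__":
    print("victim messages, vulnerable:", replay_attack_vulnerable())
    print("victim messages, hardened:  ", replay_attack_hardened())
```

Binding alone is not enough: a token that is bound to the number but not consumed would still allow the captured request to be replayed against the attacker's own number indefinitely, and an unbound single-use token would still allow one send per captcha to any number. The redeem step does both, and the per-destination rate limit from the previous section still applies behind it.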
0x02 Use registration & password recovery to bomb

Registration and password recovery nearly always request a verification code. If no captcha or other restriction is applied to the send-code request, it can be replayed to cause bombing.

0x03 Use the profile-modification page to bomb

Changing the phone number or email address in the personal settings page requires a verification code. If that send is not handled properly, it causes the same bombing problem.

0x04 Use the feedback page to bomb

Some platforms support feedback or complaint forms where the phone number or email address is free text, i.e. you can enter anything. In my past testing the exploitability of this was limited, but the problem is real: feedback forms generally do not limit the number of submissions, so you can submit in batches with the target's phone number or email address in the contact field. After the backend review, an SMS or email notification goes to that contact, once per submission, and that is the harm.

0x05 Use event pages to bomb

For example, a newly launched event or advertising campaign lets you claim something and requests an SMS verification code to do so. These pages are where most problems are found. Even when a past event has been taken offline, its send interface often still exists and can be used quietly.

0x06 Use site-specific features to bomb

For example, the personal backend lets you add company information and asks for a phone number; when the addition succeeds an SMS notification is sent. Adding it repeatedly sends one notification per addition, which is SMS bombing.

Other hazards that come with SMS & email bombing

0x01 Enumerating registered users

For example, when you enter a phone number or email address on the registration page, the site checks whether it already exists: if it does, it proceeds to the next step; if not, it returns a "does not exist" prompt. That difference in the response lets you enumerate in batches which phone numbers or email addresses are registered, and the resulting list can then be used for credential stuffing.
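An added example (not from the original post) of the enumeration just described: a registration precheck that answers differently for known and unknown numbers, the batch probe an attacker runs against it, and the uniform-response version. The user table and the numbers are constructed.

```python
# Constructed user table (assumed values).
REGISTERED = {"13800000001", "13800000003"}


def precheck_vulnerable(phone):
    """Leaks membership: known and unknown numbers get different responses."""
    if phone in REGISTERED:
        return {"code": 1, "msg": "This number is already registered"}
    return {"code": 0, "msg": "OK, a verification code has been sent"}


def precheck_uniform(phone):
    """Same response either way. The account status is delivered out of band,
    inside the SMS itself ("you already have an account, log in instead"),
    which only the owner of the number can read."""
    return {"code": 0, "msg": "If this number is eligible, a verification code has been sent"}


def enumerate_registered(precheck, candidates, probe="13800000000"):
    """The attacker's batch run (what Burp Intruder does with a number list):
    take the response for a number assumed unregistered as the baseline and
    flag every candidate whose response differs from it."""
    baseline = precheck(probe)
    return sorted(p for p in candidates if precheck(p) != baseline)


if __name__ == "__main__":
    candidates = [f"1380000000{i}" for i in range(10)]
    print("vulnerable:", enumerate_registered(precheck_vulnerable, candidates))
    print("uniform:   ", enumerate_registered(precheck_uniform, candidates))
```

The comparison in enumerate_registered is against the whole response, not just the message text, because status codes, response lengths and response times leak the same bit; a uniform response has to be uniform in all of them, and the send behind it still needs the per-destination limit from earlier.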

0x02 Phishing

Some SMS or email send interfaces carry the message content in the request itself; capture the packet when sending and you will see it. If that content is not filtered, it is attacker-controlled and goes out through the official sender, which makes phishing easy: the modified content, such as a link to a phishing site, can be sent to many users in batches. If the site also has an open redirect, chaining it with this custom-content send produces phishing messages that look even more trustworthy.

Origin blog.csdn.net/weixin_45682070/article/details/107321392