6 ways to reset the password of any SRC account

1. SMS verification code return

1. Principle

When the password is retrieved via the mobile phone, the server's response packet contains the SMS verification code itself.

2. Case

A website chooses to use the mobile phone to retrieve the password:

Click the send button and intercept the response packet: the SMS verification code is visible in it, as shown in the following figure:

3. Repair suggestion

Remove the SMS verification code from the response packet

2. Modify the user name, user ID or mobile phone number to reset any account password

1. Principle

Retrieving a password through the mobile phone generally requires SMS verification code verification (which may be brute-forced or bypassed). After entering the correct mobile phone number and the correct SMS verification code, the last step is to reset the password: enter the new password and confirm it. The POST data packet submitted to the server at this point has to contain the identity information of the current user.

A website generally identifies the user by user name or user ID. The problem arises when that user name or user ID is not bound to the current mobile phone number or SMS verification code.

That is to say, the server only checks that the user name or ID exists, but never checks that it matches the mobile phone number being verified. In that case, changing the user name or ID in the request changes another user's password.

The modifiable parameter is not limited to the password-retrieval request either; the same flaw can exist, for example, wherever user data is modified.

2. Case

For example, on one website the profile-modification request could be used to change any account's password. The intercepted data packet is:

POST /user/info_do HTTP/1.1
Host: www.XXX.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Refer: http://www.XXX.com/user/info_view
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 211
Cookie: yunsuo_session_verify=9341a54b945886e9485ff54a17650468; PHPSESSID=sgbibaqe7f8f6okerps8jip916; sdrcUserlockcount=1; sdrcUseruserid=14943
Connection: keep-alive

password=A123456&email=1%40qq.com&address=1&postcode=1&mobile=13888888888&sex=man&birthday=0000-00-00&degree=collegeLT&testsite=1&post=1&__hash__=b0b15b067dea00bd34fd39421b7ef684_efc2399e5c4b2071f261e75fe3362d4fa

Analysis and testing showed that the sdrcUseruserid value in the cookie is what identifies the current user, which raises the question of whether this ID can be changed arbitrarily.

The answer is yes: changing the ID value to 14942 and 14941 also succeeded, as shown in the screenshot below:

3. Repair suggestion

  • Whenever a user reads or modifies personal information, the server must verify the identity of the current user to prevent unauthorized operations;

  • The name or ID used to identify the user can be protected with custom encryption, or these parameters can be left out entirely and the user identity taken from the session cookie on the server side;

  • When changing the password, the old password should be verified first, or SMS verification used;

  • When the user changes the mobile phone number, the original mobile phone number must be verified first.
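The flaw in the case above and the first three repair points, as an added example that is not from the original post: a profile-update handler written the vulnerable way (trusting the client-supplied sdrcUseruserid cookie) next to a hardened one (identity resolved from the server-side session, old password re-checked). USERS, SESSIONS and the function names are assumptions for illustration; the sample accounts are constructed.

```python
import hashlib
import hmac
import os

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _new_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw": _hash_pw(password, salt)}

# Constructed sample data: two accounts, and one logged-in session belonging to 14943.
USERS = {14943: _new_user("old-pw-14943"), 14942: _new_user("old-pw-14942")}
SESSIONS = {"sgbibaqe7f8f6okerps8jip916": 14943}

def _check_pw(uid: int, password: str) -> bool:
    u = USERS[uid]
    return hmac.compare_digest(_hash_pw(password, u["salt"]), u["pw"])

def _set_pw(uid: int, password: str) -> None:
    USERS[uid]["salt"] = os.urandom(16)
    USERS[uid]["pw"] = _hash_pw(password, USERS[uid]["salt"])

def update_profile_vulnerable(cookies: dict, form: dict) -> str:
    # BUG (the case above): identity comes from a cookie the client can rewrite,
    # so the server only checks that the ID exists, not that it matches the session.
    uid = int(cookies["sdrcUseruserid"])
    if uid not in USERS:
        return "no such user"
    _set_pw(uid, form["password"])  # no old-password or SMS check either
    return "ok"

def update_profile_hardened(cookies: dict, form: dict) -> str:
    # Identity is resolved only from the server-side session behind PHPSESSID;
    # any sdrcUseruserid the client sends is ignored.
    uid = SESSIONS.get(cookies.get("PHPSESSID"))
    if uid is None:
        return "not logged in"
    # A password change re-verifies the old password first (an SMS code would also do).
    if not _check_pw(uid, form.get("old_password", "")):
        return "old password mismatch"
    _set_pw(uid, form["password"])
    return "ok"
```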

3. Modify the response packet to reset any account password

1. Principle

Retrieving the password through the mobile phone generally requires SMS verification code verification, and the server has to tell the client whether the entered verification code is correct.

If the client receives a true result, it requests the next step with that true result, and the server lets the client proceed once it receives true.

Conversely, if the result is false, the server does not let the client proceed.

In other words, the key to reaching the next step is that the server receives a true result from the client.

With Burp Suite, the information returned from the server to the client can be modified. Any SMS verification code can be entered, and the false returned by the server changed to true, which bypasses the SMS verification code check.

2. Case

The following is a password retrieval process. Entering the correct user name leads to the second step, which asks for the SMS verification code. Here an arbitrary SMS verification code, 123456, is entered, and the information returned by the server is captured as shown below.

After changing the false in the return packet to true, the SMS verification code check is bypassed, and the result is shown in the figure below.

3. Repair suggestion

  • The server verifies the code and, when it is correct, advances to the next step itself, rather than returning the verification result to the client and letting the client decide;

  • After the new password is entered and submitted, the server should perform a second matching check of the current user name, mobile phone number, and SMS verification code; only when all of them match should the modification succeed.

4. Skip the verification step to reset any account password

1. Principle

The password recovery process generally requires four steps:

1. Verify user name;

2. Verify the SMS verification code;

3. Enter the new password;

4. The reset is successful.

These four steps should be tightly linked to each other: only after passing the verification of one step should it be possible to enter the next. If there is no verification of the correlation between steps, key verification steps can be skipped, making it possible to reset any account's password.

2. Case

A website's password retrieval has four steps. The first step is to enter the correct user name; the second is to enter the mobile phone number and the correct verification code, after which the intercepted data packet returned by the server is:

<html><head><title>object moved</title></head><body>
<h2>object moved to <a href="/Personal/sys/getpasswordreset">here</a>.</h2>
</body></html>

The above data packet is used to jump to the password input interface.

We wondered whether we could enter any verification code and then directly access the password input interface. The answer was yes, and the password reset succeeded.

On analysis, the key to this is the jump to the password input interface. When the new password is entered and submitted, the server does not perform a second verification of the current user's identity; it simply takes the user name or ID and the new password. The SMS verification code check is therefore skipped, and any account's password can be reset.

3. Repair suggestion

  • Each step verifies the previous step;

  • Finally, when the new password is submitted, the current user name or ID, mobile phone number, and SMS verification code should be verified a second time.
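An added example (not the original post's code) covering the repair points of sections 3 and 4 together: the reset flow is kept as server-side state, so the client cannot turn a returned false into true, and the new-password step refuses unless the server itself recorded that the SMS step passed for that flow. ResetFlow, USERS and send_sms are assumed names, and the account data is constructed.

```python
import hmac
import secrets
from typing import Optional

# Constructed sample data: one account with its bound mobile number
# (password kept in plaintext only to keep the example short).
USERS = {"alice": {"mobile": "13888888888", "password": "old"}}

def send_sms(mobile: str, code: str) -> None:
    pass  # stand-in for the SMS gateway; the code never appears in an HTTP response

class ResetFlow:
    """Password-reset attempts tracked by an opaque flow id held on the server."""
    def __init__(self) -> None:
        self.flows = {}  # flow_id -> {"user", "code", "step"}

    def step1_username(self, username: str) -> Optional[str]:
        # (A production handler would answer identically for unknown names
        # so that this step cannot be used to enumerate accounts.)
        if username not in USERS:
            return None
        fid = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"  # 6-digit code, stored server-side
        self.flows[fid] = {"user": username, "code": code, "step": 1}
        send_sms(USERS[username]["mobile"], code)
        return fid

    def step2_code(self, fid: str, code: str) -> bool:
        f = self.flows.get(fid)
        if f is None or f["step"] != 1:
            return False
        if not hmac.compare_digest(f["code"], code):
            return False
        f["step"] = 2  # progress is recorded here, not in a flag the client echoes back
        return True

    def step3_new_password(self, fid: str, new_password: str) -> bool:
        f = self.flows.get(fid)
        # Refuse unless the server itself recorded that step 2 passed for this flow.
        if f is None or f["step"] != 2:
            return False
        USERS[f["user"]]["password"] = new_password
        del self.flows[fid]  # the flow is single-use
        return True
```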

5. The token value in the reset password link is not verified or invalid, resulting in any account password reset

1. Principle

When the password is reset through the mailbox, the server sends a password-reset link to the mailbox. The link contains the identity information of the current user (such as the user name or user ID) together with a randomly generated token. If the token value is not verified, or is not invalidated after verification, any account's password can be reset by modifying the user name or user ID in the link.

2. Case

When a website retrieves the password through email, the link the server sends to the mailbox is:


http://www.xxx.com/GetPwd.aspx?q=0x0531387a5a6c1227e4d6ba0ce16dc72e&r=3244166

The randomly generated q value is either not verified at all, or is verified but not invalidated afterwards, so it can be reused. In the end, only r needs to be changed to another user ID to reset that user's password.

3. Repair suggestion

  • The server verifies the token value submitted by the client;

  • Ensure that the token value becomes invalid after being used once to prevent repeated use;

  • Custom encryption of user IDs;

  • Identify the user by a token generated from the user ID, so that the link does not need to carry the user ID.

6. The SMS verification code for retrieving the password can be blasted to reset the password of any account

1. Principle

When the SMS verification code used for password retrieval has too few digits, or has no effective time limit, an attacker can use automated tools to brute-force the code within that time window, resulting in the reset of any account's password.

2. Case

The data packet that submits the SMS verification code during a website's password retrieval is:


Code=5000&u=13888888888&Check=dc5b94101cb4f23a9ce6ae71197fc5de&a=5

The Code parameter can be brute-forced here, as shown in the figure below:

3. Repair suggestion

  • The verification code should meet a certain complexity, and its validity period should be limited;

  • The data packet that submits the SMS verification code should carry a token value that the server verifies, to prevent automated tools from brute-forcing the code.
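An added example (not from the original post) serving the repair suggestions of sections 5 and 6 together: one server-side store for the e-mail reset token and the SMS verification code, where each is random, bound to a user ID only on the server, time-limited and single-use, and the SMS code is locked after a few wrong guesses. ChallengeStore and its method names are assumptions; the clock is injectable so that expiry can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

def _h(secret: str) -> str:
    # Only a hash of each secret is stored, so a leaked table exposes no live tokens.
    return hashlib.sha256(secret.encode()).hexdigest()

class ChallengeStore:
    def __init__(self, ttl_seconds: int = 600, max_attempts: int = 5, now=time.time):
        self.ttl, self.max_attempts, self.now = ttl_seconds, max_attempts, now
        self.tokens = {}  # sha256(token) -> {"user", "expires"}
        self.codes = {}   # mobile -> {"user", "code", "expires", "attempts"}

    def issue_link_token(self, user_id: int) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits; the token alone names the user
        self.tokens[_h(token)] = {"user": user_id, "expires": self.now() + self.ttl}
        return token  # the mail link becomes /GetPwd.aspx?q=<token>, with no r= user ID

    def redeem_link_token(self, token: str) -> Optional[int]:
        entry = self.tokens.pop(_h(token), None)  # pop: one use only, whatever the outcome
        if entry is None or self.now() > entry["expires"]:
            return None
        return entry["user"]

    def issue_sms_code(self, user_id: int, mobile: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[mobile] = {"user": user_id, "code": code,
                              "expires": self.now() + self.ttl, "attempts": 0}
        return code  # handed to the SMS gateway only, never to the HTTP response

    def redeem_sms_code(self, mobile: str, code: str) -> Optional[int]:
        entry = self.codes.get(mobile)
        if entry is None or self.now() > entry["expires"]:
            self.codes.pop(mobile, None)  # expired codes are dropped, not checked
            return None
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["code"], code)
        if ok or entry["attempts"] >= self.max_attempts:
            del self.codes[mobile]  # consumed on success, or locked after too many guesses
        return entry["user"] if ok else None
```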


Source: blog.csdn.net/weixin_52501704/article/details/129223819