当前位置：网站首页>Possible problems with password retrieval function (supplementary)

Possible problems with password retrieval function (supplementary)

2022-06-11 04:05:00 【Sword-heart】

0x00 Background introduction

I have seen a summary of password recovery vulnerabilities before , Now we see some new situations , Write it out to add .

link ： Possible problems with password retrieval function

0x01 review

Already in the last article 7 Here's the point ：

<code>1. The password retrieval voucher is too weak , Easy to be blasted

2. Password retrieval credentials can be retrieved from the client 、URL Medium direct acquisition

3. The password retrieval certificate can be obtained directly from the web page source code

4. The email link for password retrieval is easy to guess , As of time md5

5. Password retrieval and voucher saving is not just a matter of binding with a single user .

6. The mobile phone or email with the password retrieved can be obtained from the page , Can pass firebug modify

7. Finally, change the user when submitting the new password ID For others ID

</code>

0x02 Add

One . Skip the validation step 、 Ways to retrieve , Go directly to the set new password page

WooYun: OPPO Mobile phone synchronization password can be changed at will , Check the SMS address book at will

Two . When retrieving the password, the authentication code is sent without verifying whether the user name matches the mailbox on the server

WooYun: There is a vulnerability in Meizu's account system, which can cause the password of any account to be reset

http://www.zhaojin97.cn/read-196.html

3、 ... and . Returned when resetting the password token It is not bound to the account and verification code

Or the above Meizu password reset problem

Four . The server only verifies whether the corresponding verification information exists , Failed to verify whether it matches the account number

WooYun: OPPO The mobile phone resets any account password （3）

WooYun: Second reset OPPO Any account password on the mobile official website （ Second change ）

WooYun: OPPO Change any account password

5、 ... and . Verify the server's return information locally , Determine whether to perform password reset , But its return information is controllable , Or what you can get

WooYun: oppo Reset arbitrary user password vulnerability (4)

6、 ... and . Sending SMS and other verification information is carried out locally , It can be controlled by modifying the return package

WooYun: OPPO Change any account password -3

WooYun: OPPO Change any account password -2

7、 ... and . When submitting a new password , Only partially controllable information is verified to match

WooYun: AA Find any password of carpool network 2

8、 ... and . There is an injection vulnerability in retrieving the password

WooYun: UFIDA human resource management software （e-HR） Another place SQL Inject holes （ Kill all versions ）

0x03 Repair plan

Retrieving password credentials is complex and unpredictable , Any action is performed on the server side , The transmitted verification parameters shall be encrypted , At the same time, filter the parameters

This article comes from the dark cloud knowledge base , The copyright of this article belongs to Wuyun knowledge base ！

原网站

版权声明
本文为[Sword-heart]所创，转载请带上原文链接，感谢
https://yzsam.com/2022/162/202206110342122891.html