Password retrieval logic vulnerability summary - Vulnerability Warning - Black Bar Safety Net

ID MYHACK58:62201559769
Type myhack58
Reporter Anonymous
Modified 2015-03-10T00:00:00


0x00 Background

See these two earlier articles:

Possible problems in password retrieval functions

Possible problems in password retrieval functions (supplement)

About six months have passed since those two articles. I recently put together a mind map of password retrieval testing, reopened the collected cases, and found some new situations. This post summarizes all the cases I have seen and shares them so that you can test along this framework.

0x01 General process for testing password retrieval logic

  • First walk through a normal password retrieval flow, choosing each of the available retrieval methods, and record all packets

  • Analyze the packets and find the sensitive parts

  • Analyze the verification mechanism the backend uses for retrieval

  • Modify the packets to verify your speculation

0x02 Mind map

0x03 Details

  • User credentials brute force

    • Four- or six-digit purely numeric code example

      • Tick: Dangdang arbitrary user password change vulnerability

      • Tick: WeChat arbitrary user password change vulnerability

  • Credentials returned to the client

    • The URL returns the code and token (examples)

      • Tick: a catwalk show network, arbitrary password modification defect

      • Tick: Everyday network, arbitrary account password reset II

    • Retrieval credentials present in the page

      • Retrieval through the secret question (example)

        • Tick: Sohu mailbox, reset any user's password

      • SMS verification code returned in the response

        • Tick: a Sina site, arbitrary user password modification (code and retrieval logic improperly designed)

  • Mailbox weak token

    • Timestamp MD5 example

      • Tick: Qihoo 360 arbitrary user password change vulnerability

    • Username & server time

      • Tick: a ZTE website, arbitrary user password reset vulnerability (classic design defect case)

  • User credentials validity

    • SMS verification code examples

      • Tick: OPPO phone, reset any account's password (3)

      • Tick: second reset of any account's password on the OPPO official website (changed in seconds)

      • Tick: OPPO, modify any account's password

    • Mailbox token

      • Tick: identity pass, modify any password, leaking a large amount of citizen information

    • Reset password token

      • Tick: Meizu account system vulnerability can lead to arbitrary account password reset

  • Mobile binding examples

    • Tick: NetEase mailbox can directly modify other users' passwords

    • Tick: 12308 can modify any user's password

  • Mailbox binding

    • Tick: a lottery site design defect can modify any user's password

    • Tick: China industrial control network, arbitrary user password reset vulnerability

  • Server authentication

    • The final submission step (examples)

      • Tick: Ctrip, modify any owner's password (Ctrip's 100th hole on Tick)

    • Server verifies client-controllable content

      • Tick: AA carpool network, arbitrary password retrieval 2

      • Tick: Sichuan 517 "I want to go" travel network, reset any account's password vulnerability

    • Server authentication logic is empty

      • Tick: a government and enterprise mail system suspected of a common design problem

  • User authentication

    • Account and phone number binding

      • Tick: Shanghai Telecom pass, arbitrary password reset

    • Account bound to an email account

      • Tick: Meizu account system vulnerability can lead to arbitrary account password reset

      • Tick: a news network, modify any user's password vulnerability

  • Skipping steps

    • Skip the verification step by going back and land directly on the set-new-password page (example)

      • Tick: OPPO Mobile Sync, password can be modified at will, SMS and contacts viewed at will

      • Tick: a China Telecom IDC information security management system design flaw causing the system to fall
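Several of the categories above (brute-forcing short numeric codes, mailbox tokens built from a timestamp or username plus server time, credential validity, and the final submission step trusting a client-supplied account) can be contrasted with a small reset backend that avoids each of them. The following Python is an added example written for this summary; it is not code from the original article or from any of the cited cases. The service, its 15-minute credential lifetime, the five-attempt lockout, the epoch value and the sample users are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60   # assumed lifetime for mailbox tokens and SMS codes
MAX_CODE_ATTEMPTS = 5         # assumed lockout threshold for six-digit codes


def weak_mail_token(username: str, server_time: int) -> str:
    """The 'timestamp MD5' / 'username & server time' pattern from the page.
    It is fully determined by public inputs, so it is not a secret credential."""
    return hashlib.md5(f"{username}{server_time}".encode()).hexdigest()


def _digest(token: str) -> str:
    # Store only a hash of the token; a leaked table then yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class FakeClock:
    """Constructed clock so the expiry logic can be exercised deterministically."""
    def __init__(self, t: int):
        self.t = t

    def __call__(self) -> int:
        return self.t


class ResetService:
    """Toy password-reset backend (constructed for this example)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.passwords = {}   # user -> password (plaintext only for the demo)
        self.tokens = {}      # sha256(token) -> {"user", "expires"}
        self.codes = {}       # user -> {"code", "expires", "attempts"}

    # --- mailbox link flow -------------------------------------------------
    def issue_mail_token(self, user: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 random bits from the OS CSPRNG
        self.tokens[_digest(token)] = {"user": user,
                                       "expires": self.clock() + RESET_TTL_SECONDS}
        return token   # deliver only via the bound mailbox, never in the HTTP response

    def redeem_mail_token(self, token: str, new_password: str) -> bool:
        entry = self.tokens.pop(_digest(token), None)   # pop makes it single-use
        if entry is None or self.clock() > entry["expires"]:
            return False
        # The account comes from the server-side binding, not from a client field.
        self.passwords[entry["user"]] = new_password
        return True

    # --- SMS code flow -----------------------------------------------------
    def issue_sms_code(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[user] = {"code": code,
                            "expires": self.clock() + RESET_TTL_SECONDS,
                            "attempts": 0}
        return code   # deliver only via the bound phone number

    def redeem_sms_code(self, user: str, code: str, new_password: str) -> bool:
        entry = self.codes.get(user)
        if entry is None:
            return False
        if self.clock() > entry["expires"] or entry["attempts"] >= MAX_CODE_ATTEMPTS:
            del self.codes[user]   # expired or locked out: a fresh code must be issued
            return False
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["code"], code):
            return False
        del self.codes[user]       # single use
        self.passwords[user] = new_password
        return True


def demo() -> dict:
    """Walk the flows once and return the observed outcomes."""
    clock = FakeClock(1_425_945_600)   # constructed epoch value
    svc = ResetService(clock)
    svc.passwords["alice"] = "old"
    results = {}
    # Weak token: same public inputs always give the same token.
    results["weak_reproducible"] = (weak_mail_token("alice", clock())
                                    == weak_mail_token("alice", clock()))
    # Strong token: accepted once, rejected on reuse.
    tok = svc.issue_mail_token("alice")
    results["token_first_use"] = svc.redeem_mail_token(tok, "new1")
    results["token_reuse"] = svc.redeem_mail_token(tok, "new2")
    # Token past its lifetime is rejected.
    tok2 = svc.issue_mail_token("alice")
    clock.t += RESET_TTL_SECONDS + 1
    results["token_expired"] = svc.redeem_mail_token(tok2, "new3")
    # Six-digit code: lockout after MAX_CODE_ATTEMPTS wrong guesses, even if the
    # correct code is submitted afterwards.
    code = svc.issue_sms_code("bob")
    wrong = "000000" if code != "000000" else "000001"
    for _ in range(MAX_CODE_ATTEMPTS):
        svc.redeem_sms_code("bob", wrong, "x")
    results["code_after_lockout"] = svc.redeem_sms_code("bob", code, "x")
    results["alice_password"] = svc.passwords["alice"]
    return results


if __name__ == "__main__":
    print(demo())
```

The key design points map onto the categories on this page: the token is random rather than derived from a timestamp or username, it is never echoed back to the client, it is single-use and expiring, the numeric code is protected by an attempt counter, and the account whose password changes is taken from the server-side binding stored at issue time rather than from anything in the final submission.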
