Use the password reset functions to achieve account-hijacking-vulnerability warning-the black bar safety net

ID MYHACK58:62201890085
Type myhack58
Reporter 佚名
Modified 2018-04-26T00:00:00


Recently, I attended a platform to invite vulnerability testing project, in which the discovery of a unique account hijacking vulnerability, the entire vulnerability discovery process very unexpected but also very lucky, by the password reset function can be achieved account hijacking, and I will write it to it to share out. Since the test item confidentiality and privacy principles, sorry screenshot is too small, and hereinafter relates to the site domain name in Part I has been edited to hide, please forgive me. From the Blind XSSspeaking of In a domain name pre-stepped point, I stumbled upon a front-end application, it has a very old main community page, but the login form does not use HTTPS. I think, if even the login page of the certificate are not, that should also be the presence of what vulnerability? So I carefully check and test request, try to in this page of the website to register a new account. Unfortunately, 必须需要一个后缀为@company.com的公司邮箱 or REGISTER account need background administrator to verify the approval to successfully complete the registration. Considering this, I think I should test the front-end application whether the presence of the Blind XSSvulnerability then I log in the“name”and“Last Name”field to submit a validXSStest load, when I click the“Submit”button, you receive the following error message, which makes me surprised. I don't put blind XSSthe test load together with the screenshots, but the whole process returns the following error response: ! Test blind injection vulnerability, Blind SQLi) Well, since so, that I try blind injection vulnerability, Blind SQLi. Generally, the occurrence of such an error response to the information, I will be the first time think of using Sqlmap to test injection vulnerabilities. But unfortunately, probably because of not using the same mailbox two times a registered Account, here to initiate the account registration of the formulaSQL injectionrequest didn't succeed response. In addition, in the Sqlmap in the presence of an option set, you can in the account registration requires email address to add a number, form a special registration request, but I found the manual to do will be faster. Just like that, I repeatedly try to try to go to, and ultimately can only get some invalid syntax response. Fortunately, at a friend Gerben Javado help, I successfully configured a valid account registration type of the SQL request, the response to the prompt, the account has been created successfully, but need to wait for background activation. ! If so, then this is certainly the presence of a blind injection vulnerability, Blind SQLi, but since I can't test the page to view the request in response to the results, I'll instead use the following Payload to continue the test: "-IF(MID(@@version,1,1) = 5, sleep(10), "")-" The Payload, page in 10 seconds after the occurrence of the response, wherein the MID(@@version,1,1) = 5 to test the back-end MySQL database version is 5 or more. In addition, I also found a reflective-typeXSS. Achieve account hijacking Now, you can construct a valid account registration type of the SQL request, it can form an effective blind injection vulnerability, Blind XSS, and to this end, I've been withXSSHunter to the test see if you can find the newXSSpoint, several test is already late at night, trapped by the No, only tomorrow to fight another day. The next day, I carefully review the test records, of consciousness to the next can from 3 aspects in-depth: In the first MySQL error response in the screenshot, in the bottom you can see it prompts“Please contact XXXXXX and let him know you're having trouble.“, the This at least can explain to me given the need to register the mailbox is valid; On the second sheet of account registration type of SQL request in the screenshot, which tips, website system back-end to register email to send a verification message; and In addition, the website system, The password reset function for some of the subsequent analysis. Based on the above three aspects of the situation, I decided to test its password reset function. Since I submitted the above finding blind injection vulnerabilities, the target company informed me that once according to plan, this web application was supposed to be removed off the Assembly line, and for this they make me worry about the risk consequences of a free hand to test. In addition, with the consent of the target company consent, 我获得了一个有效的公司名后缀邮箱 in order for the subsequent test. In the password reset function, the only requirement is to have an effective Company name suffix e-mail, it will send the user an email, the message content of the concrete is unknown. I'm the first to test whether it is vulnerable to HTTP parameter pollution attacks-HTTP Parameter Pollution, isSQL injectionvulnerabilities, but all seem not work. And then I thought, if the system background is to provide me with the email address to send the verification mail, then I can try to use the SMTP header injection method of the SMTP header injection, will I set up their own Email address added to the CC or BCC another email address so that I will be able to receive and provide a mailbox of the same authentication message. SMTP header injection vulnerabilities is to not perform a full review filtering case, the user input is placed into the email header, allowing an attacker to inject an arbitrary value of the other header. This behavior can be used to a third party to send e-mail copies, additional viruses, provides phishing attacks, and often change the email content. A typical application is, spammers usually will in this way, the use of the presence of vulnerabilities the company reputation, to increase its e-mail legitimacy. If the email contains some of the attackers shouldn't see the sensitive information(such as password reset tokens, etc.), then this problem is very serious.-- Portswigger

[1] [2] next