教育edusrc-证书站挖掘-逻辑漏洞篇

发布于2024年2月16日2025年7月19日作者:cve-20

教育edusrc-证书站挖掘-逻辑漏洞篇

原创 PWN师傅 PwnPigPig 2024-02-16 10:15

一眼定睛

没错,就是他了

重生之鹰图语法:

icp.name=”四川大学”

&&web.body=”注册”

&&web.body=”登录”

很快哈,一眼定睛个系统

注册好一个用户后,来到忘记密码功能

这里先输入正确的验证码,然后下一步进行抓包

抓取响应包

这里的302跳转到重置密码是依靠Location:

/index.php?&m=User&a=resetPwd&_t=1705471852&mobile=1881924****参数中的_t来认证经过多次尝试发现:

HTTP/1.1 302 Moved Temporarily
Server: *
Date: Wed, 17 Jan 2024 06:10:52 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location:
/index.php?&m=User&a=resetPwd&_t=1705471852&mobile=1881924****

HTTP/1.1 302 Moved Temporarily
Server: *
Date: Wed, 17 Jan 2024 05:10:12 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location:
/index.php?&m=User&a=resetPwd&_t=1705468212&mobile=1881924****
Vary: Accept-Encoding
Content-Length: 0

HTTP/1.1 302 Moved Temporarily
Server: *
Date: Wed, 17 Jan 2024 05:23:51 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location:
/index.php?&m=User&a=resetPwd&_t=1705469031&mobile=1881924****
Vary: Accept-Encoding
Content-Length: 0

HTTP/1.1 302 Moved Temporarily
Server: *
Date: Wed, 17 Jan 2024 05:33:39 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location:
/index.php?&m=User&a=resetPwd&_t=1705469619&mobile=1881924****
Vary: Accept-Encoding
Content-Length: 0

我们会发现Location:

/index.php?&m=User&a=resetPwd&_t=1705471852&mobile=1881924****这里进行输入多次正确验证码后下一步抓响应包,发现_t=17054是固定不变的,只需要遍历后5位爆破,从而达到成功重置密码的效果