没错,就是他了
重生之鹰图语法:
icp.name="四川大学"
&&web.body="注册"
&&web.body="登录"
很快哈,一眼定睛个系统
注册好一个用户后,来到忘记密码功能
这里先输入正确的验证码,然后下一步进行抓包
抓取响应包
这里的302跳转到重置密码是依靠Location:
/index.php?&m=User&a=resetPwd&_t=1705471852&mobile=1881924****
参数中的_t来认证
经过多次尝试发现:
HTTP/1.1 302 Moved Temporarily
Server: *
Date: Wed, 17 Jan 2024 06:10:52 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location:
/index.php?&m=User&a=resetPwd&_t=1705471852&mobile=1881924****
HTTP/1.1 302 Moved Temporarily
Server: *
Date: Wed, 17 Jan 2024 05:10:12 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location:
/index.php?&m=User&a=resetPwd&_t=1705468212&mobile=1881924****
Vary: Accept-Encoding
Content-Length: 0
HTTP/1.1 302 Moved Temporarily
Server: *
Date: Wed, 17 Jan 2024 05:23:51 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location:
/index.php?&m=User&a=resetPwd&_t=1705469031&mobile=1881924****
Vary: Accept-Encoding
Content-Length: 0
HTTP/1.1 302 Moved Temporarily
Server: *
Date: Wed, 17 Jan 2024 05:33:39 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location:
/index.php?&m=User&a=resetPwd&_t=1705469619&mobile=1881924****
Vary: Accept-Encoding
Content-Length: 0
我们会发现Location:
/index.php?&m=User&a=resetPwd&_t=1705471852&mobile=1881924****
这里进行输入多次正确验证码后下一步抓响应包,发现_t=17054是固定不变的,只需要遍历后5位爆破,从而达到成功重置密码的效果
(这里的重置密码页面并不能直接重置,因为有&_t=后面为鉴权的东西,所以需要遍历出来)
由于有WAF,需要Burp挂上代理池来遍历_t的参数进行爆破,这里使用的是快代理
这个包是如下图重置密码点击确定,然后对Referer头的_t=17054后5位进行Add
直到跑出正确的为止(跑出Length的长度不一样)
也是成功拿下证书