原文: https://hackerone.com/reports/703972 废话不多说，直接开始复现：第一步：输入邮箱地址，重置密码 <img src="https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/qsDcWDETvM85RugcAHTbk3YT?response-content-disposition=attachment%3B%20filename%3D%220.png%22%3B%20filename%2A%3DUTF-8%27%270.png&response-content-type=image%2Fpng&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQX4P72V4B%2F20210401%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210401T015605Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEE8aCXVzLXdlc3QtMiJIMEYCIQCmq%2BqU%2FBrheZcVon404rIE2iVw8%2FC6TGj3Rvsqo9o%2B5gIhAOjxGUeefU41%2Bzo75zge%2FAoXDh7sZlwHQyuGceCjrFWQKr0DCJj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMMDEzNjE5Mjc0ODQ5Igzu7lgTtmkHv7rFj1oqkQO2B35kjNiXL8TW3rDk3iFZWVIXGjoUzACP4yEOkInOBR4Z7z80R63f2xpnVYpv96zzx0zSCWKwxhSYU6I3qa7xo7pqUT0pAey3mNLNrZYb3IMlGJbel6mkm6VSlvEbJLne12tkHrwkqyLBh3PSd5IWNem4r06bZcc8nIO5VErZqmR6hjHBU69YKAHa8I92nV74vDRhztwhfz%2FAXhhPSabCAHXUoUH6QcwP8kOfvSiaah%2FMAN6zKWKTvTPVEqjYtjfqTUHHjt1XiPNXRzg98zLK7cdVSaQVPGtjv3EJWCbdpre8y%2BQGEvIgBk6inogEmNFgaIhstS3CsFd7CS%2By3TsrDxFLs73%2FruFrSkoDzJDHIwlCJaMLF343w3xiRqY8Ds4ap6%2BXcIjgBTcVnzGdKW2NTvyzIZeay0u9F8oekmXPxkRiAhlaUPizHN8Qocq4EuJnAD9XshF5XNPTHvITkME9Q2f%2FBnDq7g0kVt6RRssmUYYe6JwPxi0q6faA2P73eejhP8k75hfxMVQQhGZc2GHYLTC3%2FJODBjrqARRQPg6R54XHhEg3IwtjVcgnMruUOVx5mT6YJ2gLbJDxCvqlbe3qrTnqFevayO%2Fo1MXbj%2FkQXI3nFtNJRkCtwg87OfJepBQfen8NqR5FPQfWCXU5ZoSlW81onwnk9Uhkz0mGX5gJRWOV034Lmb1nOeiMEJDNfrthh81V2rsO3O40ngQMi82TMsAWF8Ks5D%2FfK3hm6uXD8Bkj3rHBPuqz8qRhEzFdb%2Bv7sj6IOUYRDSIyPMP2Fhj%2FD1a31UbCel0e2tu%2Bu1ImzD2YUrxpH0BmMVugVHVzT9INZNMyVfm2O%2FbNSO5w%2FdWSwcrUNg%3D%3D&X-Amz-Signature=a01156de051e7a6f90a82c9bab6d7f22e47cf6250843f80b514b2063e5cbb497" title="" alt=""> 然后点击提交， <img src="https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/gkn57zGaFp19TYLCWjdEYAUG?response-content-disposition=attachment%3B%20filename%3D%221.png%22%3B%20filename%2A%3DUTF-8%27%271.png&response-content-type=image%2Fpng&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQX4P72V4B%2F20210401%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210401T015605Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEE8aCXVzLXdlc3QtMiJIMEYCIQCmq%2BqU%2FBrheZcVon404rIE2iVw8%2FC6TGj3Rvsqo9o%2B5gIhAOjxGUeefU41%2Bzo75zge%2FAoXDh7sZlwHQyuGceCjrFWQKr0DCJj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMMDEzNjE5Mjc0ODQ5Igzu7lgTtmkHv7rFj1oqkQO2B35kjNiXL8TW3rDk3iFZWVIXGjoUzACP4yEOkInOBR4Z7z80R63f2xpnVYpv96zzx0zSCWKwxhSYU6I3qa7xo7pqUT0pAey3mNLNrZYb3IMlGJbel6mkm6VSlvEbJLne12tkHrwkqyLBh3PSd5IWNem4r06bZcc8nIO5VErZqmR6hjHBU69YKAHa8I92nV74vDRhztwhfz%2FAXhhPSabCAHXUoUH6QcwP8kOfvSiaah%2FMAN6zKWKTvTPVEqjYtjfqTUHHjt1XiPNXRzg98zLK7cdVSaQVPGtjv3EJWCbdpre8y%2BQGEvIgBk6inogEmNFgaIhstS3CsFd7CS%2By3TsrDxFLs73%2FruFrSkoDzJDHIwlCJaMLF343w3xiRqY8Ds4ap6%2BXcIjgBTcVnzGdKW2NTvyzIZeay0u9F8oekmXPxkRiAhlaUPizHN8Qocq4EuJnAD9XshF5XNPTHvITkME9Q2f%2FBnDq7g0kVt6RRssmUYYe6JwPxi0q6faA2P73eejhP8k75hfxMVQQhGZc2GHYLTC3%2FJODBjrqARRQPg6R54XHhEg3IwtjVcgnMruUOVx5mT6YJ2gLbJDxCvqlbe3qrTnqFevayO%2Fo1MXbj%2FkQXI3nFtNJRkCtwg87OfJepBQfen8NqR5FPQfWCXU5ZoSlW81onwnk9Uhkz0mGX5gJRWOV034Lmb1nOeiMEJDNfrthh81V2rsO3O40ngQMi82TMsAWF8Ks5D%2FfK3hm6uXD8Bkj3rHBPuqz8qRhEzFdb%2Bv7sj6IOUYRDSIyPMP2Fhj%2FD1a31UbCel0e2tu%2Bu1ImzD2YUrxpH0BmMVugVHVzT9INZNMyVfm2O%2FbNSO5w%2FdWSwcrUNg%3D%3D&X-Amz-Signature=6487f7a97b05c9d0bfc1dade14222982ce98640a41cfcfa56928e45b4c011d03" title="" alt=""> 这里的验证码是有限制的。第二步: 输入正确的验证码后，就到达了第三步 <img src="https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/ydGGrCRrzbrrspH3B4Nn1TtP?response-content-disposition=attachment%3B%20filename%3D%222.png%22%3B%20filename%2A%3DUTF-8%27%272.png&response-content-type=image%2Fpng&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQX4P72V4B%2F20210401%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210401T015605Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEE8aCXVzLXdlc3QtMiJIMEYCIQCmq%2BqU%2FBrheZcVon404rIE2iVw8%2FC6TGj3Rvsqo9o%2B5gIhAOjxGUeefU41%2Bzo75zge%2FAoXDh7sZlwHQyuGceCjrFWQKr0DCJj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMMDEzNjE5Mjc0ODQ5Igzu7lgTtmkHv7rFj1oqkQO2B35kjNiXL8TW3rDk3iFZWVIXGjoUzACP4yEOkInOBR4Z7z80R63f2xpnVYpv96zzx0zSCWKwxhSYU6I3qa7xo7pqUT0pAey3mNLNrZYb3IMlGJbel6mkm6VSlvEbJLne12tkHrwkqyLBh3PSd5IWNem4r06bZcc8nIO5VErZqmR6hjHBU69YKAHa8I92nV74vDRhztwhfz%2FAXhhPSabCAHXUoUH6QcwP8kOfvSiaah%2FMAN6zKWKTvTPVEqjYtjfqTUHHjt1XiPNXRzg98zLK7cdVSaQVPGtjv3EJWCbdpre8y%2BQGEvIgBk6inogEmNFgaIhstS3CsFd7CS%2By3TsrDxFLs73%2FruFrSkoDzJDHIwlCJaMLF343w3xiRqY8Ds4ap6%2BXcIjgBTcVnzGdKW2NTvyzIZeay0u9F8oekmXPxkRiAhlaUPizHN8Qocq4EuJnAD9XshF5XNPTHvITkME9Q2f%2FBnDq7g0kVt6RRssmUYYe6JwPxi0q6faA2P73eejhP8k75hfxMVQQhGZc2GHYLTC3%2FJODBjrqARRQPg6R54XHhEg3IwtjVcgnMruUOVx5mT6YJ2gLbJDxCvqlbe3qrTnqFevayO%2Fo1MXbj%2FkQXI3nFtNJRkCtwg87OfJepBQfen8NqR5FPQfWCXU5ZoSlW81onwnk9Uhkz0mGX5gJRWOV034Lmb1nOeiMEJDNfrthh81V2rsO3O40ngQMi82TMsAWF8Ks5D%2FfK3hm6uXD8Bkj3rHBPuqz8qRhEzFdb%2Bv7sj6IOUYRDSIyPMP2Fhj%2FD1a31UbCel0e2tu%2Bu1ImzD2YUrxpH0BmMVugVHVzT9INZNMyVfm2O%2FbNSO5w%2FdWSwcrUNg%3D%3D&X-Amz-Signature=7cba2ff09ad8e189e8632e498ea9e3736836ea0c7e5873c4f8ce555bead2ab76" title="" alt=""> 这里的验证码没有限制，就可以跑起来重置密码了。作者还给了个视频演示： https://reurl.cc/E2azGa 作者同时还对这个漏洞画了个图来解释： <img src="https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/J5HCzC1SMUqjrXBFtebdzAp4?response-content-disposition=inline%3B%20filename%3D%224.png%22%3B%20filename%2A%3DUTF-8%27%274.png&response-content-type=image%2Fpng&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQWLMBU5P5%2F20210401%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210401T015607Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEE8aCXVzLXdlc3QtMiJIMEYCIQCsARv7I%2F%2FsHehi76qJRQNXX4T2eC3YavRIO71%2BbiAG4AIhALyoBdHAL3UoIf7rTsKr9n7CbBaakjFKVLmqxTwZ5gAjKr0DCJj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMMDEzNjE5Mjc0ODQ5IgwctekAEeGhd1P8BcsqkQNu5mH19ChLQyD0R0TkDTwZ9Xr8jNPNbDIkJbYJCgv3wDKqEd0ON78WZSpMdt4Awp2fQkNBuNVQzxW3YjuZzbyVxoqeDNPQEdl6rJ%2BB6M5YIjZJJpanIa5jpdTlrEQT91cgu64%2B5h4wJOU2ywKJE66rsWgJwWedxCL9F7fURdlu7Y4QAb3fZNxzKY8h%2Bg77HA6HAr0%2BPCasbXHpE20hXnwY5uzylqsjCg6pOosnW7W1C%2BWkyklmcxCcthD21G3buKKAYcor7mY3LL9LyCorV5zZ7KG23e88yjk%2FpV27JlnYTSLnmRjXZQR0VKJWH52IE5p7kz78Z2ULwv%2BPE1JiOH4HwTo%2F0QCiIMItrDjftPh37jR1LDoo1n7jSbJmLOjH5ri2DvG%2BPb8IUM6KBKu9QZBrPhNJ65%2F9ZbLg9YnkifSfYbjGEY%2F7QtE56KKwaW7JUOYqZEgSQ1OoAmuF0ZemV6%2FnTW15zq80l2Zl82YsuhMW%2BT2oWoCMp6urDIBB6bYGJ7GuvgahVXKiYEfoRCMTty8LVjDV%2FZODBjrqAdONxilkDxmRBTzhxNyIYtuizLkW3zyrIC%2FApwyFRGBfGli0KwUFKgnLgfG5t2gvV7aoU2nSM6TiWLVRw%2FfKpUfFhNg1w%2BJtV0sPQ%2BSN6de6%2B7BlRWTB7AgMPYW1I3zZRjgz%2FWHrQIxnrCJIc0hfSlUAnlXTyu1tcavpb463BSL4i76EO7995GhWoxTLWs7QT9XSFc6OsgNifCo349zf%2FqmRgCnUDQGk9ds8N8uuJ1y2rAJvfMrRlQKFHFr7Eo3Ot2XY5JQU8k%2BMsQ5mjUviVlYmUl7YohcuTkSgN%2B4ChzmXdzXZ%2FDCqF%2Bo48A%3D%3D&X-Amz-Signature=6c66bf49655345df9547c99c5b3f85e29ce0dcf66a68b1a95725b5defe072274" title="" alt=""> <img src="https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/XoKirNDiR7GrAF1srJgE4CSw?response-content-disposition=inline%3B%20filename%3D%225.png%22%3B%20filename%2A%3DUTF-8%27%275.png&response-content-type=image%2Fpng&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQWLMBU5P5%2F20210401%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210401T015607Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEE8aCXVzLXdlc3QtMiJIMEYCIQCsARv7I%2F%2FsHehi76qJRQNXX4T2eC3YavRIO71%2BbiAG4AIhALyoBdHAL3UoIf7rTsKr9n7CbBaakjFKVLmqxTwZ5gAjKr0DCJj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMMDEzNjE5Mjc0ODQ5IgwctekAEeGhd1P8BcsqkQNu5mH19ChLQyD0R0TkDTwZ9Xr8jNPNbDIkJbYJCgv3wDKqEd0ON78WZSpMdt4Awp2fQkNBuNVQzxW3YjuZzbyVxoqeDNPQEdl6rJ%2BB6M5YIjZJJpanIa5jpdTlrEQT91cgu64%2B5h4wJOU2ywKJE66rsWgJwWedxCL9F7fURdlu7Y4QAb3fZNxzKY8h%2Bg77HA6HAr0%2BPCasbXHpE20hXnwY5uzylqsjCg6pOosnW7W1C%2BWkyklmcxCcthD21G3buKKAYcor7mY3LL9LyCorV5zZ7KG23e88yjk%2FpV27JlnYTSLnmRjXZQR0VKJWH52IE5p7kz78Z2ULwv%2BPE1JiOH4HwTo%2F0QCiIMItrDjftPh37jR1LDoo1n7jSbJmLOjH5ri2DvG%2BPb8IUM6KBKu9QZBrPhNJ65%2F9ZbLg9YnkifSfYbjGEY%2F7QtE56KKwaW7JUOYqZEgSQ1OoAmuF0ZemV6%2FnTW15zq80l2Zl82YsuhMW%2BT2oWoCMp6urDIBB6bYGJ7GuvgahVXKiYEfoRCMTty8LVjDV%2FZODBjrqAdONxilkDxmRBTzhxNyIYtuizLkW3zyrIC%2FApwyFRGBfGli0KwUFKgnLgfG5t2gvV7aoU2nSM6TiWLVRw%2FfKpUfFhNg1w%2BJtV0sPQ%2BSN6de6%2B7BlRWTB7AgMPYW1I3zZRjgz%2FWHrQIxnrCJIc0hfSlUAnlXTyu1tcavpb463BSL4i76EO7995GhWoxTLWs7QT9XSFc6OsgNifCo349zf%2FqmRgCnUDQGk9ds8N8uuJ1y2rAJvfMrRlQKFHFr7Eo3Ot2XY5JQU8k%2BMsQ5mjUviVlYmUl7YohcuTkSgN%2B4ChzmXdzXZ%2FDCqF%2Bo48A%3D%3D&X-Amz-Signature=08522652a2e48190f2045c7bc63a3367317b2396fc4276c5ef4081a39eddf8ac" title="" alt=""> 译者按：我们想一下这个漏洞的问题出在哪，首先第二步是肯定不能跳过的，第三步不应该继续用验证码，应该用第二步返回来的token。我们再想一下，如果修该怎么修，第一种方法，第三步验证码加频率限制，第二种方法，删除第三步验证码，从第二部返回token，用这个token作为第三步的验证。还有一点像这种验证码爆破的，最好附一个成功案例，这样更容易说服厂商。本文迁移自知识星球“火线Zone”

翻译文章|pixiv重置任意用户密码

44567

原文:

https://hackerone.com/reports/703972

废话不多说，直接开始复现：

第一步：输入邮箱地址，重置密码

然后点击提交，

这里的验证码是有限制的。

第二步:

输入正确的验证码后，就到达了第三步

这里的验证码没有限制，就可以跑起来重置密码了。

作者还给了个视频演示：

https://reurl.cc/E2azGa

作者同时还对这个漏洞画了个图来解释：

译者按：

我们想一下这个漏洞的问题出在哪，首先第二步是肯定不能跳过的，第三步不应该继续用验证码，应该用第二步返回来的token。我们再想一下，如果修该怎么修，第一种方法，第三步验证码加频率限制，第二种方法，删除第三步验证码，从第二部返回token，用这个token作为第三步的验证。还有一点像这种验证码爆破的，最好附一个成功案例，这样更容易说服厂商。

本文迁移自知识星球“火线Zone”