The replacement verification code page is used to authenticate the account #80
Comments
|
As I said, why don't you give it a try before question? This requires a lot of work on the proxy (client side), dispatch server cannot be done alone. |
|
Please try it yourself first, then come here later. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Replace the verification code with the password input box to authenticate the account
Pop up verification code:
/account/risky/api/check
{"retcode":0,"message":"OK","data":{"id":"","action":"ACTION_GEETEST","geetest":{"challenge":"","gt":"","new_captcha":1,"success":1}}}
Change action to action_ Geetest and new_ Change CAPTCHA to 1
Hijacking verification code:
https://api-na.geetest.com/gettype.php
geetest_********({"status": "success", "data": {"type": "fullpage", "static_servers": ["static.geetest.com/", "dn-staticdown.qbox.me/"], "click": "/static/js/click.3.0.4.js", "pencil": "/static/js/pencil.1.0.3.js", "voice": "/static/js/voice.1.2.0.js", "fullpage": "/static/js/fullpage.9.0.9.js", "beeline": "/static/js/beeline.1.0.1.js", "slide": "/static/js/slide.7.8.6.js", "geetest": "/static/js/geetest.6.0.9.js", "aspect_radio": {"slide": 103, "click": 128, "voice": 128, "pencil": 128, "beeline": 50}}})
Modify the content of the request and replace the JS address in it
I think we can hijack the verification code page through the above methods and change the verification code page to the password input box to provide account authentication
The text was updated successfully, but these errors were encountered: