Title: Various methods and techniques for bypassing SMS bombing vulnerabilities

When testing Party A's business or digging for SRC and other services, we often encounter places where SMS verification codes are sent. What comes to mind are logical vulnerabilities such as login as any user, SMS bombing, and any user modifying passwords. Simple vulnerabilities still require clear analysis, so here are several SMS bombing bypass cases to share, collected as high-risk and low-risk.

1. Parameter pollution bypass

Parameter pollution: when sending the text message, the backend takes only the number part. When you mix other characters into it, you bypass the check on the sending limit for a mobile phone number that has already been sent to.

2. Variable pollution bypass

So-called variable pollution: perhaps the backend checks the content of the first variable and treats it as the value, but when the data packet is passed to the backend, if the parameter names are the same, the second, third, fourth, or last parameter is taken as the basis, so the backend's limit is bypassed.

3. Data length bypass

A mobile phone number is defined as 11 digits, but the backend does not check the length of the transmitted mobile phone number, for example 123=0123=00123. This method is used to bypass the limit on a mobile phone number: [A vulnerability of the dog] [The picture cannot be found]

4. Variable parameter bypass

This is common. When sending the verification code, the front end carries a state. By modifying this state, the system restrictions can be bypassed. For example, registered users cannot send text messages or, conversely, unregistered users cannot send text messages; false is changed to true.

5. Cookie replacement bypass

Same soup, different medicine. The user's credentials are verified in the cookie. By modifying some parameters in the cookie, you can bypass the restriction on sent/registered mobile phone numbers and send text messages.

6. [Space bypass SMS bombing] [No picture]

When sending SMS, the number is 11 digits, but the database does not limit the field length to 11. The original verification is bypassed by adding spaces. However, when the backend sends the number, it takes the field in front of the valid characters, resulting in a bypass.

7. [Verification code can be reused, resulting in SMS bombing vulnerability] [No picture]

After a username enumeration or password brute-force vulnerability, verification of a verification code is added, but the verification code is not refreshed when it is sent, and the verification code does not become invalid, causing the SMS bombing vulnerability.

8. [Based on API interface] [No picture]

For this vulnerability, generally, you input the mobile phone number in the front end and send a request:

1. Go to the backend to determine whether the send request can be executed.

2. If not, return false or an error. If successful, return true or success. Just find the returned value.

This kind of vulnerability may be found on an interface.
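As an added example that is not part of the original post, the following Python sketch shows what a server-side send-code guard looks like when it closes the cases listed above: the phone number is canonicalised to exactly 11 digits (cases 1, 3 and 6), a duplicated parameter name is rejected instead of "last one wins" (case 2), the registered/unregistered decision is made from server data rather than a client flag (case 4), sends are counted per canonical number in a sliding window, and each send overwrites the previous code, which is single-use and expires (case 7). The class and function names, the 11-digit regex, the limits and the in-memory store are all assumptions for illustration.

```python
"""Added example: hardened SMS verification-code sending (not the forum post's code).
Names, regex and limits are illustrative assumptions."""
import re
import secrets
import time
from urllib.parse import parse_qs

# Assumed format: 11-digit mobile number as described in the post.
PHONE_RE = re.compile(r"^1[3-9]\d{9}$")
MAX_PER_WINDOW = 3        # sends allowed per number per window (assumed)
WINDOW_SECONDS = 600      # sliding window length (assumed)
CODE_TTL_SECONDS = 300    # code lifetime (assumed)


class SmsGuard:
    def __init__(self, registered_numbers, now=time.time):
        self.registered = set(registered_numbers)   # server-side truth, not a client flag
        self.now = now                              # injectable clock for testing
        self.sent = {}     # canonical number -> list of send timestamps
        self.codes = {}    # canonical number -> (code, expiry)

    @staticmethod
    def canonical_phone(raw):
        """Strip surrounding whitespace, then require exactly 11 digits.
        Leading zeros, embedded characters or extra length are rejected, so
        '013800000000', '138000000,00' and '13800000000 ' cannot create a
        new rate-limit bucket for the same real number."""
        s = raw.strip()
        return s if PHONE_RE.fullmatch(s) else None

    @staticmethod
    def single_param(query, name):
        """Return the parameter only if it appears exactly once in the query
        string; duplicated names (parameter/variable pollution) are refused."""
        values = parse_qs(query, keep_blank_values=True).get(name, [])
        return values[0] if len(values) == 1 else None

    def request_code(self, query, purpose):
        """purpose is 'register' or 'login'. Any client-supplied state such as
        registered=true/false in the query is ignored."""
        raw = self.single_param(query, "phone")
        if raw is None:
            return "bad_request"
        phone = self.canonical_phone(raw)
        if phone is None:
            return "bad_request"
        is_registered = phone in self.registered
        if purpose == "register" and is_registered:
            return "already_registered"
        if purpose == "login" and not is_registered:
            return "not_registered"
        t = self.now()
        history = [s for s in self.sent.get(phone, []) if t - s < WINDOW_SECONDS]
        if len(history) >= MAX_PER_WINDOW:
            self.sent[phone] = history
            return "rate_limited"
        history.append(t)
        self.sent[phone] = history
        # A fresh code on every send; the previous one is invalidated.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.codes[phone] = (code, t + CODE_TTL_SECONDS)
        return "sent"

    def verify_code(self, phone, code):
        """Single-use and time-limited: removed on first successful check."""
        entry = self.codes.get(phone)
        if entry is None:
            return False
        stored, expiry = entry
        if self.now() > expiry or not secrets.compare_digest(stored, code):
            return False
        del self.codes[phone]
        return True
```

The rate limit is keyed on the canonical number after validation, so every variant the post describes (leading zeros, trailing spaces, mixed-in characters, a second `phone=` parameter) either maps to the same bucket or is rejected outright; a production version would keep `sent` and `codes` in a shared store such as Redis and add a per-IP or per-session counter alongside the per-number one.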
