A record of obtaining a college student account password, from scratch
2022-07-24 06:18:00 【Ant view network security】
Statement: My original intention is to share and popularize network knowledge. If readers do any harm to network security, they will bear the consequences themselves; it has nothing to do with Hetian Wangan laboratory or the original author. This article is an original work of Hetian network security laboratory. If you want to reprint it, please indicate the source!
This record is intended to show the strength of information gathering and to draw the attention of colleges and universities to network security. See how student accounts were obtained from scratch…
After understanding the idea, you may be blown away by your masters…
0x01: Look at this window first
http://xxx.xxx.xxx.xxx/login

To recover a password, you can retrieve it either by email or by mobile phone….

0x02: The ideas so far, roughly
1. Brute-force the mobile phone verification code. Prerequisites: know the student number + mobile phone number + the password reset sends a verification code rather than a link
2. Brute-force the mailbox verification code. Prerequisites: know the student number + mailbox + the password reset sends a verification code rather than a link
Both of the above ideas are most likely dead ends….
(Because I found the vulnerability first and only then wrote the article, I already knew the student number + mobile phone number in advance….)


The verification code is validated…. That road is blocked….
0x03: How to do the information gathering
When collecting information, be sure to learn to use common Excel features to clean the data and find the accounts that are useful to us…
The great Google method…



After half an hour of searching, I found this announcement. Yes, it was this announcement that gave me a direction for a breakthrough…
3. The email user name is: student number@xxx.xxx.xxx.cn. The initial password is: xxxx + the 8-digit birthday on the ID card (the specific date). Xxxx.xxx..xxx.
4. The email in the account information of the online service hall has been bound to the student's email account by default.

Obtaining the account does not require finding the user's password. Changing the password is also an approach; as long as you can log in, nothing more needs to be said…
From the moment I saw this announcement, our general approach was established….

Specific approach:
Look for sensitive information --- then reset her password by email --- finally get the unified identity account
Continuing with Google, I found a sensitive information leak…. About 100 records were leaked.

Here is a reminder: many students may change their unified identity authentication password, but many students never change their email password, and are used to changing the password with a verification code sent to their mobile phone number…
And we changed her password by using the email reset….
Find her mailbox, log in and, wow, the login succeeds….

0x04: Unified identity authentication ….





Then we went into unified identity authentication ….
Summary:
1. In general, the method is still the same old method.
2. Don't underestimate the harm of one account. Even a low-privileged account can be milked for everything it has, as in this case….
3. There are many ways to change your password, but it is recommended to use the mobile phone number to change it. Never publish the password rules; who knows what will happen?
4. Information gathering yyds. A master once gave me this view: the process of penetration testing is the process of information gathering. The intranet is no exception! If you collect the account passwords of many hosts, lateral movement becomes a process of repeatedly entering account passwords… and it makes very little noise…
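The chain described in this article (a login to the student mailbox, a unified-identity password reset by email, then a unified-identity login) leaves a recognizable trace in authentication logs. The following detection sketch is an added example, not code from the original article; the log format, field names, sample events and the 15-minute window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumed format): time, system, user, action, source IP.
EVENTS = """\
2022-07-20T09:00:00 mail s1001 login_ok 10.1.1.5
2022-07-23T22:10:00 mail s1001 login_ok 203.0.113.9
2022-07-23T22:12:30 sso s1001 reset_via_email 203.0.113.9
2022-07-23T22:14:10 sso s1001 login_ok 203.0.113.9
2022-07-19T08:00:00 mail s1002 login_ok 10.1.2.7
2022-07-23T10:00:00 mail s1002 login_ok 10.1.2.7
2022-07-23T10:05:00 sso s1002 reset_via_email 10.1.2.7
2022-07-23T10:06:00 sso s1002 login_ok 10.1.2.7
"""
WINDOW = timedelta(minutes=15)  # assumed correlation window

def parse(text):
    for line in text.splitlines():
        ts, system, user, action, ip = line.split()
        yield datetime.fromisoformat(ts), system, user, action, ip

def find_reset_chains(text, window=WINDOW):
    """Flag: mailbox login from a new IP -> SSO reset by email -> SSO login, same IP."""
    known_ips = {}  # user -> IPs seen on earlier mailbox logins
    stage = {}      # user -> (stage, ip, time of the new-IP mailbox login)
    alerts = []
    for ts, system, user, action, ip in sorted(parse(text)):
        st = stage.get(user)
        if st and ts - st[2] > window:  # chain went stale, forget it
            del stage[user]
            st = None
        if system == "mail" and action == "login_ok":
            seen = known_ips.setdefault(user, set())
            if ip not in seen:  # a first-ever login also counts as new
                stage[user] = ("mail_new_ip", ip, ts)
            seen.add(ip)
        elif system == "sso" and action == "reset_via_email":
            if st and st[:2] == ("mail_new_ip", ip):
                stage[user] = ("reset", ip, st[2])
        elif system == "sso" and action == "login_ok":
            if st and st[:2] == ("reset", ip):
                alerts.append((user, ip, st[2], ts))
                del stage[user]
    return alerts

if __name__ == "__main__":
    for user, ip, start, end in find_reset_chains(EVENTS):
        print(f"ALERT {user}: mailbox-to-SSO reset chain from {ip}, {start} to {end}")
```

The second user in the sample resets a password from an address already seen on that mailbox, so only the first user is flagged.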