About YzmCMS V5.3- 'Host' Header Injection #28

Open
dpalbd opened this issue Sep 22, 2019 · 0 comments
dpalbd commented Sep 22, 2019

A Host header injection vulnerability was found in YzmCMS V5.3. Using this attack, a malicious user can poison the web cache or cause arbitrary user redirection.

PoC:
Test Environment: Windows 7 SP1(64bit)
XAMPP: 7.3.9
YzmCMS V5.3 Access Path: 192.168.30.169/yzmcms/

```
root@kali:~# curl http://192.168.30.169/yzmcms/member/ -H "Host: www.google.com"

<title>YzmCMS提示信息</title> <style type="text/css"> *{padding:0;margin:0;} body{background:#fff;color:#000;font-family:"Microsoft Yahei","Hiragino Sans GB","Helvetica Neue",Helvetica,tahoma,arial,"WenQuanYi Micro Hei",Verdana,sans-serif;} #msg{border:1px solid #5eb95e;width:500px;position:absolute;top:44%;left:50%;margin:-87px 0 0 -250px;padding:1px;line-height:30px;text-align:center;font-size:16px;background:#fff;} #msgtit{height:35px;line-height:35px;color:#fff;background:#5eb95e;} #msgbody{margin:20px 0;text-align:center} #info{margin-bottom:10px;} #msgbody p{font-size:14px;} #msgbody p a{font-size:14px;color:#333;text-decoration:none;} #msgbody p a:hover{color:#5a98de;} </style>
提示信息
请先登录!

本页面将在1秒后跳转...

root@kali:~#
```

Or if we capture this in Burp:

```
GET /yzmcms/member/ HTTP/1.1
Host: 192.168.30.169
```

Next, change the "Host" to www.google.com and click "Go" to send the web request:

Then follow the redirection.

This will be redirected to www.google.com with a 404 response.
Capture the response and open it in the browser; it will show the following:

This was detected and emailed to you on 18-Sep-2019, but there was no response, so I am providing the information here. Thank you.
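
One way to close this class of bug on the server side, as an added example that is not YzmCMS code and not part of the original report: validate the `Host` header against an allowlist before routing, and build absolute URLs from a configured host rather than from the request. The names `ALLOWED_HOSTS`, `CANONICAL_HOST`, `validated_host` and `site_url`, the `http://` scheme and the host `cms.example.test` are assumptions made for illustration.

```php
<?php
// Added example (assumed names): hosts this deployment may answer for.
const ALLOWED_HOSTS  = ['192.168.30.169', 'cms.example.test'];
// Assumed configuration value: the only host ever written into generated URLs.
const CANONICAL_HOST = '192.168.30.169';

/**
 * Return the lower-cased host (port stripped) when the raw Host header is
 * well-formed and on the allowlist; return null otherwise.
 */
function validated_host(?string $rawHost, array $allowed): ?string
{
    if ($rawHost === null || $rawHost === '') {
        return null;
    }
    // Accept only "name" or "name:port". Spaces, '/', '@' and CR/LF fail here.
    // The D modifier stops '$' from matching before a trailing newline.
    $pattern = '/^([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)\.?(?::\d{1,5})?$/iD';
    if (!preg_match($pattern, $rawHost, $m)) {
        return null;
    }
    $host = strtolower($m[1]);
    return in_array($host, $allowed, true) ? $host : null;
}

/** Build an absolute URL from configuration, never from $_SERVER['HTTP_HOST']. */
function site_url(string $path): string
{
    return 'http://' . CANONICAL_HOST . '/' . ltrim($path, '/');
}

// Constructed inputs: the two Host values from the report plus malformed ones.
$samples = [
    '192.168.30.169',
    'www.google.com',
    'CMS.example.test:8080',
    "192.168.30.169\r\nX-Injected: 1",
    'www.google.com/@192.168.30.169',
];
foreach ($samples as $raw) {
    $shown = json_encode($raw, JSON_UNESCAPED_SLASHES);
    if (validated_host($raw, ALLOWED_HOSTS) === null) {
        // In a front controller this branch would be: http_response_code(400); exit;
        printf("%-40s -> reject with 400\n", $shown);
    } else {
        printf("%-40s -> accept, links use %s\n", $shown, site_url('yzmcms/member/'));
    }
}
```

The same allowlist can also be enforced in front of PHP by giving the web server a default virtual host that refuses unknown `Host` values, so that unvalidated requests never reach the application.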
