Lucene search
K

HTTP Host Header Injection Detection

🗓️ 07 Oct 2015 03:19:00Reported by Jay Turla, Medz BaraoType 
metasploit
 metasploit
🔗 www.rapid7.com👁 27 Views

HTTP Host Header Injection Detection module for vulnerability detection in the host header of a serve

Related
Code
ReporterTitlePublishedViews
Family
0day.today
Vanilla Forums < 2.3 - Remote Code Execution Exploit
12 May 201700:00
zdt
Circl
CVE-2016-10073
29 May 201815:50
circl
CNVD
Vanilla Forums Password Reset Vulnerability
16 May 201700:00
cnvd
CVE
CVE-2016-10073
23 May 201703:56
cve
Cvelist
CVE-2016-10073
23 May 201703:56
cvelist
Exploit DB
Vanilla Forums &lt; 2.3 - Remote Code Execution
11 May 201700:00
exploitdb
exploitpack
Vanilla Forums 2.3 - Remote Code Execution
11 May 201700:00
exploitpack
F5 Networks
K16445454: Vanilla Forums vulnerability CVE-2016-10073
21 Feb 202318:35
f5
NVD
CVE-2016-10073
23 May 201704:29
nvd
OSV
CVE-2016-10073
23 May 201704:29
osv
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::WmapScanServer
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'HTTP Host Header Injection Detection',
      'Description' => 'Checks if the host is vulnerable to Host header injection',
      'Author'      =>
        [
          'Jay Turla', # @shipcod3
          'Medz Barao' # @godflux
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2016-10073'], # validate, an instance of a described attack approach from the original reference
          ['URL', 'http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html']
        ]
    ))

    register_options([
      OptString.new('PATH', [true, "The PATH to use while testing", '/']),
      OptEnum.new('METHOD', [true, 'HTTP Request Method', 'GET', ['GET', 'POST']]),
      OptString.new('TARGETHOST', [false, 'The redirector target. Default is <random>.com']),
      OptString.new('DATA', [false, 'POST data, if necessary', '']),
      OptBool.new('SHOW_EVIDENCE', [false, "Show evidences: headers or body", false])
    ])
  end

  def run_host(ip)

    web_path = normalize_uri(datastore['PATH'])
    http_method = datastore['METHOD']
    target_host = datastore['TARGETHOST'] || Rex::Text.rand_text_alpha_lower(8)+".com"

    # The 'Host' header specifies the domain name of the server (for virtual
    # hosting), and (optionally) the TCP port number on which the server is listening.

    # The 'X-Host' header specifies the originating domain name of the server
    # (for virtual hosting) and optionally the TCP port number.

    # The 'X-Forwarded-Host' header is a de-facto standard header for identifying
    # the original host requested by the client in the Host HTTP request header.

    begin

      vprint_status("Sending request #{rhost}:#{rport}#{web_path} (#{vhost})(#{http_method}) with 'Host' value '#{target_host}'")

      res = send_request_raw({
        'uri'     => web_path,
        'method'  => http_method,
        'data'    => datastore['DATA'],
        'headers' => {
          'Host'             => target_host,
          'X-Host'           => target_host,
          'X-Forwarded-Host' => target_host
        }
      })

      unless res
        vprint_error("#{rhost}:#{rport}#{web_path} (#{vhost}) did not reply to our request")
        return
      end

      if res.headers.include?(target_host)
        evidence = "headers"
        if datastore['SHOW_EVIDENCE']
          vprint_status("Headers: [#{res.headers}]")
        end
      end

      if res.body.include?(target_host)
        evidence = "body"
        if datastore['SHOW_EVIDENCE']
          vprint_status("Body: [#{res.body}]")
        end
      end

      if evidence
        print_good("#{rhost}:#{rport}#{web_path} (#{vhost})(#{res.code})(#{http_method})(evidence into #{evidence}) is vulnerable to HTTP Host header injection")

        report_vuln(
          host:  rhost,
          port:  rport,
          proto: 'tcp',
          sname: ssl ? 'https' : 'http',
          name:  self.name,
          info:  "Module used #{self.fullname}, vhost: #{vhost}, method: #{http_method}: evidence: #{evidence}",
          refs:  self.references
        )

        report_web_vuln({
          :host        => rhost,
          :port        => rport,
          :vhost       => vhost,
          :path        => web_path,
          :pname       => "Host,X-Host,X-Forwarded-Host headers",
          :risk        => 2,
          :proof       => "Evidence into #{evidence}",
          :description => "HTTP Host Header Injection Detection",
          :name        => self.fullname,
          :category    => "web",
          :method      => http_method
        })

      else
        vprint_error("#{rhost}:#{rport}#{web_path} (#{vhost}) returned #{res.code} #{res.message}")
      end

    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
    rescue ::Timeout::Error, ::Errno::EPIPE
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

22 Nov 2019 14:09Current
0.2Low risk
Vulners AI Score0.2
CVSS 25
CVSS 37.5
EPSS0.83614
27