来源

关联漏洞

描述

This script exploits a stored XSS vulnerability (CVE-2024-42009) in Roundcube Webmail version 1.6.7. It injects a malicious payload into the webmail system, which, when triggered, exfiltrates email content from the victim’s inbox.

介绍

# XSS Exploit for Roundcube Webmail 1.6.7 (CVE-2024-42009)

## Description
This script exploits a stored XSS vulnerability (CVE-2024-42009) in Roundcube Webmail version 1.6.7. It injects a malicious payload into the webmail system, which, when triggered, exfiltrates email content from the victim’s inbox.

## Features
- Uses a Python HTTP listener to capture and decode stolen email content.
- Sends an XSS payload via a contact form.
- Extracts and prints the captured email body.

## Usage
1. **Start the listener:**
   ```bash
   python3 exploit.py
   ```
2. **Configure your attack settings in `exploit.py`**
   - Set `TARGET_URL` to the target Roundcube instance.
   - Replace `YOUR_IP:4444` with your actual listener IP and port.
3. **Monitor captured email content in real time.**

## Reference
A good reference for understanding the impact of this vulnerability can be found in this blog post:  
[Government Emails at Risk: Critical Cross-Site Scripting Vulnerability in Roundcube Webmail](https://www.sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/)

## Disclaimer
This exploit is for educational and authorized penetration testing purposes only. Unauthorized use against systems you do not own or have explicit permission to test is illegal. I am not the person who discovered CVE-2024-42009. This exploit was created using information from various blogs with small help from DeepSeek.

## Requirements
- Python 3.x
- `requests`, `beautifulsoup4` libraries (install with `pip install requests beautifulsoup4`)

## License
This project is for educational use only. Use it responsibly.

文件快照

 [4.0K]  /data/pocs/0a95cd60c5391ff6b701172ad86c3644e0e48d10
├── [2.3K]  exploit.py
└── [1.6K]  README.md

0 directories, 2 files

备注