SQL injection in Roundcube search/search_params

This repository contains a chained XSS and SQL injection exploit targeting a webmail application (likely Roundcube or similar). The main Python script (exploit_chain_xss_sqli.py) acts as both a C2 server and a tool to send a crafted email containing a base64-encoded JavaScript payload. When the victim opens the email, the payload loads an external JavaScript file (x-fetch-sqli.js) from the attacker's server. This script performs a SQL injection attack via the webmail interface, manipulates session variables, and ultimately exfiltrates sensitive session data (such as session IDs and variables) back to the attacker's C2 server. The repository is structured with a Python server and a JavaScript payload, demonstrating a full attack chain from initial delivery to data exfiltration. The exploit requires the attacker to control an SMTP account and a C2 server, and the target must be vulnerable to both XSS and SQL injection in the webmail interface.

This repository provides a working exploit for Roundcube webmail vulnerabilities CVE-2021-44026 (SQL injection) and CVE-2020-35730 (XSS). The exploit consists of a Python script (exploit.py) that acts as both an email sender and a Flask-based C2 server, and a JavaScript payload (static/fetcher.js) that is delivered to the victim via a crafted email. The attack chain is as follows: (1) The attacker runs exploit.py, which sends a malicious email to the target user. (2) When the target opens the email in a vulnerable Roundcube instance, the embedded XSS payload executes, loading fetcher.js from the attacker's server. (3) fetcher.js performs a SQL injection to extract session variables and emails, then exfiltrates this data as a vCard to the attacker's /store endpoint. The repository is well-structured, with clear separation between the exploit logic (Python) and the client-side payload (JavaScript). The exploit is operational and demonstrates a full attack chain, including exfiltration of sensitive data from the target.