From 0bfda88a46e9aed103554c217c3f8e35f8d40014 Mon Sep 17 00:00:00 2001 From: "wade@bindshell.net" Date: Sun, 14 Nov 2010 15:51:57 +0000 Subject: [PATCH] eval removed git-svn-id: https://beef.googlecode.com/svn/trunk@521 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9 --- lib/filter.rb | 8 +++ lib/loader.rb | 3 +- lib/server/httpcontroller.rb | 70 +++++++++---------------- lib/ui/authentication/authentication.rb | 7 +-- lib/ui/logs/logs.rb | 4 +- lib/ui/modules/modules.rb | 18 +++---- lib/ui/panel/panel.rb | 3 +- lib/ui/requester/requester.rb | 8 +-- lib/ui/zombies/zombies.rb | 12 ++--- 9 files changed, 61 insertions(+), 72 deletions(-) diff --git a/lib/filter.rb b/lib/filter.rb index 43a851ffc..b413c561b 100644 --- a/lib/filter.rb +++ b/lib/filter.rb @@ -2,6 +2,14 @@ module BeEF module Filter + # check if the string is a valid path from a HTTP request + def self.is_valid_path_info?(str) + return false if str.nil? + return false if not str.is_a? String + return false if BeEF::Filter.has_non_printable_char?(str) + true + end + # check if the string is not empty and not nil def self.is_non_empty_string?(str) return false if str.nil? diff --git a/lib/loader.rb b/lib/loader.rb index 919c02cb0..b8ad32904 100644 --- a/lib/loader.rb +++ b/lib/loader.rb @@ -12,6 +12,7 @@ require 'singleton' require 'ipaddr' require 'base64' require 'xmlrpc/client' +require 'erubis' require 'lib/patches/webrick/httprequest' require 'lib/patches/webrick/cookie' @@ -20,6 +21,7 @@ require 'lib/patches/webrick/httpresponse' require 'lib/patches/webrick/httpservlet/filehandler.rb' require 'lib/constants' +require 'lib/filter' require 'lib/model/user' require 'lib/model/commandmodule' @@ -33,7 +35,6 @@ require 'lib/model/http' require 'lib/model/browserdetails' require 'lib/crypto' -require 'lib/filter' require 'lib/configuration' diff --git a/lib/server/httpcontroller.rb b/lib/server/httpcontroller.rb index e6631cef7..b3e45d94f 100644 --- a/lib/server/httpcontroller.rb +++ b/lib/server/httpcontroller.rb 
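Review bot: `is_valid_path_info?` in lib/filter.rb accepts any String that has no non-printable characters, so the name promises more than the check delivers. An empty string, a path containing `..`, or an over-long path would all pass, assuming `has_non_printable_char?` (defined outside the hunk) behaves as named. That is harmless for the exact-match hash lookup this commit adds in `HttpController#run`, but a later caller could mistake it for sanitisation before building a filesystem path. I would state the limit in the comment, e.g. `# true only if str is a String with no non-printable characters; not a traversal or length check`. The `str.nil?` guard is also redundant, because `is_a? String` already rejects nil.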
@@ -1,21 +1,18 @@ -require 'erubis' - module BeEF # - # + # Handle HTTP requests and call the relevant functions in the derived classes # class HttpController attr_accessor :headers, :status, :body, :paths, :currentuser, :params C = BeEF::Models::Command - E = BeEF::Models::CommandModule + CM = BeEF::Models::CommandModule Z = BeEF::Models::Zombie # - # Class constructor. Takes data from the child class and populates - # itself with it. + # Class constructor. Takes data from the child class and populates itself with it. # def initialize(data = {}) @erubis = nil @@ -31,7 +28,7 @@ module BeEF end # - # + # Handle HTTP requests and call the relevant functions in the derived classes # def run(request, response) @request = request 
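Review bot: The constructor context line sets `@erubis = nil`, but `run` reads and assigns `@eruby`, so the variable that is actually used is never reset. `run` assigns `@eruby` only when the template file exists, so if a controller instance ever serves more than one request, a template loaded earlier could be rendered over a later handler's `@body`; whether instances are reused is not visible here. Changing the initialiser to `@eruby = nil` and clearing it at the start of `run` would close that. Separately, renaming `E` to `CM` requires every `E.` reference in the derived classes to be updated, and this diff shows no such change. The class and `initialize` bodies continue outside the hunk.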
@@ -41,30 +38,27 @@ module BeEF # test if session is unauth'd and whether the auth functionality is requested if not @session.valid_session?(@request) and not self.class.eql?(BeEF::UI::Authentication) - - # request is unauthenicated so redirect to auth page - @body = page_redirect(auth_url) + @body = page_redirect(auth_url) # redirect to auth page return - end - # search for matching path and get the function to call - function = get_path_function(request.path_info) + # get the mapped function (if it exists) from the derived class + path = request.path_info + raise WEBrick::HTTPStatus::BadRequest, "path is invalid" if not Filter::is_valid_path_info?(path) + function = @paths[path] || @paths[path + '/'] # check hash for '' and '/' raise WEBrick::HTTPStatus::BadRequest, "path does not exist" if function.nil? + + # call the relevant mapped function + function.call - eval "self.#{function}" - - # use template - class_s = self.class.to_s.sub('BeEF::UI::', '').downcase - - template_ui = "#{$root_dir}/lib/ui/#{class_s}/#{function}.html" - @eruby = Erubis::FastEruby.new(File.read(template_ui)) if File.exists? template_ui - - template_module = "#{$root_dir}/modules/plugins/#{class_s}/#{function}.html" - @eruby = Erubis::FastEruby.new(File.read(template_module)) if File.exists? template_module - - @body = @eruby.result(binding()) if not @eruby.nil? + # build the template filename and apply it - if the file exists + function_name = function.name # used for filename + class_s = self.class.to_s.sub('BeEF::UI::', '').downcase # used for directory name + template_ui = "#{$root_dir}/lib/ui/#{class_s}/#{function_name}.html" + @eruby = Erubis::FastEruby.new(File.read(template_ui)) if File.exists? template_ui # load the template file + @body = @eruby.result(binding()) if not @eruby.nil? # apply template and set the response + # set content type if @headers['Content-Type'].nil? 
@headers['Content-Type']='text/html; charset=UTF-8' # default content and charset type for all pages @headers['Content-Type']='application/json; charset=UTF-8' if request.path =~ /.json$/ @@ -72,35 +66,19 @@ module BeEF end - # - # get the function mapped to path_info - # - def get_path_function(path_info) - - return nil if @paths.nil? - - # search the paths - @paths.each{ |function, path| - return function if path.eql? path_info - return function if path.eql? path_info + '/' - } - - nil - end - - # Forges a redirect page + # Constructs a redirect page def page_redirect(location) "" + script_redirect(location) + "" end - # Forges a redirect script + # Constructs a redirect script def script_redirect(location) "" end - # Forges a html script tag + # Constructs a html script tag def script_tag(filename) "" end - # Forges a html stylesheet tag + # Constructs a html stylesheet tag def stylesheet_tag(filename) "" end - # Forges a hidden html nonce tag + # Constructs a hidden html nonce tag def nonce_tag @session = BeEF::UI::Session.instance "" diff --git a/lib/ui/authentication/authentication.rb b/lib/ui/authentication/authentication.rb index 9112a1124..f3789b216 100644 --- a/lib/ui/authentication/authentication.rb +++ b/lib/ui/authentication/authentication.rb @@ -12,9 +12,9 @@ class Authentication < BeEF::HttpController def initialize super({ 'paths' => { - 'index' => '/', - 'login' => '/login', - 'logout' => '/logout' + '/' => method(:index), + '/login' => method(:login), + '/logout' => method(:logout) } }) @@ -30,6 +30,7 @@ class Authentication < BeEF::HttpController # Function managing the login # def login + username = @params['username-cfrm'] || '' password = @params['password-cfrm'] || '' config = BeEF::Configuration.instance diff --git a/lib/ui/logs/logs.rb b/lib/ui/logs/logs.rb index d58f89a59..1ed873161 100644 --- a/lib/ui/logs/logs.rb +++ b/lib/ui/logs/logs.rb 
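Review bot: The lookup `@paths[path] || @paths[path + '/']` drops the `return nil if @paths.nil?` guard that the removed `get_path_function` had. A controller constructed without a `paths` entry would then raise NoMethodError instead of the intended BadRequest; how `@paths` is populated is outside the hunk. `function = @paths && (@paths[path] || @paths[path + '/'])` keeps the old behaviour. The template lookup under `modules/plugins/` is also removed without mention in the commit message, so any controller that relied on it would now return only what its handler left in `@body`. `run` begins before this hunk.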
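Review bot: The `paths` table in `Authentication#initialize` changes contract from handler name => path to path => bound Method, and nothing documents the new shape. The same applies to the tables in logs.rb, modules.rb, panel.rb, requester.rb and zombies.rb. This table now decides which methods a request can reach, so I would add a comment above it such as `# request path => handler; only methods listed here are reachable over HTTP`. `method(:name)` also resolves private methods, so method visibility no longer limits what can be routed and the table should be reviewed as an allow-list. `initialize` continues outside the hunk.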
@@ -6,8 +6,8 @@ class Logs < BeEF::HttpController def initialize super({ 'paths' => { - 'select_all_logs' => '/all.json', - 'select_zombie_logs' => '/zombie.json' + '/all.json' => method(:select_all_logs), + '/zombie.json' => method(:select_zombie_logs) } }) end diff --git a/lib/ui/modules/modules.rb b/lib/ui/modules/modules.rb index ccbdc31d8..861200cb9 100644 --- a/lib/ui/modules/modules.rb +++ b/lib/ui/modules/modules.rb @@ -11,15 +11,15 @@ class Modules < BeEF::HttpController def initialize super({ 'paths' => { - 'select_all_command_modules' => '/select/commandmodules/all.json', - 'select_command_modules_tree' => '/select/commandmodules/tree.json', - 'select_command_module' => '/select/commandmodule.json', - 'select_command' => '/select/command.json', - 'select_command_results' => '/select/command_results.json', - 'select_zombie_summary' => '/select/zombie_summary.json', - 'select_command_module_commands' => '/commandmodule/commands.json', - 'attach_command_module' => '/commandmodule/new', - 'reexecute_command_module' => '/commandmodule/reexecute' + '/select/commandmodules/all.json' => method(:select_all_command_modules), + '/select/commandmodules/tree.json' => method(:select_command_modules_tree), + '/select/commandmodule.json' => method(:select_command_module), + '/select/command.json' => method(:select_command), + '/select/command_results.json' => method(:select_command_results), + '/select/zombie_summary.json' => method(:select_zombie_summary), + '/commandmodule/commands.json' => method(:select_command_module_commands), + '/commandmodule/new' => method(:attach_command_module), + '/commandmodule/reexecute' => method(:reexecute_command_module) } }) diff --git a/lib/ui/panel/panel.rb b/lib/ui/panel/panel.rb index 376ea60d8..0147b716b 100644 --- a/lib/ui/panel/panel.rb +++ b/lib/ui/panel/panel.rb 
@@ -9,13 +9,14 @@ class Panel < BeEF::HttpController def initialize super({ 'paths' => { - 'index' => '/' + '/' => method(:index) } }) end # def index + # should be rendered with Erubis::FastEruby @body = 'a' end diff --git a/lib/ui/requester/requester.rb b/lib/ui/requester/requester.rb index 8e9343a72..154392704 100644 --- a/lib/ui/requester/requester.rb +++ b/lib/ui/requester/requester.rb @@ -6,15 +6,15 @@ module UI # class Requester < BeEF::HttpController - # Variable representing the Http db model. + # Variable representing the Http DB model. H = BeEF::Models::Http def initialize super({ 'paths' => { - 'send_request' => '/send', - 'get_zombie_history' => '/history.json', - 'get_zombie_response' => '/response.json', + '/send' => method(:send_request), + '/history.json' => method(:get_zombie_history), + '/response.json' => method(:get_zombie_response) } }) end diff --git a/lib/ui/zombies/zombies.rb b/lib/ui/zombies/zombies.rb index 86c254089..00a255b73 100644 --- a/lib/ui/zombies/zombies.rb +++ b/lib/ui/zombies/zombies.rb @@ -9,13 +9,13 @@ class Zombies < BeEF::HttpController def initialize super({ 'paths' => { - 'select_all' => '/select/all/complete.json', - 'select_online' => '/select/online/complete.json', - 'select_offline' => '/select/offline/complete.json', + '/select/all/complete.json' => method(:select_all), + '/select/online/complete.json' => method(:select_online), + '/select/offline/complete.json' => method(:select_offline), - 'select_online_simple' => '/select/online/simple.json', - 'select_all_simple' => '/select/all/simple.json', - 'select_offline_simple' => '/select/offline/simple.json' + '/select/online/simple.json' => method(:select_online_simple), + '/select/all/simple.json' => method(:select_all_simple), + '/select/offline/simple.json' => method(:select_offline_simple) } }) end