Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

(Fixes issue 467) rewrote from scratch the XssRays handler, refactored JS and Ruby code, improved the whole thing.

Browse Source 
git-svn-id: https://beef.googlecode.com/svn/trunk@1361 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9
This commit is contained in:
antisnatchor
2011-10-12 14:56:50 +00:00
parent 974c23916d
commit e22332e1f8
6 changed files with 84 additions and 98 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
extensions/xssrays/api.rb
View File

@@ -24,7 +24,7 @@ module Xssrays
# We register the http handler for the requester.
# This http handler will retrieve the http responses for all requests
def self.mount_handler(beef_server)
beef_server.mount('/xssrays', false, BeEF::Extension::Xssrays::Handler)
beef_server.mount('/xssrays', true, BeEF::Extension::Xssrays::Handler)
end
end

7
extensions/xssrays/api/scan.rb
View File

@@ -23,12 +23,11 @@ module BeEF
include BeEF::Core::Handlers::Modules::BeEFJS
#
# Add the xssrays mian JS file to the victim DOM if there is a not started scan entry in the db.
# Add the xssrays main JS file to the victim DOM if there is a not-yet-started scan entry in the db.
#
def start_scan(hb, body)
@body = body
hb = BeEF::Core::Models::HookedBrowser.first(:id => hb.id)
#TODO: we should get the xssrays_scan table with more accuracy, if for some reasons we requested
#TODO: 2 scans on the same hooked browsers, "first" could not get the right result we want
@@ -43,8 +42,8 @@ module BeEF
# build the beefjs xssrays component
build_missing_beefjs_components 'beef.net.xssrays'
# the URI of the HTTP controller where rays should come back if the vulnerability is verified
beefurl = "#{BeEF::Core::Server.instance.url}/ui/xssrays/rays"
# the URI of the XssRays handler where rays should come back if the vulnerability is verified
beefurl = BeEF::Core::Server.instance.url
cross_domain = xs.cross_domain
timeout = xs.clean_timeout
debug = BeEF::Core::Configuration.instance.get("beef.extension.xssrays.js_console_logs")

5
extensions/xssrays/config.yaml
View File

@@ -20,5 +20,6 @@ beef:
name: 'XSSRays'
authors: ["antisnatchor"]
clean_timeout: 5000
cross_domain: false
js_console_logs: true
cross_domain: true
# set js_console_logs to false when using BeEF in production (also because IE browser doesn't support the console object)
js_console_logs: false

103
extensions/xssrays/handler.rb
View File

@@ -14,51 +14,76 @@
# limitations under the License.
#
module BeEF
module Extension
module Xssrays
module Extension
module Xssrays
class Handler < WEBrick::HTTPServlet::AbstractServlet
attr_reader :guard
XS = BeEF::Core::Models::Xssraysscan
XD = BeEF::Core::Models::Xssraysdetail
HB = BeEF::Core::Models::HookedBrowser
class Handler < WEBrick::HTTPServlet::AbstractServlet
#
# Class constructor
#
def initialize(data)
# we set up a mutex
@guard = Mutex.new
@data = data
setup()
end
def setup()
XS = BeEF::Core::Models::Xssraysscan
XD = BeEF::Core::Models::Xssraysdetail
HB = BeEF::Core::Models::HookedBrowser
# validates the hook token
beef_hook = @data['beefhook'] || nil
raise WEBrick::HTTPStatus::BadRequest, "beefhook is null" if beef_hook.nil?
# validates the scan id
scan_id = @data['cid'] || nil
raise WEBrick::HTTPStatus::BadRequest, "Scan id (cid) is null" if scan_id.nil?
def do_GET(request, response)
@request = request
# validates that a hooked browser with the beef_hook token exists in the db
hooked_browser = HB.first(:session => beef_hook) || nil
raise WEBrick::HTTPStatus::BadRequest, "Invalid beefhook id: the hooked browser cannot be found in the database" if hooked_browser.nil?
# update the XssRays scan table, marking the scan as finished
xssrays_scan = BeEF::Core::Models::Xssraysscan.first(:id => scan_id)
# verify if the request contains the hook token
# raise an exception if it's null or not found in the DB
beef_hook = get_param(@request.query, 'hbsess') || nil
raise WEBrick::HTTPStatus::BadRequest,
"[XSSRAYS] Invalid beefhook id: the hooked browser cannot be found in the database" if beef_hook.nil? || HB.first(:session => beef_hook) == nil
if(xssrays_scan != nil)
xssrays_scan.update(:is_finished => true, :scan_finish => Time.now)
print_info("[XSSRAYS] Scan id [#{xssrays_scan.id}] finished at [#{xssrays_scan.scan_finish}]")
rays_scan_id = get_param(@request.query, 'raysid') || nil
raise WEBrick::HTTPStatus::BadRequest, "[XSSRAYS] Raysid is null" if rays_scan_id.nil?
if (get_param(@request.query, 'action') == 'ray')
# we received a ray
parse_rays(rays_scan_id)
else
if (get_param(@request.query, 'action') == 'finish')
# we received a notification for finishing the scan
finalize_scan(rays_scan_id)
else
#invalid action
raise WEBrick::HTTPStatus::BadRequest, "[XSSRAYS] Invalid action"
end
end
end
# parse incoming rays: rays are verified XSS, as the attack vector is calling back BeEF when executed.
def parse_rays(rays_scan_id)
xssrays_scan = XS.first(:id => rays_scan_id)
hooked_browser = HB.first(:session => get_param(@request.query, 'hbsess'))
if (xssrays_scan != nil)
xssrays_detail = XD.new(
:hooked_browser_id => hooked_browser.id,
:vector_name => get_param(@request.query, 'n'),
:vector_method => get_param(@request.query, 'm'),
:vector_poc => get_param(@request.query, 'p'),
:xssraysscan_id => xssrays_scan.id
)
xssrays_detail.save
end
print_info("[XSSRAYS] Received ray from HB with ip [#{hooked_browser.ip.to_s}], hooked on domain [#{hooked_browser.domain.to_s}]")
print_debug("[XSSRAYS] Ray info: \n #{@request.query}")
end
# finalize the XssRays scan marking the scan as finished in the db
def finalize_scan(rays_scan_id)
xssrays_scan = BeEF::Core::Models::Xssraysscan.first(:id => rays_scan_id)
if (xssrays_scan != nil)
xssrays_scan.update(:is_finished => true, :scan_finish => Time.now)
print_info("[XSSRAYS] Scan id [#{xssrays_scan.id}] finished at [#{xssrays_scan.scan_finish}]")
end
end
#assist function for getting parameter from hash
def get_param(query, key)
return nil if query[key].nil?
query[key]
end
end
end
end
end
end
end