129 lines
2.4 KiB
Ruby
129 lines
2.4 KiB
Ruby
#
|
|
# Copyright 2011 Wade Alcorn wade@bindshell.net
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
#
|
|
module BeEF
|
|
module Extension
|
|
module AdminUI
|
|
|
|
#
|
|
# The session for BeEF UI.
|
|
#
|
|
class Session
|
|
|
|
include Singleton
|
|
|
|
attr_reader :ip, :id, :nonce, :auth_timestamp
|
|
|
|
def initialize
|
|
set_logged_out
|
|
@auth_timestamp = Time.new
|
|
end
|
|
|
|
#
|
|
# set the session logged in
|
|
#
|
|
def set_logged_in(ip)
|
|
@id = BeEF::Core::Crypto::secure_token
|
|
@nonce = BeEF::Core::Crypto::secure_token
|
|
@ip = ip
|
|
end
|
|
|
|
#
|
|
# set the session logged out
|
|
#
|
|
def set_logged_out
|
|
@id = nil
|
|
@nonce = nil
|
|
@ip = nil
|
|
end
|
|
|
|
#
|
|
# set teh auth_timestamp
|
|
#
|
|
def set_auth_timestamp(time)
|
|
@auth_timestamp = time
|
|
end
|
|
|
|
#
|
|
# return the session id
|
|
#
|
|
def get_id
|
|
@id
|
|
end
|
|
|
|
#
|
|
# return the nonce
|
|
#
|
|
def get_nonce
|
|
@nonce
|
|
end
|
|
|
|
#
|
|
# return the auth_timestamp
|
|
#
|
|
def get_auth_timestamp
|
|
@auth_timestamp
|
|
end
|
|
|
|
#
|
|
# Check if nonce valid
|
|
#
|
|
def valid_nonce?(request)
|
|
|
|
# check if a valid session
|
|
return false if not valid_session?(request)
|
|
return false if @nonce.nil?
|
|
return false if not request.post?
|
|
|
|
# get nonce from request
|
|
request_nonce = request['nonce']
|
|
return false if request_nonce.nil?
|
|
|
|
# verify nonce
|
|
request_nonce.eql? @nonce
|
|
|
|
end
|
|
|
|
#
|
|
# Check if a session valid
|
|
#
|
|
def valid_session?(request)
|
|
|
|
# check if a valid session exists
|
|
return false if @id.nil?
|
|
return false if @ip.nil?
|
|
|
|
# check ip address matches
|
|
return false if not @ip.to_s.eql? request.ip
|
|
|
|
# get session cookie name from config
|
|
session_cookie_name = BeEF::Core::Configuration.instance.get('beef.http.session_cookie_name')
|
|
|
|
# check session id matches
|
|
request.cookies.each{|cookie|
|
|
return true if (cookie[0].to_s.eql? session_cookie_name) and (cookie[1].eql? @id)
|
|
}
|
|
request
|
|
|
|
# not a valid session
|
|
false
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
end
|
|
end
|