#
# Copyright (c) 2006-2025 Wade Alcorn - [email protected]
# Browser Exploitation Framework (BeEF) - https://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
module BeEF
module Core
module Rest
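class Admin < BeEF::Core::Router::Router
  config = BeEF::Core::Configuration.instance
  # Wall-clock time of the most recent failed login, or 0 until one has been
  # recorded. It is a class-body local captured by the closures below, so the
  # lock-out window it drives applies to every caller of this app instance,
  # not per source IP.
  time_since_last_failed_auth = 0

  # Compares a submitted credential with the configured one without the
  # early exit of String#eql?, so a mismatch in the first byte takes the same
  # time as a mismatch in the last. Only two Strings can ever be equal: a nil
  # (unset) or non-string configuration value never matches, and a non-string
  # JSON value (number, array, object) never matches. Returning early on a
  # length mismatch reveals only the length, as Rack::Utils.secure_compare does.
  #
  # @param provided [Object] value taken from the request body
  # @param expected [Object] value taken from the configuration
  # @return [Boolean]
  constant_time_equal = lambda do |provided, expected|
    return false unless provided.is_a?(String) && expected.is_a?(String)
    return false unless provided.bytesize == expected.bytesize

    provided.bytes.zip(expected.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end

  before do
    # @todo: this code comment is a lie. why is it here?
    # error 401 unless params[:token] == config.get('beef.api_token')
    halt 401 unless BeEF::Core::Rest.permitted_source?(request.ip)

    # halt if requests are inside beef.restrictions.api_attempt_delay
    # The lambda passed to timeout? resets the shared timestamp once the
    # delay has elapsed, which is what lets the next attempt through.
    if time_since_last_failed_auth != 0 && !BeEF::Core::Rest.timeout?('beef.restrictions.api_attempt_delay',
                                                                        time_since_last_failed_auth,
                                                                        ->(time) { time_since_last_failed_auth = time })
      halt 401
    end

    headers 'Content-Type' => 'application/json; charset=UTF-8',
            'Pragma' => 'no-cache',
            'Cache-Control' => 'no-cache',
            'Expires' => '0'
  end

  # @note Authenticate using the config set username/password to retrieve the "token" used for subsequent calls.
  # Return the secret token used for subsequent API calls.
  #
  # Input must be specified in JSON format
  #
  # +++ Example: +++
  # POST /api/admin/login HTTP/1.1
  # Host: 127.0.0.1:3000
  # Content-Type: application/json; charset=UTF-8
  # Content-Length: 18
  #
  # {"username":"beef", "password":"beef"}
  #===response (snip)===
  # HTTP/1.1 200 OK
  # Content-Type: application/json; charset=UTF-8
  # Content-Length: 35
  #
  # {"success":"true","token":"122323121"}
  #
  # Responses: 200 with the token on success, 401 on wrong credentials (the
  # failure is logged and starts the api_attempt_delay window), 400 when the
  # body is not JSON or not indexable by string key.
  post '/login' do
    request.body.rewind
    begin
      data = JSON.parse request.body.read
      # Both comparisons are always evaluated so that a wrong username costs
      # the same time as a wrong password.
      user_ok = constant_time_equal.call(data['username'], config.get('beef.credentials.user'))
      pass_ok = constant_time_equal.call(data['password'], config.get('beef.credentials.passwd'))
      if user_ok && pass_ok
        return {
          'success' => true,
          'token' => config.get('beef.api_token').to_s
        }.to_json
      end

      BeEF::Core::Logger.instance.register('Authentication', "User with ip #{request.ip} has failed to authenticate in the application.")
      time_since_last_failed_auth = Time.now
      halt 401
    rescue StandardError
      # Covers malformed JSON as well as bodies whose top-level value does not
      # accept a String index (e.g. an array), which raise on data['username'].
      error 400
    end
  end
end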
end
end
end