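Setting up a BeEF environment to experiment with XSS (cross-site scripting)

To experiment with XSS, I installed BeEF (the Browser Exploitation Framework). These notes cover everything up to confirming in the browser that it starts up.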

beefproject.com

github.com

For background on XSS, the Trend Micro page gives a rough idea.

Cross-Site Scripting (XSS) | Trend Micro

Environment

$ rbenv versions
  system
  2.2.2
  2.2.3
  2.3.0
* 2.3.1 (set by /Users/momota/.rbenv/version)
  2.4.0
  2.4.2

install and build

$ wget https://raw.githubusercontent.com/beefproject/beef/a6a7536e/install-beef
$ sudo bash ./install-beef

....

$ cd beef
$ sudo bundle install

...

$ sudo ./beef
Password:
[ 0:32:17][!] Warning: System language $LANG does not appear to be UTF-8 compatible.
[ 0:32:17][*] Browser Exploitation Framework (BeEF) 0.4.7.0-alpha
[ 0:32:17]    |   Twit: @beefproject
[ 0:32:17]    |   Site: http://beefproject.com
[ 0:32:17]    |   Blog: http://blog.beefproject.com
[ 0:32:17]    |_  Wiki: https://github.com/beefproject/beef/wiki
[ 0:32:17][*] Project Creator: Wade Alcorn (@WadeAlcorn)
[ 0:32:17][*] BeEF is loading. Wait a few seconds...
[ 0:32:22][*] 8 extensions enabled.
[ 0:32:22][*] 0 modules enabled.
[ 0:32:22][*] 3 network interfaces were detected.
[ 0:32:22][+] running on network interface: 127.0.0.1
[ 0:32:22]    |   Hook URL: http://127.0.0.1:3000/hook.js
[ 0:32:22]    |_  UI URL:   http://127.0.0.1:3000/ui/panel
[ 0:32:22][+] running on network interface: 192.168.2.102
[ 0:32:22]    |   Hook URL: http://192.168.2.102:3000/hook.js
[ 0:32:22]    |_  UI URL:   http://192.168.2.102:3000/ui/panel
[ 0:32:22][+] running on network interface: 192.168.56.1
[ 0:32:22]    |   Hook URL: http://192.168.56.1:3000/hook.js
[ 0:32:22]    |_  UI URL:   http://192.168.56.1:3000/ui/panel
[ 0:32:22][!] Warning: Default username and weak password in use!
[ 0:32:22]    |_  New password for this instance:*****
[ 0:32:22][*] RESTful API key:hogehoge
[ 0:32:22][*] HTTP Proxy: http://127.0.0.1:6789
[ 0:32:22][*] BeEF server started (press control+c to stop)

With the server in this state, opening http://127.0.0.1:3000/ui/authentication shows the BeEF login screen. The username is beef, and the password is the value shown as ***** in the CLI output.

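The startup log above shows the admin UI listening on every detected interface and a default-credential warning. The following is an added example, not part of the original post or of BeEF itself, that audits such a log for a lab setup; the function names are hypothetical and the sample log is constructed in the format shown above.

```ruby
require 'ipaddr'
require 'uri'

# Constructed sample in the format of the startup log shown above.
SAMPLE_LOG = <<~LOG
  [ 0:32:22][+] running on network interface: 127.0.0.1
  [ 0:32:22]    |   Hook URL: http://127.0.0.1:3000/hook.js
  [ 0:32:22]    |_  UI URL:   http://127.0.0.1:3000/ui/panel
  [ 0:32:22][+] running on network interface: 192.168.2.102
  [ 0:32:22]    |   Hook URL: http://192.168.2.102:3000/hook.js
  [ 0:32:22]    |_  UI URL:   http://192.168.2.102:3000/ui/panel
  [ 0:32:22][!] Warning: Default username and weak password in use!
  [ 0:32:22]    |_  New password for this instance:*****
LOG

# True when the host is a loopback address; hostnames that cannot be
# parsed as an IP are treated as exposed so they get reviewed.
def loopback_host?(host)
  return true if host == 'localhost'
  IPAddr.new(host).loopback?
rescue IPAddr::Error
  false
end

# Summarises where the admin UI listens and what BeEF warned about.
def audit_beef_startup(log)
  ui_urls = log.scan(/UI URL:\s+(\S+)/).flatten
  {
    ui_urls: ui_urls,
    non_loopback_ui: ui_urls.reject { |u| loopback_host?(URI(u).hostname) },
    plain_http_ui: ui_urls.select { |u| URI(u).scheme == 'http' },
    default_credentials: log.match?(/Default username and weak password in use/)
  }
end

# Turns the summary into review notes for whoever runs the lab.
def findings(report)
  notes = []
  report[:non_loopback_ui].each { |u| notes << "admin UI reachable beyond loopback: #{u}" }
  notes << 'admin UI served over plain HTTP' unless report[:plain_http_ui].empty?
  notes << 'startup log warns about default username and weak password' if report[:default_credentials]
  notes
end

puts findings(audit_beef_startup(SAMPLE_LOG))
```

Run it against a saved copy of the real startup output by passing `File.read` of that file to `audit_beef_startup`.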