burp插件

burp支持python,java,ruby插件的扩展,我们可以用这个做自己喜欢用的工具。

在burp上使用python代码需要使用 Jython(一个用java编写的python解释器)JAR独立文件。

在 Extender 标签页的 Python Environment 选项中选择 Jython 的 JAR 包。

Burp模糊测试

在渗透过程中会有非常多的参数,在手工进行模糊测试时候需要花费很长的时间,我们可以利用burp的插件进行简单的模糊测试。

这个例子,我们利用intruder进行扩展。

IIntruderPayloadGeneratorFactory 允许我们接入 Intruder 框架

IIntruderPayloadGenerator 则是控制 payload 生成的代码

from burp import IBurpExtender
from burp import IIntruderPayloadGeneratorFactory
from burp import IIntruderPayloadGenerator

from java.util import List, ArrayList


import random

class BurpExtender(IBurpExtender, IIntruderPayloadGeneratorFactory):
    """Extension entry point: registers BHPFuzzer as an Intruder payload generator."""

    def registerExtenderCallbacks(self, callbacks):
        """Called by Burp on load; keep the callbacks and register this factory."""
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.registerIntruderPayloadGeneratorFactory(self)

    def getGeneratorName(self):
        """Label Burp displays for this payload generator."""
        return "BHP payload Generator"

    def createNewInstance(self, attack):
        """Hand Intruder a fresh generator bound to the given attack."""
        return BHPFuzzer(self, attack)

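class BHPFuzzer(IIntruderPayloadGenerator):
    """Intruder payload generator that returns mutated copies of the base payload.

    Burp calls getNextPayload() once per iteration with the current payload
    as a Java byte[]; each call applies one random mutation, and the
    generator reports exhaustion after ``_max_payloads`` calls.
    """

    def __init__(self, extender, attack):
        self._extender = extender
        self._helpers = extender._helpers
        self._attack = attack
        self._max_payloads = 10  # mutations produced per insertion point
        self.num_iterations = 0

    def hasMorePayloads(self):
        """True while fewer than _max_payloads payloads have been handed out."""
        # '<' instead of '==' so the generator also stops if the counter is
        # ever pushed past the cap (the original would then never stop).
        return self.num_iterations < self._max_payloads

    def getNextPayload(self, current_payload):
        """Mutate Burp's current payload (a Java byte[]) and return it as a str."""
        # Java bytes are signed; mask to 0..255 so chr() accepts high bytes
        # (the original raised ValueError for any byte >= 0x80).
        payload = "".join(chr(x & 0xff) for x in current_payload)
        payload = self.mutate_payload(payload)
        self.num_iterations += 1
        return payload

    def reset(self):
        """Start the iteration count over for the next attack position."""
        self.num_iterations = 0

    def mutate_payload(self, original_payload):
        """Return original_payload with one random mutation inserted at a random offset.

        The mutation is one of: a single quote, a script tag, or a repeated
        chunk of the payload's tail.  The tail after the offset is always
        appended back, so no original bytes are lost.
        """
        picker = random.randint(1, 3)
        # max() keeps randint's bounds valid when the payload is empty.
        offset = random.randint(0, max(len(original_payload) - 1, 0))
        # The listing dropped this assignment and then appended to an
        # unbound ``payload``, which raises before any mutation happens.
        payload = original_payload[:offset]
        tail = original_payload[offset:]

        if picker == 1:
            payload += "'"
        elif picker == 2:
            payload += "<script>alert('BHP!');</script>"
        else:
            # 0..len(tail) is always a valid range; the listing's bounds
            # (0 .. offset-1) invert when offset is 0 and raise ValueError.
            chunk_length = random.randint(0, len(tail))
            repeats = random.randint(1, 10)
            for _ in range(repeats):
                payload += tail[:chunk_length]

        # Put the rest of the original payload back after the mutation.
        payload += tail
        return payload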

在Burp中利用Bing服务

利用Bing API程序化接口提交查询(注: 现在接口可能不能使用了)

from burp import IBurpExtender
from burp import IContextMenuFactory

from java.swing import JMenuItem
from java.util import List, ArrayList
from java.net import URL

import socket
import urllib
import json
import re
import base64


# Bing API key sent as the HTTP Basic password in bing_query(); the listing
# ships it empty -- fill it in locally rather than committing it with the code.
bing_api_key = ""

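class BurpExtender(IBurpExtender, IContextMenuFactory):
    """Context-menu extension that searches Bing for the selected hosts.

    Every selected request's host is queried by IP address and, when the
    host is a name, by domain as well; each result URL that is not already
    in Burp's target scope is added to it.
    """

    def registerExtenderCallbacks(self, callbacks):
        """Called by Burp on load; keep the callbacks and register the menu factory."""
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        self.context = None

        callbacks.setExtensionName("BHP Bing")
        callbacks.registerContextMenuFactory(self)

    def createMenuItems(self, context_menu):
        """Offer a single "Send to Bing" entry on the right-click menu."""
        # JMenuItem lives in javax.swing (the wordlist listing imports it
        # from there); the import line above this class says java.swing,
        # which Jython will not resolve.
        self.context = context_menu
        menu_list = ArrayList()
        menu_list.add(JMenuItem("Send to Bing", actionPerformed=self.bing_menu))
        return menu_list

    def bing_menu(self, event):
        """Menu callback: run a Bing search for the host of each selected message."""
        http_traffic = self.context.getSelectedMessages()
        print("%d requests highlighted" % len(http_traffic))

        for traffic in http_traffic:
            host = traffic.getHttpService().getHost()
            print("User selected host: %s" % host)
            self.bing_search(host)

    def bing_search(self, host):
        """Query Bing by IP for host, and additionally by domain when host is a name."""
        # \Z anchors the match so "1.2.3.4.5" or "1.2.3.4abc" is treated as
        # a name and resolved, instead of being sent to Bing as an IP.
        is_ip = re.match(r"[0-9]+(?:\.[0-9]+){3}\Z", host)

        if is_ip:
            ip_address = host
            domain = False
        else:
            # The listing had socket.gethostbyname without the call, which
            # stored the function object in ip_address.
            try:
                ip_address = socket.gethostbyname(host)
            except socket.error as err:
                print("Could not resolve %s: %s" % (host, err))
                return
            domain = True

        self.bing_query("'ip: %s'" % ip_address)
        if domain:
            self.bing_query("'domain:%s'" % host)

    def bing_query(self, bing_query_string):
        """Send one query to the Bing Search API and pull every result URL into scope."""
        print("Performing Bing search: %s" % bing_query_string)
        quoted_query = urllib.quote(bing_query_string)

        # The listing kept only the headers; the request line and the send
        # were lost.  The path below is the Azure Datamarket Bing Search
        # endpoint the Host header belongs to, reconstructed here -- that
        # API has since been retired (see the note above the listing), so
        # confirm it against whatever endpoint replaces it.
        http_request = ("GET /Bing/Search/Web?$format=json&Query=%s HTTP/1.1\r\n"
                        % quoted_query)
        http_request += "Host: api.datamarket.azure.com\r\n"
        http_request += "Connection: close\r\n"
        # Basic auth with an empty user name and the key as the password.
        # The listing wrote ':%s' & bing_api_key -- bitwise-and, a TypeError.
        http_request += "Authorization: Basic %s\r\n" % base64.b64encode(":%s" % bing_api_key)
        http_request += "User-Agent: Blackhat Python\r\n\r\n"

        # makeHttpRequest returns the raw response, status line and headers
        # included; json.loads needs only the body after the blank line.
        raw_response = self._callbacks.makeHttpRequest(
            "api.datamarket.azure.com", 443, True, http_request).tostring()

        try:
            json_body = raw_response.split("\r\n\r\n", 1)[1]
            results = json.loads(json_body)["d"]["results"]
        except (IndexError, ValueError, KeyError, TypeError):
            # No body, not JSON, or not the OData shape expected.  The
            # original's bare except also hid the NameError on json_body.
            print("No results from Bing")
            return

        if not results:
            print("No results from Bing")
            return

        for site in results:
            print("*" * 100)
            print(site['Title'])
            print(site['Url'])
            print(site['Description'])
            print("*" * 100)

            # Scope grows with whatever Bing returned for the IP; on shared
            # hosting that can include unrelated sites, so review the
            # additions under Target > Scope before testing them.
            j_url = URL(site['Url'])
            if not self._callbacks.isInScope(j_url):
                print("Adding to Burp scope")
                self._callbacks.includeInScope(j_url)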

IContextMenuFactory 这个类允许我们在鼠标右键单击Burp中的请求时提供上下文菜单。

一般情况下 Bing 的 API 密钥需要用 Base64 进行编码,同时使用 HTTP 基础认证方式调用 API。之后我们将 HTTP 请求提交到微软的服务器上,当响应返回时,我们得到的是包括 HTTP 头部在内的完整响应,因此需要将 HTTP 响应头分离,并把剩余部分传递给 JSON 解析器。

利用网站内容生成密码字典

from burp import IBurpExtender
from burp import IContextMenuFactory

from javax.swing import JMenuItem
from java.util import List, ArrayList
from java.net import URL

import re

from datetime import datetime
from HTMLParser import HTMLParser

class TagStripper(HTMLParser):
    """Collect the text of an HTML document with the tags removed.

    Text nodes and comment bodies are gathered in ``page_text`` as the
    parser feeds; strip() returns them joined by single spaces.
    """

    def __init__(self):
        HTMLParser.__init__(self)
        self.page_text = []

    def handle_data(self, data):
        """Parser callback for text between tags: remember it."""
        self.page_text.append(data)

    def handle_comment(self, data):
        """Parser callback for <!-- comments -->: treated exactly like text."""
        self.handle_data(data)

    def strip(self, html):
        """Feed html through the parser and return everything collected so far."""
        self.feed(html)
        collected = self.page_text
        return " ".join(collected)

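class BurpExtender(IBurpExtender, IContextMenuFactory):
    """Context-menu extension that builds a password wordlist from selected responses.

    Words are harvested from the visible text of every selected text/*
    response, lower-cased, and printed with a few common suffix variants.
    """

    def registerExtenderCallbacks(self, callbacks):
        """Called by Burp on load; keep the callbacks and register the menu factory."""
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        self.context = None
        # The listing declared this as self.host while every reader below
        # uses self.hosts, so the first selection raised AttributeError.
        self.hosts = set()
        self.wordlist = set(["password"])

        callbacks.setExtensionName("BHP Wordlist")
        callbacks.registerContextMenuFactory(self)

    def createMenuItems(self, context_menu):
        """Offer a single "Create Wordlist" entry on the right-click menu."""
        self.context = context_menu
        menu_list = ArrayList()
        menu_list.add(JMenuItem("Create Wordlist", actionPerformed=self.wordlist_menu))
        return menu_list

    def wordlist_menu(self, event):
        """Menu callback: harvest words from each selected response, then print the list."""
        for traffic in self.context.getSelectedMessages():
            self.hosts.add(traffic.getHttpService().getHost())
            http_response = traffic.getResponse()
            if http_response:
                self.get_words(http_response)

        self.display_wordlist()

    def get_words(self, http_response):
        """Add every 3-12 character word from a text response body to the wordlist."""
        raw = http_response.tostring()
        if '\r\n\r\n' not in raw:
            return  # headers only, nothing to harvest
        headers, body = raw.split('\r\n\r\n', 1)

        # The listing searched for 'context-type', which never matches, so
        # every response was skipped and the wordlist stayed at "password".
        if 'content-type: text' not in headers.lower():
            return

        page_text = TagStripper().strip(body)
        for word in re.findall(r"[a-zA-Z]\w{2,}", page_text):
            if len(word) <= 12:
                self.wordlist.add(word.lower())

    def mangle(self, word):
        """Return word and its capitalised form, each with '', '1', '!' and the current year appended."""
        year = datetime.now().year
        suffixes = ['', '1', '!', year]
        return ["%s%s" % (password, suffix)
                for password in (word, word.capitalize())
                for suffix in suffixes]

    def display_wordlist(self):
        """Print the mangled wordlist, one candidate per line, with a comment header."""
        # The listing had ", ".join(self, hosts): a stray comma that raised TypeError.
        print("#!comment: BHP Wordlist for sites %s" % ", ".join(self.hosts))

        for word in sorted(self.wordlist):
            for password in self.mangle(word):
                print(password)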