1、指定参数base64加密替换功能插件:
D:\plug_in\base64encode.py

2、为何要开发这个插件?
参考:D:\plug_in\header包头数据自动替换插件\test1.py
测试禅道的一个order by注入,发现提交的参数先使用base64加密后提交,由于是高版本mysql,无显错式注入,手工盲注根本就是不可能完成的任务,于是想到开发一个burpsuite的插件来自动替换指定的url中的参数。

3、burpsuite代理神器下设置发包方式:

//sqlmap插件设置方法,这里不讨论插件的使用方法,请自行google:
--dbms="mysql" --dbs --users --threads 10 --level 3 --hex --proxy="http://127.0.0.1:8080"

//替换指定参数的效果截图:

#!/user/bin/env python
#D:\plug_in\base64encode.py
#coding=utf8
#auther:pt007@vip.sina.com

from burp import IBurpExtender
from burp import IHttpListener
# 导入 burp 接口
from burp import IProxyListener
from javax.swing import JOptionPane
import hashlib
import json
import ssl
import sys
import string,re,base64

def base64encode(m):
    payload = base64.b64encode(m.group())
    return payload

class BurpExtender(IBurpExtender,IHttpListener,IProxyListener):

    def registerExtenderCallbacks(self,callbacks):
        self._callbacks=callbacks
        self._helpers=callbacks.getHelpers()
        callbacks.setExtensionName("base64encode")
        callbacks.registerHttpListener(self)
        callbacks.registerProxyListener(self)
        return

    def processHttpMessage(self,toolFlag,messageIsRequest,messageInfo):
        #if toolFlag==4 or toolFlag == 32:#Tool_proxy与intruder
        if toolFlag == 32 or toolFlag==4: #Tool_proxy与intruder
            if messageIsRequest: #操作request
                rq=messageInfo.getRequest()
                analyzerq=self._helpers.analyzeRequest(rq)
                headers=analyzerq.getHeaders()
                body=rq[analyzerq.getBodyOffset():]
                #print headers

                print "\n------------------------------------------Original Header------------------------------------------"
                for header in headers:
                    print header
                print body.tostring()
                print type(header) #打印出类型

                print "\n------------------------------------------Replaced Header------------------------------------------"
                global data
                data=body.tostring()
                url=headers[0]
                url=re.sub(r'\{.*\}',base64encode, url)
                headers[0]=url

                httpmsg=self._helpers.buildHttpMessage(headers,data)
                messageInfo.setRequest(httpmsg)
                tmpstr=self._helpers.bytesToString(httpmsg)
                #print tmpstr.encode('utf-8')
                #print type(header)
                #取回并打印出header包
                request = messageInfo.getRequest()
                analyzedRequest = self._helpers.analyzeResponse(request)
                request_header = analyzedRequest.getHeaders()
                for header in request_header:
                    print header
                print '\n'+data

            if not messageIsRequest: #操作Response
                #Response包打印
                print "\n------------------------------------------Response------------------------------------------"
                response = messageInfo.getResponse() # get response
                analyzedResponse = self._helpers.analyzeResponse(response)
                body = response[analyzedResponse.getBodyOffset():] 
                body_string = body.tostring() # get response_body
                response_header = analyzedResponse.getHeaders()
                for header in response_header:
                    print header
                print '\n'+body_string
                print "\n-------------------------------------------Response end--------------------------------------"


    #实现了proxy功能中的Edited request:
    def processProxyMessage(self,messageIsRequest,proxyMessage):
        if messageIsRequest:
            messageInfo=proxyMessage.getMessageInfo()
            #print "[+]"+messageInfo.getHttpService().getHost()
            try:
                request = messageInfo.getRequest()
                reqInfo = self._helpers.analyzeRequest(request)
                headers = reqInfo.getHeaders()
                bodyOffset = reqInfo.getBodyOffset()
                body= request[bodyOffset:]

                data=body.tostring()
                url=headers[0]
                url=re.sub(r'\{.*\}',base64encode, url)
                headers[0]=url
                newHttpMessage = self._helpers.buildHttpMessage(headers,data)
                tmpstr=self._helpers.bytesToString(newHttpMessage)
                print "\n-------------------------------------------Edited request--------------------------------------"
                print "[tmpstr]:\n"+tmpstr.encode('utf-8')
                messageInfo.setRequest(newHttpMessage);
                print "\n-------------------------------------------Edited request end-----------------------------------"

            except Exception as e:
                print e

点击收藏 | 0 关注 | 1
  • 动动手指,沙发就是你的了!
登录 后跟帖