指定参数base64加密替换功能插件
1、指定参数base64加密替换功能插件:
D:\plug_in\base64encode.py
2、为何要开发这个插件?
参考:D:\plug_in\header包头数据自动替换插件\test1.py
测试禅道的一个order by注入,发现提交的参数先使用base64加密后提交,由于是高版本mysql,无显错式注入,手工盲注根本就是不可能完成的任务,于是想到开发一个burpsuite的插件来自动替换指定的url中的参数。
3、burpsuite代理神器下设置发包方式:
//sqlmap插件设置方法,这里不讨论插件的使用方法,请自行google:
--dbms="mysql" --dbs --users --threads 10 --level 3 --hex --proxy="http://127.0.0.1:8080"
//替换指定参数的效果截图:
#!/user/bin/env python
#D:\plug_in\base64encode.py
#coding=utf8
#auther:pt007@vip.sina.com
from burp import IBurpExtender
from burp import IHttpListener
# 导入 burp 接口
from burp import IProxyListener
from javax.swing import JOptionPane
import hashlib
import json
import ssl
import sys
import string,re,base64
def base64encode(m):
payload = base64.b64encode(m.group())
return payload
class BurpExtender(IBurpExtender,IHttpListener,IProxyListener):
def registerExtenderCallbacks(self,callbacks):
self._callbacks=callbacks
self._helpers=callbacks.getHelpers()
callbacks.setExtensionName("base64encode")
callbacks.registerHttpListener(self)
callbacks.registerProxyListener(self)
return
def processHttpMessage(self,toolFlag,messageIsRequest,messageInfo):
#if toolFlag==4 or toolFlag == 32:#Tool_proxy与intruder
if toolFlag == 32 or toolFlag==4: #Tool_proxy与intruder
if messageIsRequest: #操作request
rq=messageInfo.getRequest()
analyzerq=self._helpers.analyzeRequest(rq)
headers=analyzerq.getHeaders()
body=rq[analyzerq.getBodyOffset():]
#print headers
print "\n------------------------------------------Original Header------------------------------------------"
for header in headers:
print header
print body.tostring()
print type(header) #打印出类型
print "\n------------------------------------------Replaced Header------------------------------------------"
global data
data=body.tostring()
url=headers[0]
url=re.sub(r'\{.*\}',base64encode, url)
headers[0]=url
httpmsg=self._helpers.buildHttpMessage(headers,data)
messageInfo.setRequest(httpmsg)
tmpstr=self._helpers.bytesToString(httpmsg)
#print tmpstr.encode('utf-8')
#print type(header)
#取回并打印出header包
request = messageInfo.getRequest()
analyzedRequest = self._helpers.analyzeResponse(request)
request_header = analyzedRequest.getHeaders()
for header in request_header:
print header
print '\n'+data
if not messageIsRequest: #操作Response
#Response包打印
print "\n------------------------------------------Response------------------------------------------"
response = messageInfo.getResponse() # get response
analyzedResponse = self._helpers.analyzeResponse(response)
body = response[analyzedResponse.getBodyOffset():]
body_string = body.tostring() # get response_body
response_header = analyzedResponse.getHeaders()
for header in response_header:
print header
print '\n'+body_string
print "\n-------------------------------------------Response end--------------------------------------"
#实现了proxy功能中的Edited request:
def processProxyMessage(self,messageIsRequest,proxyMessage):
if messageIsRequest:
messageInfo=proxyMessage.getMessageInfo()
#print "[+]"+messageInfo.getHttpService().getHost()
try:
request = messageInfo.getRequest()
reqInfo = self._helpers.analyzeRequest(request)
headers = reqInfo.getHeaders()
bodyOffset = reqInfo.getBodyOffset()
body= request[bodyOffset:]
data=body.tostring()
url=headers[0]
url=re.sub(r'\{.*\}',base64encode, url)
headers[0]=url
newHttpMessage = self._helpers.buildHttpMessage(headers,data)
tmpstr=self._helpers.bytesToString(newHttpMessage)
print "\n-------------------------------------------Edited request--------------------------------------"
print "[tmpstr]:\n"+tmpstr.encode('utf-8')
messageInfo.setRequest(newHttpMessage);
print "\n-------------------------------------------Edited request end-----------------------------------"
except Exception as e:
print e
转载
分享
0 条评论
可输入 255 字
发布投稿
