From bf2309df4bbf074e4f5c0d8308d46736052d9e65 Mon Sep 17 00:00:00 2001
From: f0ng <422342338@qq.com>
Date: Mon, 2 May 2022 14:35:06 +0800
Subject: [PATCH] Update BurpExtender.java

---
 src/burp/BurpExtender.java | 174 +++++++++++++++++++++++++++++++------
 1 file changed, 147 insertions(+), 27 deletions(-)

diff --git a/src/burp/BurpExtender.java b/src/burp/BurpExtender.java
index 83e7c4f..981b62c 100644
--- a/src/burp/BurpExtender.java
+++ b/src/burp/BurpExtender.java
@@ -117,6 +117,14 @@ public class BurpExtender extends AbstractTableModel implements IBurpExtender, I public String logxn_dnslog_token; + //List list = new ArrayList(); + public List toHosts = new ArrayList(); // 轮询查询的host列表 + public List toHosts_vuln = new ArrayList(); // 有漏洞的host列表,不再查找列表内 + public boolean ispolling; + private Boolean logxn ; private Boolean burpdns;
@@ -1129,6 +1137,7 @@ public List doPassiveScan(IHttpRequestResponse baseRequestResponse) String[] white_lists = BurpExtender.this.whitelists_area.getText().split("\n"); String[] headers_lists = BurpExtender.this.customheaders_area.getText().split("\n"); File f; + this.ispolling = true; // 轮询默认为开启 int param_i = 0; String privatednsResponseurl = ""; String os = System.getProperty("os.name");
@@ -1253,7 +1262,7 @@ public List doPassiveScan(IHttpRequestResponse baseRequestResponse) // todo header头里的host匹配 - if (host.equals("log.xn--9tr.com")) // 白名单设置 + if (host.equals("log.xn--9tr.com.80") || host.equals("log.xn--9tr.com") ) // 白名单设置 return null; if ( white_lists.length > 0 && !white_lists[0].equals("")) { // 判断白名单不为空
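Review bot: `toHosts`, `toHosts_vuln` and `ispolling` are new public mutable fields on the extender instance, but they are read and written from scan code — `this.ispolling = true` at the top of doPassiveScan in the @@ -1129 hunk, `toHosts_vuln.contains(...)`/`add(...)` and `this.ispolling = false` in the @@ -1858, @@ -1917 and @@ -1978 hunks — and Burp drives doPassiveScan from several scanner threads concurrently, so one scan's reset to `true` can undo another scan's decision to stop polling, and the unsynchronized check-then-add on a plain `ArrayList` can duplicate entries or throw. If `ispolling` only has to stop polling for the scan that found the issue, make it a local of doPassiveScan rather than a field; if it really is meant to be global it at least needs `volatile`. For the lists use a parameterized, synchronized, non-public declaration, `private final List<String> toHosts = Collections.synchronizedList(new ArrayList<>());` (same for `toHosts_vuln`), and drop the commented-out `//List list = new ArrayList();`. The class body continues outside the hunk.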
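Review bot: The whitelist check in the changed `if` now matches only the two literal strings `log.xn--9tr.com.80` and `log.xn--9tr.com`, so the dnslog host is still scanned whenever `host` carries any other port suffix (e.g. `.443`) or differs in case, and every new variant needs another `||`. The `.80` suffix suggests `host` is sometimes `name.port`; if so, normalize once and compare the bare name, `String bareHost = host.toLowerCase(Locale.ROOT).replaceAll("\\.\\d+$", "");` followed by `if (bareHost.equals("log.xn--9tr.com")) return null;`. doPassiveScan starts and ends outside the hunk.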
@@ -1836,11 +1845,11 @@ else if ( ij == 3 && this.isipincreasing) { // 正常uri 加入payload的请求 String respCookie = response2.body().string(); // dnslog的响应体 - if (respCookie.contains(words_vuln) && respCookie.contains(random_str + (ij - 1) + "." + this.logxn_dnslog.trim())) { + if (respCookie.toLowerCase().contains(words_vuln.toLowerCase()) && respCookie.toLowerCase().contains((random_str + (ij - 1) + "." + this.logxn_dnslog.trim()).toLowerCase())) { String param_vuln = ""; for (int param_vuln_i = param_i;param_vuln_i >= 0; param_vuln_i -- ){ - if (respCookie.contains("\"" + param_vuln_i + "." + firstheaders[0].trim().toLowerCase() ) ){ + if (respCookie.toLowerCase().contains("\"" + param_vuln_i + "." + firstheaders[0].trim().toLowerCase() ) ){ param_vuln = param_vuln + "param " + param_vuln_i + " is vulned "; } }
@@ -1858,6 +1867,10 @@ else if ( ij == 3 && this.isipincreasing) { // 正常uri 加入payload的请求 "log4j2 RCE" + param_vuln, "High" )); + if ( !toHosts_vuln.contains(host.toLowerCase()) )// 如果不包含host,那么就添加进入toHosts数组 + toHosts_vuln.add(host.toLowerCase()); // tohosts_vuln列表里添加host + + this.ispolling = false; // 关闭轮询开关 return issues; } }
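Review bot: The rewritten condition calls `respCookie.toLowerCase()` twice in the `if` and again on every iteration of the `param_vuln_i` loop, copying the whole dnslog response body each time, and the no-argument `toLowerCase()` is locale-sensitive (under a Turkish default locale `I` does not fold to `i`, so a token or host containing `i` would silently never match). Lowercase once, `String respLower = respCookie.toLowerCase(Locale.ROOT);`, and use `respLower` with `Locale.ROOT` on the other operand in all the `contains` calls. The same pattern recurs in the @@ -1894, @@ -1951, @@ -2772, @@ -2832 and @@ -2891 hunks. The enclosing method starts and ends outside the hunk.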
@@ -1894,13 +1907,13 @@ else if ( ij == 3 && this.isipincreasing) { // 正常uri 加入payload的请求 try { assert response2 != null; String respCookie = Objects.requireNonNull(response2.body()).string(); // dnslog的响应体 -// stdout.println(respCookie); - if (respCookie.contains(words_vuln) && respCookie.contains( random_str + (ij - 1) + "." + this.logxn_dnslog.trim()) ) { + if (respCookie.toLowerCase().contains(words_vuln.toLowerCase()) && respCookie.toLowerCase().contains( (random_str + (ij - 1) + "." + this.logxn_dnslog.trim()).toLowerCase()) ) { String param_vuln = ""; for (int param_vuln_i = param_i;param_vuln_i >= 0; param_vuln_i -- ){ - if (respCookie.contains("\"" +param_vuln_i + "." + firstheaders[0].trim().toLowerCase() ) ){ + if (respCookie.toLowerCase().contains("\"" +param_vuln_i + "." + firstheaders[0].trim().toLowerCase() ) ){ param_vuln = param_vuln + "param " + param_vuln_i + " is vulned "; + System.out.println(param_vuln); } } synchronized (this.Udatas) {
@@ -1917,6 +1930,10 @@ else if ( ij == 3 && this.isipincreasing) { // 正常uri 加入payload的请求 "log4j2 RCE" + param_vuln, "High" )); + if ( !toHosts_vuln.contains(host.toLowerCase()) )// 如果不包含host,那么就添加进入toHosts_vuln数组 + toHosts_vuln.add(host.toLowerCase()); // tohosts_vuln列表里添加host + + this.ispolling = false; // 关闭轮询开关 return issues; } }
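Review bot: The added `System.out.println(param_vuln);` inside the `param_vuln_i` loop is a leftover debug print: the sibling loops in the @@ -1836 and @@ -1951 hunks do not print, and the rest of this commit is busy commenting out `System.out.println` calls. Remove it, or if the parameter index is useful to the user, send it once after the loop to the extension's Burp output stream that the removed `// stdout.println(respCookie);` line refers to, e.g. `stdout.println(param_vuln);`. The enclosing method starts and ends outside the hunk.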
@@ -1951,17 +1968,13 @@ else if ( ij == 3 && this.isipincreasing) { // 正常uri 加入payload的请求 Response response2 = null; try { response2 = call.execute(); - } catch (IOException e) { - e.printStackTrace(); - } - try { assert response2 != null; String respCookie = Objects.requireNonNull(response2.body()).string(); // dnslog的响应体 - if (respCookie.contains(words_vuln) && respCookie.contains(random_str + (ij - 1) + "." + this.logxn_dnslog.trim()) ) { + if (respCookie.toLowerCase().contains(words_vuln.toLowerCase()) && respCookie.toLowerCase().contains((random_str + (ij - 1) + "." + this.logxn_dnslog.trim()).toLowerCase()) ) { String param_vuln = ""; for (int param_vuln_i = param_i;param_vuln_i >= 0; param_vuln_i -- ){ - if (respCookie.contains("\"" +param_vuln_i + "." + firstheaders[0].trim().toLowerCase() ) ){ + if (respCookie.toLowerCase().contains("\"" +param_vuln_i + "." + firstheaders[0].trim().toLowerCase() ) ){ param_vuln = param_vuln + "param " + param_vuln_i + " is vulned "; } }
@@ -1978,6 +1991,10 @@ else if ( ij == 3 && this.isipincreasing) { // 正常uri 加入payload的请求 "log4j2 RCE " + param_vuln, "High" )); + if ( !toHosts_vuln.contains(host.toLowerCase()) )// 如果不包含host,那么就添加进入toHosts数组 + toHosts_vuln.add(host.toLowerCase()); // tohosts_vuln列表里添加host + + this.ispolling = false; // 关闭轮询开关 return issues; } }
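Review bot: Folding `call.execute()` into the same `try` as the response parsing is the right direction, but it leaves `assert response2 != null;` as a check that can no longer fail (`Call.execute()` returns a `Response` or throws) and, like the other `assert`s in this method, does nothing when the JVM runs without `-ea`, which is the default; drop the line and let the `IOException` path handle failures. The catch clauses that now receive the `IOException` from `execute()` lie after the hunk, so confirm one of them covers `IOException` now that the inner handler is gone. The enclosing method starts and ends outside the hunk.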
@@ -1985,16 +2002,110 @@ else if ( ij == 3 && this.isipincreasing) { // 正常uri 加入payload的请求 e.printStackTrace(); } } + } + // 轮询查询 + if (this.ceyeio && this.ispolling) { + if ( !toHosts.contains(host) )// 如果不包含host,那么就添加进入toHosts数组 + toHosts.add(host); + OkHttpClient client = new OkHttpClient(); + String indexUrl = "http://api.ceye.io/v1/records?token=" + this.ceyetoken.trim() + "&type=dns&filter="; + Request loginReq = new Request.Builder() + .url(indexUrl) + .get() + .build(); + try { + Robot r = new Robot(); + r.delay(2500); + } catch (AWTException e) { + e.printStackTrace(); + } + Call call = client.newCall(loginReq); + Response response2 = null; + try { + response2 = call.execute(); + assert response2 != null; + String respCookie = Objects.requireNonNull(response2.body()).string(); // dnslog的响应体 + for(int i = 0; i createMenuItems ( IContextMenuInvocation invocation ) { } catch (IOException ee) {} + //String random_str2 = RandomStringUtils.randomAlphanumeric(3); //生成指定长度的字母和数字的随机组合字符串 + byte[] request = iHttpRequestResponse.getRequest(); IRequestInfo analyzedIRequestInfo = this.helpers.analyzeRequest(request);
@@ -2443,7 +2556,7 @@ else if( request_header_content_type.contains("multipart/form-data") ){ body = body.replace("$","%24"); // 对请求体的{、}、$、/进行编码 } - System.out.println("2445:" + body); + //System.out.println("2445:" + body); request_header.set(0,firstheaders[0] + " " + firstheaders[1] + " " + firstheaders[2]);
@@ -2620,7 +2733,7 @@ else if(j == 0) { for (int iji = 0 ;iji < jndi_lists.size(); iji ++ ) { // 根据bypass的个数生成随机字符串 random_lists.add(RandomStringUtils.randomAlphanumeric(3)); } - System.out.println("2621:" + body); + //System.out.println("2621:" + body); int ij_total = 0; for (int iii = 0 ;iii < jndi_lists.size(); iii++ ) { int ij = 1;
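Review bot: Commenting out `System.out.println("2445:" + body);` rather than deleting it leaves dead code carrying a stale line number, and the same is done in the @@ -2620, @@ -2694 and @@ -2707 hunks while the @@ -2861 and @@ -2891 hunks add seven new lines that are already commented out. Delete them — the history is in version control — or keep a single debug path behind a flag that writes to the extension's `stdout` stream, which the file already references. Note too that these prints dump the full request `body` of proxied traffic, which can carry session tokens or credentials, so debug output of that kind belongs behind an explicit opt-in rather than on the console by default. The enclosing method starts and ends outside the hunk.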
@@ -2694,8 +2807,8 @@ else if(j == 0) { String finalUri = uri; String finalPrivatednsResponseurl = privatednsResponseurl; String finalBody = body; - System.out.println("2696" + finalBody); - System.out.println(ij); + //System.out.println("2696" + finalBody); + //System.out.println(ij); byte[] request_bodys; byte[] newRequest = new byte[0];
@@ -2707,7 +2820,7 @@ else if(j == 0) { newRequest = BurpExtender.this.helpers.buildHttpMessage(request_header_single, request_bodys); } else if (ij == 3 ) { - System.out.println("2707" + finalBody); + //System.out.println("2707" + finalBody); request_bodys = finalBody.getBytes(); //String to byte[] 原始请求体 newRequest = BurpExtender.this.helpers.buildHttpMessage(request_header_single, request_bodys); } else if (ij == 1 ) {
@@ -2734,7 +2847,7 @@ else if(j == 0) { int finalParam_i = param_i; String finalHost = host; int finalIj = ij; -// String finalRandom_str = random_str2; + String finalRandom_str = random_lists.get(iii); int finalIii = iii; byte[] finalNewRequest = newRequest; new Thread() { // 由于createmenuitem不能进行创建buildHttpMessage,所以另起一个线程进行探测
@@ -2772,11 +2885,11 @@ public void run() { assert response2 != null; String respCookie = Objects.requireNonNull(response2.body()).string(); // dnslog的响应体 - if (respCookie.contains(words_vuln) && respCookie.contains( random_str + (finalIj - 1) + "." + finalIii + "." + logxn_dnslog.trim()) ) { + if (respCookie.toLowerCase().contains(words_vuln.toLowerCase()) && respCookie.toLowerCase().contains( (finalRandom_str + "." + (finalIj - 1) + "." + finalIii + "." + logxn_dnslog.trim()).toLowerCase()) ) { // 0.17.2更新参数点显示 String param_vuln = ""; for (int param_vuln_i = finalParam_i - 1; param_vuln_i >= 0; param_vuln_i--) { - if (respCookie.contains("\"" + param_vuln_i + "." + firstheaders[0].trim().toLowerCase())) { + if (respCookie.toLowerCase().contains("\"" + param_vuln_i + "." + firstheaders[0].trim().toLowerCase())) { param_vuln = param_vuln + "param " + param_vuln_i + " is vulned "; } }
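Review bot: The expected dnslog record changed shape in the rewritten `if`: it is now `finalRandom_str + "." + (finalIj - 1) + "." + finalIii + "." + logxn_dnslog.trim()` (token taken from `random_lists.get(iii)` in the @@ -2734 hunk, dot-separated from the counter) instead of `random_str + (finalIj - 1) + ...`. The code that embeds the token into the JNDI payload is outside this hunk, so I cannot see that it emits the same dotted layout; if it does not, detection silently never fires, which a test that builds a payload and the expected record through one shared helper would catch. A short comment above the `if` naming the record format being matched (`// expects <token>.<round>.<bypass-index>.<dnslog-domain>`) would also help, since the layout is no longer obvious. `run()` starts and ends outside the hunk.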
@@ -2832,11 +2945,11 @@ public void run() { String respCookie = Objects.requireNonNull(response2.body()).string(); // dnslog的响应体 // stdout.println(respCookie); String param_vuln = ""; - if (respCookie.contains(words_vuln) && respCookie.contains(random_str + (finalIj - 1) + "." + finalIii + "." + logxn_dnslog.trim())) { + if (respCookie.toLowerCase().contains(words_vuln.toLowerCase()) && respCookie.toLowerCase().contains((finalRandom_str + "." + (finalIj - 1) + "." + finalIii + "." + logxn_dnslog.trim()).toLowerCase())) { // 0.17.2更新参数点显示 for (int param_vuln_i = finalParam_i - 1; param_vuln_i >= 0; param_vuln_i--) { // stdout.println(param_vuln_i); - if (respCookie.contains("\"" + param_vuln_i + "." + firstheaders[0].trim().toLowerCase())) { + if (respCookie.toLowerCase().contains( "\"" + param_vuln_i + "." + firstheaders[0].trim().toLowerCase() ) ) { param_vuln = param_vuln + "param " + param_vuln_i + " is vulned "; } }
@@ -2861,10 +2974,12 @@ public void run() { ee.printStackTrace(); } } - + //System.out.println("2870"); + //System.out.println(BurpExtender.this.privatedns); if (BurpExtender.this.privatedns && !BurpExtender.this.isip) { // privatedns 的dnslog记录 String words_vuln = firstheaders[0].trim().toLowerCase() + "." + finalHost.trim() + finalUri.trim(); + if (words_vuln.length() > 20) words_vuln = words_vuln.substring(words_vuln.length() - 20); OkHttpClient client = new OkHttpClient();
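Review bot: `if (words_vuln.length() > 20) words_vuln = words_vuln.substring(words_vuln.length() - 20);` keeps only the last 20 characters of `method.host/uri` with no comment explaining the cutoff; presumably it mirrors a length cap applied where the marker is embedded in the private-DNS payload (outside this hunk), and if so the value should be a named constant used in both places, e.g. `private static final int PRIVATEDNS_MARKER_LEN = 20;`, with a one-line comment on the `if` saying what it matches. A 20-character suffix of the URI is also a much looser match than the full string, and the other two `contains(words_vuln...)` checks in `run()` (@@ -2772, @@ -2832) still use the full value, so confirm the asymmetry is intended. `run()` starts and ends outside the hunk.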
@@ -2891,11 +3006,16 @@ public void run() { assert response2 != null; String respCookie = Objects.requireNonNull(response2.body()).string(); // dnslog的响应体 String param_vuln = ""; - if (respCookie.contains(words_vuln) && respCookie.contains(random_str + (finalIj - 1) + "." + finalIii + "." + logxn_dnslog.trim())) { + //System.out.println("2900"); + //System.out.println(respCookie); + //System.out.println(words_vuln); + //System.out.println(finalRandom_str + "." + (finalIj - 1) + "." + finalIii + "." ); + //System.out.println(respCookie.contains(finalRandom_str + "." + (finalIj - 1) + "." + finalIii + "." )); + if (respCookie.toLowerCase().contains(words_vuln.toLowerCase()) && respCookie.toLowerCase().contains((finalRandom_str + "." + (finalIj - 1) + "." + finalIii + ".").toLowerCase() )) { // 0.17.2更新参数点显示 for (int param_vuln_i = finalParam_i - 1; param_vuln_i >= 0; param_vuln_i--) { // stdout.println(param_vuln_i); - if (respCookie.contains("\"" + param_vuln_i + "." + firstheaders[0].trim().toLowerCase())) { + if (respCookie.toLowerCase().contains("\"" + param_vuln_i + "." + firstheaders[0].trim().toLowerCase())) { param_vuln = param_vuln + "param " + param_vuln_i + " is vulned "; } }
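Review bot: The new condition drops `logxn_dnslog.trim()` from the private-DNS match, so a hit now only needs `<token>.<n>.<iii>.` to appear somewhere in the response, where the token is three alphanumeric characters (`RandomStringUtils.randomAlphanumeric(3)` in the @@ -2620 hunk) and the counters are small integers; that is a short pattern, and an unrelated record in the same private DNS log can yield a false "log4j2 RCE" finding. If the private DNS API returns names without the zone suffix, say so in a comment on the `if`; otherwise keep the suffix in the match as the @@ -2772 and @@ -2832 branches do. `run()` starts and ends outside the hunk.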