burpsuite插件开发系列_指定参数base64加密替换功能插件
1、指定参数base64加密替换功能插件:
D:\plug_in\base64encode.py
2、为何要开发这个插件?
参考:D:\plug_in\header包头数据自动替换插件\test1.py
测试禅道的一个order by注入,发现提交的参数先使用base64加密后提交,由于是高版本mysql,无显错式注入,手工盲注根本就是不可能完成的任务,于是想到开发一个burpsuite的插件来自动替换指定的url中的参数。
3、burpsuite代理神器下设置发包方式:
//sqlmap插件设置方法,这里不讨论插件的使用方法,请自行google:
--dbms="mysql" --dbs --users --threads 10 --level 3 --hex --proxy="http://127.0.0.1:8080"
//替换指定参数的效果截图:
#!/user/bin/env python #D:\plug_in\base64encode.py #coding=utf8 #auther:pt007@vip.sina.com from burp import IBurpExtender from burp import IHttpListener # 导入 burp 接口 from burp import IProxyListener from javax.swing import JOptionPane import hashlib import json import ssl import sys import string,re,base64 def base64encode(m): payload = base64.b64encode(m.group()) return payload class BurpExtender(IBurpExtender,IHttpListener,IProxyListener): def registerExtenderCallbacks(self,callbacks): self._callbacks=callbacks self._helpers=callbacks.getHelpers() callbacks.setExtensionName("base64encode") callbacks.registerHttpListener(self) callbacks.registerProxyListener(self) return def processHttpMessage(self,toolFlag,messageIsRequest,messageInfo): #if toolFlag==4 or toolFlag == 32:#Tool_proxy与intruder if toolFlag == 32 or toolFlag==4: #Tool_proxy与intruder if messageIsRequest: #操作request rq=messageInfo.getRequest() analyzerq=self._helpers.analyzeRequest(rq) headers=analyzerq.getHeaders() body=rq[analyzerq.getBodyOffset():] #print headers print "\n------------------------------------------Original Header------------------------------------------" for header in headers: print header print body.tostring() print type(header) #打印出类型 print "\n------------------------------------------Replaced Header------------------------------------------" global data data=body.tostring() url=headers[0] url=re.sub(r'\{.*\}',base64encode, url) headers[0]=url httpmsg=self._helpers.buildHttpMessage(headers,data) messageInfo.setRequest(httpmsg) tmpstr=self._helpers.bytesToString(httpmsg) #print tmpstr.encode('utf-8') #print type(header) #取回并打印出header包 request = messageInfo.getRequest() analyzedRequest = self._helpers.analyzeResponse(request) request_header = analyzedRequest.getHeaders() for header in request_header: print header print '\n'+data if not messageIsRequest: #操作Response #Response包打印 print "\n------------------------------------------Response------------------------------------------" response = messageInfo.getResponse() # get response analyzedResponse = self._helpers.analyzeResponse(response) body = response[analyzedResponse.getBodyOffset():] body_string = body.tostring() # get response_body response_header = analyzedResponse.getHeaders() for header in response_header: print header print '\n'+body_string print "\n-------------------------------------------Response end--------------------------------------" #实现了proxy功能中的Edited request: def processProxyMessage(self,messageIsRequest,proxyMessage): if messageIsRequest: messageInfo=proxyMessage.getMessageInfo() #print "[+]"+messageInfo.getHttpService().getHost() try: request = messageInfo.getRequest() reqInfo = self._helpers.analyzeRequest(request) headers = reqInfo.getHeaders() bodyOffset = reqInfo.getBodyOffset() body= request[bodyOffset:] data=body.tostring() url=headers[0] url=re.sub(r'\{.*\}',base64encode, url) headers[0]=url newHttpMessage = self._helpers.buildHttpMessage(headers,data) tmpstr=self._helpers.bytesToString(newHttpMessage) print "\n-------------------------------------------Edited request--------------------------------------" print "[tmpstr]:\n"+tmpstr.encode('utf-8') messageInfo.setRequest(newHttpMessage); print "\n-------------------------------------------Edited request end-----------------------------------" except Exception as e: print e
