Python Hacker Programming: a Burp Suite Fuzzing Extension

Description

  • Write a Burp Suite fuzzing extension that takes the HTTP payloads Burp intercepts and sends mutated variants of them

Analysis

  • To write a Burp extension in Python you need a Jython environment (Jython is a Python 2 implementation written in Java); Burp loads Python extensions through the standalone Jython jar configured in the Extender options
  • The interfaces (IBurpExtender, IIntruderPayloadGeneratorFactory, IIntruderPayloadGenerator) come from Burp's Extender API, the `burp` package, not from Jython, which is only the runtime; we only have to implement the payload mutation part

Code

  • Burp extension class: boilerplate. registerExtenderCallbacks registers this object as a payload generator factory, getGeneratorName returns the name Intruder shows for the generator, and createNewInstance returns a payload generator for the attack
class BurpExtender(IBurpExtender, IIntruderPayloadGeneratorFactory):
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()

        callbacks.registerIntruderPayloadGeneratorFactory(self)
        return

    def getGeneratorName(self):
        return "BHP Payload Generator"

    def createNewInstance(self, attack):
        return BHPFuzzer(self, attack)
  • Payload generator class: hasMorePayloads decides when to stop; getNextPayload receives the base payload (a Java byte[]) and returns the newly generated payload; reset is called when Intruder moves on to the next payload position; mutate_payload does the actual mutation
class BHPFuzzer(IIntruderPayloadGenerator):
    def __init__(self, extender, attack):
        self._extender = extender
        self._helpers = extender._helpers
        self._attack = attack
        self.max_payloads = 100   # mutations to generate per payload position
        self.num_iterations = 0
        return

    def hasMorePayloads(self):
        return self.num_iterations < self.max_payloads

    def getNextPayload(self, current_payload):
        # current_payload is a Java byte[]; Jython yields its elements as
        # signed ints (-128..127), so mask with 0xff, otherwise chr() raises
        # on any byte >= 0x80 (self._helpers.bytesToString() is the
        # equivalent Burp helper).
        payload = "".join(chr(x & 0xff) for x in current_payload)
        payload = self.mutate_payload(payload)
        self.num_iterations += 1
        # Jython coerces the returned str to the byte[] Burp expects.
        return payload

    def reset(self):
        # Called when Intruder moves to the next payload position.
        self.num_iterations = 0
        return

    def mutate_payload(self, original_payload):
        # Swap two randomly chosen bytes. Payloads shorter than two bytes
        # have nothing to swap (randint(0, -1) would raise on an empty one).
        payload_len = len(original_payload)
        if payload_len < 2:
            return original_payload
        m = random.randint(0, payload_len - 1)
        n = random.randint(0, payload_len - 1)
        payload_list = list(original_payload)
        payload_list[m], payload_list[n] = original_payload[n], original_payload[m]
        return "".join(payload_list)
  • Full code
from burp import IBurpExtender
from burp import IIntruderPayloadGeneratorFactory
from burp import IIntruderPayloadGenerator
import random


class BurpExtender(IBurpExtender, IIntruderPayloadGeneratorFactory):
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        # Register this object as a payload generator factory; the generator
        # then appears in Intruder under the "Extension-generated" payload type.
        callbacks.registerIntruderPayloadGeneratorFactory(self)
        return

    def getGeneratorName(self):
        return "BHP Payload Generator"

    def createNewInstance(self, attack):
        # One generator instance per Intruder attack.
        return BHPFuzzer(self, attack)


class BHPFuzzer(IIntruderPayloadGenerator):
    def __init__(self, extender, attack):
        self._extender = extender
        self._helpers = extender._helpers
        self._attack = attack
        self.max_payloads = 100   # mutations to generate per payload position
        self.num_iterations = 0
        return

    def hasMorePayloads(self):
        return self.num_iterations < self.max_payloads

    def getNextPayload(self, current_payload):
        # current_payload is a Java byte[]; Jython yields its elements as
        # signed ints (-128..127), so mask with 0xff, otherwise chr() raises
        # on any byte >= 0x80 (self._helpers.bytesToString() is the
        # equivalent Burp helper).
        payload = "".join(chr(x & 0xff) for x in current_payload)
        payload = self.mutate_payload(payload)
        self.num_iterations += 1
        # Jython coerces the returned str to the byte[] Burp expects.
        return payload

    def reset(self):
        # Called when Intruder moves to the next payload position.
        self.num_iterations = 0
        return

    def mutate_payload(self, original_payload):
        # Swap two randomly chosen bytes. Payloads shorter than two bytes
        # have nothing to swap (randint(0, -1) would raise on an empty one).
        payload_len = len(original_payload)
        if payload_len < 2:
            return original_payload
        m = random.randint(0, payload_len - 1)
        n = random.randint(0, payload_len - 1)
        payload_list = list(original_payload)
        payload_list[m], payload_list[n] = original_payload[n], original_payload[m]
        return "".join(payload_list)

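The mutation above only swaps two bytes, and the generator can only be exercised by loading it into Burp. The block below is an added example, not code from this page or from Black Hat Python: a stand-alone CPython model of the same generator interface with the Burp classes and helpers left out, a mutator with four strategies (the page's byte swap plus slice repetition, fuzz-fragment splicing and bit flips), and a loop that replays Intruder's calling sequence as the page describes it (getNextPayload until hasMorePayloads is False, then reset before the next payload position). The fuzz fragments, the strategy set, the signed-byte conversion helper and run_attack are all assumptions of this example.

```python
import random

# Constructed fuzz fragments (an assumption of this example, not from the page):
# classic injection and boundary probes a mutator can splice into a payload.
FUZZ_FRAGMENTS = [
    b"'",
    b"' OR '1'='1",
    b"\"><script>alert(1)</script>",
    b"%s%s%s%s%n",
    b"../../../../etc/passwd",
    b"A" * 512,
]


def java_bytes_to_bytearray(java_bytes):
    """Burp hands getNextPayload a Java byte[], whose elements Jython exposes
    as signed ints (-128..127); chr(x) raises ValueError on negatives.
    Masking with 0xff recovers the unsigned byte. Plain ints model the array."""
    return bytearray(x & 0xFF for x in java_bytes)


def mutate(payload, rng, strategy=None):
    """Return one mutated copy of payload (a bytearray) using one strategy:
    0 swap two bytes (the page's original mutation)
    1 repeat a random slice 2..10 times (length/boundary bugs)
    2 splice a fuzz fragment at a random offset (injection bugs)
    3 flip low bits of one byte (encoding/parsing bugs)
    An empty payload only gets strategy 2; the others need a byte to act on."""
    out = bytearray(payload)
    if strategy is None:
        strategy = rng.randint(0, 3) if out else 2
    if strategy == 0:
        m = rng.randint(0, len(out) - 1)
        n = rng.randint(0, len(out) - 1)
        out[m], out[n] = out[n], out[m]
    elif strategy == 1:
        start = rng.randint(0, len(out) - 1)
        end = rng.randint(start + 1, len(out))
        chunk = out[start:end]
        out[end:end] = chunk * rng.randint(2, 10)
    elif strategy == 2:
        offset = rng.randint(0, len(out))
        out[offset:offset] = rng.choice(FUZZ_FRAGMENTS)
    elif strategy == 3:
        i = rng.randint(0, len(out) - 1)
        out[i] ^= rng.randint(1, 0x0F)   # non-zero mask, so the byte changes
    else:
        raise ValueError("unknown strategy %d" % strategy)
    return out


class OfflineFuzzer(object):
    """Same three methods and counters as the page's BHPFuzzer, without the
    Burp interfaces, so the logic can be run and tested under plain CPython."""

    def __init__(self, max_payloads=100, seed=None):
        self.max_payloads = max_payloads
        self.num_iterations = 0
        self.rng = random.Random(seed)   # seeded for reproducible runs

    def hasMorePayloads(self):
        return self.num_iterations < self.max_payloads

    def getNextPayload(self, current_payload):
        payload = java_bytes_to_bytearray(current_payload)
        self.num_iterations += 1
        return mutate(payload, self.rng)

    def reset(self):
        self.num_iterations = 0


def run_attack(base_values, max_payloads=5, seed=1):
    """Replay Intruder's calling sequence: for each payload position's base
    value call getNextPayload until hasMorePayloads() is False, then reset()
    before the next position. Returns every generated payload as bytes."""
    fuzzer = OfflineFuzzer(max_payloads, seed)
    generated = []
    for base in base_values:
        while fuzzer.hasMorePayloads():
            generated.append(bytes(fuzzer.getNextPayload(base)))
        fuzzer.reset()
    return generated


if __name__ == "__main__":
    # Constructed base values: a username field and a two-byte value with a
    # high byte, given as the signed ints Jython would pass from a Java byte[].
    admin = [ord(c) for c in "admin"]
    for p in run_attack([admin, [-1, 0x41]], max_payloads=3, seed=7):
        print(repr(p))
```

To move a new strategy into the Jython extension, port only `mutate` into `mutate_payload` (working on the str that `getNextPayload` builds) and keep the Burp-facing methods as they are; the offline harness is where to check that a strategy never raises on short, empty or high-byte base values before Intruder ever calls it.
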
Results

  • Load the custom extension in Burp
  • Intercept the WordPress login request in Burp, send it to Intruder, and select the payload positions
  • Start the attack; a response with an unusual length was captured, and the login succeeded
posted @ 2023-02-12 11:14  z5onk0