Neurohazard
暮雲煙月,皓首窮經;森羅萬象,如是我聞。

Burp Suite 插件编写初步 (Python)

wpadmin~October 14, 2018 /InfoSec

Create Burp Suite Extension (Python) | Burp Suite 插件编写初步 (Python)

Burp Suite 插件编写 (Python)

API 简要说明

1 插件入口和帮助接口类
2 UI 相关接口类
3 Burp 工具组件接口类
4 HTTP 消息处理接口类

插件入口和帮助接口类

IBurpExtender

IBurpExtender

IBurpExtenderCallbacks

IExtensionHelpers

IExtensionStateListener

IBurpExtender 接口类 是 Burp 插件的入口,所有 Burp 的插件均需要实现此接口,并且类命名为 BurpExtender。

class BurpExtender(IBurpExtender, IIntruderPayloadGeneratorFactory, IIntruderPayloadProcessor):
    pass

IBurpExtenderCallbacks 接口类 是 IBurpExtender 接口的实现类 与 Burp 其他各个组件 (Scanner,Intruder, Spider…), 各个通信对象 ( HttpRequestResponse, HttpService.SessionHandlingAction) 之间的纽带。

IExtensionHelpers, IExtensionStateListener 这两个接口类是插件的帮助和管理操作的接口定义。

UI 相关接口类

IContextMenuFactory

IContextMenuInvocation

ITab

ITextEditor

IMessageEditor

IMenuItemHandler

这类接口类主要是定义 Burp 插件的 UI 显示和动作的处理事件,主要是软件交互中使用。

Burp 工具组件接口类

IInterceptedProxyMessage

IIntruderAttack

IIntruderPayloadGenerator

IIntruderPayloadGeneratorFactory

IIntruderPayloadProcessor

IProxyListener

IScanIssue

IScannerCheck

IScannerInsertionPoint

IScannerInsertionPointProvider

IScannerListener

IScanQueueItem

IScopeChangeListener

这些接口类的功能非常好理解,Burp 在接口定义的命名中使用了的见名知意的规范,看到接口类的名称,基本就能猜测出来这个接口是适用于哪个工具组件。

HTTP消息处理接口类

ICookie

IHttpListener

IHttpRequestResponse

IHttpRequestResponsePersisted

IHttpRequestResponseWithMarkers

IHttpService

IRequestInfo

IParameter

IResponseInfo

这些接口的定义主要是围绕 HTTP 消息通信过程中涉及的 Cookie, Request, Response, Parameter 几大消息对象,通过对通信消息头、消息体的数据处理,来达到控制 HTTP 消息传递的目的。

Burp API 简要总结

通过对 Burp 插件 API 的功能划分,我们对 API 的接口有一个初步的认知,知道在使用某个功能时,可以去哪个接口类中寻找相应的接口定义来做自己的实现。例如,我们想显示一个 Tab 页界面,那么肯定是要实现 ITab 接口;如果需要对消息进行编辑修改,则需要实现 IMessageEditor 接口;需要使用 payload 生成器,则需要实现 IIntruderPayloadGenerator 接口。通过接口分类后再找具体的接口定义的方法,可以帮助我们在不太熟悉 Burp 插件 API 的情况下,更快地开发出自己需要的插件。

示例代码

注意事项

注意添加插件时,路径中不能有中文,不然会报异常。

示例代码

Hello world
https://github.com/PortSwigger/example-hello-world

Event listeners
https://github.com/PortSwigger/example-event-listeners

Traffic redirector
https://github.com/PortSwigger/example-traffic-redirector

Custom logger
https://github.com/PortSwigger/custom-logger

Custom editor tab
https://github.com/PortSwigger/example-custom-editor-tab

Custom scan insertion points
https://github.com/PortSwigger/example-custom-scan-insertion-points

Custom scanner checks
https://github.com/PortSwigger/example-scanner-checks

Custom session tokens
https://github.com/PortSwigger/example-custom-session-tokens

Intruder payloads
https://github.com/PortSwigger/example-intruder-payloads

用户示例

@bit4woo
这个插件的主要作用是在 HTTP 和 HTTPS 请求的 header 部分添加一个 X-Forward-For 字段,而字段中的 IP 地址是随机生成的。
用于绕过使用该字段来防护暴力破解等的场景.
https://github.com/bit4woo/Burp_Extender_random_X-Forward-For

@andr0day
一款集成 Sqlmap 到 Burp Suite 中的插件 整合两大神器
https://github.com/difcareer/sqlmap4burp

案例解析

以 Payload Generator 为例

# -*- coding: utf-8 -*-
# unix_time.py
# http://search.maven.org/remotecontent?filepath=org/python/jython-standalone/2.7-b1/jython-standalone-2.7-b1.jar

from burp import IBurpExtender
from burp import IIntruderPayloadGeneratorFactory
from burp import IIntruderPayloadGenerator
import time


class BurpExtender(IBurpExtender, IIntruderPayloadGeneratorFactory):

    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()

        # 插件名称
        callbacks.setExtensionName("Unix timestamp Intruder Generator")
        callbacks.registerIntruderPayloadGeneratorFactory(self)
        return

    # Generator 名称
    def getGeneratorName(self):
        return "Unix Timestamp"

    # 新建实例
    def createNewInstance(self, attack):
        return UnixTime(self, attack)


class UnixTime(IIntruderPayloadGenerator):
    def __init__(self, extender, attack):
        self._extender = extender
        self._helpers = extender._helpers
        self._attack = attack
        self._payloadIndex = 0
        return

    def hasMorePayloads(self):
        return self._payloadIndex < 10

    def getNextPayload(self,current_payload):
        payload = str(int(time.time()*1000))
        self._payloadIndex = self._payloadIndex + 1
        return payload

    def reset(self):
        self._payloadIndex = 0
        return   

官方 demo

# -*- coding: utf-8 -*-
from burp import IBurpExtender
from burp import IIntruderPayloadGeneratorFactory
from burp import IIntruderPayloadProcessor
from burp import IIntruderPayloadGenerator

# hard-coded payloads
# [in reality, you would use an extension for something cleverer than this]

PAYLOADS = [
    bytearray("|"),
    bytearray("<script>alert(1)</script>")
]

class BurpExtender(IBurpExtender, IIntruderPayloadGeneratorFactory, IIntruderPayloadProcessor):

    #
    # implement IBurpExtender
    #

    def registerExtenderCallbacks(self, callbacks):
        # obtain an extension helpers object
        self._helpers = callbacks.getHelpers()

        # set our extension name
        # 插件名称
        callbacks.setExtensionName("Super Intruder Generator")

        # register ourselves as an Intruder payload generator
        callbacks.registerIntruderPayloadGeneratorFactory(self)

        # register ourselves as an Intruder payload processor
        callbacks.registerIntruderPayloadProcessor(self)

    #
    # implement IIntruderPayloadGeneratorFactory
    #

    def getGeneratorName(self):
        return "SimpleHelloGenerator"

    def createNewInstance(self, attack):
        # return a new IIntruderPayloadGenerator to generate payloads for this attack
        return IntruderPayloadGenerator()

    #
    # implement IIntruderPayloadProcessor
    #

    def getProcessorName(self):
        return "Serialized input wrapper"

    def processPayload(self, currentPayload, originalPayload, baseValue):
        # decode the base value
        dataParameter = self._helpers.bytesToString(
                self._helpers.base64Decode(self._helpers.urlDecode(baseValue)))

        # parse the location of the input string in the decoded data
        start = dataParameter.index("input=") + 6
        if start == -1:
            return currentPayload

        prefix = dataParameter[0:start]
        end = dataParameter.index("&", start)
        if end == -1:
            end = len(dataParameter)

        suffix = dataParameter[end:len(dataParameter)]

        # rebuild the serialized data with the new payload
        dataParameter = prefix + self._helpers.bytesToString(currentPayload) + suffix
        return self._helpers.stringToBytes(
                self._helpers.urlEncode(self._helpers.base64Encode(dataParameter)))

#
# class to generate payloads from a simple list
#

class IntruderPayloadGenerator(IIntruderPayloadGenerator):
    def __init__(self):
        self._payloadIndex = 0

    def hasMorePayloads(self):
        return self._payloadIndex < len(PAYLOADS)

    def getNextPayload(self, baseValue):
        payload = PAYLOADS[self._payloadIndex]
        self._payloadIndex = self._payloadIndex + 1

        return payload

    def reset(self):
        self._payloadIndex = 0

注意事项

使用 Burp Suite Python/Ruby Extender 的注意事项

Note: Because of the way in which Jython and JRuby dynamically generate Java classes, you may encounter memory problems if you load several different Python/Ruby extensions, or if you unload and reload a Python/Ruby extension multiple times. If this happens, you will see an error like:

java.lang.OutOfMemoryError: PermGen space

You can avoid this problem by configuring Java to allocate more PermGen storage, by adding a -XX:MaxPermSize option to the command line when starting Burp. For example:

java -XX:MaxPermSize=1G -jar burp.jar

关于整合 Burp 与 sqlmap

渗透神器合体:在BurpSuite中集成Sqlmap – difcareer
http://www.freebuf.com/sectool/45239.html

第十八章 使用Burp, Sqlmap进行自动化SQL注入渗透测试
https://t0data.gitbooks.io/burpsuite/content/chapter18.html

参考资料

参考资料阅读指南

官方博客的归档,主要是在 2012 年,有很多涉及插件编写的内容
https://portswigger.net/blog/archive?y=2012

分享 | 如何抄抄改改实现自己的Burpsuite插件
wechat

Burp API python 版第一部分
http://nianhua.in/15522026314723.html

Reference

第十六章 如何编写自己的Burp Suite插件
https://t0data.gitbooks.io/burpsuite/content/chapter16.html

第十八章 使用Burp, Sqlmap进行自动化SQL注入渗透测试
https://t0data.gitbooks.io/burpsuite/content/chapter18.html

Extensibility
https://portswigger.net/burp/extender/

Burp Extender Documentation
https://portswigger.net/burp/documentation/desktop/tools/extender

Writing your first Burp Suite extension
https://portswigger.net/burp/extender/writing-your-first-burp-suite-extension

官方博客的归档
https://portswigger.net/blog/archive

Burp Suite APIs 分类归纳
http://gv7.me/articles/2017/classification-of-burp-apis/

API
https://portswigger.net/burp/extender/api/index.html

Web Penetration Testing with Burp and the CO2 Extension – Jason Gillam, Secure Ideas, LLC January 8,2015
建议从 29:00 开始,前面都是 Burp 的基础
https://www.youtube.com/watch?v=ez9KSqlYoWU

sql injection with burpsuite co2 extension
建议从 5:00 + 开始
https://www.youtube.com/watch?v=heOMvN5GVGY

How to install an Extension in Burp Suite
https://support.portswigger.net/customer/portal/articles/1965930-how-to-install-an-extension-in-burp-suite

AWVS 测试站
http://testphp.vulnweb.com/listproducts.php?cat=1

Leave a Reply

Your email address will not be published. Required fields are marked *