Create Burp Suite Extension (Python) | A First Look at Writing Burp Suite Extensions (Python)
Contents
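Writing Burp Suite extensions (Python)
Brief overview of the API
1 Extension entry point and helper interfaces
2 UI-related interfaces
3 Burp tool component interfaces
4 HTTP message handling interfaces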
Extension entry point and helper interfaces
IBurpExtender
IBurpExtenderCallbacks
IExtensionHelpers
IExtensionStateListener
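The IBurpExtender interface is the entry point of a Burp extension. Every Burp extension must implement this interface, and the implementing class must be named BurpExtender.
from burp import IBurpExtender, IIntruderPayloadGeneratorFactory, IIntruderPayloadProcessor
class BurpExtender(IBurpExtender, IIntruderPayloadGeneratorFactory, IIntruderPayloadProcessor):
    pass
The IBurpExtenderCallbacks interface is the link between the class that implements IBurpExtender and Burp's other components (Scanner, Intruder, Spider…) and communication objects (HttpRequestResponse, HttpService.SessionHandlingAction).
IExtensionHelpers and IExtensionStateListener define the helper and management operations available to an extension.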
UI-related interfaces
IContextMenuFactory
IContextMenuInvocation
ITab
ITextEditor
IMessageEditor
IMenuItemHandler
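These interfaces define how a Burp extension displays its UI and handles UI action events; they are used mainly for user interaction.
Burp tool component interfaces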
IInterceptedProxyMessage
IIntruderAttack
IIntruderPayloadGenerator
IIntruderPayloadGeneratorFactory
IIntruderPayloadProcessor
IProxyListener
IScanIssue
IScannerCheck
IScannerInsertionPoint
IScannerInsertionPointProvider
IScannerListener
IScanQueueItem
IScopeChangeListener
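The purpose of these interfaces is easy to understand. Burp names its interfaces descriptively, so the name of an interface is usually enough to tell which tool component it applies to.
HTTP message handling interfaces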
ICookie
IHttpListener
IHttpRequestResponse
IHttpRequestResponsePersisted
IHttpRequestResponseWithMarkers
IHttpService
IRequestInfo
IParameter
IResponseInfo
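These interfaces are built around the main objects involved in HTTP communication: Cookie, Request, Response and Parameter. By processing the data in message headers and bodies, an extension can control how HTTP messages are passed along.
Burp API summary
Grouping the Burp extension API by function gives a first picture of the interfaces and shows which interface to look in for the definition you need to implement. For example, to display a tab in the UI you implement ITab; to edit and modify messages you implement IMessageEditor; to use a payload generator you implement IIntruderPayloadGenerator. Starting from the category and then looking up the specific interface methods lets you build the extension you need more quickly, even if you are not yet familiar with the Burp extension API.
Example code
Notes
When adding an extension, the path must not contain Chinese characters; otherwise an exception is raised.
Example code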
Hello world
https://github.com/PortSwigger/example-hello-world
Event listeners
https://github.com/PortSwigger/example-event-listeners
Traffic redirector
https://github.com/PortSwigger/example-traffic-redirector
Custom logger
https://github.com/PortSwigger/custom-logger
Custom editor tab
https://github.com/PortSwigger/example-custom-editor-tab
Custom scan insertion points
https://github.com/PortSwigger/example-custom-scan-insertion-points
Custom scanner checks
https://github.com/PortSwigger/example-scanner-checks
Custom session tokens
https://github.com/PortSwigger/example-custom-session-tokens
Intruder payloads
https://github.com/PortSwigger/example-intruder-payloads
User examples
@bit4woo
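This extension adds an X-Forward-For field to the headers of HTTP and HTTPS requests, with a randomly generated IP address as its value.
It is used to get around protections, such as brute-force defences, that rely on this field.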
https://github.com/bit4woo/Burp_Extender_random_X-Forward-For
@andr0day
An extension that integrates Sqlmap into Burp Suite, combining the two tools.
https://github.com/difcareer/sqlmap4burp
Case analysis
Taking a Payload Generator as an example
# -*- coding: utf-8 -*-
# unix_time.py
# http://search.maven.org/remotecontent?filepath=org/python/jython-standalone/2.7-b1/jython-standalone-2.7-b1.jar
from burp import IBurpExtender
from burp import IIntruderPayloadGeneratorFactory
from burp import IIntruderPayloadGenerator
import time


class BurpExtender(IBurpExtender, IIntruderPayloadGeneratorFactory):
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        # extension name
        callbacks.setExtensionName("Unix timestamp Intruder Generator")
        callbacks.registerIntruderPayloadGeneratorFactory(self)
        return

    # generator name
    def getGeneratorName(self):
        return "Unix Timestamp"

    # create a new generator instance for each attack
    def createNewInstance(self, attack):
        return UnixTime(self, attack)


class UnixTime(IIntruderPayloadGenerator):
    def __init__(self, extender, attack):
        self._extender = extender
        self._helpers = extender._helpers
        self._attack = attack
        self._payloadIndex = 0
        return

    # stop after 10 payloads
    def hasMorePayloads(self):
        return self._payloadIndex < 10

    # each payload is the current Unix time in milliseconds
    def getNextPayload(self, current_payload):
        payload = str(int(time.time() * 1000))
        self._payloadIndex = self._payloadIndex + 1
        return payload

    def reset(self):
        self._payloadIndex = 0
        return
Official demo
# -*- coding: utf-8 -*-
from burp import IBurpExtender
from burp import IIntruderPayloadGeneratorFactory
from burp import IIntruderPayloadProcessor
from burp import IIntruderPayloadGenerator

# hard-coded payloads
# [in reality, you would use an extension for something cleverer than this]
PAYLOADS = [
    bytearray("|"),
    bytearray("<script>alert(1)</script>")
]


class BurpExtender(IBurpExtender, IIntruderPayloadGeneratorFactory, IIntruderPayloadProcessor):
    #
    # implement IBurpExtender
    #
    def registerExtenderCallbacks(self, callbacks):
        # obtain an extension helpers object
        self._helpers = callbacks.getHelpers()
        # set our extension name
        callbacks.setExtensionName("Super Intruder Generator")
        # register ourselves as an Intruder payload generator
        callbacks.registerIntruderPayloadGeneratorFactory(self)
        # register ourselves as an Intruder payload processor
        callbacks.registerIntruderPayloadProcessor(self)

    #
    # implement IIntruderPayloadGeneratorFactory
    #
    def getGeneratorName(self):
        return "SimpleHelloGenerator"

    def createNewInstance(self, attack):
        # return a new IIntruderPayloadGenerator to generate payloads for this attack
        return IntruderPayloadGenerator()

    #
    # implement IIntruderPayloadProcessor
    #
    def getProcessorName(self):
        return "Serialized input wrapper"

    def processPayload(self, currentPayload, originalPayload, baseValue):
        # decode the base value
        dataParameter = self._helpers.bytesToString(
            self._helpers.base64Decode(self._helpers.urlDecode(baseValue)))
        # parse the location of the input string in the decoded data
        # (find() returns -1 when the text is absent; index() would raise ValueError)
        start = dataParameter.find("input=")
        if start == -1:
            return currentPayload
        start = start + 6
        prefix = dataParameter[0:start]
        end = dataParameter.find("&", start)
        if end == -1:
            end = len(dataParameter)
        suffix = dataParameter[end:len(dataParameter)]
        # rebuild the serialized data with the new payload
        dataParameter = prefix + self._helpers.bytesToString(currentPayload) + suffix
        return self._helpers.stringToBytes(
            self._helpers.urlEncode(self._helpers.base64Encode(dataParameter)))


#
# class to generate payloads from a simple list
#
class IntruderPayloadGenerator(IIntruderPayloadGenerator):
    def __init__(self):
        self._payloadIndex = 0

    def hasMorePayloads(self):
        return self._payloadIndex < len(PAYLOADS)

    def getNextPayload(self, baseValue):
        payload = PAYLOADS[self._payloadIndex]
        self._payloadIndex = self._payloadIndex + 1
        return payload

    def reset(self):
        self._payloadIndex = 0
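The splice that processPayload performs in the official demo can be unit-tested outside Burp. The block below is an added example, not code from the original post or from PortSwigger: it is written for Python 3 and uses the standard base64 and urllib.parse modules in place of Burp's helper methods, and wrap_payload, unwrap and the sample base values are names and data constructed for illustration.

```python
# Added example: pure-Python version of the demo's processPayload() splice logic.
import base64
from urllib.parse import quote, unquote

MARKER = "input="  # field name used by the demo's serialized parameter


def wrap_payload(current_payload: bytes, base_value: bytes) -> bytes:
    """Replace the value of input= inside a URL-encoded, Base64-encoded blob."""
    try:
        decoded = base64.b64decode(unquote(base_value.decode("ascii")), validate=True)
        data = decoded.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        # Base value is not in the serialized format: pass the payload through.
        return current_payload

    # str.find() returns -1 when absent; str.index() would raise ValueError.
    start = data.find(MARKER)
    if start == -1:
        return current_payload
    start += len(MARKER)

    end = data.find("&", start)
    if end == -1:
        end = len(data)  # input= is the last field

    rebuilt = data[:start] + current_payload.decode("utf-8") + data[end:]
    encoded = base64.b64encode(rebuilt.encode("utf-8")).decode("ascii")
    return quote(encoded, safe="").encode("ascii")


def unwrap(value: bytes) -> str:
    """Decode a wrapped value back to its serialized text (for inspection)."""
    return base64.b64decode(unquote(value.decode("ascii"))).decode("utf-8")


# Constructed sample base values (not taken from any real application).
BASE_MIDDLE = quote(base64.b64encode(b"user=alice&input=hello&time=1").decode(), safe="").encode()
BASE_LAST = quote(base64.b64encode(b"user=alice&input=hello").decode(), safe="").encode()
BASE_NONE = quote(base64.b64encode(b"user=alice&time=1").decode(), safe="").encode()

if __name__ == "__main__":
    for base in (BASE_MIDDLE, BASE_LAST, BASE_NONE):
        out = wrap_payload(b"|", base)
        print(out, "->", unwrap(out) if out != b"|" else "(unchanged)")
```

Keeping the transformation in a function with no Burp dependency means the missing-field and last-field cases can be checked before the extension is loaded into Burp.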
Notes
Notes on using the Burp Suite Python/Ruby Extender
Note: Because of the way in which Jython and JRuby dynamically generate Java classes, you may encounter memory problems if you load several different Python/Ruby extensions, or if you unload and reload a Python/Ruby extension multiple times. If this happens, you will see an error like:
java.lang.OutOfMemoryError: PermGen space
You can avoid this problem by configuring Java to allocate more PermGen storage, by adding a -XX:MaxPermSize option to the command line when starting Burp. For example:
java -XX:MaxPermSize=1G -jar burp.jar
On integrating Burp with sqlmap
Pentest tools combined: integrating Sqlmap into BurpSuite – difcareer
http://www.freebuf.com/sectool/45239.html
Chapter 18: Automated SQL injection penetration testing with Burp and Sqlmap
https://t0data.gitbooks.io/burpsuite/content/chapter18.html
References
Reading guide to the references
The official blog archive, mainly the posts from 2012, has a lot of material on writing extensions
https://portswigger.net/blog/archive?y=2012
Sharing | How to build your own Burpsuite extension by copying and tweaking
wechat
Burp API, Python edition, part 1
http://nianhua.in/15522026314723.html
Reference
Chapter 16: How to write your own Burp Suite extension
https://t0data.gitbooks.io/burpsuite/content/chapter16.html
Chapter 18: Automated SQL injection penetration testing with Burp and Sqlmap
https://t0data.gitbooks.io/burpsuite/content/chapter18.html
Extensibility
https://portswigger.net/burp/extender/
Burp Extender Documentation
https://portswigger.net/burp/documentation/desktop/tools/extender
Writing your first Burp Suite extension
https://portswigger.net/burp/extender/writing-your-first-burp-suite-extension
Official blog archive
https://portswigger.net/blog/archive
A classification of the Burp Suite APIs
http://gv7.me/articles/2017/classification-of-burp-apis/
API
https://portswigger.net/burp/extender/api/index.html
Web Penetration Testing with Burp and the CO2 Extension – Jason Gillam, Secure Ideas, LLC January 8,2015
Start from around 29:00; everything before that is Burp basics
https://www.youtube.com/watch?v=ez9KSqlYoWU
sql injection with burpsuite co2 extension
Start from 5:00 onward
https://www.youtube.com/watch?v=heOMvN5GVGY
How to install an Extension in Burp Suite
https://support.portswigger.net/customer/portal/articles/1965930-how-to-install-an-extension-in-burp-suite
AWVS test site
http://testphp.vulnweb.com/listproducts.php?cat=1