《Python黑帽子:黑客与渗透测试编程之道》读书笔记:扩展burp代理
Posted 思源湖的鱼
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了《Python黑帽子:黑客与渗透测试编程之道》读书笔记:扩展burp代理相关的知识,希望对你有一定的参考价值。
前言
《Python黑帽子:黑客与渗透测试编程之道》的读书笔记,会包括书中源码,并自己将其中一些改写成Python3版本。书是比较老了,anyway,还是本很好的书
本篇是第6章扩展burp代理,包括利用劫持的HTTP请求作为fuzz的原始链接,与Bing结合搜索子域名或旁站
1、burp的fuzz脚本
使用burp的扩展工具,创建一个简单的fuzz工具
#!/usr/bin/env python
#-*- coding:utf8 -*-
# 导入三个类,其中IBurpExtender类是编写扩展工具必须的类,后两个是Intruder的,我们就是要扩展它
from burp import IBurpExtender
from burp import IIntruderPayloadGeneratorFactory
from burp import IIntruderPayloadGenerator
from java.util import List, ArrayList
import random
#定义自己的BurpExtender类,继承和扩展IBurpExtender和IIntruderPayloadGeneratorFactory类
class BurpExtender(IBurpExtender, IIntruderPayloadGeneratorFactory):
def registerExtenderCallbacks(self, callbacks):
self._callbacks = callbacks
self._helpers = callbacks.getHelpers()
#用registerIntruderPayloadGeneratorFactory函数注册BurpExtender类,这样Intruder才能生成攻击载荷
callbacks.registerIntruderPayloadGeneratorFactory(self)
return
#返回载荷生成器的名称
def getGeneratorName(self):
return "BHP Payload Generator"
# 接受攻击相关参数,返回IIntruderPayloadGenerator类型的实例,作者将他命名为BHPFuzzer
def createNewInstance(self, attack):
return BHPFuzzer(self, attack)
# 定义BHPFuzzer类,扩展了IIntruderPayloadGenerator类
# 增加了max_payload(最大的payload), num_iterations(迭代次数)两个变量,用于控制模糊测试的次数
class BHPFuzzer(IIntruderPayloadGenerator):
def __init__(self, extender, attack):
self._extender = extender
self._helpers = extender._helpers
self._attack = attack
self.max_payload = 1000
self.num_iterations = 0
return
# 通过比较判断迭代是否达到上限
def hasMorePayloads(self):
if self.num_iterations == self.max_payload:
return False
else:
return True
# 接受原始的HTTP负载,current_payload是数组,转化成字符串,传递给模糊测试函数mutate_payload
def getNextPayload(self, current_payload):
# 转换成字符串
payload = "".join(chr(x) for x in current_payload)
# 调用简单的变形器对POST请求进行模糊测试
payload = self.mutate_payload(payload)
# 增加FUZZ的次数
self.num_iterations += 1
return payload
# 重置
def reset(self):
self.num_iterations = 0
return
def mutate_payload(self, original_payload):
# 仅生成随机数或者调用一个外部脚本
picker = random.randint(1,3)
# 再载荷中选取一个随机的偏移量去变形
offset = random.randint(0, len(original_payload)-1)
payload = original_payload[:offset]
# 在随机偏移位置插入SQL注入尝试
if picker == 1:
payload += "'"
# 插入跨站尝试
if picker == 2:
payload += "<script>alert('xss');</script>"
# 随机重复原始载荷
if picker == 3:
chunk_length = random.randint(len(payload[offset:]), len(payload)-1)
repeater = random.randint(1,10)
for i in range(repeater):
payload += original_payload[offset:offset+chunk_length]
# 添加载荷中剩余的字节
payload += original_payload[offset:]
return payload
2、burp中利用Bing服务
使用Bing的API程序化提交查询,搜索子域名和旁站
#!/usr/bin/env python
#-*- coding:utf8 -*-
from burp import IBurpExtender
from burp import IContextMenuFactory
from javax.swing import JMenuItem
from java.util import List, ArrayList
from java.net import URL
import socket
import urllib
import json
import re
import base64
bing_api_key = "你的密钥" #这里是Bing API秘钥
# 这个类部署了基本的接口
class BurpExtender(IBurpExtender, IContextMenuFactory):
def registerExtenderCallbacks(self,callbacks):
self._callbacks = callbacks
self._helpers = callbacks.getHelpers()
self.context = None
# 我们建立起扩展工具
callbacks.setExtensionName("Use Bing")
callbacks.registerContextMenuFactory(self)
return
# 创建菜单并处理点击事件,就是actionPerformed那里,点击调用bing_menu函数
def createMenuItems(self, context_menu):
self.context = context_menu
menu_list = ArrayList()
menu_list.add(JMenuItem("Send to Bing", actionPerformed=self.bing_menu))
return menu_list
def bing_menu(self, event):
# 获取用户点击的详细信息
http_traffic = self.context.getSelectedMessages()
print "%d requests highlighted" % len(http_traffic)
# 获取ip或主机名(域名)
for traffic in http_traffic:
http_service = traffic.getHttpService()
host = http_service.getHost()
print "User selected host: %s" % host
self.bing_search(host)
return
def bing_search(self, host):
# 检查参数是否为ip地址或主机名(域名)------使用正则
is_ip = re.match("[0-9]+(?:\\.[0-9]+){3}", host)
# 若为ip
if is_ip:
ip_address = host
domain = False
else:
ip_address = socket.gethostbyname(host)
domain = True
# 查寻同一ip是否存在不同虚拟机
bing_query_string ="'ip:%s'" % ip_address
self.bing_query(bing_query_string)
# 若为域名则执行二次搜索,搜索子域名
if domain:
bing_query_string = "'domain:%s'" % host
self.bing_query(bing_query_string)
def bing_query(self, bing_query_string):
print "Performing Bing search: %s" % bing_query_string
# 编码我们的查询(如 urllib.quote('ab c')--> 'ab%20c')
quoted_query = urllib.quote(bing_query_string)
http_request = "GET https://api.datamarket.azure.com/Bing/Search/Web?$format=json&$top=20&Query=%s HTTP/1.1\\r\\n" % quoted_query
http_request += "Host: api.datamarket.azure.com\\r\\n"
http_request += "Connection: close\\r\\n"
# 对API密钥使用base64编码
http_request += "Authorization: Basic %s\\r\\n" % base64.b64encode(":%s" % bing_api_key)
http_request += "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (Khtml, like Gecko) Chrome/47.0.2526.80 Safari/537.36\\r\\n\\r\\n"
json_body = self._callbacks.makeHttpRequest("api.datamarket.azure.com", 443, True, http_request).tostring()
# 去掉HTTP响应头,只取正文
json_body = json_body.split("\\r\\n\\r\\n", 1)[1]
#print json_body
try:
# 传递给json解析器
r = json.loads(json_body)
# 输出查询到的网站的相关信息
if len(r["d"]["results"]):
for site in r["d"]["results"]:
print "*" * 100
print site['Title']
print site['Url']
print site['Description']
print "*" * 100
j_url = URL(site['Url'])
# 如果网站不在brup的目标列表中,就添加进去
if not self._callbacks.isInScope(j_url):
print "Adding to Burp scope"
self._callbacks.includeInScope(j_url)
except:
print "No results from Bing"
pass
return
3、利用网站内容生成密码字典
#!/usr/bin/env python
#-*- coding:utf8 -*-
from burp import IBurpExtender
from burp import IContextMenuFactory
from javax.swing import JMenuItem
from java.util import List, ArrayList
from java.net import URL
import re
from datetime import datetime
from HTMLParser import HTMLParser
#去掉HTTP响应包的HTML标签
class TagStripper(HTMLParser):
def __init__(self):
HTMLParser.__init__(self)
self.page_text = []
# 遇到两个标签之间的数据时调用
def handle_data(self, data):
self.page_text.append(data)
# 遇到注释时调用
def handle_comment(self, data):
self.handle_data(data)
def strip(self,html):
# 会调用上面的两个函数
self.feed(html)
return "".join(self.page_text)
class BurpExtender(IBurpExtender, IContextMenuFactory):
def registerExtenderCallbacks(self,callbacks):
self._callbacks = callbacks
self._helpers = callbacks.getHelpers()
self.context = None
self.hosts = set()
# 按部就班,先设定一个非常常见的密码,因为是字典,不能重复最好,所以用集合
self.wordlist = set(["password"])
# 建立起我们的扩展工具
callbacks.setExtensionName("Build Wordlist")
callbacks.registerContextMenuFactory(self)
return
# 添加菜单
def createMenuItems(self, context_menu):
self.context = context_menu
menu_list = ArrayList()
menu_list.add(JMenuItem("Bulid Wordlist", actionPerformed=self.wordlist_menu))
return menu_list
def wordlist_menu(self, event):
# 抓取用户点击细节
http_traffic = self.context.getSelectedMessages()
# 获取ip或主机名(域名)
for traffic in http_traffic:
http_service = traffic.getHttpService()
host = http_service.getHost()
self.hosts.add(host)
# 获取网站的返回信息
http_response = traffic.getResponse()
# 若有回应就调用get_word
if http_response:
self.get_words(http_response)
self.display_wordlist()
return
def get_words(self, http_response):
headers, body = http_response.tostring().split("\\r\\n\\r\\n", 1)
# 忽略下一个请求
if headers.lower().find("content-type: text") == -1:
return
# 获取标签中的文本
tag_stripper = TagStripper()
page_text = tag_stripper.strip(body)
# 匹配第一个是字母的,后面跟着的是两个以上的字母,数字或下划线/
words = re.findall("[a-zA-Z]\\w{2,}", page_text)
# 感觉这里的长度有点短啊,作者是12,我改成15了
for word in words:
# 过滤长字符串
if len(word) <= 15:
self.wordlist.add(word.lower())
return
# 再后面添加更多的猜测
def mangle(self, word):
year = datetime.now().year
suffixes = ["", "1", "!", year]
mangled = []
for password in (word, word.capitalize()):
for suffix in suffixes:
mangled.append("%s%s" % (password, suffix))
return mangled
def display_wordlist(self):
print "#!comment: BHP Wordlist for site(s) %s" % ", ".join(self.hosts)
for word in sorted(self.wordlist):
for password in self.mangle(word):
print password
return
结语
burp的扩展脚本
以上是关于《Python黑帽子:黑客与渗透测试编程之道》读书笔记:扩展burp代理的主要内容,如果未能解决你的问题,请参考以下文章
《Python黑帽子:黑客与渗透测试编程之道》读书笔记:Windows提权
《Python黑帽子:黑客与渗透测试编程之道》读书笔记:Windows提权
《Python黑帽子:黑客与渗透测试编程之道》读书笔记:扩展burp代理
《Python黑帽子:黑客与渗透测试编程之道》读书笔记:扩展burp代理