自动收集burpsuite scanenr模块扫描后的结果
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了自动收集burpsuite scanenr模块扫描后的结果相关的知识,希望对你有一定的参考价值。
自动收集burpsuite scanenr模块扫描后的结果
0x00需求
在QA进行功能测试时,同时也进行安全测试,减少产品安全测试所花费的时间,将工具可以发现的安全问题,尽可能早的提出来。
0x01思路
- 找一台windows服务器,在该服务器上安装bp,bp的代理ip:本服务器ip,端口:8080
- QA测试时浏览器挂上代理(代理ip:windows服务器的ip,端口:8080)
- 编写burpsuite插件,将burpsuite scanner模块发现的漏洞存储到sqlite数据库
- QA在测试前,需要将测试的url添加到bp的scope中
- QA测试完,可以访问响应页面,查看安全测试结果
0x02burpsuite 插件
插件需要继承IScannerListener,使用其newScanIssue函数获取所有的扫描结果
package burp;
/*
- @(#)IScanIssue.java
- Copyright PortSwigger Ltd. All rights reserved.
- This code may be used to extend the functionality of Burp Suite Community Edition
- and Burp Suite Professional, provided that this usage does not violate the
- license terms for those products.
/
/ - This interface is used to retrieve details of Scanner issues. Extensions can
- obtain details of issues by registering an <code>IScannerListener</code> or
- by calling <code>IBurpExtenderCallbacks.getScanIssues()</code>. Extensions
- can also add custom Scanner issues by registering an
- <code>IScannerCheck</code> or calling
- <code>IBurpExtenderCallbacks.addScanIssue()</code>, and providing their own
- implementations of this interface. Note that issue descriptions and other
- text generated by extensions are subject to an html whitelist that allows
-
only formatting tags and simple hyperlinks.
*/
public interface IScanIssue
{/**
- This method returns the URL for which the issue was generated.
- @return The URL for which the issue was generated.
*/
java.net.URL getUrl();
/**
- This method returns the name of the issue type.
- @return The name of the issue type (e.g. "SQL injection").
*/
String getIssueName();
/**
- This method returns a numeric identifier of the issue type. See the Burp
- Scanner help documentation for a listing of all the issue types.
- @return A numeric identifier of the issue type.
*/
int getIssueType();
/**
- This method returns the issue severity level.
- @return The issue severity level. Expected values are "High", "Medium",
- "Low", "Information" or "False positive".
-
*/
String getSeverity();
/**
- This method returns the issue confidence level.
- @return The issue confidence level. Expected values are "Certain", "Firm"
- or "Tentative".
*/
String getConfidence();
/**
- This method returns a background description for this type of issue.
- @return A background description for this type of issue, or
- <code>null</code> if none applies. A limited set of HTML tags may be
- used.
*/
String getIssueBackground();
/**
- This method returns a background description of the remediation for this
- type of issue.
- @return A background description of the remediation for this type of
- issue, or <code>null</code> if none applies. A limited set of HTML tags
- may be used.
*/
String getRemediationBackground();
/**
- This method returns detailed information about this specific instance of
- the issue.
- @return Detailed information about this specific instance of the issue,
- or <code>null</code> if none applies. A limited set of HTML tags may be
- used.
*/
String getIssueDetail();
/**
- This method returns detailed information about the remediation for this
- specific instance of the issue.
- @return Detailed information about the remediation for this specific
- instance of the issue, or <code>null</code> if none applies. A limited
- set of HTML tags may be used.
*/
String getRemediationDetail();
/*
- This method returns the HTTP messages on the basis of which the issue was
- generated.
- @return The HTTP messages on the basis of which the issue was generated.
- <b>Note:</b> The items in this array should be instances of
- <code>IHttpRequestResponseWithMarkers</code> if applicable, so that
- details of the relevant portions of the request and response messages are
- available.
*/
IHttpRequestResponse[] getHttpMessages();
/*
- This method returns the HTTP service for which the issue was generated.
- @return The HTTP service for which the issue was generated.
*/
IHttpService getHttpService();
}
**如上newScanIssue可以获取到扫描的所有结果,比如:
1.java.net.URL getUrl(); 扫描的url
2.String getIssueName(); 问题类型: 如SQL injection(sql注入)
3.getSeverity(); 漏洞等级 "High", "Medium", "Low", "Information" or "False positive"
4.String getConfidence(); 确定程度 "Certain", "Firm" or "Tentative".
- String getIssueBackground(); 漏洞背景
- String getIssueDetail(); 漏洞详情
- IHttpRequestResponse[] getHttpMessages(); 漏洞证明的请求、响应包
将以上信息获取后保存到数据库中即可
完整代码:
from burp import IBurpExtender
from burp import IScannerListener
from java.io import PrintWriter
from threading import Thread
from java.lang import Class
from java.sql import DriverManager, SQLException
import time
class BurpExtender(IBurpExtender, IScannerListener):
def registerExtenderCallbacks(self, callbacks):
# keep a reference to our callbacks object
self._callbacks = callbacks
# set our extension name
callbacks.setExtensionName("scann_test")
# obtain our output stream
self._stdout = PrintWriter(callbacks.getStdout(), True)
self._helpers = callbacks.getHelpers()
# register ourselves as an
callbacks.registerScannerListener(self)
def newScanIssue(self,issue):
#self._stdout.println(issue.getConfidence()) Certain", "Firm" * or "Tentative"
#CREATE TABLE `scanner` (`id` INTEGER PRIMARY KEY,`time` varchar(100),ip varchar(50),`url` varchar(30) ,`degree` varchar(30) ,`level` varchar(100) ,`detail` text ,`issueType` varchar(200) ,`issueBackground` text,`remediationBackground` text,`remediationDetail` text,`requests` text,`response` text ,issueName varcahr(50))
if(issue.getConfidence()):
Class.forName("org.sqlite.JDBC").newInstance()
JDBC_URL = "jdbc:sqlite:%s" % ("d:/scanner.db")
dbConn = DriverManager.getConnection(JDBC_URL)
sql="insert into `scanner` (time,ip,url,degree,level,detail,issueType,issueBackground,remediationBackground,remediationDetail,requests,response,issueName) values(?,?,?,?,?,?,?,?,?,?,?,?,?);"
preStmt=dbConn.prepareStatement(sql)
current_time=time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())
requests=""
response=""
for message in issue.getHttpMessages():
for i in range(len(message.getRequest())):
if(message.getRequest()[i]<255 and message.getRequest()[i]>0):
requests=requests+chr(message.getRequest()[i])
requests+="
--------------------------
"
if(len(message.getResponse())!=0):
for i in range(len(message.getResponse())):
if(message.getResponse()[i]<255 and message.getResponse()[i]>0):
response=response+chr(message.getResponse()[i])
response+="
--------------------------
"
ip=issue.getHttpService().getHost()
if(issue.getIssueDetail()):
detail=issue.getIssueDetail()
else:
detail="none"
if(issue.getIssueBackground()):
issueBackground=issue.getIssueBackground()
else:
issueBackground="none"
if(issue.getRemediationBackground()):
remediationBackground=issue.getRemediationBackground()
else:
remediationBackground="none"
if(issue.getRemediationDetail()):
remediationDetail=issue.getRemediationDetail()
else:
remediationDetail="none"
preStmt.setString(1, str(current_time))
preStmt.setString(2, str(ip))
preStmt.setString(3, str(issue.getUrl()))
preStmt.setString(4,str(issue.getConfidence()))
preStmt.setString(5,str(issue.getSeverity()))
preStmt.setString(6,str(detail))
preStmt.setString(7,str(issue.getIssueType()))
preStmt.setString(8,str(issueBackground))
preStmt.setString(9,str(remediationBackground))
preStmt.setString(10,str(remediationDetail))
preStmt.setString(11,str(requests))
preStmt.setString(12,str(response))
preStmt.setString(13,str(issue.getIssueName()))
preStmt.addBatch()
dbConn.setAutoCommit(False)
preStmt.executeBatch()
dbConn.setAutoCommit(True)
dbConn.close()
self._stdout.println("time:")
self._stdout.println(current_time)
self._stdout.print("ip")
self._stdout.println(ip)
self._stdout.println("qudingchengdu:"+issue.getConfidence())
self._stdout.print("url:")
self._stdout.println(issue.getUrl())
self._stdout.println(issue.getIssueName())
self._stdout.println("level:"+issue.getSeverity())
self._stdout.print("detail:")
if(issue.getIssueDetail()):
self._stdout.println(issue.getIssueDetail())
else:
self._stdout.println("none")
self._stdout.println("getIssueType():")
self._stdout.println(issue.getIssueType())
self._stdout.print("getIssueBackground")
if(issue.getIssueBackground()):
self._stdout.println(issue.getIssueBackground())
else:
self._stdout.println("none")
self._stdout.print("getRemediationBackground():")
if(issue.getRemediationBackground()):
self._stdout.println(issue.getRemediationBackground())
else:
self._stdout.println("none")
self._stdout.print("getRemediationDetail():")
if(issue.getRemediationDetail()):
self._stdout.println(issue.getRemediationDetail())
else:
self._stdout.println("none")
self._stdout.println("---------------------------")
0x03 burpsuite 扫描结果(在数据库中展示)
0x04 待存问题
scanner 扫描过程中过滤js,jpg等文件
将需要测试的url自动添加到scope中
以上是关于自动收集burpsuite scanenr模块扫描后的结果的主要内容,如果未能解决你的问题,请参考以下文章