实现效果
实现被动漏扫和主动漏扫,并在面板标记展示漏洞。
- 进行被动扫描和主动扫描,如果响应内容中存在 `d4m1ts`,就判定为漏洞存在(这里只是演示用的检测逻辑,实际检测条件按需替换)。
涉及接口:
- IScannerCheck
- IScanIssue
实现代码
创建项目过程省略,直接从代码入手,使用旧版 API(`burp.*` 接口,而非新的 Montoya API)开发。
package burp;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
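/**
 * Demo Burp Suite extension (legacy {@code burp.*} API) that registers one scanner check.
 *
 * <p>Both the passive and the active check report an issue when the response body
 * contains {@link #KEYWORD}. The active check additionally highlights every
 * occurrence of the keyword in the response shown in the issue panel.
 *
 * <p>Burp may call {@code doPassiveScan} / {@code doActiveScan} concurrently from
 * several scanner threads; the check therefore keeps no mutable state beyond the
 * {@code callbacks}/{@code helpers} references set once during registration.
 */
public class BurpExtender implements IBurpExtender, IScannerCheck {

    /** Keyword whose presence in a response is treated as the vulnerability signature. */
    private static final String KEYWORD = "d4m1ts";

    /** Payload written into the insertion point by the active check (ASCII, so the charset is irrelevant). */
    private static final byte[] ACTIVE_PAYLOAD = "active_test".getBytes(StandardCharsets.ISO_8859_1);

    // Callbacks object handed to us by Burp; needed for HTTP requests and markers.
    private IBurpExtenderCallbacks callbacks;
    // Helper object, used here to extract the URL from a request.
    private IExtensionHelpers helpers;

    /**
     * Entry point invoked by Burp when the extension is loaded.
     *
     * @param callbacks Burp callbacks object; kept as a field because it is used by the checks
     */
    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        callbacks.setExtensionName("Demo");
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        // Without this registration Burp never invokes doPassiveScan/doActiveScan.
        callbacks.registerScannerCheck(this);
    }

    /**
     * Passive check: Burp runs this over every request/response it sees.
     * Do not send additional requests from here.
     *
     * @param baseRequestResponse the message pair to inspect
     * @return issues found (empty list when none, never null)
     */
    @Override
    public List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse) {
        List<IScanIssue> result = new ArrayList<>();
        byte[] response = baseRequestResponse.getResponse();
        // A message pair without a response (e.g. failed request) cannot match; the
        // original code would have thrown NullPointerException from new String(null).
        if (response == null) {
            return result;
        }
        if (decode(response).contains(KEYWORD)) {
            result.add(new CustomIssue(
                    helpers.analyzeRequest(baseRequestResponse).getUrl(),
                    "被动扫描,漏洞名",
                    0,
                    "High",
                    "Certain",
                    "漏洞背景",
                    "修复建议背景",
                    "漏洞细节、漏洞描述",
                    "修复建议",
                    new IHttpRequestResponse[]{baseRequestResponse},
                    baseRequestResponse.getHttpService()
            ));
        }
        return result;
    }

    /**
     * Active check: only runs when the user starts an active scan ("Do active scan").
     *
     * <p>NOTE(review): the check reports "Certain" whenever the keyword is present in the
     * response to the injected payload, without comparing against the base response. A
     * response that already contains the keyword is therefore flagged regardless of the
     * payload; a real check should compare against {@code baseRequestResponse} first.
     *
     * @param baseRequestResponse the base message pair
     * @param insertionPoint      payload insertion point chosen by Burp (e.g. the value of {@code a} in {@code a=bbb});
     *                            see https://portswigger.net/burp/documentation/scanner/auditing#insertion-points
     * @return issues found (empty list when none, never null)
     */
    @Override
    public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
        List<IScanIssue> result = new ArrayList<>();
        byte[] newRequest = insertionPoint.buildRequest(ACTIVE_PAYLOAD);
        IHttpRequestResponse newReqResp = callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), newRequest);
        // makeHttpRequest returns a pair whose response is null when the request failed.
        byte[] responseBytes = newReqResp == null ? null : newReqResp.getResponse();
        if (responseBytes == null) {
            return result;
        }
        List<int[]> responseMarkers = findKeywordMarkers(responseBytes);
        if (responseMarkers.isEmpty()) {
            return result;
        }
        // Highlight each keyword occurrence in the response pane of the issue.
        IHttpRequestResponseWithMarkers responseWithMarkers = callbacks.applyMarkers(newReqResp, null, responseMarkers);
        result.add(new CustomIssue(
                helpers.analyzeRequest(baseRequestResponse).getUrl(),
                "主动扫描,漏洞名",
                0,
                "High",
                "Certain",
                "漏洞背景",
                "修复建议背景",
                "漏洞细节、漏洞描述",
                "修复建议",
                new IHttpRequestResponse[]{baseRequestResponse, responseWithMarkers},
                baseRequestResponse.getHttpService()
        ));
        // Alternative (not recommended): callbacks.addScanIssue(issue) registers an issue
        // directly, independent of the passive/active scan result list.
        return result;
    }

    /**
     * Burp calls this when a new issue has the same URL path as an existing one from this check.
     *
     * @param existingIssue issue previously reported by this check
     * @param newIssue      newly reported issue at the same URL path
     * @return -1 to keep only the existing issue, 0 to report both, 1 to keep only the new one
     */
    @Override
    public int consolidateDuplicateIssues(IScanIssue existingIssue, IScanIssue newIssue) {
        // Same issue name => treat as a duplicate and drop the new one.
        return existingIssue.getIssueName().equals(newIssue.getIssueName()) ? -1 : 0;
    }

    /**
     * Returns one [start, end) offset pair per occurrence of {@link #KEYWORD} in {@code response}.
     *
     * <p>Offsets are byte offsets into {@code response}: the response is decoded as ISO-8859-1,
     * which maps one byte to one char, so the char index of a match equals its byte index.
     * Decoding with the platform default charset (as the original code did) would shift the
     * markers on any multi-byte content preceding a match.
     */
    private static List<int[]> findKeywordMarkers(byte[] response) {
        String text = decode(response);
        List<int[]> markers = new ArrayList<>();
        int from = text.indexOf(KEYWORD);
        while (from != -1) {
            markers.add(new int[]{from, from + KEYWORD.length()});
            from = text.indexOf(KEYWORD, from + 1);
        }
        return markers;
    }

    /** Decodes raw HTTP bytes one-byte-per-char so that char offsets stay equal to byte offsets. */
    private static String decode(byte[] data) {
        return new String(data, StandardCharsets.ISO_8859_1);
    }

    /**
     * Plain value holder implementing {@link IScanIssue}; every field is supplied by the caller.
     * Static nested so it does not capture the enclosing extension instance.
     */
    private static final class CustomIssue implements IScanIssue {
        private final URL url;
        private final String issueName;
        private final int issueType;
        private final String severity;
        private final String confidence;
        private final String issueBackground;
        private final String remediationBackground;
        private final String issueDetail;
        private final String remediationDetail;
        private final IHttpRequestResponse[] httpMessages;
        private final IHttpService httpService;

        /**
         * @param url                   URL the issue was found at
         * @param issueName             issue title shown in the panel
         * @param issueType             numeric issue type; 0 here as in the original demo (Burp's issue-type
         *                              listing reserves 0x08000000 for extension-generated issues — confirm
         *                              against the Scanner documentation)
         * @param severity              one of "High", "Medium", "Low", "Information", "False positive"
         * @param confidence            one of "Certain", "Firm", "Tentative"
         * @param issueBackground       background text; null hides the section
         * @param remediationBackground remediation background; null hides the section
         * @param issueDetail           issue detail text
         * @param remediationDetail     remediation detail text
         * @param httpMessages          message pairs displayed with the issue
         * @param httpService           HTTP service the issue belongs to
         */
        CustomIssue(URL url, String issueName, int issueType, String severity, String confidence,
                    String issueBackground, String remediationBackground, String issueDetail,
                    String remediationDetail, IHttpRequestResponse[] httpMessages, IHttpService httpService) {
            this.url = url;
            this.issueName = issueName;
            this.issueType = issueType;
            this.severity = severity;
            this.confidence = confidence;
            this.issueBackground = issueBackground;
            this.remediationBackground = remediationBackground;
            this.issueDetail = issueDetail;
            this.remediationDetail = remediationDetail;
            this.httpMessages = httpMessages;
            this.httpService = httpService;
        }

        @Override
        public URL getUrl() {
            return url;
        }

        @Override
        public String getIssueName() {
            return issueName;
        }

        @Override
        public int getIssueType() {
            return issueType;
        }

        @Override
        public String getSeverity() {
            return severity;
        }

        @Override
        public String getConfidence() {
            return confidence;
        }

        @Override
        public String getIssueBackground() {
            return issueBackground;
        }

        @Override
        public String getRemediationBackground() {
            return remediationBackground;
        }

        @Override
        public String getIssueDetail() {
            return issueDetail;
        }

        @Override
        public String getRemediationDetail() {
            return remediationDetail;
        }

        @Override
        public IHttpRequestResponse[] getHttpMessages() {
            return httpMessages;
        }

        @Override
        public IHttpService getHttpService() {
            return httpService;
        }
    }
}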
实现测试
被动扫描
主动扫描下发
主动扫描结果
主动发送的请求,可在 Insertion point 中看到注入 payload 的参数。
响应结果高亮
扩展总结
- 实现 IScannerCheck 接口即可;添加漏洞时,自定义的漏洞类需要实现 IScanIssue 接口。
- 如果要在漏洞面板中展示多个请求响应,只需要在实现自定义漏洞类时给 httpMessages 多放几个 IHttpRequestResponse 即可。
- 除了返回 issue 结果这种方式,也可以通过 callbacks.addScanIssue(customIssue); 来手动添加漏洞,不依赖于主被动漏扫(不建议)。
- 注意:getResponse() 在请求失败时可能为 null,转成 String 前需判空;applyMarkers 的偏移量针对的是响应字节数组,解码响应时应使用单字节字符集(如 ISO-8859-1),否则遇到多字节内容时高亮位置会偏移。