实现效果

实现被动漏扫和主动漏扫,并在面板标记展示漏洞。

  • 进行被动扫描和主动扫描,如果内容中存在d4m1ts,就判定为漏洞存在。

涉及接口:

  • IScannerCheck
  • IScanIssue

实现代码

创建项目过程省略,直接从代码入手,使用旧版API开发。

package burp;

import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;

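public class BurpExtender implements IBurpExtender, IScannerCheck {
    /** Marker string whose presence in a response is treated as a finding. */
    private static final String KEYWORD = "d4m1ts";
    /** Value written into the insertion point during an active scan. */
    private static final String ACTIVE_PAYLOAD = "active_test";

    // Burp callback object; needed by the scanner methods below, so kept as a field
    private IBurpExtenderCallbacks callbacks;
    // Helper object; used here to parse a request and extract its URL
    private IExtensionHelpers helpers;

    /**
     * Entry point invoked by Burp when the extension is loaded.
     *
     * @param callbacks the callback object supplied by Burp
     */
    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        callbacks.setExtensionName("Demo");
        this.callbacks = callbacks;
        helpers = callbacks.getHelpers();
        // Without this registration Burp never calls doPassiveScan/doActiveScan.
        callbacks.registerScannerCheck(this);
    }

    /**
     * Passive scan: runs over every request/response Burp observes.
     * It must not issue requests of its own.
     *
     * @param baseRequestResponse the message pair to inspect
     * @return the issues found; empty (never null) when nothing matched or no response exists
     */
    @Override
    public List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse) {
        List<IScanIssue> result = new ArrayList<>();
        byte[] response = baseRequestResponse.getResponse();
        // A request that never received a response (timeout, connection error) has a null body.
        if (response == null || !bytesToString(response).contains(KEYWORD)) {
            return result;
        }
        // CustomIssue is our own IScanIssue implementation (see below).
        result.add(new CustomIssue(
                helpers.analyzeRequest(baseRequestResponse).getUrl(),
                "被动扫描,漏洞名",
                0,
                "High",
                "Certain",
                "漏洞背景",
                "修复建议背景",
                "漏洞细节、漏洞描述",
                "修复建议",
                new IHttpRequestResponse[]{baseRequestResponse},
                baseRequestResponse.getHttpService()
        ));
        return result;
    }

    /**
     * Active scan: only runs when the user starts "Do active scan" in Burp.
     *
     * @param baseRequestResponse the base message pair to scan
     * @param insertionPoint      the insertion point Burp derived from the request
     *                            (e.g. for a parameter {@code a=bbb}, {@code bbb} is the insertion point)
     * @return the issues found; empty (never null) when the probe got no response or did not match
     */
    @Override
    public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
        List<IScanIssue> result = new ArrayList<>();
        // Place the payload at the insertion point Burp selected; the available insertion
        // point kinds are listed at https://portswigger.net/burp/documentation/scanner/auditing#insertion-points
        byte[] newRequest = insertionPoint.buildRequest(ACTIVE_PAYLOAD.getBytes(StandardCharsets.ISO_8859_1));
        IHttpRequestResponse newReqResp = callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), newRequest);
        // The probe may fail (no response at all); do not dereference a null body.
        byte[] responseBytes = newReqResp == null ? null : newReqResp.getResponse();
        if (responseBytes == null) {
            return result;
        }
        String newResp = bytesToString(responseBytes);
        if (!newResp.contains(KEYWORD)) {
            return result;
        }
        // Highlight every occurrence of the keyword in the response attached to the issue.
        List<int[]> responseMarkers = findAllOccurrences(newResp, KEYWORD);
        IHttpRequestResponseWithMarkers responseWithMarkers = callbacks.applyMarkers(newReqResp, null, responseMarkers);
        CustomIssue customIssue = new CustomIssue(
                helpers.analyzeRequest(baseRequestResponse).getUrl(),
                "主动扫描,漏洞名",
                0,
                "High",
                "Certain",
                "漏洞背景",
                "修复建议背景",
                "漏洞细节、漏洞描述",
                "修复建议",
                new IHttpRequestResponse[]{baseRequestResponse, responseWithMarkers},
                baseRequestResponse.getHttpService()
        );
        result.add(customIssue);
        // Alternative (not recommended): report directly via callbacks.addScanIssue(customIssue),
        // which bypasses the scanner's own issue handling.
        return result;
    }

    /**
     * Tells Burp how to treat two issues this check reported at the same URL path.
     *
     * @param existingIssue the issue previously reported by this check
     * @param newIssue      the newly reported issue at the same URL path
     * @return -1 to keep only the existing issue, 0 to report both, 1 to keep only the new one
     */
    @Override
    public int consolidateDuplicateIssues(IScanIssue existingIssue, IScanIssue newIssue) {
        // Same issue name: treat the new report as a duplicate of the existing one.
        return Objects.equals(existingIssue.getIssueName(), newIssue.getIssueName()) ? -1 : 0;
    }

    /**
     * Decodes raw HTTP message bytes one char per byte, so a char index in the returned
     * string equals the byte offset in the original array. The marker pairs handed to
     * applyMarkers are offsets into the message bytes; decoding with the platform charset
     * (e.g. UTF-8) would shift them whenever a multi-byte sequence precedes the match.
     *
     * @param bytes the raw message bytes (non-null)
     * @return the byte-preserving string form
     */
    private static String bytesToString(byte[] bytes) {
        return new String(bytes, StandardCharsets.ISO_8859_1);
    }

    /**
     * Finds every occurrence of {@code needle} in {@code haystack}, including overlapping ones.
     *
     * @param haystack the text to search
     * @param needle   the non-empty string to look for
     * @return {start, end} offset pairs (end exclusive) in ascending order; empty when none
     */
    private static List<int[]> findAllOccurrences(String haystack, String needle) {
        List<int[]> markers = new ArrayList<>();
        int index = haystack.indexOf(needle);
        while (index != -1) {
            markers.add(new int[]{index, index + needle.length()});
            // Resume one char later so overlapping matches are also highlighted.
            index = haystack.indexOf(needle, index + 1);
        }
        return markers;
    }

    /**
     * Issue template; every field is supplied by the caller.
     * Declared static so each issue does not keep a hidden reference to the extension instance.
     */
    private static final class CustomIssue implements IScanIssue {
        private final URL url;
        private final String issueName;
        private final int issueType;
        private final String severity;
        private final String confidence;
        private final String issueBackground;
        private final String remediationBackground;
        private final String issueDetail;
        private final String remediationDetail;
        private final IHttpRequestResponse[] httpMessages;
        private final IHttpService httpService;

        /**
         * @param url                   URL of the issue
         * @param issueName             issue name shown in the issue list
         * @param issueType             issue type id; 0 is used throughout this extension
         * @param severity              one of "High", "Medium", "Low", "Information", "False positive"
         * @param confidence            one of "Certain", "Firm", "Tentative"
         * @param issueBackground       background text; null hides the section
         * @param remediationBackground remediation background; null hides the section
         * @param issueDetail           issue description
         * @param remediationDetail     remediation advice
         * @param httpMessages          messages to display with the issue (copied)
         * @param httpService           service the issue belongs to
         */
        CustomIssue(URL url, String issueName, int issueType, String severity, String confidence, String issueBackground, String remediationBackground, String issueDetail, String remediationDetail, IHttpRequestResponse[] httpMessages, IHttpService httpService) {
            this.url = url;
            this.issueName = issueName;
            this.issueType = issueType;
            this.severity = severity;
            this.confidence = confidence;
            this.issueBackground = issueBackground;
            this.remediationBackground = remediationBackground;
            this.issueDetail = issueDetail;
            this.remediationDetail = remediationDetail;
            // Defensive copy so later changes to the caller's array do not alter the issue.
            this.httpMessages = httpMessages == null ? null : httpMessages.clone();
            this.httpService = httpService;
        }

        @Override
        public URL getUrl() {
            return url;
        }

        @Override
        public String getIssueName() {
            return issueName;
        }

        @Override
        public int getIssueType() {
            return issueType;
        }

        @Override
        public String getSeverity() {
            return severity;
        }

        @Override
        public String getConfidence() {
            return confidence;
        }

        @Override
        public String getIssueBackground() {
            return issueBackground;
        }

        @Override
        public String getRemediationBackground() {
            return remediationBackground;
        }

        @Override
        public String getIssueDetail() {
            return issueDetail;
        }

        @Override
        public String getRemediationDetail() {
            return remediationDetail;
        }

        @Override
        public IHttpRequestResponse[] getHttpMessages() {
            return httpMessages;
        }

        @Override
        public IHttpService getHttpService() {
            return httpService;
        }
    }
}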

实现测试

被动扫描

image-20240921下午34152648

主动扫描下发

image-20240921下午34452054

主动扫描结果

image-20240921下午35016934

主动发送的请求,可在 Insertion point 看到漏洞参数

image-20240921下午35808978

响应结果高亮

image-20240921下午35142952

扩展总结

  • 实现 IScannerCheck 接口即可,添加漏洞时自定义的漏洞类需要实现 IScanIssue 接口。
  • 如果要在漏洞面板中展示多个请求响应,只需要在实现自定义漏洞类时给 httpMessages 多放几个 IHttpRequestResponse 即可。
  • 除了返回issue结果这种方式,也可以通过 callbacks.addScanIssue(customIssue); 来手动添加漏洞,不依赖于主被动漏扫(不建议)。

参考

