/**
 * Returns the marker string appended to guessed values when "fuzz detect" is on.
 *
 * The suffix packs several syntactic metacharacters into one probe — an unclosed
 * HTML tag opener, a backtick, a single and a double quote, a template-expression
 * opener and a trailing backslash — so a single request can surface reflection or
 * parser differences in the response. It is an attack payload by design: callers
 * presumably append it verbatim to outgoing values, and only the "fuzz detect"
 * setting gates whether that happens.
 *
 * @return the fuzz suffix, or the empty string when "fuzz detect" is disabled
 */
static String fuzzSuffix() {
    boolean fuzzDetect = Utilities.globalSettings.getBoolean("fuzz detect");
    return fuzzDetect ? "<a`'\"${{\\" : "";
}
/**
 * Advances the rotation stop point by the configured "rotation increment".
 *
 * NOTE(review): the increment is used straight from config with no range check.
 * Elsewhere in this corpus the integer settings formatter admits -1, so a zero or
 * negative increment would stall or reverse the rotation — confirm the caller
 * guards against that.
 */
void incrStop() {
    int increment = config.getInt("rotation increment");
    stop = stop + increment;
}
ConfigurableSettings() { settings = new LinkedHashMap<>(); put("Add 'fcbz' cachebuster", false); put("Add dynamic cachebuster", false); put("learn observed words", false); put("skip boring words", true); put("only report unique params", false); put("response", true); put("use basic wordlist", true); put("use bonus wordlist", false); put("use custom wordlist", false); put("custom wordlist path", "/usr/share/dict/words"); put("bruteforce", false); put("skip uncacheable", false); put("dynamic keyload", false); put("max one per host", false); put("max one per host+status", false); put("scan identified params", false); put("enable auto-mine", false); put("auto-mine headers", false); put("auto-mine cookies", false); put("auto-mine params", false); put("auto-nest params", false); put("fuzz detect", false); put("try cache poison", true); put("try method flip", false); put("try -_ bypass", false); put("thread pool size", 8); put("rotation interval", 200); put("rotation increment", 4);
String type = getType(key); panel.add(new JLabel("\n"+key+": ")); box.setSelected(getBoolean(key)); panel.add(box); configured.put(key, box); box.setText(String.valueOf(getInt(key))); panel.add(box); configured.put(key, box); JTextField box = new JTextField(getString(key)); panel.add(box); configured.put(key, box); val = ((JTextField) val).getText(); put(key, val); Utilities.callbacks.saveExtensionSetting(key, encode(val)); return new ConfigurableSettings(this);
mimetypes.addAll(Arrays.asList(Utilities.globalSettings.getString("header target mime types").split(","))); HashSet<String> statuscodes = new HashSet<>(); statuscodes.addAll(Arrays.asList(Utilities.globalSettings.getString("header target status codes").split(","))); String param_id; if (type == IParameter.PARAM_COOKIE) { if (!suitableForPerHostScans || !Utilities.globalSettings.getBoolean("scan cookies")) { continue; if (param.getName().length() > Utilities.globalSettings.getInt("max param length")) { continue;
private void launchScan(IHttpRequestResponse messageInfo) { if (!Utilities.globalSettings.getBoolean("enable auto-mine")) { return; if (!alreadyScanned.contains(broadCode)){ if (Utilities.globalSettings.getBoolean("auto-mine headers")) { taskEngine.execute(new ParamGuesser(Utilities.callbacks.saveBuffersToTempFiles(messageInfo), false, Utilities.PARAM_HEADER, this, taskEngine, Utilities.globalSettings.getInt("rotation interval"), Utilities.globalSettings)); if (Utilities.globalSettings.getBoolean("auto-mine cookies")) { taskEngine.execute(new ParamGuesser(Utilities.callbacks.saveBuffersToTempFiles(messageInfo), false, IParameter.PARAM_COOKIE, this, taskEngine, Utilities.globalSettings.getInt("rotation interval"), Utilities.globalSettings)); if (!Utilities.globalSettings.getBoolean("auto-mine params")) { return; taskEngine.execute(new ParamGuesser(Utilities.callbacks.saveBuffersToTempFiles(messageInfo), false, guessType, this, taskEngine, Utilities.globalSettings.getInt("rotation interval"), Utilities.globalSettings)); alreadyScanned.add(paramCode);
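/**
 * Wires this extension's shared state to Burp and loads the bundled wordlists.
 *
 * Assigns the Burp callbacks, the stdout/stderr writers, the helpers and the
 * global settings object, prints the effective settings, then fills
 * phpFunctions, paramNames and boringHeaders from the /functions, /params and
 * /boring_headers classpath resources. Wordlist entries are whitespace-delimited
 * tokens (Scanner.next()); header names are lower-cased on load so later
 * comparisons can be case-insensitive.
 *
 * Fixes over the original: the /boring_headers Scanner was never closed (the
 * other two were closed only on the happy path), and a missing resource surfaced
 * as a bare NullPointerException from the Scanner constructor.
 *
 * @param incallbacks the callbacks object Burp hands to the extension
 * @throws IllegalStateException if a bundled wordlist resource is absent from the jar
 */
Utilities(final IBurpExtenderCallbacks incallbacks) {
    callbacks = incallbacks;
    stdout = new PrintWriter(callbacks.getStdout(), true);
    stderr = new PrintWriter(callbacks.getStderr(), true);
    helpers = callbacks.getHelpers();
    // ConfigurableSettings appears to read persisted settings through the
    // callbacks, so it must be constructed after callbacks is assigned.
    globalSettings = new ConfigurableSettings();
    globalSettings.printSettings();

    loadWordlist("/functions", phpFunctions::add);
    loadWordlist("/params", paramNames::add);
    // Locale.ROOT keeps the lower-casing stable regardless of the host's default
    // locale (e.g. the Turkish dotless-i rule would otherwise change header names).
    loadWordlist("/boring_headers", word -> boringHeaders.add(word.toLowerCase(java.util.Locale.ROOT)));
}

/**
 * Reads whitespace-separated tokens from a classpath resource and hands each one
 * to {@code sink}.
 *
 * The Scanner (and the underlying stream) is closed by try-with-resources on
 * every path, not just on success.
 *
 * @param resource classpath path of the wordlist, e.g. "/params"
 * @param sink     receives each token in file order
 * @throws IllegalStateException if the resource is not on the classpath
 */
private void loadWordlist(String resource, java.util.function.Consumer<String> sink) {
    java.io.InputStream in = getClass().getResourceAsStream(resource);
    if (in == null) {
        throw new IllegalStateException("Missing bundled wordlist resource: " + resource);
    }
    try (Scanner scanner = new Scanner(in)) {
        while (scanner.hasNext()) {
            sink.accept(scanner.next());
        }
    }
}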
if (globalSettings.getBoolean("scan path")) { params.add(new PartialParam("path", i, i)); if(globalSettings.getBoolean("scan headers")) { String[] to_poison = globalSettings.getString("target headers").split(","); while (i < end) { int line_start = i;
if (Utilities.globalSettings.getBoolean("enable auto-mine")) { tasks = new PriorityBlockingQueue<>(1000, new RandomComparator()); taskEngine = new ThreadPoolExecutor(Utilities.globalSettings.getInt("thread pool size"), Utilities.globalSettings.getInt("thread pool size"), 10, TimeUnit.MINUTES, tasks); Utilities.globalSettings.registerListener("thread pool size", value -> { Utilities.out("Updating active thread pool size to "+value); try {
/**
 * Stores a setting under {@code key}, running the value through encode() first so
 * every entry in the settings map is held in the same encoded form.
 *
 * @param key   the setting name
 * @param value the raw value (boolean, int or String) to encode and store
 */
private void put(String key, Object value) {
    String encoded = encode(value);
    settings.put(key, encoded);
}
/**
 * Wires the extension's shared state to Burp and records which Burp tools are
 * subject to request throttling.
 *
 * After storing the callbacks and the stdout/stderr writers it creates the global
 * settings, fetches the helpers, and adds the Target, Spider, Scanner, Intruder,
 * Sequencer and Extender tool flags to THROTTLED_COMPONENTS. Tools absent from
 * that list (Proxy and Repeater, for instance) are presumably left unthrottled —
 * the policy itself lives in the Throttler, not here.
 *
 * @param incallbacks the callbacks object Burp hands to the extension
 */
public Utilities(final IBurpExtenderCallbacks incallbacks) {
    callbacks = incallbacks;
    stdout = new PrintWriter(callbacks.getStdout(), true);
    stderr = new PrintWriter(callbacks.getStderr(), true);
    globalSettings = new ConfigurableSettings();
    helpers = callbacks.getHelpers();

    Integer[] throttledTools = {
        IBurpExtenderCallbacks.TOOL_TARGET,
        IBurpExtenderCallbacks.TOOL_SPIDER,
        IBurpExtenderCallbacks.TOOL_SCANNER,
        IBurpExtenderCallbacks.TOOL_INTRUDER,
        IBurpExtenderCallbacks.TOOL_SEQUENCER,
        IBurpExtenderCallbacks.TOOL_EXTENDER
    };
    for (Integer tool : throttledTools) {
        THROTTLED_COMPONENTS.add(tool);
    }
}
public void run(){ Utilities.globalSettings.showSettings(); } });
/**
 * Burp entry point: initialises the shared Utilities state, announces the load,
 * schedules the config menu on the Swing event thread, prints the effective
 * settings and registers the extension's hooks with Burp.
 *
 * Hooks registered: a Throttler as HTTP listener (its throttling policy lives in
 * Throttler, not here) and an OfferDistributedScan context-menu factory.
 *
 * @param callbacks the callbacks object Burp hands to the extension
 */
@Override
public void registerExtenderCallbacks(final IBurpExtenderCallbacks callbacks) {
    // Utilities must exist before anything calls Utilities.out or globalSettings.
    new Utilities(callbacks);
    Utilities.out("Loaded " + name + " v" + version);
    SwingUtilities.invokeLater(new ConfigMenu());
    Utilities.globalSettings.printSettings();
    registerHooks(callbacks);
}

/** Names the extension and registers its HTTP listener and context-menu factory. */
private void registerHooks(final IBurpExtenderCallbacks callbacks) {
    callbacks.setExtensionName(name);
    callbacks.registerHttpListener(new Throttler());
    callbacks.registerContextMenuFactory(new OfferDistributedScan(callbacks));
}
}
String type = getType(key); panel.add(new JLabel("\n"+key+": ")); box.setSelected(getBoolean(key)); panel.add(box); configured.put(key, box); box.setText(String.valueOf(getInt(key))); panel.add(box); configured.put(key, box); JTextField box = new JTextField(getString(key)); panel.add(box); configured.put(key, box); val = ((JTextField) val).getText(); put(key, val); Utilities.callbacks.saveExtensionSetting(key, encode(val)); return new ConfigurableSettings(this);
if (config.getBoolean("use custom wordlist")) { bonusParams.addSource(config.getString("custom wordlist path")); if (type == Utilities.PARAM_HEADER && config.getBoolean("use basic wordlist")) { bonusParams.addSource("/headers"); if (config.getBoolean("response")) { if (type == Utilities.PARAM_HEADER) { params.replaceAll(x -> x.toLowerCase().replaceAll("[^a-z0-9_-]", "")); params.replaceAll(x -> x.substring(0, min(x.length(), config.getInt("max param length")))); if (type != Utilities.PARAM_HEADER && config.getBoolean("use basic wordlist")) { bonusParams.addSource("/params"); if (config.getBoolean("use bonus wordlist")) { bonusParams.addSource("/functions"); if (type != Utilities.PARAM_HEADER) {
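/**
 * Builds the settings table for this extension: declares every key with its
 * default, overlays any value previously persisted through Burp's
 * extension-setting store, then prepares the integer formatter used by the
 * settings dialog.
 *
 * Persisted values are applied with putRaw() (presumably bypassing encode()).
 * They come from Burp's own store rather than from a target, but anything able
 * to write that store can steer these settings — e.g. switching "encode
 * everything" off, or extending "diff: magic values", which presumably feed the
 * magic-value probes sent to targets.
 *
 * Fix over the original: loadExtensionSetting(key) was called twice per key —
 * once into {@code value} and again inside the null check — so the branch taken
 * and the value stored could disagree. The single load is now the one tested.
 */
ConfigurableSettings() {
    settings = new LinkedHashMap<>();
    put("thorough mode", false);
    put("confirmations", 8);
    put("encode everything", false);
    put("debug", false);
    put("try transformation scan", false);
    put("try diffing scan", true);
    put("diff: HPP", true);
    put("diff: HPP auto-followup", false);
    put("diff: syntax attacks", true);
    put("diff: value preserving attacks", true);
    put("diff: experimental concat attacks", false);
    put("diff: magic value attacks", true);
    put("diff: magic values", "undefined,null,empty,none,COM1,c!C123449477,aA1537368460!");

    for (String key : settings.keySet()) {
        // Development aid: to purge persisted settings, call
        // Utilities.callbacks.saveExtensionSetting(key, null) here instead.
        String persisted = Utilities.callbacks.loadExtensionSetting(key);
        if (persisted != null) {
            putRaw(key, persisted);
        }
    }

    // Formatter for integer settings in the dialog. Minimum -1 means the UI
    // admits 0 and -1 for every int setting, including any later used as a size
    // or count — consumers of such settings must validate the value themselves.
    NumberFormat format = NumberFormat.getInstance();
    onlyInt = new NumberFormatter(format);
    onlyInt.setValueClass(Integer.class);
    onlyInt.setMinimum(-1);
    onlyInt.setMaximum(Integer.MAX_VALUE);
    onlyInt.setAllowsInvalid(false);
}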
int thread_count = taskEngine.getCorePoolSize(); int stop = config.getInt("rotation interval"); if (queueSize < thread_count) { stop = 256; if (config.getBoolean("max one per host")) { cache_size = queueSize; boolean useKeyCache = config.getBoolean("max one per host+status"); if (config.getBoolean("skip uncacheable") && (type == IParameter.PARAM_COOKIE || type == Utilities.PARAM_HEADER)) { canSkip = true; if(config.getBoolean("max one per host")) { break;
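/**
 * Wires this extension's shared state to Burp, loads the bundled wordlists and
 * seeds the badChars deny-list.
 *
 * Assigns the Burp callbacks, the stdout/stderr writers, the helpers and the
 * global settings object, prints the effective settings, then fills phpFunctions
 * and paramNames from the /functions and /params classpath resources
 * (whitespace-delimited tokens, via Scanner.next()).
 *
 * Fixes over the original: the Scanners were closed only on the happy path, and
 * a missing resource surfaced as a bare NullPointerException from the Scanner
 * constructor.
 *
 * @param incallbacks the callbacks object Burp hands to the extension
 * @throws IllegalStateException if a bundled wordlist resource is absent from the jar
 */
Utilities(final IBurpExtenderCallbacks incallbacks) {
    callbacks = incallbacks;
    stdout = new PrintWriter(callbacks.getStdout(), true);
    stderr = new PrintWriter(callbacks.getStderr(), true);
    helpers = callbacks.getHelpers();
    // ConfigurableSettings appears to read persisted settings through the
    // callbacks, so it must be constructed after callbacks is assigned.
    globalSettings = new ConfigurableSettings();
    globalSettings.printSettings();

    loadWordlist("/functions", phpFunctions::add);
    loadWordlist("/params", paramNames::add);

    // NOTE(review): badChars looks like a deny-list of characters that would be
    // re-interpreted by URL or header parsing (percent-encoding introducer, NUL,
    // query and fragment separators, cookie/path separator, space and plus) —
    // confirm against the code that consults it.
    badChars.add('%');
    badChars.add('\u0000');
    badChars.add('&');
    badChars.add('#');
    badChars.add(';');
    badChars.add(' ');
    badChars.add('+');
}

/**
 * Reads whitespace-separated tokens from a classpath resource and hands each one
 * to {@code sink}.
 *
 * The Scanner (and the underlying stream) is closed by try-with-resources on
 * every path, not just on success.
 *
 * @param resource classpath path of the wordlist, e.g. "/params"
 * @param sink     receives each token in file order
 * @throws IllegalStateException if the resource is not on the classpath
 */
private void loadWordlist(String resource, java.util.function.Consumer<String> sink) {
    java.io.InputStream in = getClass().getResourceAsStream(resource);
    if (in == null) {
        throw new IllegalStateException("Missing bundled wordlist resource: " + resource);
    }
    try (Scanner scanner = new Scanner(in)) {
        while (scanner.hasNext()) {
            sink.accept(scanner.next());
        }
    }
}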
if (Utilities.globalSettings.getBoolean("diff: HPP")) { Probe backendParameterInjection = new Probe("Backend Parameter Injection", 2, "$zq=%3c%61%60%27%22%24%7b%7b%5c&zq%3d", "|zq=%3c%61%60%27%22%24%7b%7b%5c", "!zq=%3c%61%60%27%22%24%7b%7b%5c"); backendParameterInjection.setEscapeStrings("&zq=%3c%61%60%27%22%24%7b%7b%5c", "&zq=x%3c%61%60%27%22%24%7b%7b%5c"); // "#zq=%3c%61%60%27%22%24%7b%7b%5c" ArrayList<Attack> backendParameterAttack = injector.fuzz(softBase, backendParameterInjection); results.addAll(backendParameterAttack); if (Utilities.globalSettings.getBoolean("diff: HPP auto-followup") && !backendParameterAttack.isEmpty()) { results.addAll(ParamGuesser.guessParams(baseRequestResponse, insertionPoint)); if (Utilities.globalSettings.getBoolean("diff: syntax attacks") && !Utilities.verySimilar(hardBase, crudeFuzz)) { if (!Utilities.globalSettings.getBoolean("thorough mode")) { Probe multiFuzz = new Probe("Basic fuzz", 0, "`z'z\"\\", "\\z`z'z\"\\"); multiFuzz.addEscapePair("\\`z\\'z\\\"\\\\", "\\`z''z\\\"\\\\"); if( Utilities.globalSettings.getBoolean("thorough mode") || worthTryingInjections) { ArrayList<String> potential_delimiters = new ArrayList<>(); if (Utilities.globalSettings.getBoolean("diff: value preserving attacks") && !Utilities.verySimilar(softBase, hardBase)) { if (Utilities.globalSettings.getBoolean("diff: experimental concat attacks") && Utilities.globalSettings.getBoolean("thorough mode")) { String[] potential_delimiters = {"'", "\""}; String[] concatenators = {"||", "+", " ", "."}; if (Utilities.globalSettings.getBoolean("thorough mode") && !isInPath && Utilities.mightBeIdentifier(baseValue) && !baseValue.equals("")) { Probe dotSlash = new Probe("File Path Manipulation", 3, "../", "z/", "_/", "./../"); dotSlash.setEscapeStrings("./", "././", "./././"); if (Utilities.globalSettings.getBoolean("diff: magic value attacks")) {