/**
 * Generates a fresh Collaborator payload, remembers its id in {@code interactionId}
 * and returns it in full hostname form ({@code <id>.<server location>}).
 *
 * @return the Collaborator hostname to embed in an outgoing request
 */
String getPayload() {
    // generatePayload(false): id only; the server location is appended below.
    interactionId = collaborator.generatePayload(false);
    String serverLocation = collaborator.getCollaboratorServerLocation();
    return interactionId + "." + serverLocation;
}
}
/**
 * Fetches the interactions currently available from the Collaborator client context.
 *
 * @return whatever {@code collab.fetchAllCollaboratorInteractions()} returns, unfiltered
 */
java.util.List<IBurpCollaboratorInteraction> poll() {
    java.util.List<IBurpCollaboratorInteraction> interactions = collab.fetchAllCollaboratorInteractions();
    return interactions;
}
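/**
 * Creates the correlation tables, obtains a Collaborator client context and tries to learn
 * this client's externally visible IP address(es) by sending a request to a Collaborator
 * payload and reading {@code client_ip} from the resulting interaction(s).
 *
 * <p>IP discovery is best-effort: a missing or non-functional Collaborator is reported via
 * {@code Utilities.out} and leaves {@code client_ips} empty instead of failing construction.
 */
Correlator() {
    idToRequestID = new HashMap<>();
    requests = new HashMap<>();
    idToType = new HashMap<>();
    burpIdToRequestID = new HashMap<>();
    collab = Utilities.callbacks.createBurpCollaboratorClientContext();
    client_ips = new HashSet<>();
    discoverClientIps();
}

/** Best-effort discovery of this client's public IP(s); fills {@code client_ips}. */
private void discoverClientIps() {
    try {
        String pollPayload = collab.generatePayload(true);
        // Plain HTTP on port 80 to the Collaborator host; only the source address the
        // Collaborator records matters, the response is not used. Encode explicitly
        // rather than via the platform charset.
        byte[] probe = ("GET / HTTP/1.1\r\nHost: " + pollPayload + "\r\n\r\n")
                .getBytes(java.nio.charset.StandardCharsets.UTF_8);
        Utilities.callbacks.makeHttpRequest(pollPayload, 80, false, probe);
        for (IBurpCollaboratorInteraction interaction : collab.fetchCollaboratorInteractionsFor(pollPayload)) {
            client_ips.add(interaction.getProperty("client_ip"));
        }
        Utilities.out("Calculated your IPs: " + client_ips.toString());
    } catch (NullPointerException e) {
        // Deliberate: the author treats an NPE here as a non-functional Collaborator.
        Utilities.out("Unable to calculate client IP - collaborator may not be functional");
    } catch (java.lang.IllegalArgumentException e) {
        Utilities.out("The Collaborator appears to be misconfigured. Please run a health check via Project Options->Misc. Also, note that Collaborator Everywhere does not support the IP-address mode.");
    }
}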
String collaboratorPayload = collaboratorContext.generatePayload(true); payload = payload.replace("{payloadUrl}", collaboratorPayload); IHttpRequestResponse attackRequestResponse = callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), insertionPoint.buildRequest(helpers.stringToBytes(payload))); List<IBurpCollaboratorInteraction> collaboratorInteractions = collaboratorContext.fetchCollaboratorInteractionsFor(collaboratorPayload); List<IBurpCollaboratorInteraction> collaboratorInteractions = collaboratorContext.fetchAllCollaboratorInteractions(); if (!collaboratorInteractions.isEmpty()) { for (IBurpCollaboratorInteraction collaboratorInteraction : collaboratorInteractions) {
for(int i=0;i<collaboratorContextList.size();i++) { try { stdout.println("Polling " + collaboratorContextList.get(i).getCollaboratorServerLocation()); } catch(IllegalStateException e) { stdout.println("Can't fetch interactions while Collaborator is disabled (Burp Suite limitation)"); List<IBurpCollaboratorInteraction> allCollaboratorInteractions = collaboratorContextList.get(i).fetchAllCollaboratorInteractions();
/**
 * Returns the Collaborator server location reported by the client context.
 *
 * @return the value of {@code collab.getCollaboratorServerLocation()}
 */
String getLocation() {
    String serverLocation = collab.getCollaboratorServerLocation();
    return serverLocation;
}
collaboratorPayloads[i] = collaboratorContext.generatePayload(true); requestResponse = requestResponse.replaceFirst(collaboratorInsertionPointString, collaboratorPayloads[i]);
/**
 * Scan check for header insertion points: replaces any existing {@code Proxy:} header with
 * one pointing at a freshly generated Collaborator payload, sends the request, and reports
 * an issue if the Collaborator saw an interaction for that payload.
 *
 * @param baseRequestResponse the request being scanned
 * @param insertionPoint      the insertion point; only {@code INS_HEADER} is handled
 * @return a single-issue list, or {@code null} when the insertion point is not a header
 *         or no Collaborator interaction was observed
 */
public List<IScanIssue> doScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    if (insertionPoint.getInsertionPointType() != INS_HEADER) {
        return null;
    }
    IBurpCollaboratorClientContext collaboratorContext = callbacks.createBurpCollaboratorClientContext();
    String collaboratorPayload = collaboratorContext.generatePayload(true);
    String proxyHeader = "Proxy: http://" + collaboratorPayload;

    IRequestInfo requestInfo = helpers.analyzeRequest(baseRequestResponse);
    List<String> headers = requestInfo.getHeaders();
    // Drop any pre-existing Proxy header (case-insensitively) before adding ours.
    headers.removeIf(h -> h != null && h.toLowerCase().startsWith("proxy:"));
    headers.add(proxyHeader);
    byte[] body = substring(baseRequestResponse.getRequest(), requestInfo.getBodyOffset());
    byte[] probeRequest = helpers.buildHttpMessage(headers, body);
    IHttpRequestResponse probeResponse = callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), probeRequest);

    List<IBurpCollaboratorInteraction> interactions = collaboratorContext.fetchCollaboratorInteractionsFor(collaboratorPayload);
    if (interactions.isEmpty()) {
        return null;
    }
    // Only the first interaction is reported; the rest are dropped.
    List<IScanIssue> issues = new ArrayList<>(1);
    issues.add(reportIssue(proxyHeader, probeResponse, interactions.get(0)));
    return issues;
}
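/**
 * Reports whether the Collaborator server is addressed by an IP literal rather than a
 * hostname.
 *
 * <p>A dotted quad of 1-3 digit groups (no range check, so {@code 999.999.999.999} also
 * matches) or any location containing a colon (taken as an IPv6 literal) counts as IP based.
 * A {@code host:port} form would also satisfy the colon test; presumably acceptable here.
 *
 * @param collaboratorContext the client context whose server location is inspected
 * @return {@code true} when the location looks like an IP address
 */
private boolean isCollaboratorLocationIpBased(IBurpCollaboratorClientContext collaboratorContext) {
    // Read the location once instead of once per test.
    String location = collaboratorContext.getCollaboratorServerLocation();
    boolean looksLikeIpv4 = location.matches("[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}");
    return looksLikeIpv4 || location.contains(":");
}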
currentCollaboratorPayload = "THE_COLLABORATOR_IS_DISABLED"; } else if(command.equals("contextInsertCollaboratorPayload")) { currentCollaboratorPayload = collaboratorContext.generatePayload(true); } else { currentCollaboratorPayload = collaboratorInsertionPointString;
String collaboratorPayload = collaboratorContext.generatePayload(true); List<IScanIssue> issues = new ArrayList<>(); List<IBurpCollaboratorInteraction> collaboratorInteractions = collaboratorContext.fetchCollaboratorInteractionsFor(collaboratorPayload);
/**
 * Generates a Collaborator id, records the request code and probe type it belongs to, and
 * returns the id in full hostname form ({@code <id>.<server location>}).
 *
 * @param requestCode key of the request this id is correlated with
 * @param type        label for the kind of probe the id was generated for
 * @return the hostname to embed in the outgoing probe
 */
String generateCollabId(int requestCode, String type) {
    String collabId = collab.generatePayload(false);
    // Both tables are keyed by the bare id; presumably used to map interactions back.
    idToRequestID.put(collabId, requestCode);
    idToType.put(collabId, type);
    String serverLocation = collab.getCollaboratorServerLocation();
    return collabId + "." + serverLocation;
}
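/**
 * Builds the payload list for an RCE-capable module: any time-based payloads first, then
 * one payload per Collaborator payload definition, rendered against the current
 * Collaborator server location.
 *
 * @param attack the Intruder attack (currently unused; the Collaborator server location is
 *               used as the callback host rather than the attack's target)
 * @return a mutable list of payloads, possibly empty
 */
public ArrayList<Payload> getRCEPayloads(IIntruderAttack attack) {
    _collabContext = _callbacks.createBurpCollaboratorClientContext();
    String host = _collabContext.getCollaboratorServerLocation();

    ArrayList<Payload> result = new ArrayList<>();
    if (!_timeBasedPayloads.isEmpty()) {
        result.addAll(_timeBasedPayloads);
    }
    for (CollaboratorPayload payload : _collaboratorPayloads) {
        byte[] bytes;
        if (payload.isBinary()) {
            bytes = generateCollaboratorBytePayload(payload.getPayloadName(), host);
        } else {
            // Encode explicitly; the no-arg getBytes() would use the platform charset.
            bytes = generateCollaboratorTextPayload(payload.getPayloadName(), host)
                    .getBytes(java.nio.charset.StandardCharsets.UTF_8);
        }
        result.add(new Payload(bytes));
    }
    return result;
}
}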
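/**
 * Periodically polls the Collaborator server for interactions and dispatches each one to
 * the loaded Freddy scanner modules, which handle and report issues.
 *
 * <p>Runs until {@code _stopFlag} is set. A poll happens at most once per
 * {@code COLLAB_POLL_INTERVAL} ms; between checks the thread sleeps for
 * {@code THREAD_SLEEP_INTERVAL} ms. An interrupt during that sleep ends the loop and leaves
 * the thread's interrupt status set for the caller.
 */
public void run() {
    while (!_stopFlag) {
        if (System.currentTimeMillis() - _lastPollTime > COLLAB_POLL_INTERVAL) {
            IBurpCollaboratorClientContext collabContext = _callbacks.createBurpCollaboratorClientContext();
            List<IBurpCollaboratorInteraction> interactions = collabContext.fetchAllCollaboratorInteractions();
            for (IBurpCollaboratorInteraction interaction : interactions) {
                // Offer the interaction to each module in turn; the first one that
                // claims it wins.
                for (FreddyModuleBase module : _modules) {
                    if (module.handleCollaboratorInteraction(interaction)) {
                        break;
                    }
                }
            }
            _lastPollTime = System.currentTimeMillis();
        }
        try {
            Thread.sleep(THREAD_SLEEP_INTERVAL);
        } catch (InterruptedException e) {
            // Do not swallow the interrupt: restore the flag and stop polling. Looping on
            // would make the next sleep() throw immediately and spin the thread.
            Thread.currentThread().interrupt();
            break;
        }
    }
}
}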
String payload = collaboratorContext.generatePayload(true); collaboratorContext.fetchCollaboratorInteractionsFor(payload);
collabId = _collabContext.generatePayload(false); if (!p.isBinary()) { try { payloadBytes = _helpers.stringToBytes(generateCollaboratorTextPayload(p.getPayloadName(), collabId + "." + _collabContext.getCollaboratorServerLocation())); } catch (NullPointerException npe) { dbgLog("[-] Null pointer exception in " + _targetName); payloadBytes = generateCollaboratorBytePayload(p.getPayloadName(), collabId + "." + _collabContext.getCollaboratorServerLocation()); reqMarkers = new ArrayList<>(); reqMarkers.add(insertionPoint.getPayloadOffsets(payloadBytes)); _collabRecords.add(new CollaboratorRecord(collabId, collabId + "." + _collabContext.getCollaboratorServerLocation(), baseReqRes, newReqRes, reqMarkers, true)); collabId = _collabContext.generatePayload(false); payloadBytes = _helpers.stringToBytes(_helpers.base64Encode(generateCollaboratorBytePayload(p.getPayloadName(), collabId + "." + _collabContext.getCollaboratorServerLocation()))); if (payloadBytes == null) { throw new IllegalStateException("The module " + _targetName + " is flagged as RCE-capable " + reqMarkers = new ArrayList<>(); reqMarkers.add(insertionPoint.getPayloadOffsets(payloadBytes)); _collabRecords.add(new CollaboratorRecord(collabId, collabId + "." + _collabContext.getCollaboratorServerLocation(), baseReqRes, newReqRes, reqMarkers, true));
String collaboratorRegex = "\\w{30}\\." + BurpExtender.callbacks.createBurpCollaboratorClientContext().getCollaboratorServerLocation(); if(Pattern.compile(collaboratorRegex).matcher(payload).find())
for (IBurpCollaboratorInteraction interaction : collaborator.fetchAllCollaboratorInteractions())
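/**
 * Active scan check for ImageTragick. Insertion points whose base value yields no image size
 * are skipped. Two detections run in order: an out-of-band one, where the payload references
 * a URL on a Collaborator host and an interaction is awaited, then a timing one, where the
 * round-trip of {@code IMAGETRAGICK_PAYLOAD} is compared with the base request's.
 *
 * @param baseRequestResponse the request being scanned
 * @param insertionPoint      the insertion point whose value is replaced
 * @return an issue list from {@code ImageTragickIssue}, or {@code null} when the base value
 *         is not an image or neither detection fires
 */
@Override
public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    final byte[] baseValue = helpers.stringToBytes(insertionPoint.getBaseValue());
    int[] imageSize = SimpleImageSizeReader.getImageSize(baseValue, 0, baseValue.length);
    if (imageSize == null) {
        return null; // base value is not a recognised image
    }
    final IHttpService service = baseRequestResponse.getHttpService();

    // Out-of-band detection via Collaborator.
    IBurpCollaboratorClientContext collabContext = callbacks.createBurpCollaboratorClientContext();
    String collabHost = collabContext.generatePayload(true);
    String oobPayload = IMAGETRAGICK_HEAD + "http://" + collabHost + "/a.jpg" + IMAGETRAGICK_TAIL;
    // Encode explicitly; the no-arg getBytes() would use the platform charset.
    byte[] oobRequest = insertionPoint.buildRequest(oobPayload.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    IHttpRequestResponse oobResponse = callbacks.makeHttpRequest(service, oobRequest);
    List<IBurpCollaboratorInteraction> events = collabContext.fetchCollaboratorInteractionsFor(collabHost);
    if (!events.isEmpty()) {
        return ImageTragickIssue.reportOnCollaborator(oobResponse, hrrToUrl(baseRequestResponse), insertionPoint.getInsertionPointName(), collabHost, events);
    }

    // Timing detection: the probe/base round-trip difference must be within
    // IMAGETRAGICK_TRESHOLD_NS of the expected IMAGETRAGICK_SLEEP_NS.
    long baseTime = measureRequest(service, baseRequestResponse.getRequest()).getKey();
    Map.Entry<Long, IHttpRequestResponse> sleepMeasurement = measureRequest(service, insertionPoint.buildRequest(IMAGETRAGICK_PAYLOAD));
    long sleepTime = sleepMeasurement.getKey();
    if (Math.abs(sleepTime - baseTime - IMAGETRAGICK_SLEEP_NS) > IMAGETRAGICK_TRESHOLD_NS) {
        return null;
    }
    return ImageTragickIssue.reportOnTiming(sleepMeasurement.getValue(), hrrToUrl(baseRequestResponse), insertionPoint.getInsertionPointName(), baseTime, sleepTime);
}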
public void addIssue(IBurpCollaboratorInteraction interaction, IBurpCollaboratorClientContext collaboratorContext) { IHttpRequestResponse requestResponse = processedRequestResponse.get(interactionId + "." + collaboratorContext.getCollaboratorServerLocation()); collaboratorContext.getCollaboratorServerLocation() + "<br /><br />" + "The lookup was received from IP address " + interaction.getProperty("client_ip") + " at " + localTimestamp + "<br /><br />" + "DNS query (encoded in Base64)<br />" + "." + collaboratorContext.getCollaboratorServerLocation() + ".<br /><br />The request was received from IP address " + interaction.getProperty("client_ip") + " at " + localTimestamp + "<br /><br />" + "Request to collaborator (encoded in Base64)<br />" + interaction.getProperty("request") + "<br /><br />" + interaction.getProperty("interaction_id") + "." + collaboratorContext.getCollaboratorServerLocation() + ")";