/**
 * Sends one probe through the scanner's insertion point and returns the exchange.
 *
 * @param payload         attack string handed to {@code insertionPoint.buildRequest}
 *                        (encoded with {@code String.getBytes()}, i.e. the platform default
 *                        charset on pre-18 JVMs — non-ASCII payloads may not round-trip)
 * @param needCacheBuster when true, a throwaway URL parameter named after a fresh canary is
 *                        appended so a cache keyed on the URL cannot serve a stale response
 * @return the request/response pair produced by {@code Utilities.attemptRequest}
 */
IHttpRequestResponse buildRequest(String payload, boolean needCacheBuster) {
    byte[] probe = insertionPoint.buildRequest(payload.getBytes());
    if (needCacheBuster) {
        // New canary name on every call: each probe gets a URL no cache has seen before.
        IParameter buster = burp.Utilities.helpers.buildParameter(
                Utilities.generateCanary(), "1", IParameter.PARAM_URL);
        probe = burp.Utilities.helpers.addParameter(probe, buster);
    }
    return burp.Utilities.attemptRequest(service, probe);
}
@Override public List<IScanIssue> doScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) { if (insertionPoint.getInsertionPointType() != IScannerInsertionPoint.INS_PARAM_URL) return null; if (!callbackNames.contains(insertionPoint.getInsertionPointName())) return null; baseRequestResponse.getResponse(), resp.getBodyOffset(), resp.getBodyOffset() + BODY_SAMPLE_LEN ))); if (!bodySample.contains(insertionPoint.getBaseValue())) return null; String payload = insertionPoint.getBaseValue() + vector + UUID.randomUUID().toString().substring(0, 8); IHttpRequestResponse payloadedResponse = callbacks.makeHttpRequest( baseRequestResponse.getHttpService(), insertionPoint.buildRequest(helpers.stringToBytes(payload)) );
/**
 * Finds the parsed request parameter that an insertion point writes into.
 * <p>
 * A one-byte probe ("x") is built purely to learn the offset at which a payload would land;
 * the parameter whose value starts exactly there and whose value equals the insertion point's
 * base value is the match.
 *
 * @param insertionPoint scanner insertion point to resolve
 * @param request        raw request to parse for candidate parameters
 * @return the matching parameter, or {@code null} when no parsed parameter lines up
 */
private IParameter getParameterFromInsertionPoint(IScannerInsertionPoint insertionPoint, byte[] request) {
    int payloadStart = insertionPoint.getPayloadOffsets("x".getBytes())[0];
    for (IParameter candidate : helpers.analyzeRequest(request).getParameters()) {
        boolean sameOffset = candidate.getValueStart() == payloadStart;
        if (sameOffset && insertionPoint.getBaseValue().equals(candidate.getValue())) {
            return candidate;
        }
    }
    return null;
}
/**
 * Reports whether an insertion point sits in the URL path rather than the query string,
 * body or headers.
 * <p>
 * Burp's own path insertion-point types are trusted as-is. A user-provided insertion point is
 * probed instead: a fixed canary is injected, the path is extracted from the resulting request,
 * and the canary must appear in it before any '?' (after the '?' it is query, not path).
 *
 * @param insertionPoint the insertion point to classify
 * @return true when the payload lands in the path component
 */
static boolean isInPath(IScannerInsertionPoint insertionPoint) {
    byte type = insertionPoint.getInsertionPointType();
    if (type == IScannerInsertionPoint.INS_URL_PATH_FILENAME
            || type == IScannerInsertionPoint.INS_URL_PATH_FOLDER) {
        return true;
    }
    if (type != IScannerInsertionPoint.INS_USER_PROVIDED) {
        return false;
    }
    final String canary = "zxcvcxz";
    String path = Utilities.getPathFromRequest(insertionPoint.buildRequest(canary.getBytes()));
    int canaryAt = path.indexOf(canary);
    if (canaryAt < 0) {
        return false;
    }
    int queryAt = path.indexOf("?");
    // Either there is no query string at all, or the canary precedes it.
    return queryAt < 0 || canaryAt < queryAt;
}
/**
 * Sends a transformation probe of the form base value + leftAnchor + payload + rightAnchor.
 * The anchors let the caller locate the (possibly transformed) payload in the response.
 *
 * @param baseRequestResponse exchange whose HTTP service is reused for the probe
 * @param insertionPoint      where the probe is inserted
 * @param leftAnchor          marker placed before the payload; also the response highlight
 * @param payload             the string whose server-side transformation is being observed
 * @param rightAnchor         marker placed after the payload
 * @return an {@link Attack} wrapping the exchange, with the inserted span marked in the request
 *         and {@code leftAnchor} marked in the response
 */
static Attack buildTransformationAttack(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint, String leftAnchor, String payload, String rightAnchor) {
    String inserted = leftAnchor + payload + rightAnchor;
    byte[] probe = insertionPoint.buildRequest(
            helpers.stringToBytes(insertionPoint.getBaseValue() + inserted));
    IHttpRequestResponse exchange = attemptRequest(baseRequestResponse.getHttpService(), probe);
    IHttpRequestResponse marked =
            Utilities.highlightRequestResponse(exchange, leftAnchor, inserted, insertionPoint);
    return new Attack(marked, null, payload, "");
}
/**
 * Active check for ImageTragick-style command injection through image-valued parameters.
 * <p>
 * Runs only when the insertion point's base value parses as an image
 * ({@code SimpleImageSizeReader.getImageSize} returns non-null). Two detections, in order:
 * <ol>
 *   <li>Out-of-band: a payload referencing a fresh Collaborator host is sent, then the
 *       Collaborator is polled for interactions with that host.</li>
 *   <li>Timing: the baseline request and {@code IMAGETRAGICK_PAYLOAD} are each timed once; an
 *       issue is reported when the extra latency is within {@code IMAGETRAGICK_TRESHOLD_NS}
 *       of {@code IMAGETRAGICK_SLEEP_NS}.</li>
 * </ol>
 *
 * @return issues from whichever detection fired, or {@code null} when the value is not an
 *         image or neither detection triggered
 */
@Override public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    final byte[] baseValue = helpers.stringToBytes(insertionPoint.getBaseValue());
    // Only values that already look like an image are worth probing.
    int[] d = SimpleImageSizeReader.getImageSize(baseValue, 0, baseValue.length);
    if (d == null) return null;
    final IHttpService hs = baseRequestResponse.getHttpService();
    IBurpCollaboratorClientContext ccc = callbacks.createBurpCollaboratorClientContext();
    // One Collaborator host per scan so any interaction can be attributed to this request.
    String host = ccc.generatePayload(true);
    IHttpRequestResponse response = callbacks.makeHttpRequest(hs, insertionPoint.buildRequest((IMAGETRAGICK_HEAD + "http://" + host + "/a.jpg" + IMAGETRAGICK_TAIL).getBytes()));
    // NOTE(review): polled immediately after the request returns. An interaction that arrives
    // later (asynchronous or queued image processing) is not seen here and the check falls
    // through to timing — confirm whether a deferred poll for this host exists elsewhere.
    List<IBurpCollaboratorInteraction> events = ccc.fetchCollaboratorInteractionsFor(host);
    if (!events.isEmpty()) {
        return ImageTragickIssue.reportOnCollaborator(response, hrrToUrl(baseRequestResponse), insertionPoint.getInsertionPointName(), host, events);
    }
    // Timing fallback. measureRequest pairs the measured duration (key) with the exchange (value).
    long baseTime = measureRequest(hs, baseRequestResponse.getRequest()).getKey();
    Map.Entry<Long, IHttpRequestResponse> sleepMeasurement = measureRequest(hs, insertionPoint.buildRequest(IMAGETRAGICK_PAYLOAD));
    long sleepTime = sleepMeasurement.getKey();
    // Report only when the observed extra delay matches the injected sleep within tolerance.
    // NOTE(review): a single sample each way — network jitter can both mask and mimic the
    // delay; the threshold constant alone bounds the false-positive rate.
    if (Math.abs(sleepTime - baseTime - IMAGETRAGICK_SLEEP_NS) > IMAGETRAGICK_TRESHOLD_NS) return null;
    return ImageTragickIssue.reportOnTiming(sleepMeasurement.getValue(), hrrToUrl(baseRequestResponse), insertionPoint.getInsertionPointName(), baseTime, sleepTime);
}
newReqRes = _callbacks.makeHttpRequest(baseReqRes.getHttpService(), insertionPoint.buildRequest(payloadBytes)); if (newReqRes.getResponse() != null) { responseStr = _helpers.bytesToString(newReqRes.getResponse()); currentMarkers = p.findIndicator(responseStr); if (currentMarkers != null && currentMarkers.size() > 0) { reqMarkers.add(insertionPoint.getPayloadOffsets(payloadBytes)); issues.add(createActiveScanExceptionBasedIssue(baseReqRes, newReqRes, reqMarkers, currentMarkers)); break; reqMarkers = new ArrayList<>(); requestStartTime = System.currentTimeMillis(); _callbacks.makeHttpRequest(baseReqRes.getHttpService(), insertionPoint.buildRequest(_helpers.stringToBytes(insertionPoint.getBaseValue()))); baseRequestTime = System.currentTimeMillis() - requestStartTime; for (TimeBasedPayload p : _timeBasedPayloads) { payloadBytes = p.getPayloadBytes(); requestStartTime = System.currentTimeMillis(); newReqRes = _callbacks.makeHttpRequest(baseReqRes.getHttpService(), insertionPoint.buildRequest(payloadBytes)); requestTime = System.currentTimeMillis() - requestStartTime; if (newReqRes.getResponse() != null && requestTime > (baseRequestTime + p.getTimeDelay())) { reqMarkers.add(insertionPoint.getPayloadOffsets(payloadBytes)); issues.add(createActiveScanTimeBasedIssue(baseReqRes, newReqRes, reqMarkers, baseRequestTime, requestTime)); break; newReqRes = _callbacks.makeHttpRequest(baseReqRes.getHttpService(), insertionPoint.buildRequest(payloadBytes)); reqMarkers = new ArrayList<>(); reqMarkers.add(insertionPoint.getPayloadOffsets(payloadBytes)); _collabRecords.add(new CollaboratorRecord(collabId, collabId + "." + _collabContext.getCollaboratorServerLocation(), baseReqRes, newReqRes, reqMarkers, true)); newReqRes = _callbacks.makeHttpRequest(baseReqRes.getHttpService(), insertionPoint.buildRequest(payloadBytes));
Boolean isSSL = (protocol.equals("https")); stderr.println(insertionPoint.getInsertionPointName()); byte[] checkRequest = insertionPoint.buildRequest(INJ);
Utilities.doActiveScan(Utilities.attemptRequest(injector.getService(), valueInsertionPoint.buildRequest(baseValue.getBytes())), valueInsertionPoint.getPayloadOffsets(baseValue.getBytes()));
IScanIssue findReflectionIssues(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) { String baseValue = insertionPoint.getBaseValue(); Attack softBase = new Attack(baseRequestResponse); if (Utilities.mightBeOrderBy(insertionPoint.getInsertionPointName(), baseValue)) { Probe comment = new Probe("Comment injection", 3, "/'z*/**/", "/*/*/z'*/", "/*z'/"); comment.setEscapeStrings("/*'z*/", "/**z'*/","/*//z'//*/");
/**
 * Turns a probe definition plus one payload string into a sent {@link Attack}.
 * <p>
 * Placement follows {@code probe.getPrefix()}: PREPEND puts the payload before the base value,
 * APPEND puts it after the base value (separated by a random canary when the probe asks for
 * one), REPLACE sends the payload on its own. An unknown position is logged and the payload is
 * sent unchanged. When a random anchor was requested it is also used to mark the exchange.
 *
 * @param probe   probe definition (placement, anchor and cache-buster settings)
 * @param payload the raw payload string
 * @return an Attack carrying the exchange, the probe, the original payload and the anchor
 *         ("" when no random anchor was requested)
 */
private Attack buildAttackFromProbe(Probe probe, String payload) {
    boolean useAnchor = probe.getRandomAnchor();
    String anchor = useAnchor ? Utilities.generateCanary() : "";
    String originalPayload = payload;
    String toSend = placePayload(probe.getPrefix(), payload, anchor);
    IHttpRequestResponse exchange = buildRequest(toSend, probe.useCacheBuster());
    if (useAnchor) {
        exchange = Utilities.highlightRequestResponse(exchange, anchor, anchor, insertionPoint);
    }
    return new Attack(exchange, probe, originalPayload, anchor);
}

/**
 * Positions a payload relative to the insertion point's base value.
 * Note the anchor is only spliced in for APPEND — a PREPEND probe never carries it in the
 * request, mirroring the original placement rules.
 */
private String placePayload(byte position, String payload, String anchor) {
    if (position == Probe.PREPEND) {
        return payload + insertionPoint.getBaseValue();
    }
    if (position == Probe.APPEND) {
        return insertionPoint.getBaseValue() + anchor + payload;
    }
    if (position != Probe.REPLACE) {
        Utilities.err("Unknown payload position");
    }
    return payload;
}
List requestMarkers = new ArrayList(1); List responseMarkers = new ArrayList(1); requestMarkers.add(insertionPoint.getPayloadOffsets(this.helpers.stringToBytes(finalPayload))); responseMarkers.add(new int[]{body.indexOf(CRLFHeader), body.indexOf(CRLFHeader) + CRLFHeader.length()}); String attackDetails = "Vulnerability detected at <b>" + insertionPoint.getInsertionPointName() + "</b>, " + "payload was set to <b>" + this.helpers.urlEncode(finalPayload) + "</b><br/>" + "Found response: " + crlfMatcher.group(); List requestMarkers = new ArrayList(1); List responseMarkers = new ArrayList(1); requestMarkers.add(insertionPoint.getPayloadOffsets(this.helpers.stringToBytes(finalPayload))); responseMarkers.add(new int[]{body.indexOf(CRLFHeader), body.indexOf(CRLFHeader) + CRLFHeader.length()}); String attackDetails = "Vulnerability detected at <b>" + insertionPoint.getInsertionPointName() + "</b>, " + "payload was set to <b>" + this.helpers.urlEncode(finalPayload) + "</b><br/>" + "Found response: " + crMatcher.group();
/**
 * Applies Burp markers to an exchange so the payload stands out in the issue view.
 *
 * @param attack            the exchange to mark; the marked copy from
 *                          {@code callbacks.applyMarkers} is returned
 * @param responseHighlight literal to locate in the response via {@code getMatches}
 *                          (limit -1 — presumably every occurrence); null marks nothing
 * @param requestHighlight  payload whose insertion-point offsets mark the request; ignored
 *                          when null or two characters or shorter. Assumes the request was
 *                          actually built with this payload — the offsets are computed, not
 *                          searched for.
 * @param insertionPoint    insertion point used to compute request payload offsets
 * @return the exchange with request and response markers applied
 */
static IHttpRequestResponse highlightRequestResponse(IHttpRequestResponse attack, String responseHighlight, String requestHighlight, IScannerInsertionPoint insertionPoint) {
    List<int[]> requestMarks = new ArrayList<>(1);
    boolean markRequest = requestHighlight != null && requestHighlight.length() > 2;
    if (markRequest) {
        requestMarks.add(insertionPoint.getPayloadOffsets(requestHighlight.getBytes()));
    }
    List<int[]> responseMarks = (responseHighlight == null)
            ? new ArrayList<>(1)
            : getMatches(attack.getResponse(), responseHighlight.getBytes(), -1);
    return callbacks.applyMarkers(attack, requestMarks, responseMarks);
}
return (new InputTransformation(interesting, boring, basicAttack.getFirstRequest(), helpers.analyzeRequest(baseRequestResponse).getUrl(), insertionPoint.getInsertionPointName()));
/**
 * This check only targets header insertion points; everything else is skipped.
 *
 * @param insertionPoint the insertion point offered by the scanner
 * @return true when its type is {@code INS_HEADER}
 */
private boolean isRelevantInsertionPoint(IScannerInsertionPoint insertionPoint) {
    byte type = insertionPoint.getInsertionPointType();
    return IScannerInsertionPoint.INS_HEADER == type;
}
/**
 * Builds, sends and marks up a transformation probe.
 * <p>
 * The probe value is the insertion point's base value followed by
 * {@code leftAnchor + payload + rightAnchor}; the anchors bracket the payload so the caller can
 * find what the server did to it.
 *
 * @return an {@link Attack} around the exchange: request marked at the inserted span, response
 *         marked wherever {@code leftAnchor} occurs
 */
static Attack buildTransformationAttack(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint, String leftAnchor, String payload, String rightAnchor) {
    final String bracketed = leftAnchor + payload + rightAnchor;
    final String fullValue = insertionPoint.getBaseValue() + bracketed;
    IHttpRequestResponse sent = attemptRequest(
            baseRequestResponse.getHttpService(),
            insertionPoint.buildRequest(helpers.stringToBytes(fullValue)));
    sent = Utilities.highlightRequestResponse(sent, leftAnchor, bracketed, insertionPoint);
    return new Attack(sent, null, payload, "");
}
if (!"Referer".equals(insertionPoint.getInsertionPointName())) { return issues; byte[] checkRequest = insertionPoint.buildRequest(INJ_TEST);
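/**
 * Sends every entry of {@code Payloads} through a URL-parameter insertion point and collects
 * whatever {@code analyzeResponse} flags.
 * <p>
 * Fixes relative to the previous version: the null checks use short-circuit {@code ||} instead
 * of the bitwise {@code |}; the raw base response is checked for null before being handed to
 * {@code helpers.analyzeResponse} (a base request that never got a response has none); and the
 * redundant size check before the final return is gone — the result is returned either way.
 *
 * @param baseRequestResponse the exchange the scanner is working from
 * @param insertionPoint      where each payload is inserted
 * @return issues found (possibly empty), or {@code null} when the insertion point is not a
 *         URL parameter or the base request/response cannot be parsed
 */
@Override
public List<IScanIssue> doScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    if (insertionPoint.getInsertionPointType() != IScannerInsertionPoint.INS_PARAM_URL) return null;
    byte[] baseResponse = baseRequestResponse.getResponse();
    if (baseResponse == null) return null;
    IResponseInfo resp = helpers.analyzeResponse(baseResponse);
    IRequestInfo req = helpers.analyzeRequest(baseRequestResponse.getRequest());
    if (resp == null || req == null) return null;
    List<IScanIssue> issues = new ArrayList<>();
    IHttpService httpService = baseRequestResponse.getHttpService();
    for (String payload : Payloads) {
        // Each payload is sent as the parameter value through insertionPoint.buildRequest.
        byte[] probe = insertionPoint.buildRequest(this.helpers.stringToBytes(payload));
        IHttpRequestResponse attack = this.callbacks.makeHttpRequest(httpService, probe);
        IScanIssue res = analyzeResponse(attack);
        if (res != null) issues.add(res);
    }
    return issues;
}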
/**
 * Builds and sends the request for one probe/payload pair.
 * <p>
 * The payload is positioned according to {@code probe.getPrefix()}: before the base value
 * (PREPEND), after it with the random canary in between (APPEND), or on its own (REPLACE).
 * Any other position is logged via {@code Utilities.err} and the payload is sent as-is. The
 * canary is only generated when the probe asks for a random anchor; in that case it is also
 * used as the request/response highlight.
 *
 * @param probe   probe definition
 * @param payload raw payload, returned unmodified inside the Attack
 * @return the Attack wrapping the sent exchange
 */
private Attack buildAttackFromProbe(Probe probe, String payload) {
    final boolean wantsAnchor = probe.getRandomAnchor();
    final String canary = wantsAnchor ? Utilities.generateCanary() : "";
    final String rawPayload = payload;
    final byte position = probe.getPrefix();

    String valueToSend;
    if (position == Probe.PREPEND) {
        valueToSend = payload + insertionPoint.getBaseValue();
    } else if (position == Probe.APPEND) {
        // Only APPEND splices the canary into the request value.
        valueToSend = insertionPoint.getBaseValue() + canary + payload;
    } else {
        if (position != Probe.REPLACE) {
            Utilities.err("Unknown payload position");
        }
        valueToSend = payload;
    }

    IHttpRequestResponse exchange = buildRequest(valueToSend, probe.useCacheBuster());
    if (wantsAnchor) {
        exchange = Utilities.highlightRequestResponse(exchange, canary, canary, insertionPoint);
    }
    return new Attack(exchange, probe, rawPayload, canary);
}
/**
 * Marks an exchange for display: the request at the insertion point's payload offsets, the
 * response at each place {@code getMatches} finds the highlight string.
 *
 * @param attack            exchange to mark; the result of {@code callbacks.applyMarkers} is returned
 * @param responseHighlight bytes to search for in the response (limit -1 passed to
 *                          {@code getMatches}); null leaves the response unmarked
 * @param requestHighlight  payload whose offsets are asked of the insertion point; skipped when
 *                          null or at most two characters long. The offsets are computed from
 *                          the insertion point, so they are only meaningful if the request was
 *                          built with this exact payload.
 * @param insertionPoint    source of the request payload offsets
 * @return the marked exchange
 */
static IHttpRequestResponse highlightRequestResponse(IHttpRequestResponse attack, String responseHighlight, String requestHighlight, IScannerInsertionPoint insertionPoint) {
    List<int[]> reqMarkers = new ArrayList<>(1);
    List<int[]> respMarkers = new ArrayList<>(1);

    if (requestHighlight != null) {
        if (requestHighlight.length() > 2) {
            reqMarkers.add(insertionPoint.getPayloadOffsets(requestHighlight.getBytes()));
        }
    }
    if (responseHighlight != null) {
        respMarkers = getMatches(attack.getResponse(), responseHighlight.getBytes(), -1);
    }

    IHttpRequestResponse marked = callbacks.applyMarkers(attack, reqMarkers, respMarkers);
    return marked;
}