/**
 * Mints a fresh Collaborator interaction id, records the caller's bookkeeping values under it,
 * and returns the full hostname to place in an outgoing request.
 *
 * @param requestCode value stored in {@code idToRequestID} under the new id
 * @param type value stored in {@code idToType} under the new id
 * @return the interaction id and the Collaborator server location joined by a dot
 */
String generateCollabId(int requestCode, String type) {
    // generatePayload(false) returns the id without the server location, so the same
    // string can be used as the lookup key in both maps.
    final String interactionId = collab.generatePayload(false);

    idToRequestID.put(interactionId, requestCode);
    idToType.put(interactionId, type);

    final String serverLocation = collab.getCollaboratorServerLocation();
    return interactionId + "." + serverLocation;
}
/**
 * Generates a new Collaborator interaction id, keeps it in {@code interactionId}, and returns
 * the hostname to embed in a request.
 *
 * @return the interaction id and the Collaborator server location joined by a dot
 */
String getPayload() {
    // The id is requested without the server location; the location is appended below.
    interactionId = collaborator.generatePayload(false);
    final String serverLocation = collaborator.getCollaboratorServerLocation();
    return interactionId + "." + serverLocation;
}
} // closes an enclosing scope that opens outside this excerpt
/**
 * Sets up the lookup tables and the Collaborator client context, then tries to learn which
 * source IP addresses the Collaborator server sees for this Burp instance.
 *
 * <p>The probe sends one plain-HTTP request (port 80, no TLS) to a freshly generated
 * Collaborator host and records the {@code client_ip} property of every interaction reported
 * for that host. Failures are logged through {@code Utilities.out} and otherwise ignored, so
 * {@code client_ips} may stay empty.
 *
 * <p>NOTE(review): interactions are fetched once, immediately after the request returns; an
 * interaction the server has not yet recorded at that moment is not picked up here.
 */
Correlator() {
    idToRequestID = new HashMap<>();
    requests = new HashMap<>();
    idToType = new HashMap<>();
    burpIdToRequestID = new HashMap<>();
    collab = Utilities.callbacks.createBurpCollaboratorClientContext();
    client_ips = new HashSet<>();

    try {
        // generatePayload(true) includes the server location, so the value is usable as a hostname.
        final String probeHost = collab.generatePayload(true);
        final byte[] probeRequest = ("GET / HTTP/1.1\r\nHost: " + probeHost + "\r\n\r\n").getBytes();
        Utilities.callbacks.makeHttpRequest(probeHost, 80, false, probeRequest);

        for (IBurpCollaboratorInteraction seen : collab.fetchCollaboratorInteractionsFor(probeHost)) {
            client_ips.add(seen.getProperty("client_ip"));
        }
        Utilities.out("Calculated your IPs: " + client_ips);
    } catch (NullPointerException e) {
        // Best-effort probe: a null anywhere in the chain above is reported as a non-functional collaborator.
        Utilities.out("Unable to calculate client IP - collaborator may not be functional");
    } catch (IllegalArgumentException e) {
        Utilities.out("The Collaborator appears to be misconfigured. Please run a health check via Project Options->Misc. Also, note that Collaborator Everywhere does not support the IP-address mode.");
    }
}
// Generate a payload for slot i and substitute it for the first match of the insertion-point marker.
// NOTE(review): String.replaceFirst treats its first argument as a regular expression and gives '$' and '\'
// special meaning in the replacement. Confirm that collaboratorInsertionPointString has no regex
// metacharacters (or quote it); otherwise the marker may not match literally.
collaboratorPayloads[i] = collaboratorContext.generatePayload(true); requestResponse = requestResponse.replaceFirst(collaboratorInsertionPointString, collaboratorPayloads[i]);
/**
 * Active check that replays the base request with a {@code Proxy} header pointing at a fresh
 * Collaborator host and reports an issue when that host records an interaction.
 *
 * <p>Only header insertion points are handled; any existing {@code Proxy} header is removed
 * before the probe header is appended.
 *
 * <p>NOTE(review): this looks like a check for a server that honours a client-supplied
 * {@code Proxy} header for its own outbound requests (the "httpoxy" class of issue); confirm
 * against the issue text built by {@code reportIssue}. Interactions are fetched once, right
 * after the probe returns, so a callback that arrives later is not seen by this method.
 *
 * @param baseRequestResponse the request/response pair the probe is derived from
 * @param insertionPoint the insertion point being scanned; only its type is consulted
 * @return a one-element list holding the reported issue, or {@code null} when the insertion
 *     point is not a header or no interaction was recorded
 */
public List<IScanIssue> doScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    if (insertionPoint.getInsertionPointType() != INS_HEADER) {
        return null;
    }

    IBurpCollaboratorClientContext collabContext = callbacks.createBurpCollaboratorClientContext();
    String collabHost = collabContext.generatePayload(true);
    String proxyHeader = "Proxy: http://" + collabHost;

    // Rebuild the header list: drop any Proxy header already present, then append the probe header.
    IRequestInfo baseInfo = helpers.analyzeRequest(baseRequestResponse);
    List<String> probeHeaders = baseInfo.getHeaders();
    probeHeaders.removeIf(line -> line != null && line.toLowerCase().startsWith("proxy:"));
    probeHeaders.add(proxyHeader);

    // The original body is carried over unchanged from the body offset onwards.
    byte[] probeRequest = helpers.buildHttpMessage(
            probeHeaders,
            substring(baseRequestResponse.getRequest(), baseInfo.getBodyOffset()));
    IHttpRequestResponse probeExchange =
            callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), probeRequest);

    List<IBurpCollaboratorInteraction> seen = collabContext.fetchCollaboratorInteractionsFor(collabHost);
    if (seen.isEmpty()) {
        return null;
    }

    // Only the first recorded interaction is attached to the issue.
    List<IScanIssue> findings = new ArrayList<>();
    findings.add(reportIssue(proxyHeader, probeExchange, seen.get(0)));
    return findings;
}
currentCollaboratorPayload = "THE_COLLABORATOR_IS_DISABLED"; } else if(command.equals("contextInsertCollaboratorPayload")) { currentCollaboratorPayload = collaboratorContext.generatePayload(true); } else { currentCollaboratorPayload = collaboratorInsertionPointString;
// Fresh Collaborator payload for this check. Assuming collaboratorContext is an IBurpCollaboratorClientContext
// (its declaration is outside this excerpt), the 'true' argument asks for the server location to be included,
// so the value can be used directly as a hostname.
String collaboratorPayload = collaboratorContext.generatePayload(true); List<IScanIssue> issues = new ArrayList<>();
// Assuming collaboratorContext is an IBurpCollaboratorClientContext (declared outside this excerpt),
// generatePayload(true) returns the interaction id with the Collaborator server location included.
String payload = collaboratorContext.generatePayload(true);
/**
 * Active check that runs only when the insertion point's base value parses as an image, then
 * probes in two stages: an out-of-band callback to a Collaborator host, and, if that records
 * nothing, a timing comparison against a baseline request.
 *
 * <p>NOTE(review): the Collaborator probe is encoded with {@code String.getBytes()}, which uses
 * the platform default charset, while the base value goes through
 * {@code helpers.stringToBytes}; confirm the IMAGETRAGICK_HEAD/TAIL constants are ASCII-only.
 * Interactions are fetched once, immediately after the probe returns, so a late callback falls
 * through to the timing stage.
 *
 * @param baseRequestResponse the request/response pair being scanned
 * @param insertionPoint the insertion point whose base value is inspected and replaced
 * @return the issues built by {@code ImageTragickIssue}, or {@code null} when the base value is
 *     not recognised as an image or neither stage fires
 */
@Override
public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    final byte[] baseValue = helpers.stringToBytes(insertionPoint.getBaseValue());
    int[] imageSize = SimpleImageSizeReader.getImageSize(baseValue, 0, baseValue.length);
    if (imageSize == null) {
        return null;
    }

    final IHttpService service = baseRequestResponse.getHttpService();

    // Stage 1: out-of-band probe that references a URL on a fresh Collaborator host.
    IBurpCollaboratorClientContext collabContext = callbacks.createBurpCollaboratorClientContext();
    String collabHost = collabContext.generatePayload(true);
    String callbackProbe = IMAGETRAGICK_HEAD + "http://" + collabHost + "/a.jpg" + IMAGETRAGICK_TAIL;
    IHttpRequestResponse probeExchange =
            callbacks.makeHttpRequest(service, insertionPoint.buildRequest(callbackProbe.getBytes()));

    List<IBurpCollaboratorInteraction> interactions = collabContext.fetchCollaboratorInteractionsFor(collabHost);
    if (!interactions.isEmpty()) {
        return ImageTragickIssue.reportOnCollaborator(
                probeExchange,
                hrrToUrl(baseRequestResponse),
                insertionPoint.getInsertionPointName(),
                collabHost,
                interactions);
    }

    // Stage 2: time the unmodified request, then the sleep payload.
    long baseTime = measureRequest(service, baseRequestResponse.getRequest()).getKey();
    Map.Entry<Long, IHttpRequestResponse> sleepMeasurement =
            measureRequest(service, insertionPoint.buildRequest(IMAGETRAGICK_PAYLOAD));
    long sleepTime = sleepMeasurement.getKey();

    // Report only when the extra latency is within the threshold of the expected sleep duration.
    long deviation = Math.abs(sleepTime - baseTime - IMAGETRAGICK_SLEEP_NS);
    if (deviation <= IMAGETRAGICK_TRESHOLD_NS) {
        return ImageTragickIssue.reportOnTiming(
                sleepMeasurement.getValue(),
                hrrToUrl(baseRequestResponse),
                insertionPoint.getInsertionPointName(),
                baseTime,
                sleepTime);
    }
    return null;
}
String collaboratorPayload = collaboratorContext.generatePayload(true); payload = payload.replace("{payloadUrl}", collaboratorPayload); IHttpRequestResponse attackRequestResponse = callbacks.makeHttpRequest(baseRequestResponse.getHttpService(),
collabId = _collabContext.generatePayload(false); if (!p.isBinary()) { try { collabId = _collabContext.generatePayload(false); payloadBytes = _helpers.stringToBytes(_helpers.base64Encode(generateCollaboratorBytePayload(p.getPayloadName(), collabId + "." + _collabContext.getCollaboratorServerLocation()))); if (payloadBytes == null) {