/**
 * Reacts to a change in the Collaborator configuration.
 *
 * <p>When {@code isCollaboratorChanged()} reports a change, the cached settings are
 * refreshed. If the resulting type is {@code "none"}, the stored context is cleared.
 * Otherwise a new client context is created and registered with the polling thread.
 * Nothing happens when no change is reported.
 */
public void checkCollaboratorChanges() {
    if (!isCollaboratorChanged()) {
        return;
    }

    initializeCurrentCollaboratorVariables();

    final boolean collaboratorDisabled = currentCollaboratorType.equals("none");
    if (collaboratorDisabled) {
        // Drop the stale context so later code cannot issue payloads for a server
        // that is no longer configured.
        collaboratorContext = null;
        stdout.println("Collaborator disabled!");
        return;
    }

    stdout.println("Collaborator location changed! Adding a new collaborator context to the polling thread!");
    collaboratorContext = callbacks.createBurpCollaboratorClientContext();
    // The poller has to know about the new context, otherwise interactions for
    // payloads generated from it would never be fetched.
    interactionServer.addNewCollaboratorContext(collaboratorContext);
}
/**
 * Polling loop: at most once per {@code COLLAB_POLL_INTERVAL} milliseconds, fetch the
 * Collaborator interactions and offer each one to the loaded Freddy scanner modules,
 * stopping at the first module that reports it handled the interaction.
 *
 * <p>The loop runs until {@code _stopFlag} is set and sleeps
 * {@code THREAD_SLEEP_INTERVAL} between iterations.
 */
public void run() {
    while (!_stopFlag) {
        final boolean pollDue = System.currentTimeMillis() - _lastPollTime > COLLAB_POLL_INTERVAL;
        if (pollDue) {
            // NOTE(review): per the Burp Extender API a client context returns only the
            // interactions caused by payloads generated from that same context. This
            // context is created fresh on every poll and generates no payloads here,
            // so confirm the fetch below can return anything. A long-lived context
            // shared with the payload generators is presumably what is intended.
            IBurpCollaboratorClientContext pollContext = _callbacks.createBurpCollaboratorClientContext();
            List<IBurpCollaboratorInteraction> received = pollContext.fetchAllCollaboratorInteractions();

            for (IBurpCollaboratorInteraction event : received) {
                // First module to claim the interaction wins; the rest are not consulted.
                for (FreddyModuleBase candidate : _modules) {
                    boolean claimed = candidate.handleCollaboratorInteraction(event);
                    if (claimed) {
                        break;
                    }
                }
            }

            _lastPollTime = System.currentTimeMillis();
        }

        try {
            Thread.sleep(THREAD_SLEEP_INTERVAL);
        } catch (InterruptedException ignored) {
            // Interruption is deliberately ignored; only _stopFlag ends the loop.
        }
    }
}
} // closes the enclosing type, whose header is not part of this snippet
/**
 * Sets up the correlation tables and tries to learn which source IP addresses the
 * Collaborator server sees for requests sent from this Burp instance.
 *
 * <p>A fresh payload is generated, one plain-HTTP request (port 80, no TLS) is sent to
 * that payload host, and the {@code client_ip} property of every resulting interaction
 * is recorded in {@code client_ips}. Failures are reported through
 * {@code Utilities.out} and leave {@code client_ips} empty.
 */
Correlator() {
    idToRequestID = new HashMap<>();
    requests = new HashMap<>();
    idToType = new HashMap<>();
    burpIdToRequestID = new HashMap<>();
    collab = Utilities.callbacks.createBurpCollaboratorClientContext();
    client_ips = new HashSet<>();

    try {
        final String pollPayload = collab.generatePayload(true);
        final byte[] probeRequest = ("GET / HTTP/1.1\r\nHost: " + pollPayload + "\r\n\r\n").getBytes();

        // Self-probe: the request goes to the Collaborator host itself, so the
        // interactions fetched below carry this machine's own egress addresses.
        Utilities.callbacks.makeHttpRequest(pollPayload, 80, false, probeRequest);

        for (IBurpCollaboratorInteraction seen : collab.fetchCollaboratorInteractionsFor(pollPayload)) {
            client_ips.add(seen.getProperty("client_ip"));
        }
        Utilities.out("Calculated your IPs: " + client_ips);
    } catch (NullPointerException e) {
        // NOTE(review): the NPE is used as the "Collaborator not usable" signal;
        // which call raises it is not visible from this snippet.
        Utilities.out("Unable to calculate client IP - collaborator may not be functional");
    } catch (IllegalArgumentException e) {
        Utilities.out("The Collaborator appears to be misconfigured. Please run a health check via Project Options->Misc. Also, note that Collaborator Everywhere does not support the IP-address mode.");
    }
}
/**
 * Builds the payload list for an Intruder attack: all time-based payloads first, then
 * one payload per configured Collaborator template.
 *
 * <p>Each call replaces {@code _collabContext} with a new client context. The host
 * embedded in the Collaborator payloads is the Collaborator server location, not the
 * host of the attacked service.
 *
 * @param attack the Intruder attack requesting payloads (not read by this method)
 * @return a new list holding the time-based payloads followed by the Collaborator ones
 */
public ArrayList<Payload> getRCEPayloads(IIntruderAttack attack) {
    _collabContext = _callbacks.createBurpCollaboratorClientContext();
    final String host = _collabContext.getCollaboratorServerLocation();

    final ArrayList<Payload> result = new ArrayList<>();
    if (!_timeBasedPayloads.isEmpty()) {
        result.addAll(_timeBasedPayloads);
    }

    for (CollaboratorPayload template : _collaboratorPayloads) {
        final Payload built;
        if (!template.isBinary()) {
            // Text templates are rendered to a String and encoded with the platform charset.
            built = new Payload(generateCollaboratorTextPayload(template.getPayloadName(), host).getBytes());
        } else {
            built = new Payload(generateCollaboratorBytePayload(template.getPayloadName(), host));
        }
        result.add(built);
    }
    return result;
}
} // closes the enclosing type, whose header is not part of this snippet
/**
 * Checks a header insertion point by replacing any existing {@code Proxy:} header with
 * one that points at a freshly generated Collaborator payload, then reports an issue
 * if the Collaborator server recorded an interaction for that payload.
 *
 * <p>Interactions are fetched once, directly after the request completes. An
 * interaction that reaches the Collaborator server after that single fetch is not
 * seen by this check.
 *
 * @param baseRequestResponse the base request to re-issue with the modified header
 * @param insertionPoint      the insertion point; only {@code INS_HEADER} is processed
 * @return a one-element list with the reported issue, or {@code null} when the
 *         insertion point is not a header or no interaction was recorded
 */
public List<IScanIssue> doScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    if (insertionPoint.getInsertionPointType() != INS_HEADER) {
        return null;
    }

    IBurpCollaboratorClientContext collaboratorContext = callbacks.createBurpCollaboratorClientContext();
    final String payload = collaboratorContext.generatePayload(true);
    final String httpPrefixedPayload = "Proxy: http://" + payload;

    IRequestInfo requestInfo = helpers.analyzeRequest(baseRequestResponse);
    List<String> headers = requestInfo.getHeaders();
    // Remove every pre-existing Proxy header so the request carries exactly one.
    headers.removeIf(line -> line != null && line.toLowerCase().startsWith("proxy:"));
    headers.add(httpPrefixedPayload);

    final byte[] body = substring(baseRequestResponse.getRequest(), requestInfo.getBodyOffset());
    final byte[] request = helpers.buildHttpMessage(headers, body);
    IHttpRequestResponse scanCheckRequestResponse =
            callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), request);

    List<IBurpCollaboratorInteraction> collaboratorInteractions =
            collaboratorContext.fetchCollaboratorInteractionsFor(payload);
    if (collaboratorInteractions.isEmpty()) {
        return null;
    }

    // Only the first recorded interaction is attached to the issue as evidence.
    List<IScanIssue> issues = new ArrayList<>();
    issues.add(reportIssue(httpPrefixedPayload, scanCheckRequestResponse, collaboratorInteractions.get(0)));
    return issues;
}
collaboratorContext = callbacks.createBurpCollaboratorClientContext(); } else { collaboratorContext = null;
else flags.add(url.toString()); IBurpCollaboratorClientContext collaboratorContext = callbacks.createBurpCollaboratorClientContext(); String collaboratorPayload = collaboratorContext.generatePayload(true); List<IScanIssue> issues = new ArrayList<>();
// Obtain a Burp Collaborator client context from the extension callbacks and keep it in
// `collaborator`. Per the Burp Extender API, a context only returns interactions for
// payloads generated from that same context, so the instance stored here is the one
// to reuse for both payload generation and polling.
collaborator = BurpExtender.callbacks.createBurpCollaboratorClientContext();
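// Matches "<30 word characters>.<collaborator server location>" anywhere in the payload.
// The server location is a literal host name, so it is quoted before being spliced into
// the pattern: left unquoted, every "." in it would match any character and look-alike
// hosts would be accepted as Collaborator payloads.
// String.valueOf keeps a null location from throwing inside Pattern.quote.
String collaboratorLocation = BurpExtender.callbacks.createBurpCollaboratorClientContext().getCollaboratorServerLocation();
String collaboratorRegex = "\\w{30}\\." + Pattern.quote(String.valueOf(collaboratorLocation));
if (Pattern.compile(collaboratorRegex).matcher(payload).find())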
/**
 * Active check for insertion points whose base value parses as an image.
 *
 * <p>Two detections are tried in order:
 * <ol>
 *   <li>Out-of-band: a payload referencing a new Collaborator host is sent. Any
 *       interaction recorded for that host is reported immediately.</li>
 *   <li>Timing: the base request and the {@code IMAGETRAGICK_PAYLOAD} request are
 *       both measured. An issue is reported only when the extra delay is within
 *       {@code IMAGETRAGICK_TRESHOLD_NS} of {@code IMAGETRAGICK_SLEEP_NS}.</li>
 * </ol>
 *
 * @param baseRequestResponse the base request/response pair
 * @param insertionPoint      the insertion point under test
 * @return the issues from whichever detection fired, or {@code null} when the base
 *         value is not recognised as an image or neither detection fired
 */
@Override
public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    final byte[] baseValue = helpers.stringToBytes(insertionPoint.getBaseValue());
    // Not an image (no size could be read): nothing to test at this insertion point.
    if (SimpleImageSizeReader.getImageSize(baseValue, 0, baseValue.length) == null) {
        return null;
    }

    final IHttpService service = baseRequestResponse.getHttpService();

    // --- Out-of-band detection via Collaborator ---
    IBurpCollaboratorClientContext collabContext = callbacks.createBurpCollaboratorClientContext();
    final String host = collabContext.generatePayload(true);
    final byte[] oobPayload = (IMAGETRAGICK_HEAD + "http://" + host + "/a.jpg" + IMAGETRAGICK_TAIL).getBytes();
    IHttpRequestResponse response = callbacks.makeHttpRequest(service, insertionPoint.buildRequest(oobPayload));

    // Single fetch right after the request; later interactions are not considered here.
    List<IBurpCollaboratorInteraction> events = collabContext.fetchCollaboratorInteractionsFor(host);
    if (!events.isEmpty()) {
        return ImageTragickIssue.reportOnCollaborator(
                response,
                hrrToUrl(baseRequestResponse),
                insertionPoint.getInsertionPointName(),
                host,
                events);
    }

    // --- Timing detection ---
    final long baseTime = measureRequest(service, baseRequestResponse.getRequest()).getKey();
    final Map.Entry<Long, IHttpRequestResponse> sleepMeasurement =
            measureRequest(service, insertionPoint.buildRequest(IMAGETRAGICK_PAYLOAD));
    final long sleepTime = sleepMeasurement.getKey();

    // One baseline sample and one payload sample are compared; a deviation from the
    // expected delay larger than the threshold is treated as "not vulnerable".
    final boolean outsideThreshold =
            Math.abs(sleepTime - baseTime - IMAGETRAGICK_SLEEP_NS) > IMAGETRAGICK_TRESHOLD_NS;
    if (outsideThreshold) {
        return null;
    }

    return ImageTragickIssue.reportOnTiming(
            sleepMeasurement.getValue(),
            hrrToUrl(baseRequestResponse),
            insertionPoint.getInsertionPointName(),
            baseTime,
            sleepTime);
}
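// Null guard for both messages. Logical "||" is the idiomatic operator for a boolean
// test and skips the second comparison once the first is already true.
if (resp == null || req == null) {
    return null;
}
// A new Collaborator client context is created for the code that follows.
IBurpCollaboratorClientContext collaboratorContext = callbacks.createBurpCollaboratorClientContext();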
_collabContext = _callbacks.createBurpCollaboratorClientContext(); for (CollaboratorPayload p : _collaboratorPayloads) { collabId = _collabContext.generatePayload(false);