/**
 * Issues {@code request} against {@code httpService} and reports how long the call took.
 *
 * @param httpService target service handed to {@code callbacks.makeHttpRequest}
 * @param request     raw request bytes to send
 * @return an immutable entry whose key is the elapsed time in nanoseconds and whose
 *         value is whatever {@code makeHttpRequest} returned
 */
private Map.Entry<Long, IHttpRequestResponse> measureRequest(IHttpService httpService, byte[] request) {
    final long begin = System.nanoTime();
    final IHttpRequestResponse exchange = callbacks.makeHttpRequest(httpService, request);
    // The interval covers the whole makeHttpRequest call, so it includes connection setup
    // and any processing inside Burp, not only the server's own processing time.
    final long elapsedNanos = System.nanoTime() - begin;
    return new AbstractMap.SimpleImmutableEntry<Long, IHttpRequestResponse>(elapsedNanos, exchange);
}
/**
 * Sends {@code req} to service {@code s}, converting any exception into a logged error.
 *
 * @param s   target service
 * @param req raw request bytes
 * @return the request/response returned by Burp, or {@code null} when the call threw
 */
private IHttpRequestResponse makeRequest(IHttpService s, byte[] req) {
    try {
        return callbacks.makeHttpRequest(s, req);
    } catch (Exception e) {
        // Best effort: the failure is only logged, so callers must handle a null result.
        logError(e.toString() +": Error while requesting from " + s.getHost());
        return null;
    }
}
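/**
 * Fires a single {@code GET /replicator-login} request at the host of the macro's URL.
 * The response is not inspected; the request is sent only for its side effect.
 *
 * @param macro           macro whose URL supplies host, port and protocol
 * @param replicatorPanel not used by this method
 * @throws Exception propagated from the Burp helper and callback calls
 */
static void runMacro(MacrosMarshaller.Macro macro, ReplicatorPanel replicatorPanel) throws Exception {
    // TBD: this will trigger the session rule, then cause an unwanted request to /replicator-login
    IExtensionHelpers helpers = BurpExtender.callbacks.getHelpers();
    URL url = macro.getURL();
    // URL.getPort() returns -1 when the URL carries no explicit port; fall back to the
    // protocol's default so the service is not built with an invalid port number.
    int port = url.getPort() == -1 ? url.getDefaultPort() : url.getPort();
    IHttpService httpService = helpers.buildHttpService(url.getHost(), port, url.getProtocol());
    List<String> headers = Arrays.asList("GET /replicator-login HTTP/1.0", "Host: " + url.getHost());
    byte[] request = helpers.buildHttpMessage(headers, new byte[0]);
    BurpExtender.callbacks.makeHttpRequest(httpService, request);
}
} // closes the enclosing class, whose opening line is outside this listing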
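/**
 * Fetches the DNS lookup log from {@code DNS_LOOKUP_SERVER_LOGS} and raises a scan issue
 * for every pending insertion point whose hash appears in it. Reported entries are
 * removed from {@code requestedInsertionPoints}; the others stay for a later check.
 *
 * @throws IOException if {@code DNS_LOOKUP_SERVER_LOGS} is not a valid URL
 */
private void check() throws IOException {
    log.info("Trying check SSRF hashes");
    if (requestedInsertionPoints.isEmpty()) {
        return;
    }

    // Request the DNS logs. Port and TLS follow the configured URL instead of being
    // pinned to cleartext port 80, so an https:// log URL is actually fetched over TLS.
    URL url = new URL(DNS_LOOKUP_SERVER_LOGS);
    boolean useHttps = "https".equalsIgnoreCase(url.getProtocol());
    int port = url.getPort() != -1 ? url.getPort() : url.getDefaultPort();
    byte[] response = callbacks.makeHttpRequest(url.getHost(), port, useHttps, helpers.buildHttpRequest(url));
    if (response == null) {
        // NOTE(review): assumes a failed request yields null - confirm against the Burp API.
        log.warn("No response from DNS lookup log server");
        return;
    }
    // NOTE(review): with an http:// log URL the log travels unauthenticated, so the
    // findings below are only as trustworthy as that channel.
    String dnsResponseString = helpers.bytesToString(response);

    // The substring match runs over the whole raw response, status line and headers included.
    requestedInsertionPoints.entrySet().removeIf(entry -> {
        boolean contains = dnsResponseString.contains(entry.getKey());
        if (contains) {
            log.warn("SSRF Found: " + entry.getKey());
            callbacks.addScanIssue(new SSRFScanIssue(callbacks, entry.getKey(), entry.getValue()));
            return true;
        }
        return false;
    });
}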
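/**
 * Downloads a resource and stores its subtype and body in {@code fileType} and {@code byte_image}.
 *
 * @param callbacks   Burp callbacks used to issue the request
 * @param helpers     Burp helpers used to parse the response
 * @param httpService service the request is sent to
 * @param request     raw request bytes
 */
public imageDownloader(IBurpExtenderCallbacks callbacks, IExtensionHelpers helpers, IHttpService httpService,byte[] request) {
    IHttpRequestResponse message = callbacks.makeHttpRequest(httpService,request);
    byte[] rawResponse = message.getResponse();
    IResponseInfo response = helpers.analyzeResponse(rawResponse);

    final String contentTypePrefix = "content-type:";
    for (String header : response.getHeaders()) {
        if (header.regionMatches(true, 0, contentTypePrefix, 0, contentTypePrefix.length())) {
            // Take the text between '/' and an optional ';'. A Content-Type without
            // parameters has no ';', which previously produced a negative end index
            // and a StringIndexOutOfBoundsException.
            int slash = header.indexOf('/');
            int semicolon = header.indexOf(';', slash + 1);
            int end = (semicolon == -1) ? header.length() : semicolon;
            // NOTE(review): this value comes from a header the remote server controls;
            // if it is later used in a file name it should be checked against an
            // allow-list first - confirm against the callers.
            fileType = header.substring(slash + 1, end).trim();
        }
    }

    // copyOfRange's upper bound is exclusive, so the full length keeps the last body byte
    // (the earlier "length-1" bound dropped it).
    byte_image = Arrays.copyOfRange(rawResponse, response.getBodyOffset(), rawResponse.length);
}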
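/**
 * Checks whether the WebLogic console at {@code /console/j_security_check} accepts one of
 * a short list of default credentials.
 *
 * @param url                 URL supplying the Host header value
 * @param callbacks           Burp callbacks used to send the login requests
 * @param baseRequestResponse base message whose HTTP service receives the requests
 * @return {@code "user:password"} for the first pair whose response redirects to a
 *         location containing {@code /index.jsp}, or {@code null} if none matched
 */
private String weblogicAdminBruteforcer(URL url, IBurpExtenderCallbacks callbacks, IHttpRequestResponse baseRequestResponse) {
    // Weak password
    List<Map.Entry<String, String>> credentials = new ArrayList<>();
    credentials.add(new AbstractMap.SimpleEntry<>("weblogic", "weblogic"));
    credentials.add(new AbstractMap.SimpleEntry<>("weblogic", "weblogic1"));
    credentials.add(new AbstractMap.SimpleEntry<>("weblogic", "welcome1"));

    IExtensionHelpers helpers = callbacks.getHelpers();

    // URL.getPort() is -1 when the URL has no explicit port, which would yield "Host: name:-1".
    int port = url.getPort() == -1 ? url.getDefaultPort() : url.getPort();

    List<String> headers = new ArrayList<>();
    headers.add("POST /console/j_security_check HTTP/1.1");
    headers.add("Host: " + url.getHost() + ":" + port);
    headers.add("Content-Type: application/x-www-form-urlencoded");
    // NOTE(review): the same fixed session cookie is sent with every attempt; presumably a
    // placeholder the login form requires - confirm.
    headers.add("Cookie: ADMINCONSOLESESSION=pTsBVcsdVx2g20mxPJyyPDvqTwQmQDtw7R541DGJGGXD2qh4rDBJ!1211788216");

    // NOTE(review): every iteration is a real authentication attempt, so failed pairs may
    // count toward the target's account-lockout policy.
    for (Map.Entry<String, String> credential : credentials) {
        String user = credential.getKey();
        String pwd = credential.getValue();

        String body = "userName=" + user + "&password=" + pwd + "&submit=+Login+";
        byte[] loginMessage = helpers.buildHttpMessage(headers, body.getBytes());
        IHttpRequestResponse resp = callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), loginMessage);

        // A request that failed has no response to analyze; move on to the next pair
        // instead of passing null to analyzeResponse.
        if (resp == null || resp.getResponse() == null) {
            continue;
        }

        // A successful login is recognized by the redirect target, not by the body.
        IResponseInfo weblogicInfo = helpers.analyzeResponse(resp.getResponse());
        String locationHeader = HTTPParser.getResponseHeaderValue(weblogicInfo, "Location");
        if ((locationHeader != null) && (locationHeader.contains("/index.jsp"))) {
            return String.format("%s:%s", user, pwd);
        }
    }

    return null;
}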
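/**
 * Re-sends {@code req} with the first header that starts with {@code headerName} replaced
 * by {@code newHeader}, then records the result through {@code addResponse}.
 * Any failure is written to Burp's stderr stream rather than propagated.
 *
 * @param req original message whose request and HTTP service are reused
 */
private void runRequest(IHttpRequestResponse req) {
    try {
        byte[] rawRequest = req.getRequest();
        IRequestInfo reqInfo = burpCallback.getHelpers().analyzeRequest(rawRequest);

        // Replace only the first matching header. The comparison lower-cases the header
        // line, so headerName is presumably stored in lower case - verify where it is set.
        List<String> headers = reqInfo.getHeaders();
        for (int h = 0; h < headers.size(); h++) {
            if (headers.get(h).toLowerCase().startsWith(headerName)) {
                headers.set(h, newHeader);
                break;
            }
        }

        // The body is copied as raw bytes, so binary content is preserved.
        byte[] body = Arrays.copyOfRange(rawRequest, reqInfo.getBodyOffset(), rawRequest.length);
        byte[] message = burpCallback.getHelpers().buildHttpMessage(headers, body);
        IHttpRequestResponse resp = burpCallback.makeHttpRequest(req.getHttpService(), message);
        addResponse(req, resp);
    } catch (Throwable e) {
        PrintWriter writer = new PrintWriter(burpCallback.getStderr());
        // getMessage() may be null (for example on a NullPointerException); writing null
        // directly would throw from inside this handler.
        writer.write(String.valueOf(e.getMessage()));
        writer.write("\n");
        e.printStackTrace(writer);
        // PrintWriter buffers its output; flush so the report reaches stderr. The writer
        // is deliberately not closed, because that would close Burp's stream as well.
        writer.flush();
    }
}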
/**
 * Injects a DNS lookup host name carrying a request-specific hash into the insertion point
 * and remembers the resulting message for a later check of the DNS lookup server's log.
 *
 * @param baseRequestResponse base message; its request bytes seed the hash
 * @param insertionPoint      insertion point that receives the payload
 * @return always {@code null}; nothing is reported by this method itself
 */
@Override
public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    final String encodedRequest = helpers.base64Encode(baseRequestResponse.getRequest());
    final String hash = DigestUtils.shaHex(encodedRequest);
    log.info("SSRF_HASH: " + hash);

    // Build the injection payload from the configured DNS lookup server and the hash.
    final String lookupHost = DNS_LOOKUP_SERVER.replace("{{HASH}}", hash);
    final byte[] request = insertionPoint.buildRequest(helpers.stringToBytes(lookupHost));

    final IHttpRequestResponse requestResponse =
            callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), request);

    // NOTE(review): the hash depends only on the base request, so every insertion point of
    // the same request maps to the same key and a later put presumably replaces the
    // earlier entry - confirm that this is intended.
    requestedInsertionPoints.put(hash, requestResponse);

    // The outcome is looked up in the DNS lookup server's log later.
    return null;
}
/**
 * Initializes the lookup tables and the Collaborator context, then sends one plain HTTP
 * request to a fresh Collaborator payload host to learn which client IP addresses the
 * Collaborator server sees for this machine.
 */
Correlator() {
    idToRequestID = new HashMap<>();
    requests = new HashMap<>();
    idToType = new HashMap<>();
    burpIdToRequestID = new HashMap<>();
    collab = Utilities.callbacks.createBurpCollaboratorClientContext();
    client_ips = new HashSet<>();

    try {
        final String probeHost = collab.generatePayload(true);
        final byte[] probeRequest = ("GET / HTTP/1.1\r\nHost: " + probeHost + "\r\n\r\n").getBytes();
        Utilities.callbacks.makeHttpRequest(probeHost, 80, false, probeRequest);

        // Interactions are fetched right after the request returns; each one contributes
        // the client_ip property reported by the Collaborator server.
        for (IBurpCollaboratorInteraction seen : collab.fetchCollaboratorInteractionsFor(probeHost)) {
            client_ips.add(seen.getProperty("client_ip"));
        }
        Utilities.out("Calculated your IPs: "+ client_ips.toString());
    }
    catch (NullPointerException e) {
        // A NullPointerException anywhere above is treated as "Collaborator unavailable".
        Utilities.out("Unable to calculate client IP - collaborator may not be functional");
    }
    catch (java.lang.IllegalArgumentException e) {
        Utilities.out("The Collaborator appears to be misconfigured. Please run a health check via Project Options->Misc. Also, note that Collaborator Everywhere does not support the IP-address mode.");
    }
}
/**
 * Probes an insertion point for header injection: a random marker is sent first, and only
 * if that marker is reflected in the response headers are the CRLF payloads tried.
 * The root directory of each protocol/host pair is additionally scanned once.
 *
 * @param baseRequestResponse base message to derive requests from
 * @param insertionPoint      insertion point receiving the payloads
 * @return the issues found, or {@code null} when there are none or the marker request failed
 */
public List<IScanIssue> doScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    IResponseInfo resp = helpers.analyzeResponse(baseRequestResponse.getResponse());
    IRequestInfo req = helpers.analyzeRequest(baseRequestResponse.getRequest());
    if (resp == null || req == null) {
        return null;
    }

    URL url = helpers.analyzeRequest(baseRequestResponse).getUrl();
    IHttpService httpService = baseRequestResponse.getHttpService();
    List<IScanIssue> issues = new ArrayList<>();

    // Scan the root directory only once per protocol + host combination.
    String hostKey = url.getProtocol() + url.getHost();
    if (!flags.contains(hostKey)) {
        IScanIssue rootIssue = scanRootDirectory(baseRequestResponse, insertionPoint);
        if (rootIssue != null) {
            issues.add(rootIssue);
        }
        flags.add(hostKey);
    }

    // Reflection check with a harmless random marker before any payload is sent.
    String uuid = UUID.randomUUID().toString().replaceAll("-", "");
    byte[] markerRequest = insertionPoint.buildRequest(this.helpers.stringToBytes(uuid));
    IHttpRequestResponse checkUUID = this.callbacks.makeHttpRequest(httpService, markerRequest);
    if (checkUUID == null || checkUUID.getResponse() == null) {
        // Issues collected by the root-directory scan are not returned on this path.
        return null;
    }

    String respHeaders = String.join("\n", this.helpers.analyzeResponse(checkUUID.getResponse()).getHeaders());
    if (respHeaders.contains(uuid)) {
        for (String payload : CRLFSplitters) {
            // The splitter and header are placed between the two parts of the marker;
            // the character at index 5 is left out.
            String finalPayload = uuid.substring(0, 5) + payload + CRLFHeader + uuid.substring(6);
            byte[] attackRequest = insertionPoint.buildRequest(this.helpers.stringToBytes(finalPayload));
            IHttpRequestResponse attack = this.callbacks.makeHttpRequest(httpService, attackRequest);
            IScanIssue found = analyzeResponse(attack, insertionPoint, finalPayload);
            if (found != null) {
                issues.add(found);
            }
        }
    }

    return issues.isEmpty() ? null : issues;
}
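/**
 * Sends {@code requestBytes} to {@code service} and shows the raw response in
 * {@code responseBox}, reporting progress through {@code statusListener}.
 *
 * @return always {@code null}
 * @throws Exception propagated from the Burp callback
 */
@Override
protected Object doInBackground() throws Exception {
    statusListener.setProgress(0);
    statusListener.setStatus("Making request...");
    IHttpRequestResponse message = callbacks.makeHttpRequest(service, requestBytes);
    // Treat a missing message like a missing response, so that a failed request still
    // reaches statusListener.done() instead of ending in a NullPointerException.
    byte[] responseBytes = (message == null) ? null : message.getResponse();
    if (responseBytes != null) {
        statusListener.setStatus("Done.");
        // NOTE(review): decoded with the platform default charset, and the text component
        // is updated from the worker thread - confirm that both are intended.
        responseBox.setText(new String(responseBytes));
    } else {
        statusListener.setStatus("Request failed to complete.");
    }
    statusListener.done(null);
    return null;
}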
/**
 * Sends {@code probe} wrapped in random anchors and returns how the application
 * transformed the text between those anchors.
 *
 * @param baseRequestResponse base message supplying the HTTP service
 * @param insertionPoint      insertion point that receives the payload
 * @param probe               character sequence whose handling is being recorded
 * @return the result of {@code getTransformationResults} for the filtered response
 */
private HashSet<String> recordHandling(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint, String probe) {
    final String left = Utilities.randomString(3);
    final String middle = "z" + Utilities.rnd.nextInt(9);
    final String right = "z" + Utilities.randomString(3);

    // The payload carries two backslashes after the left anchor, while the search prefix
    // handed to getTransformationResults below carries only one.
    final String payload = left + "\\\\" + middle + probe + right;

    final IHttpRequestResponse attack = callbacks.makeHttpRequest(
            baseRequestResponse.getHttpService(),
            insertionPoint.buildRequest(payload.getBytes())); // Utilities.buildRequest(baseRequestResponse, insertionPoint, payload)

    final byte[] filtered = Utilities.filterResponse(attack.getResponse());
    // Round trip through a String, as in the original listing, before the anchors are searched.
    final byte[] normalised = helpers.stringToBytes(helpers.bytesToString(filtered));
    return getTransformationResults(left + "\\" + middle, right, normalised);
}
/**
 * Replaces any {@code Proxy:} request header with one pointing at a fresh Collaborator
 * payload and reports an issue if the Collaborator records an interaction for it.
 * Only header insertion points are handled.
 *
 * @param baseRequestResponse base message whose headers and body are reused
 * @param insertionPoint      insertion point; anything other than {@code INS_HEADER} is skipped
 * @return a one-element list with the issue, or {@code null} if nothing was observed
 */
public List<IScanIssue> doScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    if (insertionPoint.getInsertionPointType() != INS_HEADER) {
        return null;
    }

    IBurpCollaboratorClientContext collaboratorContext = callbacks.createBurpCollaboratorClientContext();
    String payload = collaboratorContext.generatePayload(true);
    String httpPrefixedPayload = "Proxy: http://" + payload;

    // Drop every existing Proxy header (case-insensitive), then append the probe header.
    IRequestInfo requestInfo = helpers.analyzeRequest(baseRequestResponse);
    List<String> headers = requestInfo.getHeaders();
    headers.removeIf(line -> line != null && line.toLowerCase().startsWith("proxy:"));
    headers.add(httpPrefixedPayload);

    byte[] originalBody = substring(baseRequestResponse.getRequest(), requestInfo.getBodyOffset());
    byte[] request = helpers.buildHttpMessage(headers, originalBody);
    IHttpRequestResponse scanCheckRequestResponse =
            callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), request);

    // Interactions are fetched immediately after the request returns, so a callback that
    // arrives later is not seen by this method.
    List<IBurpCollaboratorInteraction> collaboratorInteractions =
            collaboratorContext.fetchCollaboratorInteractionsFor(payload);
    if (collaboratorInteractions.isEmpty()) {
        return null;
    }

    // Only the first recorded interaction is attached to the issue.
    List<IScanIssue> issues = new ArrayList<>();
    issues.add(reportIssue(httpPrefixedPayload, scanCheckRequestResponse, collaboratorInteractions.get(0)));
    return issues;
}
/**
 * Re-sends the base request once per entry of {@code Payloads}, each time appending the
 * entry to the request path, and collects the issues {@code analyzeResponse} reports.
 * Each URL is scanned at most once.
 *
 * @param baseRequestResponse base message whose method, path, headers and body are reused
 * @param insertionPoint      not used by this check
 * @return the issues found (possibly empty), or {@code null} if the URL was already
 *         scanned or the base message could not be analyzed
 */
public List<IScanIssue> doScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    IResponseInfo resp = helpers.analyzeResponse(baseRequestResponse.getResponse());
    IRequestInfo req = helpers.analyzeRequest(baseRequestResponse.getRequest());
    if (resp == null || req == null) {
        return null;
    }

    URL url = helpers.analyzeRequest(baseRequestResponse).getUrl();
    String urlKey = url.toString();
    if (flags.contains(urlKey)) {
        return null;
    }
    flags.add(urlKey);

    List<IScanIssue> issues = new ArrayList<>();
    IHttpService httpService = baseRequestResponse.getHttpService();
    List<String> headers = req.getHeaders();

    for (String suffix : Payloads) {
        // Only the request line changes; the query string of the original URL is not carried over.
        headers.set(0, req.getMethod() + " " + url.getPath() + suffix + " HTTP/1.1");

        // The body is recovered through a String round trip of the whole request.
        String rawRequest = helpers.bytesToString(baseRequestResponse.getRequest());
        byte[] body = helpers.stringToBytes(rawRequest.substring(req.getBodyOffset()));

        IHttpRequestResponse attack =
                this.callbacks.makeHttpRequest(httpService, helpers.buildHttpMessage(headers, body));
        IScanIssue found = analyzeResponse(attack);
        if (found != null) {
            issues.add(found);
        }
    }

    // An empty list (not null) is returned when nothing was found.
    return issues;
}
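/**
 * Asks the update server which versions are available.
 *
 * @return an array of {@code Version} parsed from the comma-separated response body, or
 *         {@code null} when there is no response or the status code is not 200
 * @throws Exception if the URL is malformed or a {@code Version} cannot be constructed
 */
@Override
protected Object doInBackground() throws Exception {
    URL url = new URL(VERSION_URI + "?v=" + currentVersion.getVersionString()
            + "&t=" + (automatic ? "a" : "m") // reports if automated or manual update
            + "&b=" + (CO2Config.isLoadedFromBappStore(AboutTab.this.callbacks) ? "y" : "n") // loaded from a bappstore version?
    );
    byte[] request = callbacks.getHelpers().buildHttpRequest(url);

    // NOTE(review): the check goes to a hard-coded host over cleartext HTTP, so the
    // returned version list is unauthenticated; anything that acts on it should not treat
    // it as trusted. The host is also fixed here independently of VERSION_URI - confirm
    // that the two agree.
    byte[] response = callbacks.makeHttpRequest("burpco2.com", 80, false, request);
    if (response == null) {
        // NOTE(review): assumes a failed request yields null - confirm against the Burp API.
        return null;
    }

    IResponseInfo responseInfo = callbacks.getHelpers().analyzeResponse(response);
    if (responseInfo.getStatusCode() != 200) {
        return null;
    }

    // getBodyOffset() is applied to the response bytes before decoding. Decoding the whole
    // response and cutting the String afterwards would misplace the body start whenever
    // the headers contain multi-byte characters.
    int bodyOffset = responseInfo.getBodyOffset();
    String body = new String(response, bodyOffset, response.length - bodyOffset).trim();

    String[] versionText = body.split(",");
    Version[] versions = new Version[versionText.length];
    for (int i = 0; i < versions.length; i++) {
        versions[i] = new Version(versionText[i]);
    }
    return versions;
}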
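/**
 * Sends {@code req} to {@code service}, retrying once if the call throws or returns a
 * message without a response.
 *
 * @param service target service
 * @param req     raw request bytes
 * @return the last message obtained; its response may still be {@code null} when both
 *         attempts came back empty
 * @throws RuntimeException if the extension has been unloaded, or if every attempt threw
 *         (the last failure is rethrown)
 */
static IHttpRequestResponse attemptRequest(IHttpService service, byte[] req) {
    if(unloaded.get()) {
        Utilities.out("Extension unloaded - aborting attack");
        throw new RuntimeException("Extension unloaded");
    }

    IHttpRequestResponse result = null;
    RuntimeException lastFailure = null;

    for(int attempt=1; attempt<3; attempt++) {
        try {
            result = callbacks.makeHttpRequest(service, req);
        } catch(RuntimeException e) {
            Utilities.log(e.toString());
            Utilities.log("Critical request error, retrying...");
            lastFailure = e;
            continue;
        }

        if (result.getResponse() == null) {
            Utilities.log("Request failed, retrying...");
            //requestResponse.setResponse(new byte[0]);
        }
        else {
            break;
        }
    }

    // When every attempt threw, result was never assigned. Dereferencing it here used to
    // end in a NullPointerException that hid the real cause; rethrow that cause instead.
    if (result == null) {
        Utilities.log("Request failed multiple times, giving up");
        throw lastFailure;
    }

    if (result.getResponse() == null) {
        Utilities.log("Request failed multiple times, giving up");
    }
    return result;
}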
/**
 * Sends every entry of {@code Payloads} through a URL-parameter insertion point and
 * collects the issues {@code analyzeResponse} reports.
 *
 * @param baseRequestResponse base message supplying the HTTP service
 * @param insertionPoint      insertion point; anything other than {@code INS_PARAM_URL} is skipped
 * @return the issues found (possibly empty), or {@code null} if the insertion point type
 *         does not apply or the base message could not be analyzed
 */
@Override
public List<IScanIssue> doScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    if (insertionPoint.getInsertionPointType() != IScannerInsertionPoint.INS_PARAM_URL) {
        return null;
    }

    IResponseInfo resp = helpers.analyzeResponse(baseRequestResponse.getResponse());
    IRequestInfo req = helpers.analyzeRequest(baseRequestResponse.getRequest());
    if (resp == null || req == null) {
        return null;
    }

    List<IScanIssue> issues = new ArrayList<>();
    IHttpService httpService = baseRequestResponse.getHttpService();

    for (String candidate : Payloads) {
        byte[] attackRequest = insertionPoint.buildRequest(this.helpers.stringToBytes(candidate));
        IHttpRequestResponse attack = this.callbacks.makeHttpRequest(httpService, attackRequest);
        IScanIssue found = analyzeResponse(attack);
        if (found != null) {
            issues.add(found);
        }
    }

    // An empty list (not null) is returned when nothing was found.
    return issues;
}
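/**
 * Sends {@code req} to {@code service}, retrying once if the call throws or returns a
 * message without a response.
 *
 * @param service target service
 * @param req     raw request bytes
 * @return the last message obtained; its response may still be {@code null} when both
 *         attempts came back empty
 * @throws RuntimeException if the extension has been unloaded, or if every attempt threw
 *         (the last failure is rethrown)
 */
static IHttpRequestResponse attemptRequest(IHttpService service, byte[] req) {
    if(unloaded.get()) {
        Utilities.out("Extension unloaded - aborting attack");
        throw new RuntimeException("Extension unloaded");
    }

    IHttpRequestResponse result = null;
    RuntimeException lastFailure = null;

    for(int attempt=1; attempt<3; attempt++) {
        try {
            result = callbacks.makeHttpRequest(service, req);
        } catch(RuntimeException e) {
            Utilities.log(e.toString());
            Utilities.log("Critical request error, retrying...");
            lastFailure = e;
            continue;
        }

        if (result.getResponse() == null) {
            Utilities.log("Request failed, retrying...");
            //requestResponse.setResponse(new byte[0]);
        }
        else {
            break;
        }
    }

    // When every attempt threw, result was never assigned. Dereferencing it here used to
    // end in a NullPointerException that hid the real cause; rethrow that cause instead.
    if (result == null) {
        Utilities.log("Request failed multiple times, giving up");
        throw lastFailure;
    }

    if (result.getResponse() == null) {
        Utilities.log("Request failed multiple times, giving up");
    }
    return result;
}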
/**
 * Runs the header-injection check against the root path: a random marker is requested as
 * {@code /<marker>} and, only if it is reflected in the response headers, the CRLF payloads
 * are tried in the same position.
 *
 * @param baseRequestResponse base message whose method, headers and body are reused
 * @param insertionPoint      passed through to {@code analyzeResponse}
 * @return the first issue reported, or {@code null} if none was found or the marker request failed
 */
public IScanIssue scanRootDirectory(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    IRequestInfo req = helpers.analyzeRequest(baseRequestResponse.getRequest());
    IHttpService httpService = baseRequestResponse.getHttpService();

    // Reflection check with a harmless random marker as the request path.
    String uuid = UUID.randomUUID().toString().replaceAll("-", "");
    List<String> reqHeaders = req.getHeaders();
    reqHeaders.set(0, req.getMethod() + " /" + uuid + " HTTP/1.1");

    String rawRequest = helpers.bytesToString(baseRequestResponse.getRequest());
    byte[] body = helpers.stringToBytes(rawRequest.substring(req.getBodyOffset()));
    byte[] modifiedReq = helpers.buildHttpMessage(reqHeaders, body);

    IHttpRequestResponse checkUUID = this.callbacks.makeHttpRequest(httpService, modifiedReq);
    if (checkUUID == null || checkUUID.getResponse() == null) {
        return null;
    }

    String respHeaders = String.join("\n", this.helpers.analyzeResponse(checkUUID.getResponse()).getHeaders());
    if (!respHeaders.contains(uuid)) {
        return null;
    }

    for (String payload : CRLFSplitters) {
        // The splitter and header are placed between the two parts of the marker;
        // the character at index 5 is left out.
        String finalPayload = uuid.substring(0, 5) + payload + CRLFHeader + uuid.substring(6);
        reqHeaders.set(0, req.getMethod() + " /" + finalPayload + " HTTP/1.1");

        // The body is rebuilt from the base request on every iteration, as in the original listing.
        body = helpers.stringToBytes(
                helpers.bytesToString(baseRequestResponse.getRequest()).substring(req.getBodyOffset()));
        modifiedReq = helpers.buildHttpMessage(reqHeaders, body);

        IHttpRequestResponse attack = this.callbacks.makeHttpRequest(httpService, modifiedReq);
        IScanIssue found = analyzeResponse(attack, insertionPoint, finalPayload);
        if (found != null) {
            return found;
        }
    }

    return null;
}
/**
 * Runs every session test case against the model's service, recording response time and
 * analysis results per case and publishing progress along the way.
 *
 * @return always {@code null}
 * @throws Exception propagated from request generation, the Burp callback or result analysis
 */
@Override
protected Object doInBackground() throws Exception {
    final byte[] baseline = model.getBaselineRequest();
    final List<SessionTestCase> cases = model.getSessionTestCases();

    publish(0);
    int completed = 0;
    for (SessionTestCase current : cases) {
        final byte[] testRequest = current.generateTestRequest(baseline, callbacks);
        publish("Testcase "+current.getName());

        // Wall-clock time around the whole makeHttpRequest call, in milliseconds.
        final long sentAt = System.currentTimeMillis();
        final IHttpRequestResponse message = callbacks.makeHttpRequest(model.getService(), testRequest);
        current.setResponseTime((int) (System.currentTimeMillis() - sentAt));

        final byte[] rawResponse = message.getResponse();
        final IResponseInfo responseInfo = callbacks.getHelpers().analyzeResponse(rawResponse);
        current.analyzeResults(responseInfo, message.getResponse());

        // Notify the table about the row that was just filled in, then advance.
        model.fireTableChanged(new TableModelEvent(model, completed));
        completed++;
        publish(100 * completed / cases.size());
    }
    publish("Done");
    return null;
}