/**
 * Returns the payload at the current position of {@code dtds} and moves the
 * position forward by one.
 *
 * @param bytes not read by this implementation
 * @return the current {@code dtds} entry converted with {@code helpers.stringToBytes}
 */
@Override
public byte[] getNextPayload(byte[] bytes) {
    // NOTE(review): no bounds check is done here; presumably the caller asks
    // whether more payloads exist before calling. Confirm against the generator.
    String nextDtd = dtds.get(payloadIndex);
    byte[] encoded = helpers.stringToBytes(nextDtd);
    // Advance only after the lookup and conversion have succeeded.
    payloadIndex++;
    return encoded;
}
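/**
 * Stores the supplied secret and derives the PBKDF2 key from it.
 *
 * <p>{@code secretToken} receives the bytes of {@code value} as produced by
 * {@code helpers.stringToBytes}. {@code secretKey} receives the encoded key
 * generated by the {@code PBKDF2_ALGORITHM} factory from {@code value},
 * {@code salt}, {@code keyIterNum} and {@code keySize}.
 *
 * @param value the secret to store and derive from; must not be null
 * @throws IllegalArgumentException if {@code value} is null
 */
private void setSecretKey(String value) {
    if (value == null) {
        throw new IllegalArgumentException("secret value must not be null");
    }
    // The caller's value is used as given. Do not substitute a constant here:
    // a secret embedded in source makes the parameter meaningless and ships
    // the same key with every copy of the code.
    this.secretToken = helpers.stringToBytes(value);
    try {
        // NOTE(review): salt.getBytes() uses the platform default charset;
        // confirm the salt is plain ASCII or pin a charset so the derived key
        // is the same on every host.
        PBEKeySpec spec = new PBEKeySpec(value.toCharArray(), salt.getBytes(), keyIterNum, keySize);
        SecretKeyFactory skf = SecretKeyFactory.getInstance(PBKDF2_ALGORITHM);
        this.secretKey = skf.generateSecret(spec).getEncoded();
    } catch (NoSuchAlgorithmException e) {
        // Deliberately ignored. secretKey keeps its previous value while
        // secretToken has already changed, so the two can disagree after a failure.
    } catch (InvalidKeySpecException e) {
        // Deliberately ignored; same consequence as above.
    }
}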
/*******************
 * Adds a text payload to the exception-based active scan list, paired with
 * a literal marker that is expected in the resulting exception text.
 *
 * @param payloadStr The string that should trigger an exception when deserialized using the target library/API.
 * @param indicatorStr A string from that exception that is used to detect vulnerable targets.
 ******************/
protected void registerActiveScanExceptionPayload(String payloadStr, String indicatorStr) {
    // The payload is stored as bytes; the indicator stays a plain string.
    final byte[] encodedPayload = _helpers.stringToBytes(payloadStr);
    final ExceptionPayload entry = new ExceptionPayload(encodedPayload, indicatorStr);
    _exceptionBasedPayloads.add(entry);
}
/*******************
 * Adds a text payload to the time-based active scan list.
 *
 * @param payload A payload that should trigger a time delay if deserialized by the target library/API.
 * @param timeDelay The expected time delay (the unit is not stated in this method; see TimeBasedPayload).
 ******************/
protected void registerActiveScanTimeBasedPayload(String payload, int timeDelay) {
    // The payload is stored as bytes together with the delay the scanner should expect.
    final byte[] encodedPayload = _helpers.stringToBytes(payload);
    final TimeBasedPayload entry = new TimeBasedPayload(encodedPayload, timeDelay);
    _timeBasedPayloads.add(entry);
}
/*******************
 * Adds a text payload to the exception-based active scan list, paired with
 * a regular expression that is matched against the resulting exception.
 *
 * @param payloadStr The string that should trigger an exception when deserialized using the target library/API.
 * @param indicatorPat A regular expression that matches the resulting exception and is used to detect vulnerable targets.
 ******************/
protected void registerActiveScanExceptionPayload(String payloadStr, Pattern indicatorPat) {
    // The payload is stored as bytes; the compiled pattern is passed through unchanged.
    final byte[] encodedPayload = _helpers.stringToBytes(payloadStr);
    final ExceptionPayload entry = new ExceptionPayload(encodedPayload, indicatorPat);
    _exceptionBasedPayloads.add(entry);
}
/**
 * Creates the scanner, keeping the Burp callbacks and helpers and caching
 * the byte form of the {@code "<form"} marker.
 *
 * @param callbacks the extender callbacks supplied by Burp
 */
public CSRFTokenScanner(final IBurpExtenderCallbacks callbacks) {
    this.callbacks = callbacks;
    this.helpers = this.callbacks.getHelpers();
    // Converted once here so the marker does not have to be re-encoded on every use.
    // NOTE(review): whether "<form" is matched case-insensitively depends on the
    // code that searches with this pattern; confirm so upper-case markup is not missed.
    this.htmlFormPattern = this.helpers.stringToBytes("<form");
}
/**
 * Creates the handler, keeping the Burp callbacks and helpers and caching
 * the byte form of {@code TOKEN}.
 *
 * @param callbacks the extender callbacks supplied by Burp
 */
public TokenHandler(final IBurpExtenderCallbacks callbacks) {
    this.callbacks = callbacks;
    this.helpers = this.callbacks.getHelpers();
    // Converted once here so TOKEN does not have to be re-encoded on every use.
    this.tokenBytesPattern = this.helpers.stringToBytes(TOKEN);
}
/**
 * Finds the payload in the request that was sent and returns its offsets
 * as a highlight range.
 *
 * @param payload the text that was injected
 * @param sentRequestResponse the exchange whose request is searched
 * @return a list holding one {@code {start, end}} pair for the first match,
 *         or an empty list when the payload does not occur in the request
 */
private List<int[]> buildRequestHighlights(String payload, IHttpRequestResponse sentRequestResponse) {
    final byte[] sentRequest = sentRequestResponse.getRequest();
    final byte[] needle = helpers.stringToBytes(payload);
    final int matchStart = helpers.indexOf(sentRequest, needle, true, 0, sentRequest.length);

    final List<int[]> highlights = new ArrayList<>();
    if (matchStart == -1) {
        return highlights;
    }
    // The end offset is computed from the character count of the payload;
    // assumes stringToBytes yields one byte per character. TODO confirm.
    highlights.add(new int[]{matchStart, matchStart + payload.length()});
    return highlights;
}
/*******************
 * Adds a raw byte payload to the exception-based active scan list, paired
 * with a regex pattern that should match the resulting exception.
 *
 * Two entries are registered: the bytes as given and their base 64 text.
 *
 * @param payloadBytes The bytes that should trigger an exception when deserialized using the target library/API.
 * @param indicatorPattern A regex pattern that matches the resulting exception and is used to detect vulnerable targets.
 ******************/
protected void registerActiveScanExceptionPayload(byte[] payloadBytes, Pattern indicatorPattern) {
    // First entry: the bytes exactly as supplied.
    final ExceptionPayload rawVariant = new ExceptionPayload(payloadBytes, indicatorPattern);
    _exceptionBasedPayloads.add(rawVariant);

    // Second entry: the same bytes as base 64 text.
    final String base64Text = _helpers.base64Encode(payloadBytes);
    final ExceptionPayload base64Variant = new ExceptionPayload(_helpers.stringToBytes(base64Text), indicatorPattern);
    _exceptionBasedPayloads.add(base64Variant);
}
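/**
 * Returns a copy of {@code request} in which the value of {@code header}
 * is replaced by {@code value}.
 *
 * <p>The header is located with {@code getHeaderOffsets}. Bytes before
 * {@code offsets[1]} and from {@code offsets[2]} onwards are copied
 * unchanged, and {@code value} is written between them.
 *
 * @param request the raw request bytes
 * @param header the name of the header to change
 * @param value the new header value
 * @return the rewritten request
 * @throws RuntimeException if the header cannot be located or the new
 *         request cannot be assembled
 */
public static byte[] setHeader(byte[] request, String header, String value) {
    int[] offsets = getHeaderOffsets(request, header);
    // Explicit check instead of catching NullPointerException.
    // Assumes getHeaderOffsets returns null for a missing header, as the
    // original handler implied; confirm against that method.
    if (offsets == null) {
        // NOTE(review): this writes the complete request to the extension
        // output, which can include cookies, tokens or credentials. Consider
        // logging only the header name.
        Utilities.out("header locating fail: "+header);
        Utilities.out("'"+helpers.bytesToString(request)+"'");
        throw new RuntimeException("Can't find the header");
    }

    ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
    try {
        outputStream.write(Arrays.copyOfRange(request, 0, offsets[1]));
        outputStream.write(helpers.stringToBytes(value));
        outputStream.write(Arrays.copyOfRange(request, offsets[2], request.length));
        return outputStream.toByteArray();
    } catch (IOException e) {
        // Keep the cause so the failure can be traced.
        throw new RuntimeException("Request creation unexpectedly failed", e);
    }
}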
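/**
 * Returns a copy of {@code request} in which the value of {@code header}
 * is replaced by {@code value}.
 *
 * <p>The header is located with {@code getHeaderOffsets}. Bytes before
 * {@code offsets[1]} and from {@code offsets[2]} onwards are copied
 * unchanged, and {@code value} is written between them.
 *
 * @param request the raw request bytes
 * @param header the name of the header to change
 * @param value the new header value
 * @return the rewritten request
 * @throws RuntimeException if the header cannot be located or the new
 *         request cannot be assembled
 */
public static byte[] setHeader(byte[] request, String header, String value) {
    int[] offsets = getHeaderOffsets(request, header);
    // Explicit check instead of catching NullPointerException.
    // Assumes getHeaderOffsets returns null for a missing header, as the
    // original handler implied; confirm against that method.
    if (offsets == null) {
        // NOTE(review): this writes the complete request to the extension
        // output, which can include cookies, tokens or credentials. Consider
        // logging only the header name.
        Utilities.out("header locating fail: "+header);
        Utilities.out("'"+helpers.bytesToString(request)+"'");
        throw new RuntimeException("Can't find the header");
    }

    ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
    try {
        outputStream.write(Arrays.copyOfRange(request, 0, offsets[1]));
        outputStream.write(helpers.stringToBytes(value));
        outputStream.write(Arrays.copyOfRange(request, offsets[2], request.length));
        return outputStream.toByteArray();
    } catch (IOException e) {
        // Keep the cause so the failure can be traced.
        throw new RuntimeException("Request creation unexpectedly failed", e);
    }
}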
/*******************
 * Adds a raw byte payload to the exception-based active scan list, paired
 * with a string that appears in the resulting exception and indicates a
 * vulnerable target.
 *
 * Two entries are registered: the bytes as given and their base 64 text.
 *
 * @param payloadBytes The bytes that should trigger an exception when deserialized using the target library/API.
 * @param indicatorStr A string from that exception that is used to detect vulnerable targets.
 ******************/
protected void registerActiveScanExceptionPayload(byte[] payloadBytes, String indicatorStr) {
    // First entry: the bytes exactly as supplied.
    final ExceptionPayload rawVariant = new ExceptionPayload(payloadBytes, indicatorStr);
    _exceptionBasedPayloads.add(rawVariant);

    // Second entry: the same bytes as base 64 text.
    final String base64Text = _helpers.base64Encode(payloadBytes);
    final ExceptionPayload base64Variant = new ExceptionPayload(_helpers.stringToBytes(base64Text), indicatorStr);
    _exceptionBasedPayloads.add(base64Variant);
}
/**
 * Rewrites the Content-Length header so that it equals the number of bytes
 * after the body start, when the request contains the text
 * {@code "Content-Length: "}.
 *
 * @param request the raw request bytes
 * @return the request with an updated Content-Length value, or the same
 *         array when the marker text is not found
 */
public static byte[] fixContentLength(byte[] request) {
    // NOTE(review): the marker is searched for in the whole request, so a match
    // in the body also counts. Whether other header casing is matched depends
    // on countMatches; confirm.
    final byte[] headerMarker = helpers.stringToBytes("Content-Length: ");
    if (countMatches(request, headerMarker) <= 0) {
        return request;
    }
    final int bodyStart = Utilities.getBodyStart(request);
    final String bodyLength = Integer.toString(request.length - bodyStart);
    return setHeader(request, "Content-Length", bodyLength);
}
/**
 * Rewrites the Content-Length header so that it equals the number of bytes
 * after the body start, when the request contains the text
 * {@code "Content-Length: "}.
 *
 * @param request the raw request bytes
 * @return the request with an updated Content-Length value, or the same
 *         array when the marker text is not found
 */
public static byte[] fixContentLength(byte[] request) {
    // NOTE(review): the marker is searched for in the whole request, so a match
    // in the body also counts. Whether other header casing is matched depends
    // on countMatches; confirm.
    final byte[] headerMarker = helpers.stringToBytes("Content-Length: ");
    if (countMatches(request, headerMarker) <= 0) {
        return request;
    }
    final int bodyStart = Utilities.getBodyStart(request);
    final String bodyLength = Integer.toString(request.length - bodyStart);
    return setHeader(request, "Content-Length", bodyLength);
}
/**
 * Builds a request that carries all of {@code params} at once.
 *
 * <p>A placeholder parameter with an empty value is added to {@code request}
 * through the Burp helpers. The placeholder's {@code name=} text is then
 * replaced by the merged parameter text, and Content-Length is corrected.
 *
 * @param params the parameters to merge, as accepted by {@code prepBulkParams}
 * @return the rebuilt request bytes
 */
public byte[] buildBulkRequest(ArrayList<String> params) {
    final String placeholderName = "TCZqBcS13SA8QRCpW";
    final String mergedParams = prepBulkParams(params);

    final IParameter placeholder = Utilities.helpers.buildParameter(placeholderName, "", type);
    final byte[] withPlaceholder = Utilities.helpers.updateParameter(request, placeholder);

    // NOTE(review): the merged text is spliced in as raw bytes after the helper
    // has built the request, so any encoding has to come from prepBulkParams;
    // confirm. A request that already contains the placeholder text would be
    // affected too, depending on how Utilities.replace treats multiple matches.
    final byte[] placeholderBytes = Utilities.helpers.stringToBytes(placeholderName+"=");
    final byte[] mergedBytes = Utilities.helpers.stringToBytes(mergedParams);
    final byte[] spliced = Utilities.replace(withPlaceholder, placeholderBytes, mergedBytes);
    return Utilities.fixContentLength(spliced);
}
/**
 * Sends one out-of-band probe for the given insertion point and records it
 * for later correlation.
 *
 * <p>A SHA hex digest of the base64-encoded base request is logged and
 * substituted for {@code {{HASH}}} in {@code DNS_LOOKUP_SERVER}. The result
 * is placed at the insertion point and the request is sent. The exchange is
 * stored in {@code requestedInsertionPoints} under the digest.
 *
 * @param baseRequestResponse the base exchange being scanned
 * @param insertionPoint where the lookup value is injected
 * @return always {@code null}; no issue is reported here because the result
 *         is looked up on the DNS lookup server later
 */
@Override
public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
    // The digest is only a correlation id, not a security control.
    // NOTE(review): it depends on the base request alone, so every insertion
    // point of the same request gets the same id. If requestedInsertionPoints
    // is a map, later probes replace earlier ones; confirm.
    final byte[] originalRequest = baseRequestResponse.getRequest();
    final String hash = DigestUtils.shaHex(helpers.base64Encode(originalRequest));
    log.info("SSRF_HASH: " + hash);

    // Build the injected value from the lookup server template and the id.
    final String lookupValue = DNS_LOOKUP_SERVER.replace("{{HASH}}", hash);
    final byte[] probeRequest = insertionPoint.buildRequest(helpers.stringToBytes(lookupValue));
    final IHttpRequestResponse probeExchange = callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), probeRequest);
    requestedInsertionPoints.put(hash, probeExchange);

    // The outcome is checked against the DNS lookup server later.
    return null;
}
/**
 * Sends {@code probe} wrapped in random anchors and returns how the
 * response transformed it.
 *
 * <p>The request carries {@code left + two backslashes + middle + probe + right}.
 * The response is handed to {@code getTransformationResults} with
 * {@code left + one backslash + middle} as the leading anchor and
 * {@code right} as the trailing anchor.
 *
 * @param baseRequestResponse the base exchange that supplies the HTTP service
 * @param insertionPoint where the wrapped probe is injected
 * @param probe the text whose handling is being recorded
 * @return the results from {@code getTransformationResults}
 */
private HashSet<String> recordHandling(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint, String probe) {
    // Anchor order matters: each call consumes randomness in sequence.
    final String left = Utilities.randomString(3);
    final String middle = "z"+Integer.toString(Utilities.rnd.nextInt(9));
    final String right = "z"+Utilities.randomString(3);

    final String wrappedProbe = left + "\\\\" + middle + probe + right;
    // NOTE(review): getBytes() uses the platform default charset, unlike the
    // helpers.stringToBytes calls elsewhere in this method; confirm this is intended.
    final byte[] wrappedBytes = wrappedProbe.getBytes();
    // Alternative kept from the original: Utilities.buildRequest(baseRequestResponse, insertionPoint, payload)
    final IHttpRequestResponse attack = callbacks.makeHttpRequest(
            baseRequestResponse.getHttpService(),
            insertionPoint.buildRequest(wrappedBytes));

    final String expectedLead = left + "\\" + middle;
    final byte[] filtered = Utilities.filterResponse(attack.getResponse());
    final byte[] normalised = helpers.stringToBytes(helpers.bytesToString(filtered));
    return getTransformationResults(expectedLead, right, normalised);
}
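/**
 * Reports whether the body of this response has probably been seen before,
 * and remembers it when it has not.
 *
 * <p>The body is everything after the offset from {@code analyzeResponse}.
 * Its 32-bit murmur3 hash, as a string, is checked against and then added to
 * {@code dubBloomFilter}.
 *
 * <p>NOTE(review): a 32-bit hash and a {@code mightContain} check can both
 * report a match for a body that was never seen. A {@code true} result means
 * "probably a duplicate", so distinct responses can occasionally be skipped.
 *
 * @param messageInfo the exchange whose response body is checked
 * @return {@code true} when the filter reports the body hash as present;
 *         {@code false} when it does not, or when the filter is unset, there
 *         is no response, or the response has no body
 */
public boolean isFullDuplicate(IHttpRequestResponse messageInfo) {
    // Nothing to compare against: skip parsing the response altogether.
    if (dubBloomFilter == null) {
        return false;
    }
    byte[] response = messageInfo.getResponse();
    if (response == null) {
        return false;
    }

    IResponseInfo respInfo = helpers.analyzeResponse(response);
    int bodyOffset = respInfo.getBodyOffset();
    // Convert once and reuse for both the length check and the substring.
    String responseText = helpers.bytesToString(response);
    if (responseText.length() <= bodyOffset) {
        return false;
    }

    /* full-dub detection */
    String body = responseText.substring(bodyOffset);
    String dedupHashValue = Hashing.murmur3_32().hashBytes(helpers.stringToBytes(body)).toString();
    if (dubBloomFilter.mightContain(dedupHashValue)) {
        return true;
    }
    // NOTE(review): the check and the put are separate steps; if this runs on
    // several threads, two identical bodies can both be reported as new.
    dubBloomFilter.put(dedupHashValue);
    return false;
}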
/**
 * Sends the insertion point's base value followed by
 * {@code leftAnchor + payload + rightAnchor} and wraps the exchange in an
 * {@code Attack}.
 *
 * @param baseRequestResponse the base exchange that supplies the HTTP service
 * @param insertionPoint where the anchored payload is appended to the base value
 * @param leftAnchor marker placed before the payload
 * @param payload the text being tested
 * @param rightAnchor marker placed after the payload
 * @return an {@code Attack} holding the highlighted exchange and the payload
 */
static Attack buildTransformationAttack(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint, String leftAnchor, String payload, String rightAnchor) {
    // The same anchored text is sent and later used for highlighting.
    final String anchored = leftAnchor + payload + rightAnchor;
    final IHttpRequestResponse sent = attemptRequest(
            baseRequestResponse.getHttpService(),
            insertionPoint.buildRequest(helpers.stringToBytes(insertionPoint.getBaseValue() + anchored)));
    return new Attack(
            Utilities.highlightRequestResponse(sent, leftAnchor, anchored, insertionPoint),
            null,
            payload,
            "");
}
/**
 * Sends the insertion point's base value followed by
 * {@code leftAnchor + payload + rightAnchor} and wraps the exchange in an
 * {@code Attack}.
 *
 * @param baseRequestResponse the base exchange that supplies the HTTP service
 * @param insertionPoint where the anchored payload is appended to the base value
 * @param leftAnchor marker placed before the payload
 * @param payload the text being tested
 * @param rightAnchor marker placed after the payload
 * @return an {@code Attack} holding the highlighted exchange and the payload
 */
static Attack buildTransformationAttack(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint, String leftAnchor, String payload, String rightAnchor) {
    // The same anchored text is sent and later used for highlighting.
    final String anchored = leftAnchor + payload + rightAnchor;
    final IHttpRequestResponse sent = attemptRequest(
            baseRequestResponse.getHttpService(),
            insertionPoint.buildRequest(helpers.stringToBytes(insertionPoint.getBaseValue() + anchored)));
    return new Attack(
            Utilities.highlightRequestResponse(sent, leftAnchor, anchored, insertionPoint),
            null,
            payload,
            "");
}