burpsuite插件開發系列_指定參數base64加密替換功能插件


1、指定參數base64加密替換功能插件:
D:\plug_in\base64encode.py

2、為何要開發這個插件?
參考:D:\plug_in\header包頭數據自動替換插件\test1.py
測試禪道的一個 order by 注入時,發現提交的參數是先經 base64 加密後再提交的;由於目標是高版本 MySQL,沒有顯錯式注入可用,手工盲注幾乎是不可能完成的任務,於是想到開發一個 Burp Suite 插件來自動替換指定 URL 中的參數。

3、burpsuite代理神器下設置發包方式:

//sqlmap插件設置方法,這里不討論插件的使用方法,請自行google:
--dbms="mysql" --dbs --users --threads 10 --level 3 --hex --proxy="http://127.0.0.1:8080"

//替換指定參數的效果截圖:

#!/usr/bin/env python
#D:\plug_in\base64encode.py
#coding=utf8
#author:pt007@vip.sina.com

from __future__ import print_function

import base64
import hashlib
import json
import re
import ssl
import string
import sys

from burp import IBurpExtender
from burp import IHttpListener
# 導入 burp 接口
from burp import IProxyListener
from javax.swing import JOptionPane

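def base64encode(m):
    """Return the base64 encoding of the text matched by *m*.

    Used as the replacement callable of ``re.sub``: the whole match,
    ``m.group()``, is encoded. The callers' pattern matches from ``{`` to
    ``}`` inclusive, so the braces themselves end up inside the encoded
    value.

    Args:
        m: a ``re`` match object over text (``str``/``unicode``) or ``bytes``.

    Returns:
        Standard-alphabet base64 of the match, as ``bytes`` for a bytes
        match and as text otherwise, so ``re.sub`` can splice it back into
        the subject. The result is not URL-encoded: ``+``, ``/`` and ``=``
        are emitted as-is.
    """
    matched = m.group()
    if isinstance(matched, bytes):
        # Python 2 ``str`` (the Jython/Burp case) and Python 3 ``bytes``.
        return base64.b64encode(matched)
    # Text input: encode explicitly. b64encode accepts only bytes on
    # Python 3, and on Python 2 it would implicitly fall back to ASCII.
    return base64.b64encode(matched.encode("utf-8")).decode("ascii")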

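class BurpExtender(IBurpExtender, IHttpListener, IProxyListener):
    """Burp extension that base64-encodes the ``{...}`` span of the request line.

    It is registered both as an HTTP listener (Proxy and Intruder traffic)
    and as a proxy listener. On each outgoing request the first header --
    the request line -- is searched for ``{...}``; the match, braces
    included, is replaced by its base64 form via ``base64encode`` and the
    rebuilt request is stored back with ``setRequest``. Responses are only
    printed.

    Notes for maintainers:

    * The pattern is greedy (``{.*}``): it spans from the first ``{`` to the
      last ``}`` on the request line, so a JSON object with nested braces
      is encoded as one unit. A Proxy request may be seen by both
      listeners; because base64 output contains no braces, a second pass
      finds nothing and leaves the line unchanged.
    * Every handled request and response -- headers and body -- is printed
      to the extension's output. That log carries cookies, tokens and any
      other secret present in the traffic; treat it accordingly.
    """

    def registerExtenderCallbacks(self, callbacks):
        """Keep the callbacks/helpers and register both listeners.

        Args:
            callbacks: the ``IBurpExtenderCallbacks`` handed over by Burp.
        """
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("base64encode")
        callbacks.registerHttpListener(self)
        callbacks.registerProxyListener(self)

    def _split_request(self, request):
        """Return ``(headers, body)`` for the raw *request* bytes.

        ``headers`` is the mutable header list from ``analyzeRequest``
        (index 0 is the request line); ``body`` is the body as a string.
        """
        info = self._helpers.analyzeRequest(request)
        body = request[info.getBodyOffset():].tostring()
        return info.getHeaders(), body

    def _encode_request_line(self, headers, body):
        """Base64-encode the ``{...}`` span of ``headers[0]`` and rebuild the message.

        *headers* is modified in place. Returns the raw message produced by
        ``buildHttpMessage``; *body* is passed through untouched.
        """
        headers[0] = re.sub(r'\{.*\}', base64encode, headers[0])
        return self._helpers.buildHttpMessage(headers, body)

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        """IHttpListener hook: rewrite Proxy/Intruder requests, print responses.

        Args:
            toolFlag: the Burp tool the message belongs to; only
                ``TOOL_PROXY`` (4) and ``TOOL_INTRUDER`` (32) are handled.
            messageIsRequest: ``True`` for the outgoing request, ``False``
                for the response.
            messageInfo: the ``IHttpRequestResponse`` to inspect or modify.
        """
        handled = (self._callbacks.TOOL_PROXY, self._callbacks.TOOL_INTRUDER)
        if toolFlag not in handled:
            return

        if messageIsRequest:
            headers, body = self._split_request(messageInfo.getRequest())

            print("\n------------------------------------------Original Header------------------------------------------")
            for header in headers:
                print(header)
            print(body)
            if headers:
                # Debug aid: the Python type Jython gives the Java header strings.
                # Guarded so an empty header list cannot raise NameError here.
                print(type(header))

            print("\n------------------------------------------Replaced Header------------------------------------------")
            messageInfo.setRequest(self._encode_request_line(headers, body))
            # Re-read the stored request so the printout is what Burp will send.
            # (The original parsed it with analyzeResponse; analyzeRequest is
            # the matching helper for a request.)
            sent_headers, _ = self._split_request(messageInfo.getRequest())
            for header in sent_headers:
                print(header)
            print('\n' + body)
        else:
            print("\n------------------------------------------Response------------------------------------------")
            response = messageInfo.getResponse()
            info = self._helpers.analyzeResponse(response)
            for header in info.getHeaders():
                print(header)
            print('\n' + response[info.getBodyOffset():].tostring())
            print("\n-------------------------------------------Response end--------------------------------------")

    def processProxyMessage(self, messageIsRequest, proxyMessage):
        """IProxyListener hook: the "Edited request" step of the Proxy tool.

        Base64-encodes the ``{...}`` span of a proxied request before it
        leaves Burp. Responses are ignored here. Any failure is printed
        rather than raised; since ``setRequest`` runs last, the request
        then continues unmodified.

        Args:
            messageIsRequest: ``True`` for a request, ``False`` for a response.
            proxyMessage: the ``IInterceptedProxyMessage`` wrapping the message.
        """
        if not messageIsRequest:
            return
        messageInfo = proxyMessage.getMessageInfo()
        try:
            headers, body = self._split_request(messageInfo.getRequest())
            edited = self._encode_request_line(headers, body)
            printable = self._helpers.bytesToString(edited)
            print("\n-------------------------------------------Edited request--------------------------------------")
            print("[tmpstr]:\n" + printable.encode('utf-8'))
            messageInfo.setRequest(edited)
            print("\n-------------------------------------------Edited request end-----------------------------------")
        except Exception as e:
            # Best-effort logging only; the proxy must keep flowing.
            print(e)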

 

 

