Burp模糊测试

# 放入burpsuite运行时不能出现中文 (Jython refuses a source file with undeclared non-ASCII text: strip these Chinese comments, or add a "# -*- coding: utf-8 -*-" first line, before loading the extension in Burp)

from burp import IBurpExtender
from burp import IIntruderPayloadGeneratorFactory
from burp import IIntruderPayloadGenerator

from java.util import List, ArrayList

import random


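class BurpExtender(IBurpExtender, IIntruderPayloadGeneratorFactory):
    """Burp extension entry point that registers a custom Intruder payload generator.

    Burp instantiates this class once when the extension is loaded; the
    generator it hands out (``BHPFuzzer``) is defined elsewhere in this file.
    """

    def registerExtenderCallbacks(self, callbacks):
        """Called by Burp on load; keep the callbacks/helpers and register the factory.

        Args:
            callbacks: Burp's ``IBurpExtenderCallbacks`` instance.
        """
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()

        # Name the extension so it is identifiable in the Extender tab
        # (mirrors what the wordlist extension in this file does).
        callbacks.setExtensionName("BHP Payload Generator")

        # Register this object as an Intruder payload generator factory.
        callbacks.registerIntruderPayloadGeneratorFactory(self)

    def getGeneratorName(self):
        """Return the label shown in Intruder's payload-type dropdown."""
        return "BHP Payload Generator"

    def createNewInstance(self, attack):
        """Return a fresh ``IIntruderPayloadGenerator`` for one Intruder attack.

        Args:
            attack: the ``IIntruderAttack`` describing the attack being launched.
        """
        return BHPFuzzer(self, attack)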


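class BHPFuzzer(IIntruderPayloadGenerator):
    """Intruder payload generator that emits random mutations of the base payload.

    Each call to ``getNextPayload`` takes the payload Burp supplies and
    splices one of three things in at a random offset: a single quote
    (SQL-injection probe), a reflected-XSS probe, or a repeated slice of the
    payload itself (length / overflow probe). Mutation uses ``random``,
    which is fine for fuzzing but is not a CSPRNG; do not reuse this code
    for anything security-sensitive such as token generation.
    """

    def __init__(self, extender, attack):
        """Keep references to the extender (for ``_helpers``) and the attack.

        Args:
            extender: the ``BurpExtender`` that created this generator.
            attack: the ``IIntruderAttack`` this generator feeds.
        """
        self._extender = extender
        self._helpers = extender._helpers
        self._attack = attack
        # Upper bound on payloads per attack; Intruder stops asking once
        # hasMorePayloads() returns False.
        self.max_payloads = 1000
        self.num_payloads = 0

    def hasMorePayloads(self):
        """Tell Intruder whether another payload is available.

        Uses ``<`` rather than ``== max`` so the generator also stops if
        ``num_payloads`` ever overshoots ``max_payloads``.
        """
        return self.num_payloads < self.max_payloads

    def getNextPayload(self, current_payload):
        """Return one mutated payload.

        Args:
            current_payload: the base payload from Burp as a Java ``byte[]``.

        Returns:
            A Java ``byte[]`` holding the mutated payload.
        """
        # bytesToString() handles the full 0x00-0xFF range. The previous
        # chr(x)-per-element conversion raised ValueError for any byte
        # >= 0x80, because Jython exposes Java byte[] elements as signed
        # ints.
        payload = self._helpers.bytesToString(current_payload)

        payload = self.mutate_payload(payload)

        self.num_payloads += 1

        # Hand back a real byte[] rather than relying on Jython's implicit
        # str -> byte[] coercion at the Java boundary.
        return self._helpers.stringToBytes(payload)

    def reset(self):
        """Rewind so the same generator can be reused for another run."""
        self.num_payloads = 0

    def mutate_payload(self, original_payload):
        """Return ``original_payload`` with one random mutation spliced in.

        Args:
            original_payload: the base payload as a str.

        Returns:
            The mutated payload as a str; the input is never modified.
        """
        # An empty base payload has no split point; random.randint(0, -1)
        # below would raise, so just emit one of the fixed probes.
        if not original_payload:
            return random.choice(["'", "<script>alert('BHP!');</script>"])

        picker = random.randint(1, 3)

        # offset <= len - 1, so `tail` is always non-empty.
        offset = random.randint(0, len(original_payload) - 1)
        head = original_payload[:offset]
        tail = original_payload[offset:]

        if picker == 1:
            # SQL-injection probe: an unbalanced quote.
            injected = "'"
        elif picker == 2:
            # Reflected-XSS probe.
            injected = "<script>alert('BHP!');</script>"
        else:
            # Length/overflow probe: repeat a random slice of the remainder
            # 1-10 times. The bounds used to be computed from `head`, which
            # made randint(0, -1) raise whenever offset == 0 and otherwise
            # allowed an empty (zero-length) chunk.
            chunk_length = random.randint(1, len(tail))
            repeater = random.randint(1, 10)
            injected = tail[:chunk_length] * repeater

        return head + injected + tail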

在burp中利用Bing服务

申请Bing API过程中需要绑定的信用卡均没有,暂时无法进行试验

利用网站内容生成密码字典

from burp import IBurpExtender
from burp import IContextMenuFactory

from javax.swing import JMenuItem
from java.util import List, ArrayList
from java.net import URL

import re
from datetime import datetime
from HTMLParser import HTMLParser


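class TagStripper(HTMLParser):
    """Collect the visible text and the comment text of an HTML document.

    Comments are kept on purpose: developer comments often leak internal
    names (hostnames, usernames, project code names) that make good
    wordlist candidates.
    """

    def __init__(self):
        HTMLParser.__init__(self)
        # Text fragments in document order, one per text node / comment.
        self.page_text = []

    def handle_data(self, data):
        """Record one text node."""
        self.page_text.append(data)

    def handle_comment(self, data):
        """Record an HTML comment's body as if it were text."""
        self.handle_data(data)

    def strip(self, html):
        """Feed ``html`` through the parser and return the collected text.

        Args:
            html: the response body as a str.

        Returns:
            All text nodes and comments joined with a single space. A space
            separator (rather than "") keeps adjacent nodes such as
            ``<li>admin</li><li>root</li>`` from fusing into "adminroot",
            which previously produced bogus wordlist entries.
        """
        self.feed(html)
        # close() flushes any text the parser is still buffering.
        self.close()
        return " ".join(self.page_text)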


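class BurpExtender(IBurpExtender, IContextMenuFactory):
    """Context-menu extension that builds a password wordlist from HTTP responses.

    Right-clicking one or more messages and choosing "Create Wordlist"
    extracts word-like tokens from the selected responses' bodies, mangles
    each with a few common suffixes, and prints the result to the
    extension's output tab. Hosts and words accumulate across invocations
    for the life of the extension.
    """

    # First char a letter, then two or more word characters: a plausible
    # identifier / password stem. Compiled once; the raw string avoids the
    # "\w" escape warning.
    _WORD_RE = re.compile(r"[a-zA-Z]\w{2,}")

    # Tokens longer than this are unlikely to be passwords and are dropped.
    _MAX_WORD_LEN = 12

    def registerExtenderCallbacks(self, callbacks):
        """Called by Burp on load; keep the callbacks and register the menu."""
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        self.context = None
        self.hosts = set()

        # Seed the list so the most common password is always tried.
        self.wordlist = {"password"}

        callbacks.setExtensionName("BHP Wordlist")
        callbacks.registerContextMenuFactory(self)

    def createMenuItems(self, context_menu):
        """Return the "Create Wordlist" item Burp shows in the context menu.

        Args:
            context_menu: the ``IContextMenuInvocation`` for this right-click;
                kept so the click handler can read the selected messages.
        """
        self.context = context_menu
        menu_list = ArrayList()
        menu_list.add(JMenuItem("Create Wordlist", actionPerformed=self.wordlist_menu))
        return menu_list

    def wordlist_menu(self, event):
        """Handle the menu click: harvest words from every selected response."""
        http_traffic = self.context.getSelectedMessages()

        for traffic in http_traffic:
            # Record the host the response came from (for the output header).
            self.hosts.add(traffic.getHttpService().getHost())

            http_response = traffic.getResponse()
            # Messages without a response yet (e.g. a request still held in
            # Proxy intercept) have None here.
            if http_response:
                self.get_words(http_response)

        self.display_wordlist()

    def get_words(self, http_response):
        """Extract candidate words from one response body into ``self.wordlist``.

        Args:
            http_response: the raw response as a Java ``byte[]``.

        Only responses whose Content-Type contains "text" are used; note
        that this also skips application/json and application/javascript
        bodies, which may hold useful identifiers.
        """
        raw = self._helpers.bytesToString(http_response)
        headers, sep, body = raw.partition('\r\n\r\n')

        # partition() never raises; the original split(..., 1) unpack blew
        # up with ValueError on a response lacking the header/body separator.
        if not sep:
            return

        if headers.lower().find("content-type: text") == -1:
            return

        page_text = TagStripper().strip(body)

        for word in self._WORD_RE.findall(page_text):
            if len(word) <= self._MAX_WORD_LEN:
                self.wordlist.add(word.lower())

    def mangle(self, word):
        """Return common variants of ``word``.

        The word as-is and capitalised, each with no suffix, "1", "!" and
        the current year appended (8 candidates).
        """
        year = str(datetime.now().year)
        suffixes = ["", "1", "!", year]

        return ["%s%s" % (base, suffix)
                for base in (word, word.capitalize())
                for suffix in suffixes]

    def display_wordlist(self):
        """Print the mangled wordlist, with a comment header, to the output tab."""
        print("#!comment: BHP Wordlist for site(s) %s" % ", ".join(sorted(self.hosts)))

        for word in sorted(self.wordlist):
            for password in self.mangle(word):
                print(password)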