
《Python黑帽子:黑客与渗透测试编程之道》读书笔记(五):扩展burp代理

时间:2020-06-01 05:25:19


目录

前言 · 1、burp的fuzz脚本 · 2、burp中利用Bing服务 · 3、利用网站内容生成密码字典 · 结语

前言

《Python黑帽子:黑客与渗透测试编程之道》的读书笔记,会包括书中源码,并自己将其中一些改写成Python3版本。书比较老了,不过还是一本很好的书。

本篇是第6章扩展burp代理,包括利用劫持的HTTP请求作为fuzz的原始链接,与Bing结合搜索子域名或旁站

1、burp的fuzz脚本

使用burp的扩展工具,创建一个简单的fuzz工具

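#!/usr/bin/env python
#-*- coding:utf8 -*-
# Burp Intruder payload generator. This runs inside Burp's Jython interpreter
# (Python 2 syntax), which is why the Java/Burp imports below resolve.
# IBurpExtender is required for any extension; the other two interfaces are
# the Intruder payload-generator hooks this extension implements.
from burp import IBurpExtender
from burp import IIntruderPayloadGeneratorFactory
from burp import IIntruderPayloadGenerator
from java.util import List, ArrayList
import random


class BurpExtender(IBurpExtender, IIntruderPayloadGeneratorFactory):
    """Entry point Burp loads; registers BHPFuzzer as an Intruder payload source."""

    def registerExtenderCallbacks(self, callbacks):
        """Keep the Burp callbacks/helpers and register this factory with Intruder.

        Without registerIntruderPayloadGeneratorFactory, Intruder never asks
        this extension for payloads.
        """
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.registerIntruderPayloadGeneratorFactory(self)

    def getGeneratorName(self):
        """Return the name Intruder lists for this generator."""
        return "BHP Payload Generator"

    def createNewInstance(self, attack):
        """Return a fresh IIntruderPayloadGenerator (BHPFuzzer) for one attack."""
        return BHPFuzzer(self, attack)


class BHPFuzzer(IIntruderPayloadGenerator):
    """Payload generator that hands Intruder mutated copies of the base payload.

    max_payload bounds how many payloads are produced per attack;
    num_iterations counts how many have been handed out so far.
    """

    def __init__(self, extender, attack):
        self._extender = extender
        self._helpers = extender._helpers
        self._attack = attack
        self.max_payload = 1000
        self.num_iterations = 0

    def hasMorePayloads(self):
        """Tell Intruder whether the per-attack payload budget is still open."""
        return self.num_iterations < self.max_payload

    def getNextPayload(self, current_payload):
        """Return one mutated payload built from Intruder's base payload.

        current_payload arrives as a Java byte array; it is turned into a
        Python string, mutated, and counted against max_payload.
        """
        # Java bytes are signed; masking keeps chr() inside 0..255 for
        # non-ASCII base payloads (a no-op for plain ASCII).
        payload = "".join(chr(x & 0xff) for x in current_payload)
        payload = self.mutate_payload(payload)
        self.num_iterations += 1
        return payload

    def reset(self):
        """Restart the payload budget (Intruder calls this between runs)."""
        self.num_iterations = 0

    def mutate_payload(self, original_payload):
        """Return one randomly mutated copy of original_payload.

        One of three mutations is applied at a random offset: a single quote
        (the book's SQL-injection probe), a script tag (its XSS probe), or a
        repeated slice of the payload's tail. The bytes from the offset
        onward are always appended back, so the original content is kept
        around the inserted material.
        """
        # An empty base payload has no valid offset (randint(0, -1) raises),
        # so it is returned unchanged.
        if not original_payload:
            return original_payload

        picker = random.randint(1, 3)
        offset = random.randint(0, len(original_payload) - 1)
        head = original_payload[:offset]
        tail = original_payload[offset:]

        if picker == 1:
            insert = "'"
        elif picker == 2:
            insert = "<script>alert('xss');</script>"
        else:
            # The book sized the chunk from the truncated prefix, which gives
            # randint(0, offset - 1) and raises ValueError whenever offset is
            # 0. Size it from the tail that is actually repeated instead; the
            # tail is never empty because offset <= len(original_payload) - 1.
            chunk_length = random.randint(1, len(tail))
            repeater = random.randint(1, 10)
            insert = tail[:chunk_length] * repeater

        return head + insert + tail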

2、burp中利用Bing服务

使用Bing的API程序化提交查询,搜索子域名和旁站

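#!/usr/bin/env python
#-*- coding:utf8 -*-
# Burp context-menu extension: looks up the selected host on Bing to find
# other sites on the same IP and subdomains of the same domain. This runs
# inside Burp's Jython interpreter (Python 2 syntax: urllib.quote, str bodies).
from burp import IBurpExtender
from burp import IContextMenuFactory
from javax.swing import JMenuItem
from java.util import List, ArrayList
from java.net import URL
import os
import socket
import urllib
import json
import re
import base64

# Bing API key. Reading it from the environment keeps the secret out of the
# extension source; the literal is the book's placeholder, not a working key.
# (BING_API_KEY is a variable name chosen here, not a Burp convention.)
bing_api_key = os.environ.get("BING_API_KEY", "你的密钥")

# PLACEHOLDER: the API host name was lost from the original listing (only
# "api." survived). Set this to the Bing Search API host you actually use.
bing_api_host = "api.BING-API-HOST-PLACEHOLDER"

# Anchored dotted-quad check. The book's pattern was unanchored, so a name
# such as "1.2.3.4.example" would have been treated as an IP address.
IPV4_RE = re.compile(r"^[0-9]+(?:\.[0-9]+){3}$")


class BurpExtender(IBurpExtender, IContextMenuFactory):
    """Registers the "Send to Bing" context-menu entry."""

    def registerExtenderCallbacks(self, callbacks):
        """Keep the Burp callbacks/helpers and register the context-menu factory."""
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        self.context = None
        callbacks.setExtensionName("Use Bing")
        callbacks.registerContextMenuFactory(self)

    def createMenuItems(self, context_menu):
        """Build the menu; clicking the item runs bing_menu (actionPerformed)."""
        self.context = context_menu
        menu_list = ArrayList()
        menu_list.add(JMenuItem("Send to Bing", actionPerformed=self.bing_menu))
        return menu_list

    def bing_menu(self, event):
        """Run a Bing lookup for the host of every highlighted request."""
        http_traffic = self.context.getSelectedMessages()
        print("%d requests highlighted" % len(http_traffic))
        for traffic in http_traffic:
            host = traffic.getHttpService().getHost()
            print("User selected host: %s" % host)
            self.bing_search(host)

    def bing_search(self, host):
        """Query Bing for the host's IP neighbours and, for a name, its subdomains.

        A dotted-quad host is used as-is; anything else is resolved first and
        also gets a second "domain:" query. A failed DNS lookup is reported
        and the host skipped instead of aborting the whole menu action.
        """
        if IPV4_RE.match(host):
            ip_address = host
            domain = False
        else:
            try:
                ip_address = socket.gethostbyname(host)
            except socket.error as err:
                print("Could not resolve %s: %s" % (host, err))
                return
            domain = True

        # Other virtual hosts sharing the same IP address.
        self.bing_query("'ip:%s'" % ip_address)

        # Second pass for a domain name: enumerate its subdomains.
        if domain:
            self.bing_query("'domain:%s'" % host)

    def bing_query(self, bing_query_string):
        """Send one Bing query through Burp and add each result URL to scope.

        NOTE: every URL Bing returns is added to Burp's target scope without
        confirmation; review the scope afterwards, since results can include
        hosts that are not part of the engagement.
        """
        print("Performing Bing search: %s" % bing_query_string)
        # Percent-encode the query (urllib.quote('ab c') -> 'ab%20c').
        quoted_query = urllib.quote(bing_query_string)

        http_request = "GET https://%s/Bing/Search/Web?$format=json&$top=20&Query=%s HTTP/1.1\r\n" % (bing_api_host, quoted_query)
        http_request += "Host: %s\r\n" % bing_api_host
        http_request += "Connection: close\r\n"
        # The API authenticates with HTTP Basic and an empty user name, so the
        # credential is base64(":" + key).
        http_request += "Authorization: Basic %s\r\n" % base64.b64encode(":%s" % bing_api_key)
        http_request += "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36\r\n\r\n"

        raw_response = self._callbacks.makeHttpRequest(bing_api_host, 443, True, http_request).tostring()
        # Drop the response headers; only the body is JSON. A response with
        # no header/body separator used to raise IndexError here.
        _, separator, json_body = raw_response.partition("\r\n\r\n")
        if not separator:
            print("Malformed response from Bing (no body)")
            return

        try:
            results = json.loads(json_body)["d"]["results"]
        except (ValueError, KeyError, TypeError) as err:
            # The book caught everything here and reported "No results";
            # a parse failure and an empty result set are now told apart.
            print("Could not parse Bing response: %s" % err)
            return

        if not results:
            print("No results from Bing")
            return

        for site in results:
            try:
                title, url, description = site['Title'], site['Url'], site['Description']
            except (KeyError, TypeError):
                print("Skipping malformed result: %r" % (site,))
                continue
            print("*" * 100)
            print(title)
            print(url)
            print(description)
            print("*" * 100)
            j_url = URL(url)
            # Add the site to Burp's target scope if it is not there yet.
            if not self._callbacks.isInScope(j_url):
                print("Adding to Burp scope")
                self._callbacks.includeInScope(j_url)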

3、利用网站内容生成密码字典

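#!/usr/bin/env python
#-*- coding:utf8 -*-
# Burp context-menu extension: builds a password wordlist from the text of
# the selected responses. This runs inside Burp's Jython interpreter
# (Python 2 syntax; HTMLParser is the Python 2 module name).
from burp import IBurpExtender
from burp import IContextMenuFactory
from javax.swing import JMenuItem
from java.util import List, ArrayList
from java.net import URL
import re
from datetime import datetime
from HTMLParser import HTMLParser

# A letter followed by two or more word characters (letters, digits, "_").
WORD_RE = re.compile(r"[a-zA-Z]\w{2,}")
# Longer tokens are dropped (the book used 12; the note's author raised it to 15).
MAX_WORD_LENGTH = 15


class TagStripper(HTMLParser):
    """Collect the text and comment nodes of an HTML document, tags removed."""

    def __init__(self):
        HTMLParser.__init__(self)
        self.page_text = []

    def handle_data(self, data):
        # Called for the text between two tags.
        self.page_text.append(data)

    def handle_comment(self, data):
        # HTML comments are treated like ordinary text.
        self.handle_data(data)

    def strip(self, html):
        """Feed html through the parser and return the accumulated text."""
        self.feed(html)
        return "".join(self.page_text)


class BurpExtender(IBurpExtender, IContextMenuFactory):
    """Registers the wordlist menu entry and accumulates words across clicks."""

    def registerExtenderCallbacks(self, callbacks):
        """Keep the Burp callbacks/helpers, seed the wordlist and register the menu."""
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        self.context = None
        self.hosts = set()
        # A set, so the list holds no duplicates; seeded with one very common password.
        self.wordlist = set(["password"])
        callbacks.setExtensionName("Build Wordlist")
        callbacks.registerContextMenuFactory(self)

    def createMenuItems(self, context_menu):
        """Add the menu entry; clicking it runs wordlist_menu."""
        self.context = context_menu
        menu_list = ArrayList()
        # Label kept exactly as in the book, including the "Bulid" spelling.
        menu_list.add(JMenuItem("Bulid Wordlist", actionPerformed=self.wordlist_menu))
        return menu_list

    def wordlist_menu(self, event):
        """Harvest words from every highlighted response, then print the list."""
        http_traffic = self.context.getSelectedMessages()
        for traffic in http_traffic:
            self.hosts.add(traffic.getHttpService().getHost())
            http_response = traffic.getResponse()
            # A request without a recorded response contributes nothing.
            if http_response:
                self.get_words(http_response)
        self.display_wordlist()

    def get_words(self, http_response):
        """Add the words found in one text response body to self.wordlist."""
        raw = http_response.tostring()
        # A response with no header/body separator used to raise ValueError on
        # unpacking; it has no body to mine, so it is skipped instead.
        headers, separator, body = raw.partition("\r\n\r\n")
        if not separator:
            return
        # Only text content types are mined.
        if "content-type: text" not in headers.lower():
            return
        page_text = TagStripper().strip(body)
        for word in WORD_RE.findall(page_text):
            if len(word) <= MAX_WORD_LENGTH:
                self.wordlist.add(word.lower())

    def mangle(self, word):
        """Return the variants of word: as-is and capitalised, each with no
        suffix, "1", "!", and the current year appended."""
        year = datetime.now().year
        suffixes = ["", "1", "!", year]
        return ["%s%s" % (base, suffix)
                for base in (word, word.capitalize())
                for suffix in suffixes]

    def display_wordlist(self):
        """Print a comment header naming the hosts, then one candidate per line."""
        print("#!comment: BHP Wordlist for site(s) %s" % ", ".join(self.hosts))
        for word in sorted(self.wordlist):
            for password in self.mangle(word):
                print(password)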

结语

burp的扩展脚本
