
Burp Suite API documentation: Python & Java

https://www.cloud.tencent.com/developer/article/1166490

I wanted to write an extension of my own, but after an afternoon of searching I still could not find reasonably detailed Python documentation.

Reading other people's code for reference also left this or that point fuzzy.

After a few games of LOL with friends and another round of searching, I found this write-up, which is fairly decent, so I am recording it here for later use.

 

0x01 Commonly used interfaces in the Burp Suite API

IBurpExtender

This interface declares a single method, registerExtenderCallbacks, which Burp calls once after the extension is loaded. Every extension must implement this interface.

Java signature:

void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks)

Parameters:
callbacks - An IBurpExtenderCallbacks object.

Python usage: in Python you should keep the callbacks object that is passed in, because it is the entry point to the rest of the API (helpers, registering listeners, issuing requests). Only a few of its methods are shown here; see IBurpExtenderCallbacks for the rest.

def registerExtenderCallbacks(self, callbacks):

        # keep a reference to our callbacks object (Burp Extensibility Feature)
        self._callbacks = callbacks
        # obtain an extension helpers object (Burp Extensibility Feature)
        # http://portswigger.net/burp/extender/api/burp/IExtensionHelpers.html
        self._helpers = callbacks.getHelpers()
        # set our extension name that will display in Extender Tab
        self._callbacks.setExtensionName("find JSON callback")
        # register ourselves as an HTTP listener
        callbacks.registerHttpListener(self)

IHttpListener

This interface is implemented to register an HTTP listener (via callbacks.registerHttpListener()) and then process the captured requests and responses. Its processHttpMessage method is where you put custom handling of request and response messages; it is invoked for every request before it is sent and for every response after it is received, for all Burp tools, so filter on toolFlag if you only want some tools' traffic.

Java signature:

void processHttpMessage(int toolFlag,
                      boolean messageIsRequest,
                      IHttpRequestResponse messageInfo)

Parameters:
toolFlag - A flag indicating the Burp tool that issued the request. Burp tool flags are defined in the IBurpExtenderCallbacks interface.
messageIsRequest - Flags whether the method is being invoked for a request or response.
messageInfo - Details of the request / response to be processed. Extensions can call the setter methods on this object to update the current message and so modify Burp's behavior.

Python usage:

def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):

        # only handle traffic from the tools we care about (Proxy, Spider, Scanner, Repeater);
        # the TOOL_* constants are defined in IBurpExtenderCallbacks, so do not hard-code the numbers
        wanted = (self._callbacks.TOOL_PROXY, self._callbacks.TOOL_SPIDER,
                  self._callbacks.TOOL_SCANNER, self._callbacks.TOOL_REPEATER)
        if toolFlag in wanted:
            # determine if request or response:
            if not messageIsRequest:  # only handle responses

                # response data
                response = messageInfo.getResponse()
                analyzedResponse = self._helpers.analyzeResponse(response)  # returns IResponseInfo
                response_headers = analyzedResponse.getHeaders()
                response_bodys = response[analyzedResponse.getBodyOffset():].tostring()

                # request data (use analyzeRequest for the request, not analyzeResponse)
                request = messageInfo.getRequest()
                analyzedRequest = self._helpers.analyzeRequest(request)  # returns IRequestInfo
                request_header = analyzedRequest.getHeaders()
                request_bodys = request[analyzedRequest.getBodyOffset():].tostring()

......

IHttpRequestResponse

This interface gives access to the request and the response of one HTTP message. The response part is only available after the request has been sent: inside processHttpMessage, getResponse() returns null while messageIsRequest is true.

The interface has the methods getComment(), getHighlight(), getHttpService(), getRequest(), getResponse(), setComment(java.lang.String comment), setHighlight(java.lang.String color), setHttpService(IHttpService httpService), setRequest(byte[] message) and setResponse(byte[] message). See the official interface documentation for details.

getHttpService() returns an IHttpService object; to get the protocol, host and port, call the corresponding methods on that object.

Java signature:

IHttpService getHttpService()
This method is used to retrieve the HTTP service for this request / response.
Returns:
An IHttpService object containing details of the HTTP service.

Python usage:

# service details: host and port of the target
                httpService = messageInfo.getHttpService()
                port = httpService.getPort()
                host = httpService.getHost()

IHttpService

This interface describes the HTTP service (the target) that a request is sent to. It has three methods: getHost(), getPort() and getProtocol().

Java signature:

java.lang.String getHost()
This method returns the hostname or IP address for the service.
Returns:
The hostname or IP address for the service.

int getPort()
This method returns the port number for the service.
Returns:
The port number for the service.

java.lang.String getProtocol()
This method returns the protocol for the service.
Returns:
The protocol for the service. Expected values are "http" or "https".

Python usage:

# service details: host and port of the target
                httpService = messageInfo.getHttpService()
                port = httpService.getPort()
                host = httpService.getHost()

IResponseInfo

This interface exposes the details of a response. An IResponseInfo object is obtained from IExtensionHelpers.analyzeResponse(), and the methods below are called on it.

The interface has the methods getBodyOffset(), getCookies(), getHeaders(), getInferredMimeType(), getStatedMimeType() and getStatusCode().

Java signature:

java.util.List<java.lang.String> getHeaders()
This method is used to obtain the HTTP headers contained in the response.
Returns:
The HTTP headers contained in the response.

int getBodyOffset()
This method is used to obtain the offset within the response where the message body begins.
Returns:
The offset within the response where the message body begins.


short getStatusCode()
This method is used to obtain the HTTP status code contained in the response.
Returns:
The HTTP status code contained in the response.


java.util.List<ICookie> getCookies()
This method is used to obtain details of the HTTP cookies set in the response.
Returns:
A list of ICookie objects representing the cookies set in the response, if any.


java.lang.String getStatedMimeType()
This method is used to obtain the MIME type of the response, as stated in the HTTP headers.
Returns:
A textual label for the stated MIME type, or an empty String if this is not known or recognized. The possible labels are the same as those used in the main Burp UI.


java.lang.String getInferredMimeType()
This method is used to obtain the MIME type of the response, as inferred from the contents of the HTTP message body.
Returns:
A textual label for the inferred MIME type, or an empty String if this is not known or recognized. The possible labels are the same as those used in the main Burp UI.

Python usage:

# response data
                response = messageInfo.getResponse()
                analyzedResponse = self._helpers.analyzeResponse(response) # returns IResponseInfo
                response_headers = analyzedResponse.getHeaders()
                response_bodys = response[analyzedResponse.getBodyOffset():].tostring()

IRequestInfo

This interface exposes the details of a request. An IRequestInfo object is obtained from IExtensionHelpers.analyzeRequest(), and the methods below are called on it.

The interface has the methods getBodyOffset(), getContentType(), getHeaders(), getMethod(), getParameters() and getUrl().

Java signature:

java.lang.String getMethod()
This method is used to obtain the HTTP method used in the request.
Returns:
The HTTP method used in the request.

java.net.URL getUrl()
This method is used to obtain the URL in the request.
Returns:
The URL in the request.

java.util.List<java.lang.String> getHeaders()
This method is used to obtain the HTTP headers contained in the request.
Returns:
The HTTP headers contained in the request.

java.util.List<IParameter> getParameters()
This method is used to obtain the parameters contained in the request.
Returns:
The parameters contained in the request.

int getBodyOffset()
This method is used to obtain the offset within the request where the message body begins.
Returns:
The offset within the request where the message body begins.

byte getContentType()
This method is used to obtain the content type of the message body.
Returns:
An indication of the content type of the message body. Available types are defined within this interface.

Python usage:

# request data
                request = messageInfo.getRequest()
                analyzedRequest = self._helpers.analyzeRequest(request)  # returns IRequestInfo
                request_header = analyzedRequest.getHeaders()  # element 0 is the request line
                request_bodys = request[analyzedRequest.getBodyOffset():].tostring()
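To make concrete what analyzeRequest()/analyzeResponse() hand back (a header list whose element 0 is the request or status line, the body offset you slice the raw bytes with, the status code, stated and inferred MIME type, cookies and parameters), here is an added example that models those calls in plain Python so it runs outside Burp. It is not Burp's own code: the function names split_message, analyze_request, analyze_response and infer_mime are my own, the MIME labels are simplified compared to Burp's, and the two sample messages are constructed, not captured from any host.

```python
import re

# Parameter kinds, with the same values as IParameter.PARAM_URL / PARAM_BODY / PARAM_COOKIE
PARAM_URL, PARAM_BODY, PARAM_COOKIE = 0, 1, 2


def split_message(raw):
    """Return (header_lines, body_offset) for a raw HTTP message (bytes).

    Like IRequestInfo/IResponseInfo.getHeaders(), element 0 of the list is the
    request line or status line, not a header. body_offset is the byte index of the
    first body byte, so raw[body_offset:] is exactly the body."""
    idx, width = -1, 0
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = raw.find(sep)
        if idx != -1:
            width = len(sep)
            break
    if idx == -1:               # no blank line: header-only message, empty body
        idx = len(raw)
    lines = raw[:idx].decode("latin-1").splitlines()
    return lines, idx + width


def _pairs(query):
    """'a=1&b=2' -> [('a', '1'), ('b', '2')]; values are left URL-encoded."""
    out = []
    for item in query.split("&"):
        if item:
            name, _, value = item.partition("=")
            out.append((name, value))
    return out


def analyze_request(raw):
    """Model of IExtensionHelpers.analyzeRequest(): method, URL, headers, body offset
    and the URL / body / cookie parameters that getParameters() would list."""
    headers, body_offset = split_message(raw)
    method, target, version = headers[0].split(" ", 2)
    body = raw[body_offset:]
    fields = {}
    for line in headers[1:]:
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    params = []
    if "?" in target:
        params += [(PARAM_URL, n, v) for n, v in _pairs(target.split("?", 1)[1])]
    ctype = fields.get("content-type", [""])[0].lower()
    if ctype.startswith("application/x-www-form-urlencoded"):
        params += [(PARAM_BODY, n, v) for n, v in _pairs(body.decode("latin-1"))]
    for cookie_hdr in fields.get("cookie", []):
        params += [(PARAM_COOKIE, n.strip(), v) for n, v in _pairs(cookie_hdr.replace(";", "&"))]
    return {"method": method, "path": target, "version": version,
            "host": fields.get("host", [""])[0], "headers": headers,
            "body_offset": body_offset, "body": body, "parameters": params}


def infer_mime(body):
    """Rough equivalent of getInferredMimeType(): classify by body content, not headers."""
    s = body.lstrip()
    if s[:1] in (b"{", b"["):
        return "JSON"
    if s[:1] == b"<":
        return "HTML"
    if re.match(rb"[A-Za-z_$][\w$.]*\s*\(", s):   # looks like a JSONP call: name(...)
        return "script"
    return ""


def analyze_response(raw):
    """Model of IExtensionHelpers.analyzeResponse(): status code, headers, body offset,
    the media type stated in Content-Type, an inferred type and the Set-Cookie names/values."""
    headers, body_offset = split_message(raw)
    status = int(headers[0].split(" ", 2)[1])
    stated, cookies = "", []
    for line in headers[1:]:
        name, _, value = line.partition(":")
        lname = name.strip().lower()
        if lname == "content-type":
            stated = value.split(";")[0].strip().lower()
        elif lname == "set-cookie":
            cname, _, cvalue = value.strip().split(";")[0].partition("=")
            cookies.append((cname, cvalue))
    body = raw[body_offset:]
    return {"status": status, "headers": headers, "body_offset": body_offset, "body": body,
            "stated_mime": stated, "inferred_mime": infer_mime(body), "cookies": cookies}


# Constructed sample messages (not captured from any real host)
SAMPLE_REQUEST = (b"POST /api/user?id=7&callback=cb HTTP/1.1\r\n"
                  b"Host: example.test\r\n"
                  b"Cookie: session=abc; theme=dark\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 17\r\n"
                  b"\r\n"
                  b"user=bob&pass=pw1")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: application/javascript; charset=utf-8\r\n"
                   b"Set-Cookie: sid=xyz; Path=/; HttpOnly\r\n"
                   b"Content-Length: 22\r\n"
                   b"\r\n"
                   b'cb({"id":7,"ok":true})')

if __name__ == "__main__":
    req = analyze_request(SAMPLE_REQUEST)
    rsp = analyze_response(SAMPLE_RESPONSE)
    print(req["method"], req["host"], req["path"], req["parameters"])
    print(rsp["status"], rsp["stated_mime"], rsp["inferred_mime"], rsp["cookies"], rsp["body"])
```

The point to take away for the Burp code on this page: getHeaders() starts with the request line (which is why the extension inspects request_header[0]), and getBodyOffset() is a byte offset into the raw message, so the body is always message[offset:] and never needs re-parsing.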

 

0x02 Example code

#-*-Thinking-*-
#coding=utf8
from burp import IBurpExtender
from burp import IHttpListener

import re
# Class BurpExtender (required): contains all functions used to interact with the Burp Suite API

print 'Thinking\'s find JSON callback Bui~'

class BurpExtender(IBurpExtender, IHttpListener):

    # registerExtenderCallbacks: from the IBurpExtender interface
    def registerExtenderCallbacks(self, callbacks):

        # keep a reference to our callbacks object (Burp Extensibility Feature)
        self._callbacks = callbacks
        # obtain an extension helpers object (Burp Extensibility Feature)
        # http://portswigger.net/burp/extender/api/burp/IExtensionHelpers.html
        self._helpers = callbacks.getHelpers()
        # set our extension name that will display in Extender Tab
        self._callbacks.setExtensionName("find JSON callback")
        # register ourselves as an HTTP listener
        callbacks.registerHttpListener(self)

    # processHttpMessage: from the IHttpListener interface
    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):

        # only handle traffic from Proxy, Spider, Scanner and Repeater
        # (the TOOL_* constants are defined in IBurpExtenderCallbacks)
        wanted = (self._callbacks.TOOL_PROXY, self._callbacks.TOOL_SPIDER,
                  self._callbacks.TOOL_SCANNER, self._callbacks.TOOL_REPEATER)
        if toolFlag not in wanted:
            return
        # only handle responses: getResponse() is null while the request is still outbound
        if messageIsRequest:
            return

        # response data
        response = messageInfo.getResponse()
        analyzedResponse = self._helpers.analyzeResponse(response)  # returns IResponseInfo
        response_headers = analyzedResponse.getHeaders()
        response_bodys = response[analyzedResponse.getBodyOffset():].tostring()
        response_StatusCode = analyzedResponse.getStatusCode()

        # request data (analyzeRequest for the request, not analyzeResponse)
        request = messageInfo.getRequest()
        analyzedRequest = self._helpers.analyzeRequest(request)
        request_header = analyzedRequest.getHeaders()  # element 0 is the request line
        request_bodys = request[analyzedRequest.getBodyOffset():]  # keep as bytes for buildHttpMessage

        # service details: host, port and protocol of the target
        httpService = messageInfo.getHttpService()
        port = httpService.getPort()
        host = httpService.getHost()
        ishttps = httpService.getProtocol() == "https"  # do not infer this from port == 443

        # case 1: the URL carries a callback parameter and the response is JSON
        expressionA = r'.*(callback).*'
        expressionB = r'.*(application/json|application/javascript).*'
        expressionC = r'.*(text/html|application/javascript).*'
        rqhost = host  # fall back to the service host if there is no Host header
        for rqheader in request_header:
            if rqheader.startswith("Host:"):
                rqhost = rqheader
                break
        ishtml = 0
        for rpheader in response_headers:
            if rpheader.startswith("Content-Type:") and re.match(expressionC, rpheader):
                ishtml = 1

            if rpheader.startswith("Content-Type:") and re.match(expressionB, rpheader):
                if re.match(expressionA, request_header[0]):
                    print '='*10, '[success|callback present and JSON returned]', '='*10, '\n\n[Host]', rqhost, port, '\n\n[URI]', request_header[0], '\n\n[ResponseBody]', response_bodys[0:30], '\n\n\n'
                    break

        # case 2: no callback in the URL, but adding a callback parameter makes the server
        # return JSON wrapped in the given function name
        if not re.match(expressionA, request_header[0]):
            if not (response_StatusCode == 200 and ishtml == 1):
                return
            # copy the header list (the Java list is mutable and shared with analyzedRequest)
            # and rebuild the request line so the HTTP version stays at the end
            new_headers = list(request_header)
            method, target, version = new_headers[0].split(' ', 2)
            if '?' in target:
                target = target + '&callback=BuiBui'
            else:
                target = target + '?callback=BuiBui'
            new_headers[0] = '%s %s %s' % (method, target, version)

            req = self._helpers.buildHttpMessage(new_headers, request_bodys)
            rep = self._callbacks.makeHttpRequest(host, port, ishttps, req)
            # makeHttpRequest sometimes yields no usable response (resolved: 404 pages return no body); skip those
            if rep is None:
                return

            # the probe request we just sent
            analyzedreq = self._helpers.analyzeRequest(req)
            req_headers = analyzedreq.getHeaders()

            # the probe response
            analyzedrep = self._helpers.analyzeResponse(rep)
            rep_headers = analyzedrep.getHeaders()
            rep_bodys = rep[analyzedrep.getBodyOffset():].tostring()

            if 'BuiBui' in rep_bodys:
                for repheader in rep_headers:
                    if repheader.startswith("Content-Type:") and re.match(expressionB, repheader):
                        print '='*10, '[success|hidden callback found and JSON returned]', '='*10, '\n\n[Host]', rqhost, port, '\n\n[URI]', req_headers[0], '\n\n[ResponseBody]', rep_bodys[0:30], '\n\n\n'
                        break
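The decision logic of the extension above, as an added stand-alone example in plain Python (not Jython and not the article's code) so it can be run and tested outside Burp: tool-flag filtering with the IBurpExtenderCallbacks constant values, the two detection cases, and a probe request line that keeps its HTTP version. It goes a little beyond the original in two places: the callback is matched as a query parameter name rather than as a substring of the request line, and a probe only counts as a hit when the body actually invokes the canary, so a 404 page that merely echoes BuiBui is not reported. The function names (classify, add_callback, body_invokes, probe_hit) are mine, and the sample traffic is constructed.

```python
import re

# Tool flags exactly as defined in IBurpExtenderCallbacks; they are powers of two,
# so the set of tools we care about can be expressed as a mask.
TOOL_PROXY, TOOL_SPIDER, TOOL_SCANNER, TOOL_INTRUDER, TOOL_REPEATER = 4, 8, 16, 32, 64
WANTED_TOOLS = TOOL_PROXY | TOOL_SPIDER | TOOL_SCANNER | TOOL_REPEATER
CANARY = "BuiBui"   # marker the article's extension injects; any unique identifier works

JSON_TYPES = ("application/json", "application/javascript", "text/javascript")
HTML_TYPES = ("text/html", "application/javascript")   # what the extension re-requests


def header_value(headers, name):
    """Value of the first header called `name`; headers[0] is the request/status line."""
    for line in headers[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return ""


def media_type(headers):
    """Media type from Content-Type with any parameters (charset=...) stripped."""
    return header_value(headers, "Content-Type").split(";")[0].strip().lower()


def query_params(request_line):
    """(name, value) pairs from the query string of a request line."""
    _method, target, _version = request_line.split(" ", 2)
    query = target.partition("?")[2]
    return [tuple(p.split("=", 1)) if "=" in p else (p, "") for p in query.split("&") if p]


def callback_name(request_line):
    """Value of the callback parameter, or None. Matches the parameter name, not a
    substring, so a path such as /callbacks/list does not count."""
    for name, value in query_params(request_line):
        if name.lower() == "callback":
            return value
    return None


def add_callback(request_line, canary=CANARY):
    """Rebuild the request line with callback=<canary> appended and the HTTP version
    kept; slicing the line with [:-9] without putting ' HTTP/1.1' back would turn the
    probe into an HTTP/0.9-style request."""
    method, target, version = request_line.split(" ", 2)
    if "?" not in target:
        sep = "?"
    elif target.endswith("?") or target.endswith("&"):
        sep = ""
    else:
        sep = "&"
    return "%s %s%scallback=%s %s" % (method, target, sep, canary, version)


def body_invokes(headers, body, func):
    """True when the response is JSON/JS and the body is a call to `func`; an optional
    /**/ prefix is accepted, as some JSONP endpoints emit one. An HTML page that merely
    echoes the name back does not qualify."""
    if media_type(headers) not in JSON_TYPES:
        return False
    return re.match(r"\s*(/\*\*/)?" + re.escape(func) + r"\s*\(", body) is not None


def classify(tool_flag, request_headers, status, response_headers, response_body):
    """Decide what the listener should do with one request/response pair.

    ("callback-json", request_line): the URL already carries a callback and the JSON
    is wrapped in it (case 1). ("probe", new_request_line): no callback yet, but the
    endpoint answered 200 with HTML/JS, so re-request it with a callback (case 2).
    None: ignore."""
    if not tool_flag & WANTED_TOOLS:
        return None
    request_line = request_headers[0]
    name = callback_name(request_line)
    if name is not None:
        if body_invokes(response_headers, response_body, name):
            return ("callback-json", request_line)
        return None
    if status == 200 and media_type(response_headers) in HTML_TYPES:
        return ("probe", add_callback(request_line))
    return None


def probe_hit(probe_headers, probe_body, canary=CANARY):
    """Evaluate the probe's response: a hidden callback exists only if the body is a
    call to the canary."""
    return body_invokes(probe_headers, probe_body, canary)


# Constructed sample traffic (not captured from any real host). Header lists carry the
# request/status line at index 0, as IRequestInfo/IResponseInfo.getHeaders() do.
REQ_WITH_CB = ["GET /api/profile?uid=9&callback=jQuery123 HTTP/1.1", "Host: example.test"]
RSP_JSONP = ["HTTP/1.1 200 OK", "Content-Type: application/javascript; charset=utf-8"]
RSP_JSONP_BODY = 'jQuery123({"uid":9})'
REQ_NO_CB = ["GET /api/profile?uid=9 HTTP/1.1", "Host: example.test"]
RSP_HTML = ["HTTP/1.1 200 OK", "Content-Type: text/html; charset=utf-8"]
RSP_HTML_BODY = "<html><body>profile</body></html>"
PROBE_RSP = ["HTTP/1.1 200 OK", "Content-Type: application/javascript"]
PROBE_BODY = '/**/BuiBui({"uid":9})'
PROBE_ECHO_RSP = ["HTTP/1.1 404 Not Found", "Content-Type: text/html"]
PROBE_ECHO_BODY = "<p>No route for /api/profile?uid=9&callback=BuiBui</p>"

if __name__ == "__main__":
    print(classify(TOOL_PROXY, REQ_WITH_CB, 200, RSP_JSONP, RSP_JSONP_BODY))
    print(classify(TOOL_PROXY, REQ_NO_CB, 200, RSP_HTML, RSP_HTML_BODY))
    print(probe_hit(PROBE_RSP, PROBE_BODY), probe_hit(PROBE_ECHO_RSP, PROBE_ECHO_BODY))
```

Inside Burp, classify() would be called from processHttpMessage with the values of toolFlag, getHeaders(), getStatusCode() and the sliced body, and a "probe" verdict is what you hand to buildHttpMessage() and makeHttpRequest(); the canary check then runs on the probe's response. Use a canary that cannot occur naturally in a page so that a bare substring search does not produce false positives.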

 

0x03 Loading the extension

When a request carries a callback parameter, or a hidden callback parameter is discovered by the probe, and the response body is JSON, a record is printed to the extension's output.