在开始CRLF注入扫描前先判断Response Header Controll

A0WaQ4 · Nov 26, 2022 · 067b963 · 067b963
1 parent eb8ce57
commit 067b963
Show file tree

Hide file tree

Showing 4 changed files with 189 additions and 6 deletions.
diff --git a/src/main/java/burp/Application/HostScan.java b/src/main/java/burp/Application/HostScan.java
@@ -0,0 +1,111 @@
+package burp.Application;
+
+import burp.*;
+import burp.Bootstrap.CustomBurpParameters;
+import burp.Bootstrap.CustomBurpUrl;
+import burp.Bootstrap.YamlReader;
+
+import java.io.PrintWriter;
+import java.util.List;
+
+public class HostScan {
+    private IBurpExtenderCallbacks callbacks;
+    private IExtensionHelpers helpers;
+
+    public PrintWriter stderr;
+    public PrintWriter stdout;
+
+
+    private IHttpRequestResponse requestResponse;
+    private IHttpRequestResponse vulnRequestResponse;
+    private CustomBurpParameters requestParameters;
+    private List<String> payloads;
+    private YamlReader yamlReader;
+    private IRequestInfo iRequestInfo;
+    private Boolean isVuln = false;
+    private CustomBurpUrl customBurpUrl;
+    public HostScan(IBurpExtenderCallbacks callbacks, IHttpRequestResponse requestResponse, CustomBurpParameters requestParameters,CustomBurpUrl customBurpUrl) {
+        this.callbacks = callbacks;
+        this.helpers = callbacks.getHelpers();
+        this.stderr = new PrintWriter(callbacks.getStderr(), true);
+        this.requestResponse = requestResponse;
+        this.requestParameters = requestParameters;
+        this.yamlReader = YamlReader.getInstance(callbacks);
+        this.payloads = this.yamlReader.getStringList("Application.hostPayloads");
+        this.iRequestInfo = this.helpers.analyzeRequest(requestResponse);
+        this.customBurpUrl= customBurpUrl;
+        this.runHostScan();
+
+    }
+
+    private void runHostScan(){
+        List<String> requestHeader = this.getRequestHeaders();
+        String[] firstHeader = requestHeader.get(0).split(" ");
+        for(String payload:this.payloads){
+            if(this.customBurpUrl.getRequestQuery()==null&&this.iRequestInfo.getMethod()=="GET"){
+                String newFirstHeader = "GET "+firstHeader[1]+payload+" "+firstHeader[2];
+                requestHeader.set(0,newFirstHeader);
+            }else if(this.requestParameters.isEmptyParameters()){
+                String newFirstHeader = "GET "+firstHeader[1]+payload+" "+firstHeader[2];
+                requestHeader.set(0,newFirstHeader);
+            }else{
+                String newFirstHeader = "GET " + getTargetPath(firstHeader[1]) + this.getParametersPayload(payload) + " " + firstHeader[2];
+                requestHeader.set(0,newFirstHeader);
+            }
+            requestHeader.removeIf(header -> header.startsWith("Content-Type"));
+            String body = "";
+            byte[] requestBody = body.getBytes();
+            byte[] newRequest = this.helpers.buildHttpMessage(requestHeader,requestBody);
+            IHttpService httpService = this.requestResponse.getHttpService();
+            IHttpRequestResponse newRequestResponse = this.callbacks.makeHttpRequest(httpService,newRequest);
+            if(this.isHostVuln(newRequestResponse)){
+                this.vulnRequestResponse=newRequestResponse;
+                this.isVuln = true;
+                return;
+            }
+        }
+        return;
+    }
+
+
+    //  获取请求头
+    private List<String> getRequestHeaders(){
+        return this.iRequestInfo.getHeaders();
+    }
+
+    private String getTargetPath(String fistHeader_1){
+        String[] firstHeader_split = fistHeader_1.split("\\?");
+        return firstHeader_split[0];
+    }
+
+    //  获取参数payload
+    private String getParametersPayload(String hostPayload){
+        String parametersPayload = "?";
+        for (IParameter parameter : this.requestParameters.getParameters()) {
+            String name = parameter.getName();
+            parametersPayload = parametersPayload + name + "=" + hostPayload + "&";
+        }
+        return parametersPayload;
+    }
+
+
+
+    private Boolean isHostVuln(IHttpRequestResponse newRequestResponse){
+        byte[] response = newRequestResponse.getResponse();
+        List<String> analyzedResponse = this.helpers.analyzeResponse(response).getHeaders();
+        for(String headers : analyzedResponse){
+            if(headers.contains("Set-Host-Header-Response")){
+                return true;
+            }
+        }
+        return false;
+    }
+
+    public IHttpRequestResponse getVulnRequestResponse(){
+        return this.vulnRequestResponse;
+    }
+
+    public Boolean getIsVuln(){
+        return this.isVuln;
+    }
+}
diff --git a/src/main/java/burp/BurpExtender.java b/src/main/java/burp/BurpExtender.java
@@ -1,6 +1,7 @@
 package burp;
 
 import burp.Application.CrlfScan;
+import burp.Application.HostScan;
 import burp.Bootstrap.CustomBurpParameters;
 import burp.Bootstrap.CustomBurpUrl;
 import burp.Bootstrap.YamlReader;
@@ -104,19 +105,44 @@ public List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse)
 //
 //            this.stdout.println(name+"="+value);
 //        }
-        CrlfScan crlfScan = new CrlfScan(this.callbacks,baseRequestResponse,baseBurpParameters,baseBurpUrl);
-        if(crlfScan.getIsVuln()){
+        HostScan hostScan = new HostScan(this.callbacks,baseRequestResponse,baseBurpParameters,baseBurpUrl);
+        if(hostScan.getIsVuln()){
             int tagId = this.tags.add(
-                    "CRLF",
+                    "Scanning",
                     this.helpers.analyzeRequest(baseRequestResponse).getMethod(),
                     baseBurpUrl.getHttpRequestUrl().toString(),
                     this.helpers.analyzeResponse(baseRequestResponse.getResponse()).getStatusCode() + "",
-                    "[+] found CRLF Injection",
+                    "[loading] found Host Header Attack , now testing CRLF-Injection",
                     String.valueOf(baseRequestResponse.getResponse().length),
-                    crlfScan.getVulnRequestResponse()
+                    hostScan.getVulnRequestResponse()
             );
+            CrlfScan crlfScan = new CrlfScan(this.callbacks,baseRequestResponse,baseBurpParameters,baseBurpUrl);
+            if(crlfScan.getIsVuln()){
+                this.tags.save(
+                        tagId,
+                        "CRLF",
+                        this.helpers.analyzeRequest(baseRequestResponse).getMethod(),
+                        baseBurpUrl.getHttpRequestUrl().toString(),
+                        this.helpers.analyzeResponse(baseRequestResponse.getResponse()).getStatusCode() + "",
+                        "[+] found CRLF Injection",
+                        String.valueOf(baseRequestResponse.getResponse().length),
+                        crlfScan.getVulnRequestResponse()
+                );
+            }else{
+                this.tags.save(
+                        tagId,
+                        "Response Header Control",
+                        this.helpers.analyzeRequest(baseRequestResponse).getMethod(),
+                        baseBurpUrl.getHttpRequestUrl().toString(),
+                        this.helpers.analyzeResponse(baseRequestResponse.getResponse()).getStatusCode() + "",
+                        "[+] just found Response Header Control",
+                        String.valueOf(baseRequestResponse.getResponse().length),
+                        hostScan.getVulnRequestResponse()
+                );
+            }
         }
 
+
         // 输出UI
 
 

diff --git a/src/main/java/burp/UI/Tags.java b/src/main/java/burp/UI/Tags.java
@@ -223,6 +223,46 @@ public int add(String VulName, String Method, String url, String status, String
             return id;
         }
     }
+    /**
+     * 更新任务状态至任务栏面板
+     *
+     * @param id
+     * @param VulName
+     * @param Method
+     * @param url
+     * @param status
+     * @param Info
+     * @param requestResponse
+     * @return int id
+     */
+    public int save(int id, String VulName, String Method,String url, String status, String Info, String Size,IHttpRequestResponse requestResponse) {
+        Tags.TablesData dataEntry = Tags.this.Udatas.get(id);
+        String startTime = dataEntry.startTime;
+
+        Date d = new Date();
+        SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
+        String endTime = sdf.format(d);
+
+        synchronized (this.Udatas) {
+            this.Udatas.set(
+                    id,
+                    new TablesData(
+                            id,
+                            VulName,
+                            Method,
+                            url,
+                            status,
+                            Info,
+                            Size,
+                            requestResponse,
+                            startTime,
+                            endTime
+                    )
+            );
+            fireTableRowsUpdated(id, id);
+            return id;
+        }
+    }
 
 
     public class URLTable extends JTable {

diff --git a/src/main/resources/config.yml b/src/main/resources/config.yml
@@ -161,4 +161,10 @@ urlBlackListSuffix:
 
 Application:
   payloads:
-    - "%E5%98%8D%E5%98%8ASet-CRLF-injection:crlftoken=injection%0D%0A%20Set-CRLF-injection:crlftoken=injection%20%0D%0ASet-CRLF-injection:crlftoken=injection%0A%20Set-CRLF-injection:crlftoken=injection%2F%2E%2E%0D%0ASet-CRLF-injection:crlftoken=injection"
+    - "%20%0D%0ASet-CRLF-injection:crlftoken=injection"
+    - "%E5%98%8D%E5%98%8ASet-CRLF-injection:crlftoken=injection"
+    - "%0D%0A%20Set-CRLF-injection:crlftoken=injection"
+    - "%0A%20Set-CRLF-injection:crlftoken=injection"
+    - "%2F%2E%2E%0D%0ASet-CRLF-injection:crlftoken=injection"
+  hostPayloads:
+    - "Set-Host-Header-Response"