取消cookie中参数的fuzz

A0WaQ4 · Nov 24, 2022 · 6198cf3 · 6198cf3
1 parent bce9e7c
commit 6198cf3
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 8 deletions.
diff --git a/src/main/java/.DS_Store b/src/main/java/.DS_Store
diff --git a/src/main/java/burp/Application/CrlfScan.java b/src/main/java/burp/Application/CrlfScan.java
@@ -2,6 +2,7 @@
 
 import burp.*;
 import burp.Bootstrap.CustomBurpParameters;
+import burp.Bootstrap.CustomBurpUrl;
 import burp.Bootstrap.YamlReader;
 
 import java.io.PrintWriter;
@@ -23,8 +24,9 @@ public class CrlfScan {
     private YamlReader yamlReader;
     private IRequestInfo iRequestInfo;
     private Boolean isVuln = false;
+    private CustomBurpUrl customBurpUrl;
 
-    public CrlfScan(IBurpExtenderCallbacks callbacks, IHttpRequestResponse requestResponse, CustomBurpParameters requestParameters) {
+    public CrlfScan(IBurpExtenderCallbacks callbacks, IHttpRequestResponse requestResponse, CustomBurpParameters requestParameters,CustomBurpUrl customBurpUrl) {
         this.callbacks = callbacks;
         this.helpers = callbacks.getHelpers();
         this.stderr = new PrintWriter(callbacks.getStderr(), true);
@@ -33,6 +35,7 @@ public CrlfScan(IBurpExtenderCallbacks callbacks, IHttpRequestResponse requestRe
         this.yamlReader = YamlReader.getInstance(callbacks);
         this.payloads = this.yamlReader.getStringList("Application.payloads");
         this.iRequestInfo = this.helpers.analyzeRequest(requestResponse);
+        this.customBurpUrl= customBurpUrl;
         this.runCrlfScan();
 
     }
@@ -41,7 +44,10 @@ private void runCrlfScan(){
         List<String> requestHeader = this.getRequestHeaders();
         String[] firstHeader = requestHeader.get(0).split(" ");
         for(String payload:this.payloads){
-            if(this.requestParameters.isEmptyParameters()){
+            if(this.customBurpUrl.getRequestQuery()==null&&this.iRequestInfo.getMethod()=="GET"){
+                String newFirstHeader = "GET "+firstHeader[1]+payload+" "+firstHeader[2];
+                requestHeader.set(0,newFirstHeader);
+            }else if(this.requestParameters.isEmptyParameters()){
                 String newFirstHeader = "GET "+firstHeader[1]+payload+" "+firstHeader[2];
                 requestHeader.set(0,newFirstHeader);
             }else{

diff --git a/src/main/java/burp/BurpExtender.java b/src/main/java/burp/BurpExtender.java
@@ -104,7 +104,7 @@ public List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse)
 //
 //            this.stdout.println(name+"="+value);
 //        }
-        CrlfScan crlfScan = new CrlfScan(this.callbacks,baseRequestResponse,baseBurpParameters);
+        CrlfScan crlfScan = new CrlfScan(this.callbacks,baseRequestResponse,baseBurpParameters,baseBurpUrl);
         if(crlfScan.getIsVuln()){
             int tagId = this.tags.add(
                     "CRLF",

diff --git a/src/main/resources/config.yml b/src/main/resources/config.yml
@@ -161,8 +161,4 @@ urlBlackListSuffix:
 
 Application:
   payloads:
-    - "%0D%0A%20Set-CRLF-injection:crlftoken=injection"
-    - "%20%0D%0ASet-CRLF-injection:crlftoken=injection"
-    - "%0A%20Set-CRLF-injection:crlftoken=injection"
-    - "%2F%2E%2E%0D%0ASet-CRLF-injection:crlftoken=injection"
-    - "%E5%98%8D%E5%98%8ASet-CRLF-injection:crlftoken=injection"
+    - "%E5%98%8D%E5%98%8ASet-CRLF-injection:crlftoken=injection%0D%0A%20Set-CRLF-injection:crlftoken=injection%20%0D%0ASet-CRLF-injection:crlftoken=injection%0A%20Set-CRLF-injection:crlftoken=injection%2F%2E%2E%0D%0ASet-CRLF-injection:crlftoken=injection"