Practical Burp Suite plug-in usage tips
2022-07-03 05:02:00 【zhibx】
This article was first published in the Qi'anxin Attack and Defense Community.
0×00 Preface
Burp Suite is an integrated penetration testing tool: a collection of penetration testing components that lets us test and attack web applications more effectively, whether automatically or manually. Using Burp Suite makes penetration testing simpler and more convenient; even without great skill, being familiar with how Burp Suite is used makes a penetration test easy and efficient.
The Burp Suite executable is a Java .jar file. The free version can be downloaded from the free version download page. The free version of Burp Suite has many restrictions and many advanced tools cannot be used; to use the more advanced functions you need to pay for the Professional edition.
0×01 Professional edition activation
Of course, as a qualified security person, I'm going to get it for free. Let's look at the installation steps for the Professional edition.
Because Burp Suite is written in Java, we first need to install a Java environment. Click here to download
After downloading, open it and click Install
Installation complete
Open CMD and enter java -version; output like the figure below means the installation succeeded
If you don't see the output above after entering the command, it doesn't matter: we add it to the environment variables manually
Right-click My Computer (This PC) → Properties → Advanced system settings → Advanced → Environment Variables → Path
Add the bin directory of our Java installation to Path, as in the picture:
C:\Program Files (x86)\Java\jre1.8.0_101\bin
OK, done
Next we start the Burp Suite installation. Click here to download
Open burp-loader-keygen-2020_1.jar and click Run

Click Manual activation
Click Next; registration is complete
Seeing this step means the registration succeeded

0×02 Plug-in environment installation
You may be eager to install plug-ins at this point, but that won't work yet, because some Burp Suite plug-ins are implemented in Python or Ruby, so we need to install Jython and JRuby
Click here to download Jython
After downloading, click Extender → Options and import the corresponding file path as prompted


0×03 Using the plug-ins
Start by opening Extender → BApp Store; you can see that there are a large number of plug-ins in the plug-in store
There are too many plug-ins, and few are used in real engagements. Next, let's talk about the practical ones.
Shiro vulnerability passive detection
Description:
Apache Shiro is a Java security framework from the Apache Software Foundation used for authentication, authorization, encryption and session management. Apache Shiro uses CookieRememberMeManager by default, and it handles the cookie as follows: get the rememberMe cookie value -> Base64 decode -> AES decrypt -> deserialize. However, the AES key is hard-coded, so an attacker can construct malicious data that triggers a deserialization RCE vulnerability.
The plug-in was written by master Miaowu. Very easy to use, recommended!
After downloading, open Burp and click Extender on the main page; you can see there is an Add button, click it

Our plug-in is written in Java, so choose Java as the extension type, import the plug-in, and then go to the next step
The following interface appears, which means the installation succeeded
Then we can happily hunt for bugs. Because this plug-in is passive detection, we don't need to configure it; just open Burp and that's it. If a vulnerability is encountered it will be displayed on the Target page. Let's open a practice range to test, as in the picture.
View the vulnerability in the plug-in's tab interface. The tags shown there mean the following:
waiting for test results = the shiro key is being scanned
shiro key scan out of memory error = a memory error occurred while scanning the shiro key
shiro key scan diff page too many errors = too many page similarity comparisons failed while scanning the shiro key
shiro key scan task timeout = task execution timed out while scanning the shiro key
shiro key scan unknown error = an unknown error occurred while scanning the shiro key
[-] not found shiro key = no shiro key was found
[+] found shiro key: xxxxxx = the shiro key was found

fastjson vulnerability passive detection
Description:
Fastjson is Alibaba's open-source JSON parsing library. It can parse JSON-format strings, serialize Java Beans to JSON strings, and deserialize JSON strings into JavaBeans. Fastjson has a deserialization remote code execution vulnerability: when an application or system uses Fastjson to parse user-controlled JSON string data, it may lead to remote code execution.
This is also the work of master Miaowu. Click here to download
The installation steps are the same as for the plug-in above. This plug-in is also passive detection, so we don't need to configure it; if a vulnerability is encountered it is displayed on the Target page. Let's open a website to test, as in the picture.

Struts2 vulnerability passive detection
Description:
Apache Struts is an open-source project of the Apache Software Foundation: an open-source MVC framework for creating enterprise-class Java Web applications. It has had multiple remote command execution vulnerabilities. Attackers can launch remote attacks that not only steal website data but can even take control of the web server. Moreover, automated tools for these vulnerabilities have begun to appear, so attackers no longer need vulnerability-related expertise to compromise the server, execute commands directly, steal data, or even perform destructive operations.
Plug-in download address: Click here to download
The installation steps are the same as above; successful installation is shown in the figure below.

Let's use it to test a Struts2 vulnerability. Create a vulnerable environment locally

This plug-in is also passive detection, so we don't need to configure it: just open Burp and visit the website. If a vulnerability is scanned it will be displayed on the Target page, or we can click the plug-in's own tab to show the vulnerability, as in the picture.

Sensitive information collection tool
Description:
HaE is an auxiliary plug-in for request highlighting and information extraction, developed on the BurpSuite plug-in Java API. The plug-in can match response or request messages with custom regular expressions, and you can decide whether a request that matches a custom regex should be highlighted or have information extracted.
The HaE plug-in was written by master gh0stkey. A great plug-in, easy to use and powerful.
The usage introduced by gh0stkey on GitHub is as follows:
Plug-in loading: Extender - Extensions - Add - Select File - Next
When HaE is first loaded it initializes the configuration file; the default configuration file has one built-in rule, Email. The initialized configuration file is placed in the same directory as the BurpSuite Jar package.
In addition to the initialized configuration file there is Setting.yml, which stores the configuration file path. HaE supports a custom configuration file path; you can click the Select File button to choose a custom configuration file.
The following screen appears to indicate successful installation
Default Email rule
Generated rule file
At this stage the installation has succeeded. Next, a friend will ask: what if I can't write rules? These things are too hard for me to use. Don't worry: the author, master gh0stkey, has prepared a public rules website that provides most common rules for everyone to use. Address
The way to use it is to copy these rules, open the Config.yml file, paste them in, and you're done
The default rule
Copy the rules from the rules website, paste them in and save (remember to exit Burp when replacing rules)
Open our HaE plug-in and we can see that our rules have been replaced successfully; it's ready to use


We use Swagger to demonstrate the rules
In Proxy - HTTP History you can see the highlighted request; the response tab carries the Swagger UI label, and the matched information is extracted.
There are more usages waiting for you to explore.
403Bypasser
A Burp Suite extension to bypass 403-restricted directories. By using PassiveScan (enabled by default), this extension automatically scans each 403 request, so just add it to Burp Suite and enjoy.
install
BurpSuite -> Extender -> Extensions -> Add -> Extension Type: Python -> Select file: 403bypasser.py -> Next till Finish
This plug-in is written in Python, which is where the Jython we installed earlier comes in: with it, Burp can load Python-format plug-ins.
Seeing the following interface indicates the installation succeeded (yes, it's empty)
Okay, so we can use it happily. (This plug-in is also passive scanning)
We can take a look at this plug-in's payloads. You can see that its main function is to bypass 403 pages. For example, we sometimes see that many websites restrict external access and directly return 403 when visited; if we change the IP header to the local address 127.0.0.1 we may get around this restriction. This plug-in verifies that for us automatically. Convenient, isn't it? Its payloads are:
$1/$2
$1/%2e/$2
$1/$2/.
$1//$2//
$1/./$2/./
$1/$2anything -H "X-Original-URL: /$2"
$1/$2 -H "X-Custom-IP-Authorization: 127.0.0.1"
$1 -H "X-Rewrite-URL: /$2"
$1/$2 -H "Referer: /$2"
$1/$2 -H "X-Originating-IP: 127.0.0.1"
$1/$2 -H "X-Forwarded-For: 127.0.0.1"
$1/$2 -H "X-Remote-IP: 127.0.0.1"
$1/$2 -H "X-Client-IP: 127.0.0.1"
$1/$2 -H "X-Host: 127.0.0.1"
$1/$2 -H "X-Forwarded-Host: 127.0.0.1"
$1/$2%20/
$1/%20$2%20/
$1/$2?
$1/$2???
$1/$2//
$1/$2/
$1/$2/.randomstring
$1/$2..;/
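The same list read from the defender's side, as an added example that is not part of the plug-in or the original post: a Python check that flags requests carrying the spoofed-client headers or path-normalization tricks from the payloads above, run over a few constructed request records (the sample records and the function names are assumptions, not plug-in code).

```python
import re

# Request headers used by the payloads above to impersonate a trusted
# client, or to point the access control at a different URL.
SPOOF_HEADERS = {
    "x-forwarded-for", "x-originating-ip", "x-remote-ip", "x-client-ip",
    "x-custom-ip-authorization", "x-host", "x-forwarded-host",
}
REWRITE_HEADERS = {"x-original-url", "x-rewrite-url"}
LOOPBACK = re.compile(r"^(127(\.\d{1,3}){3}|::1|localhost)$")

# Path tricks from the same list; each maps a regex to a short label.
PATH_TRICKS = [
    (r"%2e", "url-encoded dot"),
    (r"\.\.;", "semicolon path segment (..;/)"),
    (r"//", "doubled slash"),
    (r"%20", "encoded space in path"),
    (r"/\.(/|$)", "dot segment (/./ or trailing /.)"),
    (r"\?\?", "repeated question marks"),
]

def bypass_indicators(path, headers):
    """Return the reasons a request looks like a 403-bypass probe ([] if clean)."""
    reasons = []
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    for name in sorted(lowered):
        if name in REWRITE_HEADERS:
            reasons.append(f"{name} rewrites target to {lowered[name]}")
        elif name in SPOOF_HEADERS and LOOPBACK.match(lowered[name]):
            reasons.append(f"{name} claims loopback {lowered[name]}")
    for pattern, label in PATH_TRICKS:
        if re.search(pattern, path, re.IGNORECASE):
            reasons.append(label)
    return reasons

# Constructed sample records (not real traffic), shaped like the payloads above.
SAMPLE_REQUESTS = [
    ("/admin", {"Host": "app.example", "X-Forwarded-For": "127.0.0.1"}),
    ("/admin..;/", {"Host": "app.example"}),
    ("/anything", {"Host": "app.example", "X-Original-URL": "/admin"}),
    ("/admin", {"Host": "app.example", "X-Forwarded-For": "203.0.113.5"}),
]

def scan(records):
    """Pair every record with its indicators so a reviewer can triage them."""
    return [(path, bypass_indicators(path, headers)) for path, headers in records]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_REQUESTS):
        print(path, "->", reasons or "clean")
```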

Okay, that's all of my frequently used plug-ins. There are many easy-to-use plug-ins I haven't mentioned; I hope you'll leave a message and share them. Now let's talk about some Burp tips. Burp is a very powerful penetration testing tool; we usually only use its most frequent functions for penetration testing, but it actually has many useful functions worth sharing with you.
dnslog function
Burp Collaborator is a feature added in Burp Suite v1.6.15, that is, a DNSlog: it monitors DNS resolution records and HTTP access records, which is very useful when detecting blind injection vulnerabilities.
Start by opening Collaborator
Main interface menu: burp - burp collaborator client to enable it

Click copy to clipboard to copy the payload URL; number to generate is the number of payloads generated.
Then just ping the copied URL
You can see that Burp successfully received our request
Race condition vulnerability test
A "race condition" occurs when multiple threads access the same shared code, variable, file, etc. at the same time without a lock or synchronization operation.
Developers tend to think code executes linearly while they develop it, ignoring that parallel servers execute multiple threads simultaneously, which can lead to unexpected results.
Simply put: you have 100 yuan and a commodity costs 100. If you start multiple threads to run the purchase, it is possible that more than one purchase succeeds.
"Race condition" vulnerabilities are sometimes hard to discover through black-box/grey-box methods, because the vulnerability is heavily affected by environmental factors such as network latency and the server's processing capacity. Generally, such problems are found by auditing the code
You can use Burp's Intruder function to send multiple concurrent requests
Send the request to Intruder
Intruder – Payloads – Payload Sets
Set Payload type to Null payloads
In Payload Options set the count to 100
Set the maximum number of threads to 999 and click Start attack
Matching Chinese characters in responses with the Intruder module
In penetration testing tutorials, when using the Intruder module to brute-force or fuzz, we generally only talk about identifying whether the brute-force succeeded by the returned packet length or status code, or whether the fuzz gave us what we wanted.
Actually, Intruder -> Options -> Grep - Match provides a function for matching response content; matching can be done by simple strings or regular expressions.
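The 100-yuan scenario carried through as an added example (not from the original post): a toy account whose unsynchronized check-then-act lets every concurrent buyer succeed, beside a locked version that admits only one. The barrier stands in for the simultaneous requests Intruder sends; the class and function names are assumptions.

```python
import threading

class Wallet:
    """Toy account from the text: 100 yuan, and the item costs 100."""

    def __init__(self, balance=100):
        self.balance = balance
        self.lock = threading.Lock()

    def buy_unsafe(self, price, barrier):
        # Vulnerable check-then-act with no synchronisation. The barrier makes
        # every thread pass the balance check before any of them debits, the
        # interleaving that concurrent Intruder requests can produce.
        if self.balance < price:
            barrier.wait()
            return False
        barrier.wait()
        self.balance -= price
        return True

    def buy_safe(self, price, barrier):
        # Hardened: check and debit are one atomic step under a lock (in a
        # real service: a transaction with SELECT ... FOR UPDATE, or a
        # conditional UPDATE ... WHERE balance >= price).
        barrier.wait()
        with self.lock:
            if self.balance < price:
                return False
            self.balance -= price
            return True

def run_concurrent(method_name, threads=20, price=100):
    """Fire `threads` purchases at once; return (successful buys, final balance)."""
    wallet = Wallet()
    barrier = threading.Barrier(threads)
    results = [False] * threads

    def worker(i):
        results[i] = getattr(wallet, method_name)(price, barrier)

    workers = [threading.Thread(target=worker, args=(i,)) for i in range(threads)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return sum(results), wallet.balance

if __name__ == "__main__":
    print("unsafe:", run_concurrent("buy_unsafe"))  # all 20 buys succeed, balance <= 0
    print("safe:  ", run_concurrent("buy_safe"))    # (1, 0)
```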

You can see that if the match succeeds it will be ticked
A friend may ask: what if I want to match Chinese characters? Let's demonstrate how to match Chinese characters.
If you want to match Chinese, you need to convert the Chinese into hexadecimal and match it with a regular expression. The procedure is: first use Python to turn the Chinese into hexadecimal (not limited to this method)
Then set the regex matching pattern and add the hex
Successfully matched; you can work with it.
Conclusion: Burp's functions go beyond these; you can explore other functions to make bug hunting more convenient. If there are other better plug-ins and skills, I hope you will leave a message and share.
Disclaimer:
Only for authorized security testing; attacking sites without authorization is forbidden. This article is only for study and research. It is strictly forbidden to use the content of this article to operate illegally on other Internet applications; if it is used for illegal purposes, you bear the consequences, and all resulting risks are unrelated to the author of this article. If you continue reading this article, you accept this by default.
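The hex-conversion step as an added example (not the original post's script): a Python helper that turns Chinese text into the \xhh byte escapes a Grep - Match regex can use, plus a check that runs such a pattern over a constructed response body. It also shows why the pattern must use the same encoding as the response; the helper names and sample bodies are assumptions.

```python
import re

def to_hex_regex(text, encoding="utf-8"):
    """Escape every byte of `text` in `encoding` as \\xhh for use in a regex.
    E.g. "登录" in UTF-8 -> \\xe7\\x99\\xbb\\xe5\\xbd\\x95."""
    return "".join(f"\\x{b:02x}" for b in text.encode(encoding))

def grep_match(pattern, body):
    """Apply a Grep-Match style regex to raw response bytes (the regex engine
    sees bytes, so the escapes only match when the encodings agree)."""
    return re.search(pattern.encode("ascii"), body) is not None

# Constructed sample responses (not captured traffic): the same JSON body
# served in UTF-8 and in GBK, as a legacy Chinese site might do.
BODY_UTF8 = '{"code":0,"msg":"登录成功"}'.encode("utf-8")
BODY_GBK = '{"code":0,"msg":"登录成功"}'.encode("gbk")

def demo():
    """Build patterns for 登录成功 in both encodings and try each on each body."""
    utf8_pat = to_hex_regex("登录成功")
    gbk_pat = to_hex_regex("登录成功", "gbk")
    return {
        "utf8_pattern": utf8_pat,
        "utf8_on_utf8": grep_match(utf8_pat, BODY_UTF8),
        "utf8_on_gbk": grep_match(utf8_pat, BODY_GBK),   # encoding mismatch
        "gbk_on_gbk": grep_match(gbk_pat, BODY_GBK),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Paste the printed pattern into Grep - Match with the regex option enabled; if a response is served in GBK rather than UTF-8, generate the pattern with the matching encoding or it will never tick.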