感觉这个插件在平时用的时候检测效果还不错,就看看代码。
Struts2 045可以检测出来。
如他描述所说:可以检测CVE-2017-5638(S2-045)、CVE-2017-9805(S2-052)、CVE-2018-11776(S2-057)
其实S2-052的覆盖范围很广了,Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12,这么大的版本范围都可以检测出来,其实已经包括了S2-045的范围了。
发出实际的HTTP请求:
attack = callbacks.makeHttpRequest(basePair.getHttpService(), req) # Issue the actual request
尝试自己写一个插件:
```python
#coding=utf-8
# Module-level handles that BurpExtender.registerExtenderCallbacks fills in
# once Burp loads the extension; until then both stay None.
callbacks = helpers = None
import subprocess

from burp import IBurpExtender # 定义插件的基本信息类
from burp import IScannerCheck # 应该是扫描的基础类
from burp import IScanIssue # 应该是Scanner那个界面的Issue作为一个基础类
class BurpExtender(IBurpExtender):
    """Entry point Burp instantiates when the extension is loaded."""

    def registerExtenderCallbacks(self, this_callbacks):
        """Publish Burp's callback/helper objects and register the scanner check.

        ``this_callbacks`` is the object Burp hands in on load; it is stored
        in the module globals so the scan classes below can reach it.
        """
        global callbacks, helpers
        callbacks = this_callbacks
        helpers = this_callbacks.getHelpers()
        callbacks.setExtensionName("BurpCollaboratorClientTest")
        # Burp drives the registered check object from the Scanner.
        callbacks.registerScannerCheck(PerRequestScans())
        print("Successfully loaded BurpCollaboratorClientTest by CQQ!")
# 展示Issue的类
class CustomScanIssue(IScanIssue):
    """Minimal IScanIssue used to surface a finding in Burp's Scanner tab.

    Each getter hands back exactly the value given to the constructor.
    Background and remediation text are not supplied (None) and the numeric
    issue type is a flat 0 rather than a catalogued Burp type.
    """

    def __init__(self, httpService, url, httpMessages, name, detail, confidence, severity):
        """Capture the issue fields and echo a one-line notice to the extension output."""
        self.HttpService = httpService
        self.Url = url
        self.HttpMessages = httpMessages
        self.Name = name
        self.Detail = detail
        self.Confidence = confidence
        self.Severity = severity
        print("Reported: " + name + " on " + str(url))

    # --- location / transport ---------------------------------------------
    def getUrl(self):
        return self.Url

    def getHttpService(self):
        return self.HttpService

    def getHttpMessages(self):
        return self.HttpMessages

    # --- classification ---------------------------------------------------
    def getIssueName(self):
        return self.Name

    def getIssueType(self):
        # No catalogued type is used; the name/detail carry the meaning.
        return 0

    def getSeverity(self):
        return self.Severity

    def getConfidence(self):
        return self.Confidence

    # --- descriptive text -------------------------------------------------
    def getIssueDetail(self):
        return self.Detail

    def getIssueBackground(self):
        return None

    def getRemediationBackground(self):
        return None

    def getRemediationDetail(self):
        return None
# 具体的扫描的类
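class PerRequestScans(IScannerCheck):
    """Scanner check that exercises the Burp Collaborator client.

    Burp calls into this object through the IScannerCheck interface
    (doActiveScan / doPassiveScan / consolidateDuplicateIssues). Every
    callable in ``scan_checks`` is run on each active-scan call and the
    issues it returns are handed back to Burp.

    NOTE: ``doCollaboratorTest`` is a self-test of the Collaborator flow.
    It sends nothing to the scanned target: the ping runs on the host that
    runs Burp, so a Collaborator interaction only shows that *this* host
    resolved the payload. An issue it reports is therefore not evidence
    about the target and should be read as a plumbing check only.
    """

    def __init__(self):
        # Callables that take the base IHttpRequestResponse and return a
        # (possibly empty) list of IScanIssue objects.
        self.scan_checks = [
            self.doCollaboratorTest,
        ]

    def doActiveScan(self, baseRequestResponse, insertionPoint):
        """Run every registered check and return the combined issue list.

        ``insertionPoint`` is unused: the checks look at the whole
        request/response pair rather than one parameter.
        """
        issues = []
        for check in self.scan_checks:
            issues.extend(check(baseRequestResponse))
        return issues

    def doPassiveScan(self, baseRequestResponse):
        """No passive checks are implemented; None tells Burp there is nothing to report."""
        return None

    def consolidateDuplicateIssues(self, existingIssue, newIssue):
        """Suppress a repeat of a same-named issue on the same URL.

        Burp reads -1 as "report the existing issue only" and 0 as
        "report both".
        """
        if existingIssue.getIssueName() == newIssue.getIssueName():
            return -1
        return 0

    def doCollaboratorTest(self, basePair):
        """Generate a Collaborator payload, resolve it locally, report if it was seen.

        Returns a one-element list with a CustomScanIssue when Collaborator
        recorded an interaction for the payload, otherwise an empty list.
        ``basePair`` is only used to fill the issue's service, URL and
        message fields; no request is sent to it.
        """
        collab = callbacks.createBurpCollaboratorClientContext()
        collab_payload = collab.generatePayload(True)  # hostname under the Collaborator server
        # Argument list, no shell: the payload is passed to ping verbatim and
        # is never parsed by a shell. "-c1" is Unix ping syntax.
        try:
            subprocess.call(["ping", collab_payload, "-c1"])
        except OSError:
            # no usable ping binary on this host -> nothing could be observed
            return []
        # Collaborator may lag behind the DNS lookup; an empty result only
        # means no interaction had been recorded at the time of polling.
        interactions = collab.fetchAllCollaboratorInteractions()
        if not interactions:
            return []
        return [CustomScanIssue(
            basePair.getHttpService(),
            helpers.analyzeRequest(basePair).getUrl(),
            [basePair],  # the base message; this check issues no attack request
            'RCE',
            "The application appears to be vulnerable to Remote Code Execution",
            'Firm', 'High')]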
载入Burp Extender: