【BurpSuite】插件开发学习之Software Vulnerability Scanner

_HWHXY

已于 2022-08-30 12:54:09 修改

阅读量757

点赞数

分类专栏： BurpSuite插件文章标签：学习 java 开发语言

于 2022-08-21 21:42:53 首次发布

本文链接：https://blog.csdn.net/xiru9972/article/details/126452552

版权

BurpSuite插件专栏收录该内容

18 篇文章 5 订阅

订阅专栏

【BurpSuite】插件开发学习之Software Vulnerability Scanner

前言

插件开发学习第2套。前置文章
【BurpSuite】插件学习之Log4shell

PS:这里没有TOKEN也是可以查询成功的

Software Vulnerability Scanner

https://github.com/PortSwigger/software-vulnerability-scanner.git
逻辑代码在

|____src
| |____.DS_Store
| |____main
| | |____.DS_Store
| | |____resources
| | | |____rules.json
| | | |____logo_small.png
| | |____java
| | | |____.DS_Store
| | | |____burp
| | | | |____tasks
| | | | | |____PathScanTask.java
| | | | | |____SoftwareScanTask.java
| | | | |____.DS_Store
| | | | |____PathIssue.java
| | | | |____Utils.java
| | | | |____models
| | | | | |____Software.java
| | | | | |____Vulnerability.java
| | | | | |____VulnersRequest.java
| | | | | |____Path.java
| | | | | |____Domain.java
| | | | |____gui
| | | | | |____TabComponent.form
| | | | | |____TabComponent.java
| | | | | |____path
| | | | | | |____PathsTable.java
| | | | | |____software
| | | | | | |____SoftwareTable.java
| | | | | |____rules
| | | | | | |____RulesTableListener.java
| | | | | | |____RulesTable.java
| | | | |____VulnersService.java
| | | | |____HttpClient.java
| | | | |____SoftwareIssue.java
| | | | |____BurpExtender.java

初始化VulnersService

vulnersService = new VulnersService(this, callbacks, helpers, domains, tabComponent);
try {
    vulnersService.loadRules();
} catch (IOException e) {
    callbacks.printError("[Vulners]" + e.getMessage());
}

初始化Rules:initPassiveScan

JSONObject data = httpClient.get("rules", new HashMap<String, String>());
JSONObject rules = data.getJSONObject("rules");

实际就是个http请求，在httpclient.java里面
在这里插入图片描述

List<String> headers = new ArrayList<>();
        headers.add("POST " + VULNERS_API_PATH + action + "/ HTTP/1.1");
        headers.add("Host: " + VULNERS_API_HOST);
        headers.add("User-Agent: vulners-burpscanner-v-1.2");
        headers.add("Content-type: application/json");

        JSONObject jsonBody = new JSONObject();

        if (burpExtender.getApiKey() != null) {
            jsonBody = jsonBody.put("apiKey", burpExtender.getApiKey());
        }

if (object.getString("result").equals("OK")) {
                return object.getJSONObject("data");
            }

doPassiveScan

在被动扫描中取出所有的域名domain和路径path，加入到hashmap中保存下来。

Domain domain = domains.get(domainName);
        if (domain == null) {
            domains.put(domainName, domain = new Domain());
        }

        if (!domain.getPaths().containsKey(path)) {
            callbacks.printOutput("[Vulners] adding new path '" + path + "' for domain " + domainName);
            domain.getPaths().put(path, null);
            vulnersService.checkURLPath(domainName, path, baseRequestResponse);
        }

根据这俩值检查是不是已经找到的

void checkURLPath(final String domainName, final String path, final IHttpRequestResponse baseRequestResponse) {
        VulnersRequest request = new VulnersRequest(domainName, path, baseRequestResponse);

        new PathScanTask(request, httpClient, vulnersRequest -> {
            Set<Vulnerability> vulnerabilities = vulnersRequest.getVulnerabilities();

PathScanTask

    public void run() {

        JSONObject data = httpClient.get("path", new HashMap<String, String>() {{
            put("path", vulnersRequest.getPath());
        }});

实际上这个就是通过API将path丢进去查询历史漏洞的
在这里插入图片描述
这也是整个插件的核心点，所以上面需要loadrules，去确保命中正则的path才会去check是否有漏洞，而非所有的path都去查询，毕竟是HTTP请求

SoftwareScanTask

根据扫描结果生成software结构体

Software software = new Software(
                    match.getType() + match.getMatchGroup(),
                    match.getType(),
                    match.getMatchGroup(),

                    matchRules.get(match.getType()).get("type"),
                    matchRules.get(match.getType()).get("alias")
            );

关键是从HTTPclient中提取出

software
version（match.getMatchGroup()）
type

命中正则的path则会处理这个issue
起始主要是正则匹配version，如果明确得到了version就可以去下一个接口找了

 public void run() {

        Software software = vulnersRequest.getSoftware();

        JSONObject data = httpClient.get("software", new HashMap<String, String>(){{
            put("software", software.getAlias());
            put("version", software.getVersion());
            put("type", software.getMatchType());
        }});

        Set<Vulnerability> vulnerabilities = Utils.getVulnerabilities(data);