【BurpSuite】Plugin Development Study: Software Vulnerability Scanner
Preface
This is the second installment in the plugin development study series. Prerequisite article:
【BurpSuite】Plugin Study: Log4shell
PS: queries succeed here even without a TOKEN (API key).
Software Vulnerability Scanner
https://github.com/PortSwigger/software-vulnerability-scanner.git
The logic lives under:
|____src
| |____.DS_Store
| |____main
| | |____.DS_Store
| | |____resources
| | | |____rules.json
| | | |____logo_small.png
| | |____java
| | | |____.DS_Store
| | | |____burp
| | | | |____tasks
| | | | | |____PathScanTask.java
| | | | | |____SoftwareScanTask.java
| | | | |____.DS_Store
| | | | |____PathIssue.java
| | | | |____Utils.java
| | | | |____models
| | | | | |____Software.java
| | | | | |____Vulnerability.java
| | | | | |____VulnersRequest.java
| | | | | |____Path.java
| | | | | |____Domain.java
| | | | |____gui
| | | | | |____TabComponent.form
| | | | | |____TabComponent.java
| | | | | |____path
| | | | | | |____PathsTable.java
| | | | | |____software
| | | | | | |____SoftwareTable.java
| | | | | |____rules
| | | | | | |____RulesTableListener.java
| | | | | | |____RulesTable.java
| | | | |____VulnersService.java
| | | | |____HttpClient.java
| | | | |____SoftwareIssue.java
| | | | |____BurpExtender.java
Initializing VulnersService
vulnersService = new VulnersService(this, callbacks, helpers, domains, tabComponent);
try {
    // pulls the regex rule set from the Vulners API
    vulnersService.loadRules();
} catch (IOException e) {
    callbacks.printError("[Vulners]" + e.getMessage());
}
Initializing the rules: initPassiveScan
JSONObject data = httpClient.get("rules", new HashMap<String, String>());
JSONObject rules = data.getJSONObject("rules");
This is really just an HTTP request, implemented in HttpClient.java:
List<String> headers = new ArrayList<>();
headers.add("POST " + VULNERS_API_PATH + action + "/ HTTP/1.1");
headers.add("Host: " + VULNERS_API_HOST);
headers.add("User-Agent: vulners-burpscanner-v-1.2");
headers.add("Content-type: application/json");
JSONObject jsonBody = new JSONObject();
// the API key is optional; it is only attached when one is configured
if (burpExtender.getApiKey() != null) {
    jsonBody = jsonBody.put("apiKey", burpExtender.getApiKey());
}
// ... the request is sent and the JSON response parsed into `object` ...
if (object.getString("result").equals("OK")) {
    return object.getJSONObject("data");
}
doPassiveScan
During passive scanning every domain and path is extracted and stored in a HashMap.
Domain domain = domains.get(domainName);
if (domain == null) {
    domains.put(domainName, domain = new Domain());
}
// each path is only checked the first time it is seen for a domain
if (!domain.getPaths().containsKey(path)) {
    callbacks.printOutput("[Vulners] adding new path '" + path + "' for domain " + domainName);
    domain.getPaths().put(path, null);
    vulnersService.checkURLPath(domainName, path, baseRequestResponse);
}
These two values are then used to check whether anything is known for that path:
void checkURLPath(final String domainName, final String path, final IHttpRequestResponse baseRequestResponse) {
    VulnersRequest request = new VulnersRequest(domainName, path, baseRequestResponse);
    new PathScanTask(request, httpClient, vulnersRequest -> {
        Set<Vulnerability> vulnerabilities = vulnersRequest.getVulnerabilities();
        // ... the callback turns the returned vulnerabilities into Burp issues
    });
}
PathScanTask
public void run() {
    // query the "path" endpoint with the observed URL path
    JSONObject data = httpClient.get("path", new HashMap<String, String>() {{
        put("path", vulnersRequest.getPath());
    }});
    // ...
}
In effect this hands the path to the API to look up historical vulnerabilities for it.
This is also the core of the whole plugin, and the reason loadRules is needed above: only paths that match one of the regex rules are checked for vulnerabilities, rather than every path, since each check costs an HTTP request.
SoftwareScanTask
The Software object is built from the match result:
Software software = new Software(
    match.getType() + match.getMatchGroup(),          // name: rule type + captured version
    match.getType(),
    match.getMatchGroup(),                            // version captured by the regex group
    matchRules.get(match.getType()).get("type"),
    matchRules.get(match.getType()).get("alias")
);
The key step is extracting the following from the HTTP client:
- software
- version(match.getMatchGroup())
- type
A path that matches a regex rule is processed into an issue.
Essentially the regex is there to match the version; once a version has been obtained explicitly, the next API endpoint can be queried.
public void run() {
    Software software = vulnersRequest.getSoftware();
    // query the "software" endpoint with alias, version and type
    JSONObject data = httpClient.get("software", new HashMap<String, String>() {{
        put("software", software.getAlias());
        put("version", software.getVersion());
        put("type", software.getMatchType());
    }});
    Set<Vulnerability> vulnerabilities = Utils.getVulnerabilities(data);
    // ...
}
At this point the whole chain is connected; what remains is the UI and some changes to the output.
Improvements
This only supports passive scanning; following the same logic, doActiveScan could be overridden to support active scanning as well.
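To make the chain above concrete, here is a standalone re-implementation of the rule-matching and path-dedup logic (added for this write-up, not code from the extension): a constructed rule set in the spirit of rules.json, the Software record built from the regex capture group, the parameter map that would go to the "software" endpoint, and the per-domain path check. The rules, the sample response and the endpoint parameters are constructed illustrations, not the real rule file or a live API call.

```python
import re
from dataclasses import dataclass

# Constructed rules modelled on the extension's rules.json idea: the first
# capture group of each regex is the version; type/alias feed the API query.
RULES = {
    "nginx":  {"regex": r"Server:\s*nginx/([\d.]+)",      "type": "software", "alias": "nginx"},
    "php":    {"regex": r"X-Powered-By:\s*PHP/([\d.]+)",  "type": "software", "alias": "php"},
    "jquery": {"regex": r"jquery-([\d.]+)(?:\.min)?\.js", "type": "software", "alias": "jquery"},
}

@dataclass(frozen=True)
class Software:
    name: str         # rule name + version, like match.getType() + match.getMatchGroup()
    version: str      # the regex capture group
    match_type: str
    alias: str

def match_software(response_text, rules=RULES):
    """Run every rule over a raw HTTP response; return the software/version hits."""
    found = set()
    for rule_name, rule in rules.items():
        for m in re.finditer(rule["regex"], response_text):
            found.add(Software(rule_name + m.group(1), m.group(1), rule["type"], rule["alias"]))
    return sorted(found, key=lambda s: s.name)

def query_params(software):
    """Parameter map the scanner would send to the 'software' endpoint (no request is made here)."""
    return {"software": software.alias, "version": software.version, "type": software.match_type}

def register_path(domains, domain_name, path):
    """Mirror doPassiveScan: remember the path per domain, True only on first sighting."""
    paths = domains.setdefault(domain_name, {})
    if path in paths:
        return False          # already checked, do not spend another API request
    paths[path] = None
    return True

# Constructed sample response; headers and body both carry version strings.
RESPONSE = ("HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nX-Powered-By: PHP/7.4.3\r\n\r\n"
            '<script src="/static/jquery-3.5.1.min.js"></script>')

if __name__ == "__main__":
    for sw in match_software(RESPONSE):
        print(sw, query_params(sw))
```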