Example Analysis of Developing a Burp Suite Plug-in with Python

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article walks through an example of developing a Burp Suite plug-in in Python. It is shared here as a reference, in the hope that it gives you a working understanding of the topic.

The plug-in appends a large number of SQL injection test payloads after each parameter, obtains the request that was sent and the response that was received through the interface classes, and then decides from the response data whether a SQL injection vulnerability exists.

Required interface classes:

IIntruderPayloadProcessor:

This is a payload processor for the Intruder tool. We can register one via IBurpExtenderCallbacks.registerIntruderPayloadProcessor(). Two methods of this interface need to be implemented: getProcessorName() and processPayload().

getProcessorName method:

Returns the name of the payload processor.

processPayload method:

Burp calls this method each time the processor is applied to a payload in an Intruder attack.

IHttpListener:

This is an HTTP listener. It is notified of every HTTP request issued and every HTTP response received by any tool in Burp, and it is registered through IBurpExtenderCallbacks.registerHttpListener(). Through this interface we can obtain the traffic, analyze it and modify it. One method of this interface needs to be implemented: processHttpMessage().

processHttpMessage method:

To receive all HTTP messages, this method must be overridden when implementing the interface above.

(Other API classes are not introduced here; see previous articles.)

Code implementation and interpretation

Step 1:

Import the Burp API classes.

Step 2:

Write the SQL injection statements you need into an array.

This is only a demonstration. Many more test statements are available at this address:

https://github.com/trietptm/SQL-Injection-Payloads

Step 3:

Register all required interface classes.

Step 4:

With the payload generator registered, now implement the payload generator itself.

It returns a new instance of this interface.

Step 5:

The payload generator is scheduled for the Intruder tool.

Step 6:

Process the payloads returned from the payload generator.

Step 7:

Because the HTTP listener was registered earlier, we can now use it to obtain HTTP request and response data, and to analyze and modify that traffic.

messageInfo is an object; we read and modify the related data through its methods:

As you can see above, getHttpService() returns an IHttpService instance.

Calling its methods gives the detailed HTTP information.

My PyCharm uses a Python 3 interpreter, but Jython currently supports only Python 2, so we must use Python 2 syntax for print. The result is output in the Burp terminal.
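The following sketch is an added example, not the article's original code: it wires the two interfaces described above into one extension that appends a test suffix in processPayload() and checks Intruder responses for database error text in processHttpMessage(). The names SUFFIX, DB_ERRORS and find_db_error, and the signature list itself, are assumptions; the stand-in base classes exist only so the file also loads outside Burp.

```python
# Added example, not the article's code. Python 2 syntax so it loads under Jython.
try:
    from burp import IBurpExtender, IHttpListener, IIntruderPayloadProcessor
except ImportError:
    # Outside Burp: empty stand-in base classes so the logic can be run offline.
    IBurpExtender, IHttpListener, IIntruderPayloadProcessor = (
        type(name, (object,), {}) for name in ("A", "B", "C"))

SUFFIX = "'"  # constructed demo payload suffix; use your own test list in practice
# Assumed signature list: lowercase fragments of common database error messages.
DB_ERRORS = [
    "you have an error in your sql syntax",                # MySQL
    "unclosed quotation mark after the character string",  # SQL Server
    "unterminated quoted string",                          # PostgreSQL
    "quoted string not properly terminated",               # Oracle
]

def find_db_error(body):
    """Return the first error signature found in a response body, else None."""
    lowered = body.lower()
    for signature in DB_ERRORS:
        if signature in lowered:
            return signature
    return None

class BurpExtender(IBurpExtender, IHttpListener, IIntruderPayloadProcessor):
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("SQLi error check (example)")
        callbacks.registerIntruderPayloadProcessor(self)
        callbacks.registerHttpListener(self)

    def getProcessorName(self):
        return "Append single quote (example)"

    def processPayload(self, currentPayload, originalPayload, baseValue):
        # Burp passes and expects byte arrays; convert, append, convert back.
        text = self._helpers.bytesToString(currentPayload)
        return self._helpers.stringToBytes(text + SUFFIX)

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        # Only look at responses that belong to Intruder traffic.
        if messageIsRequest or toolFlag != self._callbacks.TOOL_INTRUDER:
            return
        response = messageInfo.getResponse()
        offset = self._helpers.analyzeResponse(response).getBodyOffset()
        hit = find_db_error(self._helpers.bytesToString(response[offset:]))
        if hit:
            url = self._helpers.analyzeRequest(messageInfo).getUrl()
            print("[possible SQLi] %s matched: %s" % (url, hit))
```

A matched error string is only a hint that input reached a query unescaped; confirm each hit manually before reporting it.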

Finally, a complete code:

Note: When used, configure as follows

Final effect:
