自动收集burpsuitescanenr模块扫描后的结果

自动收集burpsuite scanenr模块扫描后的结果

0x00需求

在QA进行功能测试时,同时也进行安全测试,减少产品安全测试所花费的时间,将工具可以发现的安全问题,尽可能早的提出来。

都安网站建设公司创新互联建站,都安网站设计制作,有大型网站制作公司丰富经验。已为都安超过千家提供企业网站建设服务。企业网站搭建\成都外贸网站建设公司要多少钱,请找那个售后服务好的都安做网站的公司定做!

0x01思路

  1. 找一台windows服务器,在该服务器上安装bp,bp的代理ip:本服务器ip,端口:8080
  2. QA测试时浏览器挂上代理(代理ip:windows服务器的ip,端口:8080)
  3. 编写burpsuite插件,将burpsuite scanner模块发现的漏洞存储到sqlite数据库
  4. QA在测试前,需要将测试的url添加到bp的scope中
  5. QA测试完,可以访问响应页面,查看安全测试结果

    0x02burpsuite 插件

    插件需要继承IScannerListener,使用其newScanIssue函数获取所有的扫描结果
    自动收集burpsuite scanenr模块扫描后的结果

package burp;

/*

  • @(#)IScanIssue.java
  • Copyright PortSwigger Ltd. All rights reserved.
  • This code may be used to extend the functionality of Burp Suite Community Edition
  • and Burp Suite Professional, provided that this usage does not violate the
  • license terms for those products.
    /
    /
  • This interface is used to retrieve details of Scanner issues. Extensions can
  • obtain details of issues by registering an IScannerListener or
  • by calling IBurpExtenderCallbacks.getScanIssues(). Extensions
  • can also add custom Scanner issues by registering an
  • IScannerCheck or calling
  • IBurpExtenderCallbacks.addScanIssue(), and providing their own
  • implementations of this interface. Note that issue descriptions and other
  • text generated by extensions are subject to an HTML whitelist that allows
  • only formatting tags and simple hyperlinks.
    */
    public interface IScanIssue
    {

    /**

    • This method returns the URL for which the issue was generated.
    • @return The URL for which the issue was generated.
      */
      java.net.URL getUrl();

    /**

    • This method returns the name of the issue type.
    • @return The name of the issue type (e.g. "SQL injection").
      */
      String getIssueName();

    /**

    • This method returns a numeric identifier of the issue type. See the Burp
    • Scanner help documentation for a listing of all the issue types.
    • @return A numeric identifier of the issue type.
      */
      int getIssueType();

    /**

    • This method returns the issue severity level.
    • @return The issue severity level. Expected values are "High", "Medium",
    • "Low", "Information" or "False positive".
    • */
      String getSeverity();

    /**

    • This method returns the issue confidence level.
    • @return The issue confidence level. Expected values are "Certain", "Firm"
    • or "Tentative".
      */
      String getConfidence();

    /**

    • This method returns a background description for this type of issue.
    • @return A background description for this type of issue, or
    • null if none applies. A limited set of HTML tags may be
    • used.
      */
      String getIssueBackground();

    /**

    • This method returns a background description of the remediation for this
    • type of issue.
    • @return A background description of the remediation for this type of
    • issue, or null if none applies. A limited set of HTML tags
    • may be used.
      */
      String getRemediationBackground();

    /**

    • This method returns detailed information about this specific instance of
    • the issue.
    • @return Detailed information about this specific instance of the issue,
    • or null if none applies. A limited set of HTML tags may be
    • used.
      */
      String getIssueDetail();

    /**

    • This method returns detailed information about the remediation for this
    • specific instance of the issue.
    • @return Detailed information about the remediation for this specific
    • instance of the issue, or null if none applies. A limited
    • set of HTML tags may be used.
      */
      String getRemediationDetail();

    /*

    • This method returns the HTTP messages on the basis of which the issue was
    • generated.
    • @return The HTTP messages on the basis of which the issue was generated.
    • Note: The items in this array should be instances of
    • IHttpRequestResponseWithMarkers if applicable, so that
    • details of the relevant portions of the request and response messages are
    • available.
      */
      IHttpRequestResponse[] getHttpMessages();

    /*

    • This method returns the HTTP service for which the issue was generated.
    • @return The HTTP service for which the issue was generated.
      */
      IHttpService getHttpService();

}

**如上newScanIssue可以获取到扫描的所有结果,比如:
1.java.net.URL getUrl(); 扫描的url
2.String getIssueName(); 问题类型: 如SQL injection(sql注入)
3.getSeverity(); 漏洞等级 "High", "Medium", "Low", "Information" or "False positive"
4.String getConfidence(); 确定程度 "Certain", "Firm" or "Tentative".

  1. String getIssueBackground(); 漏洞背景
  2. String getIssueDetail(); 漏洞详情
  3. IHttpRequestResponse[] getHttpMessages(); 漏洞证明的请求、响应包
    将以上信息获取后保存到数据库中即可
    完整代码:

from burp import IBurpExtender
from burp import IScannerListener
from java.io import PrintWriter
from threading import Thread
from java.lang import Class
from java.sql import DriverManager, SQLException
import time
class BurpExtender(IBurpExtender, IScannerListener):

def registerExtenderCallbacks(self, callbacks):
    # keep a reference to our callbacks object
    self._callbacks = callbacks

    # set our extension name
    callbacks.setExtensionName("scann_test")

    # obtain our output stream
    self._stdout = PrintWriter(callbacks.getStdout(), True)

    self._helpers = callbacks.getHelpers()

    # register ourselves as an
    callbacks.registerScannerListener(self)

def newScanIssue(self,issue):

    #self._stdout.println(issue.getConfidence())  Certain", "Firm" * or "Tentative"
    #CREATE TABLE `scanner` (`id` INTEGER PRIMARY KEY,`time` varchar(100),ip varchar(50),`url` varchar(30) ,`degree` varchar(30) ,`level` varchar(100) ,`detail` text ,`issueType` varchar(200) ,`issueBackground` text,`remediationBackground` text,`remediationDetail` text,`requests` text,`response` text ,issueName varcahr(50))
    if(issue.getConfidence()):

        Class.forName("org.sqlite.JDBC").newInstance()
        JDBC_URL = "jdbc:sqlite:%s" % ("d:/scanner.db")
        dbConn = DriverManager.getConnection(JDBC_URL)
        sql="insert into `scanner` (time,ip,url,degree,level,detail,issueType,issueBackground,remediationBackground,remediationDetail,requests,response,issueName) values(?,?,?,?,?,?,?,?,?,?,?,?,?);"
        preStmt=dbConn.prepareStatement(sql)
        current_time=time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())

        requests=""
        response=""
        for message in issue.getHttpMessages():

            for i in range(len(message.getRequest())):
                if(message.getRequest()[i]<255 and message.getRequest()[i]>0):
                    requests=requests+chr(message.getRequest()[i])
            requests+="\n--------------------------\n" 
            if(len(message.getResponse())!=0):
                for i in range(len(message.getResponse())):
                    if(message.getResponse()[i]<255 and message.getResponse()[i]>0):
                        response=response+chr(message.getResponse()[i])
            response+="\n--------------------------\n"
        ip=issue.getHttpService().getHost()

        if(issue.getIssueDetail()):
            detail=issue.getIssueDetail()
        else:
            detail="none"

        if(issue.getIssueBackground()):
            issueBackground=issue.getIssueBackground()
        else:
            issueBackground="none"

        if(issue.getRemediationBackground()):
            remediationBackground=issue.getRemediationBackground()
        else:
            remediationBackground="none"

        if(issue.getRemediationDetail()):
            remediationDetail=issue.getRemediationDetail()
        else:
            remediationDetail="none"

        preStmt.setString(1, str(current_time))
        preStmt.setString(2, str(ip))
        preStmt.setString(3, str(issue.getUrl()))
        preStmt.setString(4,str(issue.getConfidence()))
        preStmt.setString(5,str(issue.getSeverity()))
        preStmt.setString(6,str(detail))
        preStmt.setString(7,str(issue.getIssueType()))
        preStmt.setString(8,str(issueBackground))
        preStmt.setString(9,str(remediationBackground))
        preStmt.setString(10,str(remediationDetail))
        preStmt.setString(11,str(requests))
        preStmt.setString(12,str(response))
        preStmt.setString(13,str(issue.getIssueName()))

        preStmt.addBatch()
        dbConn.setAutoCommit(False)
        preStmt.executeBatch()
        dbConn.setAutoCommit(True)
        dbConn.close()

        self._stdout.println("time:")
        self._stdout.println(current_time)

        self._stdout.print("ip")
        self._stdout.println(ip)

        self._stdout.println("qudingchengdu:"+issue.getConfidence())

        self._stdout.print("url:")
        self._stdout.println(issue.getUrl())

        self._stdout.println(issue.getIssueName())

        self._stdout.println("level:"+issue.getSeverity())

        self._stdout.print("detail:")
        if(issue.getIssueDetail()):
            self._stdout.println(issue.getIssueDetail())
        else:
            self._stdout.println("none")

        self._stdout.println("getIssueType():")
        self._stdout.println(issue.getIssueType())

        self._stdout.print("getIssueBackground")
        if(issue.getIssueBackground()):
            self._stdout.println(issue.getIssueBackground())
        else:
            self._stdout.println("none")

        self._stdout.print("getRemediationBackground():")
        if(issue.getRemediationBackground()):
            self._stdout.println(issue.getRemediationBackground())
        else:
            self._stdout.println("none")

        self._stdout.print("getRemediationDetail():")
        if(issue.getRemediationDetail()):
            self._stdout.println(issue.getRemediationDetail())
        else:
            self._stdout.println("none")

        self._stdout.println("---------------------------")

0x03 burpsuite 扫描结果(在数据库中展示)

自动收集burpsuite scanenr模块扫描后的结果

0x04 待存问题

scanner 扫描过程中过滤js,jpg等文件
将需要测试的url自动添加到scope中


分享名称:自动收集burpsuitescanenr模块扫描后的结果
URL网址:http://azwzsj.com/article/jigcei.html