├── README.md ├── Snipaste_2020-06-11_21-31-19.jpg ├── Snipaste_2020-06-11_21-32-26.jpg ├── Snipaste_2020-06-11_21-32-58.jpg └── burp_find_shiro.py /README.md: -------------------------------------------------------------------------------- 1 | # burp_find_shiro 2 | 3 | 1、通过burp代理流量寻找shiro站点,加载模块 4 | 5 | ![image.png](https://github.com/Jumbo-WJB/burp_find_shiro/raw/master/Snipaste_2020-06-11_21-31-19.jpg) 6 | 7 | 2、开启代理,访问网站 8 | 9 | 3、如果网站使用的是shiro,则在模块输出和“Dashboard”提示 10 | 11 | ![image.png](https://github.com/Jumbo-WJB/burp_find_shiro/raw/master/Snipaste_2020-06-11_21-32-26.jpg) 12 | 13 | ![image.png](https://github.com/Jumbo-WJB/burp_find_shiro/raw/master/Snipaste_2020-06-11_21-32-58.jpg) 14 | 15 | 16 | -------------------------------------------------------------------------------- /Snipaste_2020-06-11_21-31-19.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Jumbo-WJB/burp_find_shiro/d00dff39f16e8fce5eab9464993b1f728bcf5786/Snipaste_2020-06-11_21-31-19.jpg -------------------------------------------------------------------------------- /Snipaste_2020-06-11_21-32-26.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Jumbo-WJB/burp_find_shiro/d00dff39f16e8fce5eab9464993b1f728bcf5786/Snipaste_2020-06-11_21-32-26.jpg -------------------------------------------------------------------------------- /Snipaste_2020-06-11_21-32-58.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Jumbo-WJB/burp_find_shiro/d00dff39f16e8fce5eab9464993b1f728bcf5786/Snipaste_2020-06-11_21-32-58.jpg -------------------------------------------------------------------------------- /burp_find_shiro.py: -------------------------------------------------------------------------------- 1 | #coding:utf-8 2 | #author:Jumbo 3 | import re 4 | from burp import IBurpExtender, 
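IScannerInsertionPointProvider, IScannerInsertionPoint, IParameter, IScannerCheck, IScanIssue,ITab,ICookie
# The line above is the tail of the `from burp import IBurpExtender, ...`
# statement that this listing wraps across two lines.

# Request-line filters for resources that are never probed.
# NOTE(review): neither pattern is anchored to the end of the path, so an
# extension-like substring elsewhere in the request line also suppresses the
# probe; confirm that is intended.
_SCRIPT_REQUEST = re.compile(r"\/.*?\.js(\?|\s)")
_STATIC_REQUEST = re.compile(
    r"\/.*?\.(css|jpg|png|mp4|avi|ico|gif|pdf|jpeg|bm4|mp3|rmvb|txt|html)")


class BurpExtender(IBurpExtender, IScannerCheck):
    """Burp extension that flags sites answering with `rememberMe=deleteMe`.

    For a proxied request that carries cookies, the extension re-sends the
    request with a `rememberMe` cookie and inspects the cookies set by the
    response. A `rememberMe` cookie whose value is `deleteMe` is reported as
    the issue 'find shiro'.

    NOTE(review): although registered through doPassiveScan, the check sends
    an extra request to the target. It is sent to every host whose traffic
    reaches the scanner, whether or not that host is in the engagement scope.
    Gating the probe on `self._callbacks.isInScope(url)` would confine it to
    authorised targets; that is not done here because it would silently
    disable the check for users who have not configured a scope.
    """

    def registerExtenderCallbacks(self, callbacks):
        """Store the Burp callbacks/helpers and register this scanner check."""
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        self._callbacks.setExtensionName("burp_find_shiro")
        print('burp_find_shiro')
        self._callbacks.registerScannerCheck(self)

    def doPassiveScan(self, messageInfo):
        """Probe the host of `messageInfo` once if the request carries cookies.

        The original code queued one identical probe per cookie parameter, so
        a request with N cookies produced N duplicate probes and up to N
        duplicate issues. A single probe is enough.

        Returns None; a finding is registered through addScanIssue inside
        NewRquests instead of being returned to Burp.
        """
        resquest = messageInfo.getRequest()
        httpService = messageInfo.getHttpService()
        protocol = httpService.getProtocol()
        port = httpService.getPort()
        host = httpService.getHost()
        ishttps = protocol == 'https'
        analyzedRequest = self._helpers.analyzeRequest(resquest)
        # Requests without any cookie parameter are left alone, as before.
        carries_cookie = any(
            parameter.getType() == IParameter.PARAM_COOKIE
            for parameter in analyzedRequest.getParameters())
        if carries_cookie:
            self.NewRquests(resquest, protocol, host, port, ishttps,
                            'rememberMe', 'Jumbo', IParameter.PARAM_COOKIE,
                            messageInfo)
        return None

    def doActiveScan(self, baseRequestResponse, insertionPoint):
        """Declared by IScannerCheck; this extension has no active check."""
        return None

    def consolidateDuplicateIssues(self, existingIssue, newIssue):
        """Declared by IScannerCheck; keep one issue when the names match.

        Returns -1 (keep the existing issue) for two issues with the same
        name, otherwise 0 (keep both).
        """
        if existingIssue.getIssueName() == newIssue.getIssueName():
            return -1
        return 0

    def get_request_info(self, request):
        """Return (analyzedRequest, headers, body, method, parameters)."""
        analyzedRequest = self._helpers.analyzeRequest(request)
        reqHeaders = analyzedRequest.getHeaders()
        reqBodys = request[analyzedRequest.getBodyOffset():].tostring()
        reqMethod = analyzedRequest.getMethod()
        reqParameters = analyzedRequest.getParameters()
        return analyzedRequest, reqHeaders, reqBodys, reqMethod, reqParameters

    def get_parameter_Name_Value_Type(self, parameter):
        """Return the (name, value, type) triple of a Burp parameter."""
        parameterName = parameter.getName()
        parameterValue = parameter.getValue()
        parameterType = parameter.getType()
        return parameterName, parameterValue, parameterType

    def get_response_info(self, response):
        """Return (headers, body, status code, cookies) of a raw response."""
        analyzedResponse = self._helpers.analyzeResponse(response)
        resHeaders = analyzedResponse.getHeaders()
        resBodys = response[analyzedResponse.getBodyOffset():].tostring()
        resStatusCode = analyzedResponse.getStatusCode()
        rescookies = analyzedResponse.getCookies()
        return resHeaders, resBodys, resStatusCode, rescookies

    def NewRquests(self, resquest, protocol, host, port, ishttps, parameterName, parameterValue,
                   parameterType, messageInfo):
        """Send one probe with the given parameter set and report a match.

        The request is taken from `messageInfo`; `resquest`, `protocol`,
        `host`, `port` and `ishttps` are accepted for interface compatibility.
        Returns True when an issue was added, otherwise None. Exceptions are
        printed to the extension output and swallowed, as before.
        """
        resquest = messageInfo.getRequest()
        request_line = self._helpers.analyzeRequest(resquest).getHeaders()[0]
        if _SCRIPT_REQUEST.search(request_line) or _STATIC_REQUEST.search(request_line):
            return None
        try:
            # Build the parameter.
            newParameter = self._helpers.buildParameter(parameterName, parameterValue, parameterType)
            # Update the parameter in the request.
            # NOTE(review): confirm updateParameter adds the cookie when the
            # original request has no parameter of that name.
            newRequest = self._helpers.updateParameter(resquest, newParameter)

            # Send the probe once. The service overload returns the full
            # request/response pair, so the issue can reference it without
            # sending the same request a second time as the original did.
            httpService = messageInfo.getHttpService()
            probe = self._callbacks.makeHttpRequest(httpService, newRequest)
            newResponse = probe.getResponse()
            if newResponse is None:
                return None

            # Cookie values are deliberately not printed: the original echoed
            # every response cookie, session cookies included, to the output.
            rescookies = self._helpers.analyzeResponse(newResponse).getCookies()
            for rescookie in rescookies:
                if rescookie.getName() == 'rememberMe' and rescookie.getValue() == 'deleteMe':
                    print('find shiro!')
                    url = self._helpers.analyzeRequest(probe).getUrl()
                    issue = CustomScanIssue(httpService, url,
                                            [probe],
                                            'find shiro',
                                            'find shiro',
                                            'Certain', 'Low')
                    self._callbacks.addScanIssue(issue)
                    return True
        except Exception as e:
            print(e)
        return None


class CustomScanIssue(IScanIssue):
    """Minimal IScanIssue holding the values passed to the constructor."""

    def __init__(self, httpService, url, httpMessages, name, detail, confidence, severity):
        self.HttpService = httpService
        self.Url = url
        self.HttpMessages = httpMessages
        self.Name = name
        self.Detail = detail
        self.Severity = severity
        self.Confidence = confidence
        # Single-argument call form prints the same text as the original
        # print statement.
        print("Reported: " + name + " on " + str(url)+'\n'+"payload:"+detail)

    def getUrl(self):
        return self.Url

    def getIssueName(self):
        return self.Name

    def getIssueType(self):
        # Always 0 in this extension.
        return 0

    def getSeverity(self):
        return self.Severity

    def getConfidence(self):
        return self.Confidence

    def getIssueBackground(self):
        return None

    def getRemediationBackground(self):
        return None

    def getIssueDetail(self):
        return self.Detail

    def getRemediationDetail(self):
        return None

    def getHttpMessages(self):
        return self.HttpMessages

    def getHttpService(self):
        return self.HttpService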