├── README.md ├── images ├── p1.jpg ├── p2.jpg └── p3.jpg ├── pom.xml └── src ├── .DS_Store ├── burp ├── Bootstrap │ ├── CustomBurpUrl.java │ ├── ExtensionHelpers.java │ ├── HttpAnalyze.java │ └── YamlReader.java ├── BurpExtender.java ├── CustomScanIssue.java ├── Scan │ ├── JsonScan.java │ └── ScanTask.java └── View │ ├── ScanQueueTag.java │ └── Tags.java └── config ├── .DS_Store └── config.yml /README.md: -------------------------------------------------------------------------------- 1 | ![](https://socialify.git.ci/a1phaboy/JsonDetect/image?description=1&font=Rokkitt&language=1&name=1&owner=1&pattern=Circuit%20Board&stargazers=1&theme=Light) 2 | # JsonDetect 3 | [FastjsonScan](https://github.com/a1phaboy/FastjsonScan) 移植burp插件 4 | 支持被动扫描json,根据不同json库的特性识别出相应的json依赖库 5 | 如果请求包body中含有json会高亮 6 | ![img.png](images/p1.jpg) 7 | 8 | 插件会进行被动扫描 9 | ![img.png](images/p2.jpg) 10 | 11 | 结果会输出至JsonDetect面板 12 | ![img.png](images/p3.jpg) 13 | 14 | ## 用法 15 | 16 | **目前只适配burp pro版本!!!** 17 | **目前只适配burp pro版本!!!** 18 | **目前只适配burp pro版本!!!** 19 | 20 | 将config文件夹以及里面的配置文件放在插件同一个根目录下即可 21 | config.yml文件支持自定义黑白名单以及请求包规则 22 | -------------------------------------------------------------------------------- /images/p1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a1phaboy/JsonDetect/121510e927fddeade649fd623e5dfe044a8bb389/images/p1.jpg -------------------------------------------------------------------------------- /images/p2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a1phaboy/JsonDetect/121510e927fddeade649fd623e5dfe044a8bb389/images/p2.jpg -------------------------------------------------------------------------------- /images/p3.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a1phaboy/JsonDetect/121510e927fddeade649fd623e5dfe044a8bb389/images/p3.jpg -------------------------------------------------------------------------------- /pom.xml: -------------------------------------------------------------------------------- 1 | 4 | 4.0.0 5 | tech.a1phaboy.burp 6 | JsonDetect 7 | 1.0 8 | 9 | src 10 | 11 | 12 | maven-compiler-plugin 13 | 3.7.0 14 | 15 | 1.8 16 | 1.8 17 | 18 | 19 | 20 | 21 | maven-assembly-plugin 22 | 23 | 24 | jar-with-dependencies 25 | 26 | 27 | 28 | 29 | true 30 | 31 | 32 | 33 | 34 | 35 | 36 | make-assembly 37 | package 38 | 39 | single 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | net.portswigger.burp.extender 51 | burp-extender-api 52 | 2.3 53 | 54 | 55 | 56 | 57 | com.google.code.gson 58 | gson 59 | 2.8.6 60 | 61 | 62 | 63 | 64 | com.google.guava 65 | guava 66 | 29.0-jre 67 | 68 | 69 | 70 | 71 | org.apache.commons 72 | commons-text 73 | 1.6 74 | 75 | 76 | 77 | 78 | org.beanshell 79 | bsh 80 | 2.0b5 81 | 82 | 83 | org.yaml 84 | snakeyaml 85 | 1.29 86 | 87 | 88 | -------------------------------------------------------------------------------- /src/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a1phaboy/JsonDetect/121510e927fddeade649fd623e5dfe044a8bb389/src/.DS_Store -------------------------------------------------------------------------------- /src/burp/Bootstrap/CustomBurpUrl.java: -------------------------------------------------------------------------------- 1 | package burp.Bootstrap; 2 | 3 | import java.net.URL; 4 | import java.io.PrintWriter; 5 | import java.net.MalformedURLException; 6 | 7 | import burp.IExtensionHelpers; 8 | import burp.IHttpRequestResponse; 9 | import burp.IBurpExtenderCallbacks; 10 | 11 | public class CustomBurpUrl { 12 | private IBurpExtenderCallbacks callbacks; 13 | private IExtensionHelpers helpers; 14 | 15 | public PrintWriter stderr; 16 | 17 | private IHttpRequestResponse requestResponse; 18 | 19 | public CustomBurpUrl(IBurpExtenderCallbacks callbacks, IHttpRequestResponse requestResponse) { 20 | this.callbacks = callbacks; 21 | this.helpers = callbacks.getHelpers(); 22 | this.stderr = new PrintWriter(callbacks.getStderr(), true); 23 | 24 | this.requestResponse = requestResponse; 25 | } 26 | 27 | public IHttpRequestResponse requestResponse() { 28 | return this.requestResponse; 29 | } 30 | 31 | /** 32 | * 获取-请求协议 33 | * 34 | * @return 35 | */ 36 | public String getRequestProtocol() { 37 | return this.requestResponse.getHttpService().getProtocol(); 38 | } 39 | 40 | /** 41 | * 获取-请求主机 42 | * 43 | * @return 44 | */ 45 | public String getRequestHost() { 46 | return this.requestResponse.getHttpService().getHost(); 47 | } 48 | 49 | /** 50 | * 获取-请求端口 51 | * 52 | * @return 53 | */ 54 | public int getRequestPort() { 55 | return this.requestResponse.getHttpService().getPort(); 56 | } 57 | 58 | /** 59 | * 获取-请求路径 60 | * 61 | * @return 62 | */ 63 | public String getRequestPath() { 64 | return this.helpers.analyzeRequest(this.requestResponse).getUrl().getPath(); 65 | } 66 | 67 | /** 68 | * 获取-请求参数 69 | * 70 | * @return 71 | */ 72 | public String getRequestQuery() { 73 | return this.helpers.analyzeRequest(this.requestResponse).getUrl().getQuery(); 74 | } 75 | 76 | /** 77 | * 获取-请求域名名称 78 | * 79 | * @return 80 | */ 81 | public String getRequestDomainName() { 82 | if (this.getRequestPort() == 80 || this.getRequestPort() == 443) { 83 | return this.getRequestProtocol() + "://" + this.getRequestHost(); 84 | } else { 85 | return this.getRequestProtocol() + "://" + this.getRequestHost() + ":" + this.getRequestPort(); 86 | } 87 | } 88 | 89 | /** 90 | * 获取-获取http请求url 91 | * 92 | * @return 93 | */ 94 | public URL getHttpRequestUrl() { 95 | try { 96 | if (this.getRequestQuery() == null) { 97 | return new URL(this.getRequestDomainName() + this.getRequestPath()); 98 | } else { 99 | return new URL(this.getRequestDomainName() + this.getRequestPath() + "?" + this.getRequestQuery()); 100 | } 101 | } catch (MalformedURLException e) { 102 | e.printStackTrace(this.stderr); 103 | } 104 | return null; 105 | } 106 | } -------------------------------------------------------------------------------- /src/burp/Bootstrap/ExtensionHelpers.java: -------------------------------------------------------------------------------- 1 | package burp.Bootstrap; 2 | 3 | import burp.IBurpExtenderCallbacks; 4 | import burp.IExtensionHelpers; 5 | import burp.View.Tags; 6 | 7 | import java.io.File; 8 | 9 | public class ExtensionHelpers { 10 | 11 | private static IExtensionHelpers helpers; 12 | private static IBurpExtenderCallbacks callbacks; 13 | private Tags tags; 14 | 15 | public ExtensionHelpers(IBurpExtenderCallbacks callbacks){ 16 | this.callbacks = callbacks; 17 | this.helpers = callbacks.getHelpers(); 18 | 19 | } 20 | 21 | 22 | 23 | 24 | public String getExtensionFilePath() { 25 | String path = ""; 26 | Integer lastIndex = this.callbacks.getExtensionFilename().lastIndexOf(File.separator); 27 | path = this.callbacks.getExtensionFilename().substring(0, lastIndex) + File.separator; 28 | return path; 29 | } 30 | 31 | } 32 | -------------------------------------------------------------------------------- /src/burp/Bootstrap/HttpAnalyze.java: -------------------------------------------------------------------------------- 1 | package burp.Bootstrap; 2 | 3 | import burp.*; 4 | 5 | import java.util.Arrays; 6 | 7 | public class HttpAnalyze { 8 | private static IBurpExtenderCallbacks callbacks; 9 | private static IExtensionHelpers helpers; 10 | private static IHttpRequestResponse requestResponse; 11 | 12 | public HttpAnalyze(IBurpExtenderCallbacks callbacks, IHttpRequestResponse baseRequestResponse){ 13 | HttpAnalyze.callbacks = callbacks; 14 | HttpAnalyze.helpers = callbacks.getHelpers(); 15 | HttpAnalyze.requestResponse = baseRequestResponse; 16 | } 17 | 18 | public IRequestInfo AnalyzeRequest() { 19 | return helpers.analyzeRequest(requestResponse.getRequest()); 20 | } 21 | 22 | public IResponseInfo AnlyzeResponse(){ 23 | return helpers.analyzeResponse(requestResponse.getResponse()); 24 | } 25 | 26 | /* json分析 27 | * 需要判断 请求包中的body数据是否是json字符串 28 | * 如果是 ,则判断为json;否 则返回 false 29 | */ 30 | public boolean AnalyzeJsonByReqBody(){ 31 | int ReqBodyOffset = this.AnalyzeRequest().getBodyOffset(); 32 | byte[] byteReqBody = Arrays.copyOfRange(requestResponse.getRequest(),ReqBodyOffset,requestResponse.getRequest().length); 33 | String ReqBody = new String(byteReqBody).trim(); 34 | if(ReqBody.startsWith("{") && ReqBody.endsWith("}")){ 35 | return true; 36 | } 37 | return ReqBody.startsWith("[") && ReqBody.endsWith("]"); 38 | } 39 | } -------------------------------------------------------------------------------- /src/burp/Bootstrap/YamlReader.java: -------------------------------------------------------------------------------- 1 | package burp.Bootstrap; 2 | 3 | import java.util.Map; 4 | import java.util.List; 5 | import java.util.HashMap; 6 | import java.util.LinkedHashMap; 7 | import java.io.File; 8 | import java.io.FileInputStream; 9 | import java.io.FileNotFoundException; 10 | import java.io.PrintWriter; 11 | 12 | import org.yaml.snakeyaml.Yaml; 13 | 14 | import burp.IBurpExtenderCallbacks; 15 | 16 | public class YamlReader { 17 | private static YamlReader instance; 18 | 19 | private static Map> properties = new HashMap<>(); 20 | 21 | private YamlReader(IBurpExtenderCallbacks callbacks) throws FileNotFoundException { 22 | ExtensionHelpers customBurpHelpers = new ExtensionHelpers(callbacks); 23 | String c = customBurpHelpers.getExtensionFilePath() + "config/config.yml"; 24 | File f = new File(c); 25 | properties = new Yaml().load(new FileInputStream(f)); 26 | } 27 | 28 | public static synchronized YamlReader getInstance(IBurpExtenderCallbacks callbacks) { 29 | if (instance == null) { 30 | try { 31 | instance = new YamlReader(callbacks); 32 | } catch (FileNotFoundException e) { 33 | e.printStackTrace(new PrintWriter(callbacks.getStderr(), true)); 34 | } 35 | } 36 | return instance; 37 | } 38 | 39 | /** 40 | * 获取yaml属性 41 | * 可通过 "." 循环调用 42 | * 例如这样调用: YamlReader.getInstance().getValueByKey("a.b.c.d") 43 | * 44 | * @param key 45 | * @return 46 | */ 47 | public Object getValueByKey(String key) { 48 | String separator = "."; 49 | String[] separatorKeys = null; 50 | if (key.contains(separator)) { 51 | separatorKeys = key.split("\\."); 52 | } else { 53 | return properties.get(key); 54 | } 55 | Map> finalValue = new HashMap<>(); 56 | for (int i = 0; i < separatorKeys.length - 1; i++) { 57 | if (i == 0) { 58 | finalValue = (Map) properties.get(separatorKeys[i]); 59 | continue; 60 | } 61 | if (finalValue == null) { 62 | break; 63 | } 64 | finalValue = (Map) finalValue.get(separatorKeys[i]); 65 | } 66 | return finalValue == null ? null : finalValue.get(separatorKeys[separatorKeys.length - 1]); 67 | } 68 | 69 | public String getString(String key) { 70 | return String.valueOf(this.getValueByKey(key)); 71 | } 72 | 73 | public String getString(String key, String defaultValue) { 74 | if (null == this.getValueByKey(key)) { 75 | return defaultValue; 76 | } 77 | return String.valueOf(this.getValueByKey(key)); 78 | } 79 | 80 | public Boolean getBoolean(String key) { 81 | return (boolean) this.getValueByKey(key); 82 | } 83 | 84 | public Integer getInteger(String key) { 85 | return (Integer) this.getValueByKey(key); 86 | } 87 | 88 | public double getDouble(String key) { 89 | return (double) this.getValueByKey(key); 90 | } 91 | 92 | public List getStringList(String key) { 93 | return (List) this.getValueByKey(key); 94 | } 95 | 96 | public LinkedHashMap getLinkedHashMap(String key) { 97 | return (LinkedHashMap) this.getValueByKey(key); 98 | } 99 | } -------------------------------------------------------------------------------- /src/burp/BurpExtender.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | import burp.Bootstrap.CustomBurpUrl; 4 | import burp.Bootstrap.HttpAnalyze; 5 | import burp.Bootstrap.YamlReader; 6 | import burp.Scan.JsonScan; 7 | import burp.View.Tags; 8 | 9 | import java.io.PrintWriter; 10 | import java.nio.charset.StandardCharsets; 11 | import java.util.*; 12 | 13 | public class BurpExtender implements IBurpExtender,IHttpListener,IScannerCheck{ 14 | public static String NAME = "JsonDetect"; 15 | 16 | private static IBurpExtenderCallbacks callbacks; 17 | private static IExtensionHelpers helpers; 18 | private static YamlReader yamlReader; 19 | private PrintWriter stdout; 20 | private PrintWriter stderr; 21 | private Tags tags; 22 | 23 | 24 | 25 | @Override 26 | public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) { 27 | //设置名称 28 | callbacks.setExtensionName(NAME); 29 | 30 | //输入输出 31 | stdout = new PrintWriter(callbacks.getStdout(),true); 32 | stderr = new PrintWriter(callbacks.getStderr(),true); 33 | 34 | //初始化 35 | BurpExtender.callbacks = callbacks; 36 | BurpExtender.helpers = callbacks.getHelpers(); 37 | BurpExtender.yamlReader = YamlReader.getInstance(callbacks); 38 | 39 | //UI界面 40 | this.tags = new Tags(callbacks,NAME); 41 | 42 | //banner 43 | showSomething(); 44 | 45 | 46 | //注册 47 | callbacks.registerHttpListener(this); 48 | callbacks.registerScannerCheck(this); 49 | 50 | } 51 | 52 | @Override 53 | public void processHttpMessage(int i, boolean isRequest, IHttpRequestResponse iHttpRequestResponse) { 54 | if (isRequest){ 55 | HttpAnalyze httpAnalyze = new HttpAnalyze(callbacks,iHttpRequestResponse) ; 56 | if (httpAnalyze.AnalyzeJsonByReqBody()){ 57 | iHttpRequestResponse.setHighlight("yellow"); 58 | iHttpRequestResponse.setComment("JsonType"); 59 | } 60 | } 61 | } 62 | 63 | @Override 64 | public List doPassiveScan(IHttpRequestResponse baseRequestResponse) { 65 | stdout.println("===== doPassiveScan ====="); 66 | List domainNameBlacklist = yamlReader.getStringList("scan.domainName.blacklist"); 67 | List domainNameWhitelist = yamlReader.getStringList("scan.domainName.whitelist"); 68 | 69 | //获取url 70 | CustomBurpUrl baseBurpUrl = new CustomBurpUrl(callbacks,baseRequestResponse); 71 | 72 | 73 | //判断域名黑名单 74 | if (domainNameBlacklist != null && domainNameBlacklist.size() >= 1) { 75 | if (isMatchDomainName(baseBurpUrl.getRequestHost(), domainNameBlacklist)) { 76 | return null; 77 | } 78 | } 79 | 80 | // 判断域名白名单 81 | if (domainNameWhitelist != null && domainNameWhitelist.size() >= 1) { 82 | if (!isMatchDomainName(baseBurpUrl.getRequestHost(), domainNameWhitelist)) { 83 | return null; 84 | } 85 | } 86 | 87 | // 判断当前请求后缀,是否为url黑名单后缀 88 | if (this.isUrlBlackListSuffix(baseBurpUrl)) { 89 | return null; 90 | } 91 | 92 | 93 | //请求分析 94 | HttpAnalyze httpAnalyze = new HttpAnalyze(callbacks,baseRequestResponse) ; 95 | if (httpAnalyze.AnalyzeJsonByReqBody()){ // 判断body是否是json格式数据 96 | int tagId = this.tags.getScanQueueTagClass().add( 97 | "json", 98 | baseBurpUrl.getHttpRequestUrl().toString(), 99 | "waiting for test results", 100 | baseRequestResponse 101 | ); 102 | JsonScan scan = null; 103 | try { 104 | scan = new JsonScan(callbacks,baseRequestResponse,yamlReader); 105 | } catch (InterruptedException e) { 106 | e.printStackTrace(); 107 | } 108 | assert scan != null; 109 | this.tags.getScanQueueTagClass().save( 110 | tagId, 111 | baseBurpUrl.getHttpRequestUrl().toString(), 112 | "json", 113 | scan.getResult(), 114 | baseRequestResponse 115 | ); 116 | stdout.println(scan.getResult()); 117 | // HashMap payloadMap = scan.getPayloadMap(); 118 | // for (String type : payloadMap.keySet()) { 119 | // stdout.println("Type:" + type ); 120 | // stdout.println("payload:"+ new String(payloadMap.get(type))); 121 | // stdout.println("=================================="); 122 | // } 123 | 124 | 125 | 126 | List issues = new ArrayList<>(1); 127 | issues.add(new CustomScanIssue( 128 | baseRequestResponse.getHttpService(), 129 | helpers.analyzeRequest(baseRequestResponse).getUrl(), 130 | new IHttpRequestResponse[] { callbacks.applyMarkers(baseRequestResponse, null, null) }, 131 | "Json", 132 | "The response contains the string: " + "json", 133 | "Information")); 134 | return issues; 135 | } 136 | return null; 137 | } 138 | 139 | 140 | /** 141 | * 判断是否查找的到指定的域名 142 | * 143 | * @param domainName 需匹配的域名 144 | * @param domainNameList 待匹配的域名列表 145 | * @return 146 | */ 147 | private static Boolean isMatchDomainName(String domainName, List domainNameList) { 148 | domainName = domainName.trim(); 149 | 150 | if (domainName.length() <= 0) { 151 | return false; 152 | } 153 | 154 | if (domainNameList == null || domainNameList.size() <= 0) { 155 | return false; 156 | } 157 | 158 | if (domainName.contains(":")) { 159 | domainName = domainName.substring(0, domainName.indexOf(":")); 160 | } 161 | 162 | String reverseDomainName = new StringBuffer(domainName).reverse().toString(); 163 | 164 | for (String domainName2 : domainNameList) { 165 | domainName2 = domainName2.trim(); 166 | 167 | if (domainName2.length() <= 0) { 168 | continue; 169 | } 170 | 171 | if (domainName2.contains(":")) { 172 | domainName2 = domainName2.substring(0, domainName2.indexOf(":")); 173 | } 174 | 175 | String reverseDomainName2 = new StringBuffer(domainName2).reverse().toString(); 176 | 177 | if (domainName.equals(domainName2)) { 178 | return true; 179 | } 180 | 181 | if (reverseDomainName.contains(".") && reverseDomainName2.contains(".")) { 182 | List splitDomainName = new ArrayList(Arrays.asList(reverseDomainName.split("[.]"))); 183 | 184 | List splitDomainName2 = new ArrayList(Arrays.asList(reverseDomainName2.split("[.]"))); 185 | 186 | if (splitDomainName.size() <= 0 || splitDomainName2.size() <= 0) { 187 | continue; 188 | } 189 | 190 | if (splitDomainName.size() < splitDomainName2.size()) { 191 | for (int i = splitDomainName.size(); i < splitDomainName2.size(); i++) { 192 | splitDomainName.add("*"); 193 | } 194 | } 195 | 196 | if (splitDomainName.size() > splitDomainName2.size()) { 197 | for (int i = splitDomainName2.size(); i < splitDomainName.size(); i++) { 198 | splitDomainName2.add("*"); 199 | } 200 | } 201 | 202 | int ii = 0; 203 | for (int i = 0; i < splitDomainName.size(); i++) { 204 | if (splitDomainName2.get(i).equals("*")) { 205 | ii = ii + 1; 206 | } else if (splitDomainName.get(i).equals(splitDomainName2.get(i))) { 207 | ii = ii + 1; 208 | } 209 | } 210 | 211 | if (ii == splitDomainName.size()) { 212 | return true; 213 | } 214 | } 215 | } 216 | return false; 217 | } 218 | 219 | /** 220 | * 判断是否url黑名单后缀 221 | * 大小写不区分 222 | * 是 = true, 否 = false 223 | * 224 | * @param burpUrl 225 | * @return 226 | */ 227 | private boolean isUrlBlackListSuffix(CustomBurpUrl burpUrl) { 228 | if (!this.yamlReader.getBoolean("urlBlackListSuffix.config.isStart")) { 229 | return false; 230 | } 231 | 232 | String noParameterUrl = burpUrl.getHttpRequestUrl().toString().split("\\?")[0]; 233 | String urlSuffix = noParameterUrl.substring(noParameterUrl.lastIndexOf(".") + 1); 234 | 235 | List suffixList = this.yamlReader.getStringList("urlBlackListSuffix.suffixList"); 236 | if (suffixList == null || suffixList.size() == 0) { 237 | return false; 238 | } 239 | 240 | for (String s : suffixList) { 241 | if (s.toLowerCase().equals(urlSuffix.toLowerCase())) { 242 | return true; 243 | } 244 | } 245 | 246 | return false; 247 | } 248 | 249 | public void showSomething(){ 250 | stdout.println("=========================="); 251 | stdout.println("v1.0 powered by a1phaboy"); 252 | stdout.println("Github:https://github.com/a1phaboy"); 253 | stdout.println("wx:aWFtYTFwaGFib3k="); 254 | stdout.println("=========================="); 255 | } 256 | @Override 257 | public List doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) { 258 | return null; 259 | } 260 | 261 | @Override 262 | public int consolidateDuplicateIssues(IScanIssue existingIssue, IScanIssue newIssue) { 263 | return 0; 264 | } 265 | } 266 | -------------------------------------------------------------------------------- /src/burp/CustomScanIssue.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | import java.net.URL; 4 | 5 | class CustomScanIssue implements IScanIssue { 6 | private IHttpService httpService; 7 | private URL url; 8 | private IHttpRequestResponse[] httpMessages; 9 | private String name; 10 | private String detail; 11 | private String severity; 12 | 13 | public CustomScanIssue( 14 | IHttpService httpService, 15 | URL url, 16 | IHttpRequestResponse[] httpMessages, 17 | String name, 18 | String detail, 19 | String severity) 20 | { 21 | this.httpService = httpService; 22 | this.url = url; 23 | this.httpMessages = httpMessages; 24 | this.name = name; 25 | this.detail = detail; 26 | this.severity = severity; 27 | } 28 | 29 | @Override 30 | public URL getUrl() 31 | { 32 | return url; 33 | } 34 | 35 | @Override 36 | public String getIssueName() 37 | { 38 | return name; 39 | } 40 | 41 | @Override 42 | public int getIssueType() 43 | { 44 | return 0; 45 | } 46 | 47 | @Override 48 | public String getSeverity() 49 | { 50 | return severity; 51 | } 52 | 53 | @Override 54 | public String getConfidence() 55 | { 56 | return "Certain"; 57 | } 58 | 59 | @Override 60 | public String getIssueBackground() 61 | { 62 | return null; 63 | } 64 | 65 | @Override 66 | public String getRemediationBackground() 67 | { 68 | return null; 69 | } 70 | 71 | @Override 72 | public String getIssueDetail() 73 | { 74 | return detail; 75 | } 76 | 77 | @Override 78 | public String getRemediationDetail() 79 | { 80 | return null; 81 | } 82 | 83 | @Override 84 | public IHttpRequestResponse[] getHttpMessages() 85 | { 86 | return httpMessages; 87 | } 88 | 89 | @Override 90 | public IHttpService getHttpService() 91 | { 92 | return httpService; 93 | } 94 | 95 | } -------------------------------------------------------------------------------- /src/burp/Scan/JsonScan.java: -------------------------------------------------------------------------------- 1 | package burp.Scan; 2 | 3 | import burp.*; 4 | import burp.Bootstrap.YamlReader; 5 | 6 | import java.nio.charset.StandardCharsets; 7 | import java.util.*; 8 | 9 | public class JsonScan implements ScanTask{ 10 | private static IBurpExtenderCallbacks callbacks; 11 | private static IHttpRequestResponse requestResponse; 12 | private static YamlReader yamlReader; 13 | private static IBurpCollaboratorClientContext burpCollaboratorClient; 14 | private static IExtensionHelpers helpers; 15 | private static String dnsurl; 16 | private static String result; 17 | private HashMap fastjsonPayloadMap; 18 | private HashMap orgjsonPayloadMap; 19 | 20 | 21 | public JsonScan(IBurpExtenderCallbacks callbacks, IHttpRequestResponse requestResponse, YamlReader yamlReader) throws InterruptedException { 22 | JsonScan.callbacks = callbacks; 23 | JsonScan.requestResponse = requestResponse; 24 | JsonScan.yamlReader = yamlReader; 25 | JsonScan.burpCollaboratorClient = callbacks.createBurpCollaboratorClientContext(); 26 | JsonScan.helpers = callbacks.getHelpers(); 27 | fastjsonPayloadMap = new HashMap<>(); 28 | orgjsonPayloadMap = new HashMap<>(); 29 | JsonScan.dnsurl = this.initPayloadMap(); 30 | JsonScan.result = ""; 31 | this.doScan(); 32 | } 33 | 34 | //初始化payloadMap 35 | private String initPayloadMap(){ 36 | //获取DNS payload 37 | String dnsurl = burpCollaboratorClient.generatePayload(true); 38 | 39 | /* 40 | * fastjson detect 41 | */ 42 | byte[] errDetect = yamlReader.getString("application.fastjson.payloads.errDetect").getBytes(); 43 | byte[] netDetect = String.format(yamlReader.getString("application.fastjson.payloads.netDetect"),dnsurl).getBytes(); 44 | byte[] autoTypeDetect = String.format(yamlReader.getString("application.fastjson.payloads.autoTypeDetect"),dnsurl).getBytes(); 45 | byte[] dnsDetect48 = String.format(yamlReader.getString("application.fastjson.payloads.dnsDetect48"),dnsurl).getBytes(); 46 | byte[] dnsDetect68 = String.format(yamlReader.getString("application.fastjson.payloads.dnsDetect68"),dnsurl).getBytes(); 47 | byte[] desDetect80 = String.format(yamlReader.getString("application.fastjson.payloads.desDetect80"),dnsurl,dnsurl).getBytes(); 48 | 49 | fastjsonPayloadMap.put("errDetect",Arrays.copyOfRange(errDetect,1,errDetect.length-1)); 50 | fastjsonPayloadMap.put("netDetect",Arrays.copyOfRange(netDetect,1,netDetect.length-1)); 51 | fastjsonPayloadMap.put("autoTypeDetect",Arrays.copyOfRange(autoTypeDetect,1,autoTypeDetect.length-1)); 52 | fastjsonPayloadMap.put("dnsDetect48",Arrays.copyOfRange(dnsDetect48,1,dnsDetect48.length-1)); 53 | fastjsonPayloadMap.put("dnsDetect68",Arrays.copyOfRange(dnsDetect68,1,dnsDetect68.length-1)); 54 | fastjsonPayloadMap.put("dnsDetect80",Arrays.copyOfRange(desDetect80,1,desDetect80.length-1)); 55 | 56 | /* 57 | * org.fastjson detect 58 | */ 59 | byte[] orgjsonDetect = String.format(yamlReader.getString("application.orgjson.payloads.errDetect"),dnsurl,dnsurl).getBytes(); 60 | orgjsonPayloadMap.put("errDetect",Arrays.copyOfRange(orgjsonDetect,1,orgjsonDetect.length-1)); 61 | 62 | 63 | return dnsurl; 64 | } 65 | 66 | 67 | @Override 68 | public void doScan() throws InterruptedException { 69 | //报错探测 70 | byte[] errDetectReq = rebuildReq(requestResponse,fastjsonPayloadMap.get("errDetect")); 71 | IHttpRequestResponse doReq = callbacks.makeHttpRequest(requestResponse.getHttpService(), errDetectReq); 72 | String errResp = new String(doReq.getResponse()); 73 | int pos = errResp.indexOf("fastjson-version"); 74 | if( pos != -1){ 75 | result = "[*]" + new String(Arrays.copyOfRange(doReq.getResponse(),pos,pos+23)) + " | "; 76 | } 77 | 78 | //DNS探测 79 | //先进行出网检测 80 | boolean netout = false; 81 | sendDnsPayload("netDetect"); 82 | for(IBurpCollaboratorInteraction dnslog : burpCollaboratorClient.fetchCollaboratorInteractionsFor(getDnsurl())){ 83 | String de_dnslog = new String(Base64.getDecoder().decode(dnslog.getProperty("raw_query")), StandardCharsets.UTF_8); 84 | if(de_dnslog.contains("NETOUT_")){ 85 | //有记录 86 | netout = true; 87 | break; 88 | } 89 | } 90 | if(netout){ 91 | //autoType状态检测 92 | boolean autoType = false; 93 | sendDnsPayload("autoTypeDetect"); 94 | for(IBurpCollaboratorInteraction dnslog : burpCollaboratorClient.fetchCollaboratorInteractionsFor(getDnsurl())){ 95 | String de_dnslog = new String(Base64.getDecoder().decode(dnslog.getProperty("raw_query")), StandardCharsets.UTF_8); 96 | if(de_dnslog.contains("AUTOTYPE_")){ 97 | //有记录 98 | autoType = true; 99 | break; 100 | } 101 | } 102 | //报错探测拿到的版本,不需要做进一步的探测了 103 | if(!result.isEmpty()){ 104 | result = result + (autoType?" autoType On":" autoType Off"); 105 | return ; 106 | } 107 | //判断fastjson版本 108 | String errresult; 109 | errresult = sendDnsPayload("dnsDetect48"); 110 | if(!errresult.equals("")){ 111 | result = errresult + (autoType?" autoType On":" autoType Off"); 112 | return ; 113 | } 114 | errresult = sendDnsPayload("dnsDetect68"); 115 | if(!errresult.equals("")){ 116 | result = errresult + (autoType?" autoType On":" autoType Off"); 117 | return ; 118 | } 119 | errresult = sendDnsPayload("dnsDetect80"); 120 | if(!errresult.equals("")){ 121 | result = errresult + (autoType?" autoType On":" autoType Off"); 122 | return ; 123 | } 124 | for(IBurpCollaboratorInteraction dnslog : burpCollaboratorClient.fetchCollaboratorInteractionsFor(getDnsurl())){ 125 | String de_dnslog = new String(Base64.getDecoder().decode(dnslog.getProperty("raw_query")), StandardCharsets.UTF_8); 126 | if(de_dnslog.contains("48_")){ 127 | //有记录 128 | result = "[*]Fastjson < 1.2.48 | " + (autoType?"autoType On":"autoType Off"); 129 | break; 130 | } 131 | if(de_dnslog.contains("68_")){ 132 | if(autoType){ 133 | result = "[*]Fastjson ≥ 1.2.48 | autoType On"; 134 | }else{ 135 | result = "[*]1.2.48 ≤ Fastjson ≤ 1.2.68 | autoType Off"; 136 | } 137 | break; 138 | } 139 | if(de_dnslog.contains("83_")){ 140 | result = "[*]Fastjson ==1.2.83 | autoType Off"; 141 | break; 142 | } 143 | if(de_dnslog.contains("80_")){ 144 | result = "[*]1.2.69 ≤ Fastjson ≤ 1.2.80 | autoType Off"; 145 | break; 146 | } 147 | } 148 | } 149 | else { 150 | if(result.isEmpty()){ 151 | /* 152 | * 这里可以判断各类的json依赖库 153 | * ===== 施工中 ===== 154 | */ 155 | errDetectReq = rebuildReq(requestResponse,orgjsonPayloadMap.get("errDetect")); 156 | doReq = callbacks.makeHttpRequest(requestResponse.getHttpService(), errDetectReq); 157 | errResp = new String(doReq.getResponse()); 158 | pos = errResp.indexOf("org.json"); 159 | if( pos != -1){ 160 | result = "[+] org.json "; 161 | } 162 | 163 | pos = errResp.indexOf("jackson"); 164 | if( pos != -1){ 165 | result = "[+] jackson"; 166 | return ; 167 | } 168 | result = "[-]未检测出json库"; 169 | 170 | } 171 | else{ 172 | result += "不出网"; 173 | } 174 | } 175 | } 176 | 177 | @Override 178 | public String getResult() { 179 | return result; 180 | } 181 | 182 | public byte[] rebuildReq(IHttpRequestResponse request,byte[] payload){ 183 | IRequestInfo req = helpers.analyzeRequest(request); 184 | List req_head = req.getHeaders(); 185 | return helpers.buildHttpMessage(req_head,payload); 186 | } 187 | public String getDnsurl(){ 188 | return dnsurl; 189 | } 190 | 191 | public HashMap getPayloadMap(){ 192 | return this.fastjsonPayloadMap; 193 | } 194 | public String sendDnsPayload(String type) throws InterruptedException { 195 | byte[] Detect = rebuildReq(requestResponse,fastjsonPayloadMap.get(type)); 196 | IHttpRequestResponse doReq = callbacks.makeHttpRequest(requestResponse.getHttpService(), Detect); 197 | String errResp = new String(doReq.getResponse()); 198 | int pos = errResp.indexOf("fastjson-version"); 199 | if( pos != -1){ 200 | result = "[*]" + new String(Arrays.copyOfRange(doReq.getResponse(),pos,pos+23)) + " | "; 201 | return result; 202 | }else{ 203 | Thread.sleep(5000); 204 | return ""; 205 | } 206 | 207 | 208 | } 209 | } 210 | -------------------------------------------------------------------------------- /src/burp/Scan/ScanTask.java: -------------------------------------------------------------------------------- 1 | package burp.Scan; 2 | 3 | public interface ScanTask { 4 | 5 | void doScan() throws InterruptedException; 6 | 7 | String getResult(); 8 | 9 | } 10 | -------------------------------------------------------------------------------- /src/burp/View/ScanQueueTag.java: -------------------------------------------------------------------------------- 1 | package burp.View; 2 | 3 | import java.awt.*; 4 | import java.text.SimpleDateFormat; 5 | import java.util.ArrayList; 6 | import java.util.Date; 7 | import java.util.List; 8 | import javax.swing.*; 9 | import javax.swing.table.AbstractTableModel; 10 | import javax.swing.table.TableModel; 11 | 12 | import burp.*; 13 | 14 | public class ScanQueueTag extends AbstractTableModel implements IMessageEditorController { 15 | 16 | private JSplitPane mjSplitPane; 17 | private List Udatas = new ArrayList(); 18 | private IMessageEditor HRequestTextEditor; 19 | private IMessageEditor HResponseTextEditor; 20 | private IHttpRequestResponse currentlyDisplayedItem; 21 | private ScanQueueTag.URLTable Utable; 22 | private JScrollPane UscrollPane; 23 | private JSplitPane HjSplitPane; 24 | private JTabbedPane Ltable; 25 | private JTabbedPane Rtable; 26 | 27 | public ScanQueueTag(IBurpExtenderCallbacks callbacks, JTabbedPane tabs) { 28 | JPanel scanQueue = new JPanel(new BorderLayout()); 29 | 30 | // 主分隔面板 31 | mjSplitPane = new JSplitPane(JSplitPane.VERTICAL_SPLIT); 32 | 33 | // 任务栏面板 34 | Utable = new ScanQueueTag.URLTable(ScanQueueTag.this); 35 | UscrollPane = new JScrollPane(Utable); 36 | 37 | // 请求与响应界面的分隔面板规则 38 | HjSplitPane = new JSplitPane(); 39 | HjSplitPane.setDividerLocation(0.5D); 40 | 41 | // 请求的面板 42 | Ltable = new JTabbedPane(); 43 | HRequestTextEditor = callbacks.createMessageEditor(ScanQueueTag.this, false); 44 | Ltable.addTab("Request", HRequestTextEditor.getComponent()); 45 | 46 | // 响应的面板 47 | Rtable = new JTabbedPane(); 48 | HResponseTextEditor = callbacks.createMessageEditor(ScanQueueTag.this, false); 49 | Rtable.addTab("Response", HResponseTextEditor.getComponent()); 50 | 51 | // 自定义程序UI组件 52 | HjSplitPane.add(Ltable, "left"); 53 | HjSplitPane.add(Rtable, "right"); 54 | 55 | mjSplitPane.add(UscrollPane, "left"); 56 | mjSplitPane.add(HjSplitPane, "right"); 57 | 58 | scanQueue.add(mjSplitPane); 59 | tabs.addTab("扫描队列", scanQueue); 60 | } 61 | 62 | @Override 63 | public IHttpService getHttpService() { 64 | return currentlyDisplayedItem.getHttpService(); 65 | } 66 | 67 | @Override 68 | public byte[] getRequest() { 69 | return currentlyDisplayedItem.getRequest(); 70 | } 71 | 72 | @Override 73 | public byte[] getResponse() { 74 | return currentlyDisplayedItem.getResponse(); 75 | } 76 | 77 | @Override 78 | public int getRowCount() { 79 | return this.Udatas.size(); 80 | } 81 | 82 | @Override 83 | public int getColumnCount() { 84 | return 6; 85 | } 86 | 87 | @Override 88 | public String getColumnName(int columnIndex) { 89 | switch (columnIndex) { 90 | case 0: 91 | return "#"; 92 | case 1: 93 | return "url"; 94 | case 2: 95 | return "application"; 96 | case 3: 97 | return "issue"; 98 | case 4: 99 | return "startTime"; 100 | case 5: 101 | return "endTime"; 102 | } 103 | return null; 104 | } 105 | 106 | @Override 107 | public Class getColumnClass(int columnIndex) { 108 | return String.class; 109 | } 110 | 111 | @Override 112 | public Object getValueAt(int rowIndex, int columnIndex) { 113 | ScanQueueTag.TablesData datas = this.Udatas.get(rowIndex); 114 | switch (columnIndex) { 115 | case 0: 116 | return datas.id; 117 | case 1: 118 | return datas.url; 119 | case 2: 120 | return datas.application; 121 | case 3: 122 | return datas.issue; 123 | case 4: 124 | return datas.startTime; 125 | case 5: 126 | return datas.endTime; 127 | } 128 | return null; 129 | } 130 | 131 | /** 132 | * 新增任务至任务栏面板 133 | * 134 | * @param application 135 | * @param url 136 | * @param issue 137 | * @param requestResponse 138 | * @return int id 139 | */ 140 | public int add(String application, String url, 141 | String issue, IHttpRequestResponse requestResponse) { 142 | synchronized (this.Udatas) { 143 | Date d = new Date(); 144 | SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"); 145 | String startTime = sdf.format(d); 146 | 147 | int id = this.Udatas.size(); 148 | this.Udatas.add( 149 | new TablesData( 150 | id, 151 | url, 152 | application, 153 | issue, 154 | startTime, 155 | "", 156 | requestResponse 157 | ) 158 | ); 159 | fireTableRowsInserted(id, id); 160 | return id; 161 | } 162 | } 163 | 164 | /** 165 | * 更新任务状态至任务栏面板 166 | * 167 | * @param id 168 | * @param url 169 | * @param application 170 | * @param issue 171 | * @param requestResponse 172 | * @return int id 173 | */ 174 | public int save(int id, 175 | String url,String application,String issue, 176 | IHttpRequestResponse requestResponse) { 177 | ScanQueueTag.TablesData dataEntry = ScanQueueTag.this.Udatas.get(id); 178 | String startTime = dataEntry.startTime; 179 | 180 | Date d = new Date(); 181 | SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"); 182 | String endTime = sdf.format(d); 183 | 184 | synchronized (this.Udatas) { 185 | this.Udatas.set( 186 | id, 187 | new TablesData( 188 | id, 189 | url, 190 | application, 191 | issue, 192 | startTime, 193 | endTime, 194 | requestResponse 195 | ) 196 | ); 197 | fireTableRowsUpdated(id, id); 198 | return id; 199 | } 200 | } 201 | 202 | /** 203 | * 自定义Table 204 | */ 205 | private class URLTable extends JTable { 206 | public URLTable(TableModel tableModel) { 207 | super(tableModel); 208 | } 209 | 210 | public void changeSelection(int row, int col, boolean toggle, boolean extend) { 211 | ScanQueueTag.TablesData dataEntry = ScanQueueTag.this.Udatas.get(convertRowIndexToModel(row)); 212 | HRequestTextEditor.setMessage(dataEntry.requestResponse.getRequest(), true); 213 | HResponseTextEditor.setMessage(dataEntry.requestResponse.getResponse(), false); 214 | currentlyDisplayedItem = dataEntry.requestResponse; 215 | super.changeSelection(row, col, toggle, extend); 216 | } 217 | } 218 | 219 | /** 220 | * 界面显示数据存储模块 221 | */ 222 | private static class TablesData { 223 | final int id; 224 | final String url; 225 | final String application; 226 | final String issue; 227 | final String startTime; 228 | final String endTime; 229 | final IHttpRequestResponse requestResponse; 230 | 231 | public TablesData(int id, String url, String application,String issue, 232 | String startTime, String endTime, IHttpRequestResponse requestResponse) { 233 | this.id = id; 234 | this.url = url; 235 | this.application = application; 236 | this.issue = issue; 237 | this.startTime = startTime; 238 | this.endTime = endTime; 239 | this.requestResponse = requestResponse; 240 | } 241 | } 242 | } -------------------------------------------------------------------------------- /src/burp/View/Tags.java: -------------------------------------------------------------------------------- 1 | package burp.View; 2 | 3 | import java.awt.*; 4 | import javax.swing.JTabbedPane; 5 | 6 | import burp.ITab; 7 | import burp.IBurpExtenderCallbacks; 8 | 9 | import burp.Bootstrap.YamlReader; 10 | 11 | public class Tags implements ITab { 12 | private final JTabbedPane tabs; 13 | 14 | private String tagName; 15 | 16 | // private BaseSettingTag baseSettingTag; 17 | private ScanQueueTag scanQueueTag; 18 | 19 | public Tags(IBurpExtenderCallbacks callbacks, String name) { 20 | this.tagName = name; 21 | 22 | tabs = new JTabbedPane(); 23 | 24 | YamlReader yamlReader = YamlReader.getInstance(callbacks); 25 | 26 | // 扫描队列-窗口 27 | ScanQueueTag scanQueueTag = new ScanQueueTag(callbacks, tabs); 28 | this.scanQueueTag = scanQueueTag; 29 | 30 | // 基本设置-窗口 31 | // BaseSettingTag baseSettingTag = new BaseSettingTag(callbacks, tabs, yamlReader); 32 | // this.baseSettingTag = baseSettingTag; 33 | 34 | // 自定义组件-导入 35 | callbacks.customizeUiComponent(tabs); 36 | 37 | // 将自定义选项卡添加到Burp的UI 38 | callbacks.addSuiteTab(Tags.this); 39 | } 40 | 41 | /** 42 | * 基础设置tag 43 | * 44 | * @return 45 | */ 46 | // public BaseSettingTag getBaseSettingTagClass() { 47 | // return this.baseSettingTag; 48 | // } 49 | 50 | /** 51 | * 扫描队列tag 52 | * 可通过该类提供的方法,进行tag任务的添加与修改 53 | * 54 | * @return 55 | */ 56 | public ScanQueueTag getScanQueueTagClass() { 57 | return this.scanQueueTag; 58 | } 59 | 60 | @Override 61 | public String getTabCaption() { 62 | return this.tagName; 63 | } 64 | 65 | @Override 66 | public Component getUiComponent() { 67 | return this.tabs; 68 | } 69 | } -------------------------------------------------------------------------------- /src/config/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/a1phaboy/JsonDetect/121510e927fddeade649fd623e5dfe044a8bb389/src/config/.DS_Store -------------------------------------------------------------------------------- /src/config/config.yml: -------------------------------------------------------------------------------- 1 | # 扫描配置 2 | scan: 3 | # 域名扫描规则 4 | domainName: 5 | # 域名黑名单 6 | # 注: 黑名单优先级最高 7 | # 注: 为空表示关闭该功能 8 | # 使用规则: 9 | # 1. 过滤某个域名: www.domain1.com 10 | # 2. 过滤某个域名的全部子域名: *.domain2.com 11 | # 3. 过滤某个域名的部分子域名: a.*.domain2.com/*.a.*.domain2.com 12 | # 使用方法: 13 | # blacklist: 14 | # - "www.domain1.com" 15 | # - "*.domain2.com" 16 | blacklist: 17 | - "*.dnslog.cn" 18 | - "*.ceye.io" 19 | - "*.fofa.so" 20 | - "*.shodan.io" 21 | - "*.github.com" 22 | # 域名白名单 23 | # 注: 黑名单优先级最高 24 | # 注: 为空表示关闭该功能 25 | # 使用规则: 26 | # 1. 只扫描某个域名: www.domain1.com 27 | # 2. 只扫描某个域名的全部子域名: *.domain2.com 28 | # 3. 只扫描某个域名的部分子域名: a.*.domain2.com/*.a.*.domain2.com 29 | # 使用方法: 30 | # whitelist: 31 | # - "www.domain1.com" 32 | # - "*.domain2.com" 33 | whitelist: 34 | 35 | 36 | # url黑名单后缀 37 | # url的后缀出现这些字段的都不进行测试 38 | urlBlackListSuffix: 39 | config: 40 | isStart: true 41 | suffixList: 42 | - "3g2" 43 | - "3gp" 44 | - "7z" 45 | - "aac" 46 | - "abw" 47 | - "aif" 48 | - "aifc" 49 | - "aiff" 50 | - "arc" 51 | - "au" 52 | - "avi" 53 | - "azw" 54 | - "bin" 55 | - "bmp" 56 | - "bz" 57 | - "bz2" 58 | - "cmx" 59 | - "cod" 60 | - "csh" 61 | - "css" 62 | - "csv" 63 | - "doc" 64 | - "docx" 65 | - "eot" 66 | - "epub" 67 | - "gif" 68 | - "gz" 69 | - "ico" 70 | - "ics" 71 | - "ief" 72 | - "jar" 73 | - "jfif" 74 | - "jpe" 75 | - "jpeg" 76 | - "jpg" 77 | - "m3u" 78 | - "mid" 79 | - "midi" 80 | - "mjs" 81 | - "mp2" 82 | - "mp3" 83 | - "mpa" 84 | - "mpe" 85 | - "mpeg" 86 | - "mpg" 87 | - "mpkg" 88 | - "mpp" 89 | - "mpv2" 90 | - "odp" 91 | - "ods" 92 | - "odt" 93 | - "oga" 94 | - "ogv" 95 | - "ogx" 96 | - "otf" 97 | - "pbm" 98 | - "pdf" 99 | - "pgm" 100 | - "png" 101 | - "pnm" 102 | - "ppm" 103 | - "ppt" 104 | - "pptx" 105 | - "ra" 106 | - "ram" 107 | - "rar" 108 | - "ras" 109 | - "rgb" 110 | - "rmi" 111 | - "rtf" 112 | - "snd" 113 | - "svg" 114 | - "swf" 115 | - "tar" 116 | - "tif" 117 | - "tiff" 118 | - "ttf" 119 | - "vsd" 120 | - "wav" 121 | - "weba" 122 | - "webm" 123 | - "webp" 124 | - "woff" 125 | - "woff2" 126 | - "xbm" 127 | - "xls" 128 | - "xlsx" 129 | - "xpm" 130 | - "xul" 131 | - "xwd" 132 | - "zip" 133 | - "js" 134 | - "wmv" 135 | - "asf" 136 | - "asx" 137 | - "rm" 138 | - "rmvb" 139 | - "mp4" 140 | - "mov" 141 | - "m4v" 142 | - "dat" 143 | - "mkv" 144 | - "flv" 145 | - "vob" 146 | - "txt" 147 | - "php" 148 | - "asp" 149 | 150 | # 应用程序配置 151 | application: 152 | # 应用名称 153 | fastjson: 154 | payloads: 155 | errDetect: 156 | - "{\"@type\": \"java.lang.AutoCloseable\"" 157 | netDetect: 158 | - "{\"name\":{\"@type\":\"java.net.Inet4Address\",\"val\":\"NETOUT_.%s\"}" 159 | autoTypeDetect: 160 | - "[{\"@type\":\"java.net.CookiePolicy\"},{\"@type\":\"java.net.Inet4Address\",\"val\":\"AUTOTYPE_.%s\"}]" 161 | dnsDetect48: 162 | - "[{\"@type\":\"java.lang.Class\",\"val\":\"java.io.ByteArrayOutputStream\"},{\"@type\":\"java.io.ByteArrayOutputStream\"},{\"@type\":\"java.net.InetSocketAddress\"{\"address\":,\"val\":\"48_.%s\"}}]" 163 | dnsDetect68: 164 | - "{\"a\": {\"@type\": \"java.lang.AutoCloseable\",\"@type\": \"com.alibaba.fastjson.JSONReader\",\"reader\": {\"@type\": \"jdk.nashorn.api.scripting.URLReader\",\"url\": \"http://68_.%s\"}}}" 165 | desDetect80: 166 | - "[{\"@type\":\"java.lang.Exception\",\"@type\":\"com.alibaba.fastjson.JSONException\",\"x\":{\"@type\":\"java.net.InetSocketAddress\"{\"address\":,\"val\":\"80_.%s\"}}},{\"@type\":\"java.lang.Exception\",\"@type\":\"com.alibaba.fastjson.JSONException\",\"message\":{\"@type\":\"java.net.InetSocketAddress\"{\"address\":,\"val\":\"83_.%s\"}}}]" 167 | orgjson: 168 | payloads: 169 | errDetect: 170 | - "{a:'\r'}" --------------------------------------------------------------------------------