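├── .gitignore
├── FuckAnywhere.py
└── README.md


/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
.idea
.gradle


--------------------------------------------------------------------------------
/FuckAnywhere.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
# Author: key @ Yuanheng Lab

from burp import IBurpExtender
from burp import IScannerCheck
from burp import IScanIssue
from burp import IScannerInsertionPoint
from burp import IParameter

import re


class BurpExtender(IBurpExtender, IScannerCheck):
    """Burp scanner check that replays a request with one value swapped.

    For every message Burp passes to doPassiveScan, the request is re-sent
    once per parameter, once per existing header and once per entry in
    _EXTRA_HEADERS, each time with that single value replaced by the string
    returned from _build_payload(). Responses are discarded and no issues
    are reported.
    """

    # URLs whose path ends in one of these extensions are treated as static
    # resources and are not replayed.
    _STATIC_EXT_RE = re.compile(
        r"\.(?:3g2|3gp|7z|aac|abw|aif|aifc|aiff|arc|au|avi|azw|bin|bmp|bz|bz2"
        r"|cmx|cod|csh|css|csv|doc|docx|eot|epub|gif|gz|ico|ics|ief|jar|jfif"
        r"|jpe|jpeg|jpg|m3u|mid|midi|mjs|mp2|mp3|mpa|mpe|mpeg|mpg|mpkg|mpp"
        r"|mpv2|odp|ods|odt|oga|ogv|ogx|otf|pbm|pdf|pgm|png|pnm|ppm|ppt|pptx"
        r"|ra|ram|rar|ras|rgb|rmi|rtf|snd|svg|swf|tar|tif|tiff|ttf|vsd|wav"
        r"|weba|webm|webp|woff|woff2|xbm|xls|xlsx|xpm|xul|xwd|zip)$",
        re.IGNORECASE)

    # Header names that are added (one request each) when the original
    # request does not already carry them.
    _EXTRA_HEADERS = (
        "Accept-Charset", "Accept-Datetime", "Accept-Encoding",
        "Accept-Language", "Cache-Control", "Client-IP", "Connection",
        "Contact", "Cookie", "DNT", "Forwarded", "Forwarded-For",
        "Forwarded-For-Ip", "Forwarded-Proto", "From", "Host",
        "Max-Forwards", "Origin", "Pragma", "Referer", "TE",
        "True-Client-IP", "Upgrade", "User-Agent", "Via", "Warning",
        "X-Api-Version", "X-ATT-DeviceId", "X-Client-IP",
        "X-Correlation-ID", "X-Csrf-Token", "X-CSRFToken",
        "X-Custom-IP-Authorization", "X-Do-Not-Track", "X-Foo", "X-Foo-Bar",
        "X-Forward", "X-Forward-For", "X-Forward-Proto", "X-Forwarded",
        "X-Forwarded-By", "X-Forwarded-For", "X-Forwarded-For-Original",
        "X-Forwarded-Host", "X-Forwarded-Port", "X-Forwarded-Proto",
        "X-Forwarded-Protocol", "X-Forwarded-Scheme", "X-Forwarded-Server",
        "X-Forwarded-Ssl", "X-Forwarder-For", "X-Forwared-Host",
        "X-Frame-Options", "X-From", "X-Geoip-Country", "X-Host",
        "X-Http-Destinationurl", "X-Http-Host-Override", "X-Http-Method",
        "X-HTTP-Method-Override", "X-Http-Path-Override", "X-Https",
        "X-Htx-Agent", "X-Hub-Signature", "X-If-Unmodified-Since",
        "X-Imbo-Test-Config", "X-Insight", "X-Ip", "X-Ip-Trail",
        "X-Original-URL", "X-Originating-IP", "X-Override-URL",
        "X-ProxyUser-Ip", "X-Real-IP", "X-Remote-Addr", "X-Remote-IP",
        "X-Request-ID", "X-Requested-With", "X-Rewrite-URL", "X-UIDH",
        "X-Wap-Profile", "X-XSRF-TOKEN", "If-Modified-Since")

    def registerExtenderCallbacks(self, callbacks):
        """Store the Burp callbacks/helpers and register this scanner check.

        :param callbacks: IBurpExtenderCallbacks instance supplied by Burp.
        """
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        print('FuckAnywhere - By key @ Yuanheng Lab')
        callbacks.setExtensionName("FuckAnywhere")
        callbacks.registerScannerCheck(self)

    def _build_payload(self):
        """Return the test string substituted into each insertion point.

        Called once per mutated request, so an implementation may return a
        different value on every call.
        """
        return "Your Payload"

    def _url_filter(self, url):
        """Return True when *url* should be tested, False for static files.

        :param url: full request URL as a string.
        :return: False if the URL path ends in a static-resource extension
            listed in _STATIC_EXT_RE, otherwise True.
        """
        # Drop the query string and fragment first; plain string methods are
        # used because *url* is a Python string here.
        path = url.split("?", 1)[0].split("#", 1)[0]
        # Match only the path: an extension-like token in the host name
        # (e.g. a ".au" domain) must not suppress the whole scan.
        scheme_end = path.find("://")
        if scheme_end != -1:
            first_slash = path.find("/", scheme_end + 3)
            path = path[first_slash:] if first_slash != -1 else ""
        return self._STATIC_EXT_RE.search(path) is None

    def _build_request_list(self, baseRequestResponse):
        """Build the mutated copies of one request.

        Each returned message differs from the original in one place only:
        a single parameter value, a single existing header value, or a
        single added header from _EXTRA_HEADERS.

        :param baseRequestResponse: the message passed in by Burp.
        :return: list of raw requests; empty when _url_filter rejects the URL.
        """
        request_list = []
        request_info = self._helpers.analyzeRequest(baseRequestResponse)
        url = request_info.getUrl().toString()
        # NOTE(review): the listing's indentation was lost; header mutation
        # is assumed to sit under the same URL filter as parameter mutation.
        if not self._url_filter(url):
            return request_list

        original = baseRequestResponse.getRequest()
        body = original[request_info.getBodyOffset():]
        simple_types = (IParameter.PARAM_URL, IParameter.PARAM_BODY,
                        IParameter.PARAM_COOKIE)

        # Check Parameters
        for p in request_info.getParameters():
            key = p.getName()
            value = p.getValue()
            ptype = p.getType()
            payload = self._build_payload()
            if ptype in simple_types:
                # Always mutate the pristine request so that exactly one
                # parameter differs in each generated message.
                replacement = self._helpers.buildParameter(key, payload, ptype)
                request_list.append(
                    self._helpers.updateParameter(original, replacement))
            else:
                # Other parameter types are replaced by splicing the payload
                # over the value's position in the raw message.
                # NOTE(review): the splice changes the body length but the
                # headers are left as they were; confirm that Content-Length
                # is corrected before the request is sent.
                value_start = p.getValueStart()
                raw = self._helpers.bytesToString(original)
                spliced = (raw[:value_start] + payload +
                           raw[value_start + len(value):])
                request_list.append(self._helpers.stringToBytes(spliced))

        base_headers = list(request_info.getHeaders())
        present = set()
        # Index 0 is the request line, so existing headers start at 1.
        for i in range(1, len(base_headers)):
            header_name, separator, _ = base_headers[i].partition(":")
            if not separator:
                # A line without a colon has no value to replace.
                continue
            # Header names are case-insensitive; remember them in lower case
            # so an already-present header is not added a second time below.
            present.add(header_name.strip().lower())
            # Header: Don't URLEncode
            payload = self._helpers.urlDecode(self._build_payload())
            mutated = list(base_headers)
            # Rebuild the whole line so that no part of the old value
            # survives, even when that value itself contains ": ".
            mutated[i] = header_name + ": " + payload
            request_list.append(self._helpers.buildHttpMessage(mutated, body))

        for extra_name in self._EXTRA_HEADERS:
            if extra_name.lower() in present:
                continue
            payload = self._helpers.urlDecode(self._build_payload())
            mutated = list(base_headers)
            mutated.append(extra_name + ": " + payload)
            request_list.append(self._helpers.buildHttpMessage(mutated, body))
        return request_list

    def doPassiveScan(self, baseRequestResponse):
        """Send every mutated copy of the request and report nothing.

        Although registered as a passive check, this method issues new HTTP
        requests: one per parameter, one per header and one per missing
        entry of _EXTRA_HEADERS, which is dozens of requests for each
        message it is given.

        :param baseRequestResponse: the message passed in by Burp.
        :return: always an empty list; the responses are not inspected.
        """
        # NOTE(review): there is no scope check, so every message Burp passes
        # in is replayed against its own host. Gating this on
        # self._callbacks.isInScope(...) would keep requests to hosts outside
        # the defined target scope from being resent.
        service = baseRequestResponse.getHttpService()
        for request in self._build_request_list(baseRequestResponse):
            self._callbacks.makeHttpRequest(service, request)

        return []

    def doActiveScan(self, baseRequestResponse, insertionPoint):
        """Do nothing; this extension performs no active-scan checks."""
        pass

    def consolidateDuplicateIssues(self, existingIssue, newIssue):
        """Return 0, which tells Burp to keep both issues."""
        return 0


class CustomScanIssue(IScanIssue):
    """Plain value holder implementing IScanIssue.

    It is not instantiated anywhere in this file.
    """

    def __init__(self, httpService, url, httpMessages, name, detail, severity):
        self._httpService = httpService
        self._url = url
        self._httpMessages = httpMessages
        self._name = name
        self._detail = detail
        self._severity = severity

    def getUrl(self):
        return self._url

    def getIssueName(self):
        return self._name

    def getIssueType(self):
        # Fixed value; no specific issue type is assigned.
        return 0

    def getSeverity(self):
        return self._severity

    def getConfidence(self):
        # Confidence is hard-coded rather than passed in by the creator.
        return "Certain"

    def getIssueBackground(self):
        # No background text is provided (returns None).
        pass

    def getRemediationBackground(self):
        # No remediation background is provided (returns None).
        pass

    def getIssueDetail(self):
        return self._detail

    def getRemediationDetail(self):
        # No remediation detail is provided (returns None).
        pass

    def getHttpMessages(self):
        return self._httpMessages

    def getHttpService(self):
        return self._httpService

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Fuck Anywhere

**作者**:key@元亨实验室

**声明**:由于传播、利用本项目所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,项目作者不为此承担任何责任。

## 介绍

这是一个用于在HTTP请求中随处插入测试代码的BurpSuite插件,其原理就是基于BurpSuite提供的被动式扫描API,对流经Burp Proxy模块的流量进行全量扫描,扫描作用域为:请求参数(JSON字段、正常请求参数、Cookie参数、XML字段、Multipart)、请求头(请求自带请求头与自定义请求头)。

## 使用

替换如下代码中的`Your Payload`为你的测试代码:

```python
def _build_payload(self):
    return "Your Payload"
```
--------------------------------------------------------------------------------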