
    【BurpSuite】Extension Development Study: Software Vulnerability Scanner

    Preface

    This is the second installment of the extension development study. Prerequisite article:
    【BurpSuite】Extension Study: Log4shell

    PS: the queries here succeed even without a TOKEN (API key).

    Software Vulnerability Scanner

    https://github.com/PortSwigger/software-vulnerability-scanner.git
    The logic lives in the following source tree:

    |____src
    | |____.DS_Store
    | |____main
    | | |____.DS_Store
    | | |____resources
    | | | |____rules.json
    | | | |____logo_small.png
    | | |____java
    | | | |____.DS_Store
    | | | |____burp
    | | | | |____tasks
    | | | | | |____PathScanTask.java
    | | | | | |____SoftwareScanTask.java
    | | | | |____.DS_Store
    | | | | |____PathIssue.java
    | | | | |____Utils.java
    | | | | |____models
    | | | | | |____Software.java
    | | | | | |____Vulnerability.java
    | | | | | |____VulnersRequest.java
    | | | | | |____Path.java
    | | | | | |____Domain.java
    | | | | |____gui
    | | | | | |____TabComponent.form
    | | | | | |____TabComponent.java
    | | | | | |____path
    | | | | | | |____PathsTable.java
    | | | | | |____software
    | | | | | | |____SoftwareTable.java
    | | | | | |____rules
    | | | | | | |____RulesTableListener.java
    | | | | | | |____RulesTable.java
    | | | | |____VulnersService.java
    | | | | |____HttpClient.java
    | | | | |____SoftwareIssue.java
    | | | | |____BurpExtender.java
    

    Initializing VulnersService

    vulnersService = new VulnersService(this, callbacks, helpers, domains, tabComponent);
    try {
        vulnersService.loadRules();
    } catch (IOException e) {
        callbacks.printError("[Vulners]" + e.getMessage());
    }
    

    Initializing the rules: initPassiveScan

    JSONObject data = httpClient.get("rules", new HashMap<String, String>());
    JSONObject rules = data.getJSONObject("rules");
    

    This is really just an HTTP request, built in HttpClient.java:

    List<String> headers = new ArrayList<>();
    headers.add("POST " + VULNERS_API_PATH + action + "/ HTTP/1.1");
    headers.add("Host: " + VULNERS_API_HOST);
    headers.add("User-Agent: vulners-burpscanner-v-1.2");
    headers.add("Content-type: application/json");

    JSONObject jsonBody = new JSONObject();

    // The API key is optional: it is only added to the body when one is configured
    if (burpExtender.getApiKey() != null) {
        jsonBody = jsonBody.put("apiKey", burpExtender.getApiKey());
    }
    
    // Only a response whose "result" is "OK" yields the "data" object
    if (object.getString("result").equals("OK")) {
        return object.getJSONObject("data");
    }
    

    doPassiveScan

    During the passive scan, every domain and path is extracted and stored in a HashMap.

    Domain domain = domains.get(domainName);
    if (domain == null) {
        domains.put(domainName, domain = new Domain());
    }

    // Each path is checked once per domain; the map entry is the dedup marker
    if (!domain.getPaths().containsKey(path)) {
        callbacks.printOutput("[Vulners] adding new path '" + path + "' for domain " + domainName);
        domain.getPaths().put(path, null);
        vulnersService.checkURLPath(domainName, path, baseRequestResponse);
    }
    

    Those two values are then used to check whether anything has already been found for them:

    void checkURLPath(final String domainName, final String path, final IHttpRequestResponse baseRequestResponse) {
        VulnersRequest request = new VulnersRequest(domainName, path, baseRequestResponse);

        // The task runs asynchronously and hands the populated request back to the callback
        new PathScanTask(request, httpClient, vulnersRequest -> {
            Set<Vulnerability> vulnerabilities = vulnersRequest.getVulnerabilities();
    

    PathScanTask

    public void run() {
        // One "path" API call per newly seen path
        JSONObject data = httpClient.get("path", new HashMap<String, String>() {{
            put("path", vulnersRequest.getPath());
        }});
    

    In practice this simply submits the path to the API to look up historical vulnerabilities for it.
    This is the core of the whole extension, and it is why loadRules is needed above: only paths that match the regex rules are checked for vulnerabilities, rather than querying every path, since each check costs an HTTP request.

    SoftwareScanTask

    A Software object is built from the scan result:

    Software software = new Software(
            match.getType() + match.getMatchGroup(),   // key: rule type + captured version
            match.getType(),
            match.getMatchGroup(),

            matchRules.get(match.getType()).get("type"),
            matchRules.get(match.getType()).get("alias")
    );
    

    The key step is extracting the following from the HttpClient response:

    • software
    • version(match.getMatchGroup())
    • type

    A path that matches a rule's regex is then processed as an issue.
    The first stage is mainly regex-matching the version; once a concrete version has been captured, the next API endpoint can be queried.

    public void run() {

        Software software = vulnersRequest.getSoftware();

        // Query the "software" endpoint with the alias, captured version and match type
        JSONObject data = httpClient.get("software", new HashMap<String, String>() {{
            put("software", software.getAlias());
            put("version", software.getVersion());
            put("type", software.getMatchType());
        }});

        Set<Vulnerability> vulnerabilities = Utils.getVulnerabilities(data);
    
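    As an added, self-contained illustration (not the extension's own code) of how the regex stage feeds SoftwareScanTask, the class below applies a constructed rule set in the shape of rules.json to a constructed response and builds Software records keyed the same way as the extension (rule type + captured version), skipping hits without a version. RuleMatchDemo, Rule, the sample rules and the sample response are assumptions.

```java
import java.util.*;
import java.util.regex.*;

public class RuleMatchDemo {
    // Constructed rule shape: regex with a version capture group, plus alias and type
    record Rule(String regex, String alias, String type) {}
    // Same fields the extension's Software model carries
    record Software(String key, String name, String version, String matchType, String alias) {}

    // Constructed sample rules; the real rules.json is fetched from the API at startup
    static final Map<String, Rule> RULES = Map.of(
        "apache", new Rule("Server: Apache/(\\d+\\.\\d+\\.\\d+)", "apache", "software"),
        "php",    new Rule("X-Powered-By: PHP/(\\d+\\.\\d+\\.\\d+)", "php", "software")
    );

    // Mirrors the rule-matching step: a hit only becomes a query when a concrete
    // version was captured; the key (type + version) dedups repeated hits
    static Map<String, Software> detect(String response) {
        Map<String, Software> found = new LinkedHashMap<>();
        for (Map.Entry<String, Rule> e : RULES.entrySet()) {
            Matcher m = Pattern.compile(e.getValue().regex()).matcher(response);
            while (m.find()) {
                String version = m.group(1);
                if (version == null || version.isEmpty()) continue;
                String key = e.getKey() + version;
                found.putIfAbsent(key, new Software(key, e.getKey(), version,
                        e.getValue().type(), e.getValue().alias()));
            }
        }
        return found;
    }

    public static void main(String[] args) {
        // Constructed response; nothing is sent to any host
        String resp = "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                    + "X-Powered-By: PHP/7.4.3\r\n\r\n<html></html>";
        detect(resp).values().forEach(s ->
            System.out.println(s.key() + " -> software=" + s.alias()
                + " version=" + s.version() + " type=" + s.matchType()));
    }
}
```

    The three values printed per hit (software alias, version, type) are exactly the parameters SoftwareScanTask sends to the "software" endpoint.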

    At this point the whole chain is connected; what remains is the UI and some changes to the output.

    Improvements

    This only supports passive scanning; following the same logic, doActiveScan could be overridden to support active scanning as well.

    Original article: https://blog.csdn.net/xiru9972/article/details/126452552