Script to solve burp labs or for bug bounty #340
Changes from 20 commits
@@ -0,0 +1,44 @@ | ||
# Version 1.0 | ||
# @author RUFFENACH Timothée | ||
# filter by RTT (time request). | ||
|
||
from javax.swing import JFrame, JPanel, JComboBox, JOptionPane,JFileChooser,JOptionPane | ||
|
||
# Auxiliary variables/constants needed for processing. | ||
global time,isCheck; | ||
init = False | ||
|
||
def getNumber(min,max,asked): | ||
number = JOptionPane.showInputDialog(None, asked, "Input", JOptionPane.QUESTION_MESSAGE) | ||
|
||
if int(number) >= min and int(number) <= max: | ||
number = int(number) | ||
return number | ||
else: | ||
JOptionPane.showMessageDialog(None, "Choose number between " + min + " to " + max) | ||
getNumber() | ||
|
||
# Called after injecting the payloads and before forward the message to the server. | ||
def processMessage(utils, message) : | ||
if (init == False): | ||
initialise() | ||
|
||
def initialise(): | ||
global init,entry,isCheck | ||
global time; | ||
time = getNumber(1,50000,"how many time do you want ?") | ||
isCheck = JOptionPane.showConfirmDialog(None, "more high or equal (YES) esle less or equal (NO)", "Confirm", JOptionPane.YES_NO_OPTION) | ||
Reviewer: This English is rough. I'm happy to help, but I need a better description of what's meant here. They should both start with capitals, and there's a typo in "else".
Author: I changed the sentences for more understanding; sorry, my native language is not English.
Reviewer: No problem, that's why I was offering to help 👍
||
init = True | ||
|
||
|
||
# Called after receiving the fuzzed message from the server | ||
def processResult(utils, fuzzResult) : | ||
global isChek,time | ||
Reviewer: isCheck?
Author: Renamed isCheck to choice.
Reviewer: My point was that it's misspelled here.
||
if isCheck == JOptionPane.YES_OPTION and (int(fuzzResult.getHttpMessage().getTimeElapsedMillis()) >= time): | ||
return bool(1) | ||
elif isCheck == JOptionPane.NO_OPTION and (int(fuzzResult.getHttpMessage().getTimeElapsedMillis()) <= time): | ||
return bool(1) | ||
else: | ||
return bool(0); | ||
Reviewer: Any reason these can't just return true or false?
Author: OK, I have changed them to TRUE and FALSE.
||
|
||
|
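Review bot: `getNumber()` is called recursively with no arguments in the `else` branch of `getNumber`, which raises a TypeError because the function takes `min`, `max` and `asked`; and even with the arguments supplied, the recursive result is discarded, so `time` becomes `None` after a single out-of-range entry. Use `return getNumber(min, max, asked)` or loop inside the function until a valid value is entered. In the same branch `"Choose number between " + min + " to " + max` concatenates a string with two ints and raises before the dialog is shown (use `str(min)`, `str(max)` or string formatting), and `int(number)` raises when the user cancels the dialog, since `showInputDialog` returns `None`. In `initialise()`, `showConfirmDialog` returns `CLOSED_OPTION` (-1) if the dialog is closed, so neither branch of `processResult` matches and every result is silently filtered out; treat that case explicitly. Smaller points: `global isChek,time` in `processResult` misspells `isCheck` (the comparison still works only because an undeclared name falls back to the module global), the `global time,isCheck;` at module scope is a no-op, and `JFrame`, `JPanel`, `JComboBox` and `JFileChooser` are imported but unused while `JOptionPane` is imported twice. The header should also state that this is a Fuzzer HTTP Processor script and that `time` is an RTT threshold in milliseconds.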
@@ -0,0 +1,52 @@ | ||||||
# @author Timothée Ruffenach | ||||||
# Version 1.0 | ||||||
# filters the fuzzing result with a string. | ||||||
Reviewer: Suggested change
||||||
|
||||||
from javax.swing import JOptionPane | ||||||
|
||||||
|
||||||
# global variable | ||||||
init = False | ||||||
Reviewer: shouldInit?
||||||
entry = "" | ||||||
isCheck = False | ||||||
|
||||||
# Called after injecting the payloads and before forward the message to the server. | ||||||
def processMessage(utils, message) : | ||||||
global number,payloads | ||||||
if not init: | ||||||
initialise() | ||||||
|
||||||
|
||||||
def initialise(): | ||||||
global init,entry,isCheck | ||||||
|
||||||
entry = "" | ||||||
|
||||||
# ask stings to find | ||||||
Reviewer: The code seems clear; this comment could be removed.
||||||
while entry == "": | ||||||
entry = getString("what character string do you want to find ?") | ||||||
Reviewer: Suggested change
Author: I made the changes and corrected the other sentence.
||||||
if entry == "": | ||||||
JOptionPane.showMessageDialog(None, "Empty string","Waring", JOptionPane.WARNING_MESSAGE) | ||||||
# ask reverse message | ||||||
isCheck = JOptionPane.showConfirmDialog(None, "Reverse", "Confim", JOptionPane.YES_NO_OPTION) | ||||||
|
||||||
|
||||||
init = True | ||||||
|
||||||
# Called after receiving the fuzzed message from the server | ||||||
def processResult(utils, fuzzResult) : | ||||||
global entry,isCheck | ||||||
body = fuzzResult.getHttpMessage().getResponseBody().toString() | ||||||
|
||||||
# test all posibility | ||||||
if isCheck == JOptionPane.NO_OPTION and entry in body: | ||||||
return bool(1); | ||||||
elif isCheck == JOptionPane.YES_OPTION and not entry in body: | ||||||
return bool(1); | ||||||
else: | ||||||
return bool(0); | ||||||
Reviewer: Can these just return true/false?
||||||
|
||||||
# Question | ||||||
def getString(question): | ||||||
stringInput = JOptionPane.showInputDialog(None, question, "Input", JOptionPane.QUESTION_MESSAGE) | ||||||
return stringInput |
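Review bot: `getString()` returns `None` when the user cancels the input dialog, so the `while entry == ""` loop in `initialise()` exits with `entry = None` and the `entry in body` test in `processResult` raises a TypeError on the first fuzzed response; treat `None` like an empty string (or call `utils.stopFuzzer()`) before leaving `initialise()`. Likewise `showConfirmDialog` returns `CLOSED_OPTION` when the "Reverse" dialog is closed, in which case neither branch matches and every result is dropped. The `global number,payloads` declaration in `processMessage` names variables this script never defines and looks copied from the payload script; drop it, and `global entry,isCheck` in `processResult` is unnecessary since the function only reads them. Because `isCheck` really means "invert the match", a name such as `invert` and a dialog text that says what YES does ("Keep only responses that do NOT contain the string?") would be clearer than "Reverse". Typos in user-visible strings: "Waring" -> "Warning", "Confim" -> "Confirm"; in comments, "ask stings to find" -> "ask for the string to find", "test all posibility" -> "test all possibilities".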
@@ -0,0 +1,97 @@ | ||||||
# Version 1.1 | ||||||
# @author RUFFENACH Timothée | ||||||
# Script inspired from https://02108124551050482571.googlegroups.com/attach/54c6e34f6fe20/message_processor.js?part=0.1&view=1&vt=ANaJVrEJuACewYorhYYa_zyhyMSug06pmlERCqfYdLsukQBC3OW3LATuXG1WHk_Fw9a0nhexG8ykFDuFgBGYrKAg_pOQ61M36MwC9SOBGvK4KLZn3eDkNzY (dot run on owasp 2.12.0) | ||||||
Reviewer: ?
Author: The legacy script in JavaScript doesn't run with OWASP 2.12.0.
Reviewer: That's not a ZAP issue, that's a JRE issue. If you're using a Java 11 JRE it'll still run. Also, OWASP is the organization; ZAP is the project/product 😉
Reviewer: Link to the thread/post rather than the attachment, which should be more reliable.
Author: I didn't find the original post.
||||||
# To resolve problem at from https://github.com/zaproxy/zaproxy/issues/2967 | ||||||
# The script fuzz in mode pitchfork. | ||||||
# To Use : Enable script. | ||||||
# In fuzzer Add number multiple EmptyNull payloads with a good number of iterations. | ||||||
# Select the desired number of payloads [limit 2 to 20] | ||||||
# Select the desired number of files [limit 2 to 20] | ||||||
|
||||||
from java.nio.file import Paths | ||||||
from javax.swing import JFileChooser | ||||||
from javax.swing import JOptionPane | ||||||
from org.zaproxy.zap.extension.fuzz.payloads.generator import FileStringPayloadGenerator | ||||||
|
||||||
payloads1 = None | ||||||
payloads2 = None | ||||||
init = False | ||||||
|
||||||
def processMessage(utils, message): | ||||||
global number, payloads, init | ||||||
|
||||||
if not init: | ||||||
initialise() | ||||||
|
||||||
# Stop if has end of payloads | ||||||
Reviewer: Suggested change
||||||
for i in range(number): | ||||||
# if end of payload stop fuzzing | ||||||
if not payloads[i].hasNext(): | ||||||
utils.stopFuzzer() | ||||||
# close all payload | ||||||
for j in range(number): | ||||||
payloads.close() | ||||||
return | ||||||
|
||||||
for i in range(number): | ||||||
# Get the next value of payloads | ||||||
# Get information of body and replace with payload value | ||||||
payloadNext = payloads[i].next().getValue() | ||||||
body = message.getRequestBody().toString() | ||||||
body = body.replace(utils.getPaylaods().get(i).getValue(), payloadNext) | ||||||
# Set payload value to show in Fuzzer | ||||||
utils.getPaylaods().set(i,payloadNext) | ||||||
# set payload in body | ||||||
message.getRequestBody().setBody(body) | ||||||
message.getRequestHeader().setContentLength(message.getRequestBody().length()) | ||||||
|
||||||
def processResult(utils, fuzzResult): | ||||||
return True | ||||||
|
||||||
def chooseFile(): | ||||||
fileChooser = JFileChooser() | ||||||
fileChooser.setMultiSelectionEnabled(True) | ||||||
filePath = "" | ||||||
result = fileChooser.showOpenDialog(None) | ||||||
|
||||||
if result == JFileChooser.APPROVE_OPTION: | ||||||
selectedFiles = fileChooser.getSelectedFiles() | ||||||
for file in selectedFiles: | ||||||
filePath = file.getAbsolutePath() | ||||||
print('The path is :', filePath) | ||||||
|
||||||
return filePath | ||||||
|
||||||
def chooseNumber(): | ||||||
number = JOptionPane.showInputDialog(None, "How many payload do you want [2 to 20]:", "Input", JOptionPane.QUESTION_MESSAGE) | ||||||
|
||||||
# Check number between 2 to 20 | ||||||
if int(number) > 1 and int(number) < 21: | ||||||
number = int(number) | ||||||
return number | ||||||
Reviewer (on lines +68 to +71): Why not
||||||
else: | ||||||
JOptionPane.showMessageDialog(None, "Choose number between 2 to 20") | ||||||
Reviewer: Suggested change
||||||
chooseNumber() | ||||||
|
||||||
def initialise(): | ||||||
global init | ||||||
global payloads | ||||||
global number | ||||||
|
||||||
payloads = [] | ||||||
filePaths = [] | ||||||
|
||||||
# input number of payloads | ||||||
number = -1 | ||||||
while number == -1: | ||||||
number = chooseNumber() | ||||||
|
||||||
# choose file user | ||||||
Reviewer: user file?
Author: Yes, this is where the user's files are added. I have changed the comment to "add files chosen by the user".
||||||
for i in range(number): | ||||||
filePaths.append(chooseFile()) | ||||||
|
||||||
# Get payload in file to var payloads | ||||||
for i in range(number): | ||||||
payloads.append(FileStringPayloadGenerator(Paths.get(filePaths[i])).iterator()) | ||||||
|
||||||
init = True |
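Review bot: `payloads.close()` in the cleanup loop of `processMessage` is called on the Python list rather than on each iterator, so it raises AttributeError the first time any payload file is exhausted and the `utils.stopFuzzer()` path never completes cleanly; it should be `payloads[j].close()`. Two more control-flow problems: `chooseNumber()` discards the value of its recursive call, so after one invalid entry it returns `None`, the `while number == -1` loop in `initialise()` exits, and `range(number)` raises TypeError (return the recursive result, or loop inside `chooseNumber()`); and `int(number)` raises if the user cancels the dialog. `chooseFile()` enables multi-selection but returns only the last selected path, so either disable multi-selection or return the list and stop prompting once `number` files have been chosen. The replacement `body.replace(utils.getPaylaods().get(i).getValue(), payloadNext)` substitutes every occurrence of the current payload value anywhere in the body, and if the EmptyNull payload value is the empty string, `str.replace("", x)` inserts `x` between every character of the body; replacing at the fuzz location's own offsets would be the safer way to inject. Finally, the usage comment "The script fuzz in mode pitchfork" should spell out that each payload file feeds one fuzz location in lock-step (the "pitchfork" term comes from Burp, not ZAP), and the `payloads1`/`payloads2` module variables are unused.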
@@ -0,0 +1,26 @@ | ||
// @author Ruffenach Timothée | ||
// The original script comes from the Fuzzer HTTP Processor section under the name random_x_forwarded_for_ip.js | ||
Reviewer: I was not saying to remove the name, just to mention the other script. This is for maintenance purposes: if changes are made in one script they most likely need to be made in both.
||
// Add in Header response X-Forwarded-For: Random IP | ||
// The sendingRequest and responseReceived functions will be called for all requests/responses sent/received by ZAP, | ||
// including automated tools (e.g. active scanner, fuzzer, ...) | ||
|
||
// Note that new HttpSender scripts will initially be disabled | ||
// Right click the script in the Scripts tree and select "enable" | ||
|
||
// For the latest list of 'initiator' values see the HttpSender class: | ||
// https://github.com/zaproxy/zaproxy/blob/main/zap/src/main/java/org/parosproxy/paros/network/HttpSender.java | ||
// 'helper' just has one method at the moment: helper.getHttpSender() which returns the HttpSender | ||
// instance used to send the request. | ||
|
||
// In order to facilitate identifying ZAP traffic and Web Application Firewall exceptions, ZAP is accompanied | ||
// by this script which can be used to add a specific header to all traffic that passes through | ||
// or originates from ZAP. e.g.: X-ZAP-Initiator: 3 | ||
|
||
function sendingRequest(msg, initiator, helper) { | ||
var random_ip = Math.floor(Math.random() * 254)+ "." + Math.floor(Math.random() * 254) + "." + Math.floor(Math.random() * 254) + "." + Math.floor(Math.random() * 254); | ||
msg.getRequestHeader().setHeader("X-Forwarded-For", random_ip); | ||
} | ||
|
||
function responseReceived(msg, initiator, helper) { | ||
// Nothing to do here | ||
} |
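Review bot: the header comments still describe the script this was copied from: "Add in Header response X-Forwarded-For" is wrong because `sendingRequest` sets a request header, and the paragraph about "X-ZAP-Initiator: 3" and WAF exceptions belongs to the original script and contradicts what this one does (spoofing a random client address), so trim the block to what this script does while keeping the pointer to random_x_forwarded_for_ip.js. On the generated value, `Math.floor(Math.random() * 254)` yields 0..253 for every octet, so the address can begin with 0 (for example 0.x.x.x) and never uses 254 or 255; if the intent is a plausible client IP, use `1 + Math.floor(Math.random() * 254)` for the first octet and `Math.floor(Math.random() * 256)` for the rest, or draw from a documented test range. Since HttpSender scripts run for every initiator, it is also worth stating in the header that enabling this affects all requests ZAP sends, not only the fuzzer.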
kingthorin marked this conversation as resolved.
@@ -0,0 +1,14 @@ | ||
# @author RUFFENACH timothée | ||
# Version 1.0 | ||
# encode payload to full HTML encode | ||
|
||
def process(payload): | ||
payloadEncode="" | ||
|
||
# convert to full HTML | ||
for i in payload: | ||
payloadEncode += "&#" | ||
payloadEncode += str(ord(i)) | ||
payloadEncode += ";" | ||
|
||
return payloadEncode |
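Review bot: the header should say that this is a Fuzzer Payload Processor script (the `process(payload)` signature) and that it emits a decimal numeric character reference (`&#NN;`) for every character, including those that need no encoding; "encode payload to full HTML encode" does not convey that, and a one-line example such as `<` -> `&#60;` would help users pick it from the processor list. The loop is correct for characters in the Basic Multilingual Plane, but check how a supplementary character (an emoji, for instance) is iterated under Jython: if it arrives as a surrogate pair, `ord()` on each half produces two references instead of one `&#NNNNN;`, so either build the references from code points or document the limitation.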
Reviewer: Maybe "shouldInit" should be more clear to future users/maintainers?
Author: OK, I have renamed it to shouldInit.