<html>
<head>
<title>Introduction to Using Burp Suite (Part 4) - 小乐天</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<h1>Original article: <a href="http://drops.wooyun.org/tips/2504">http://drops.wooyun.org/tips/2504</a></h1>
<p>
<h2>0x00 Intruder Scan</h2>
<hr />
<p>Send a request that carries the csrf_token you want to test to Intruder.</p>
<h3>1) Positions are set as follows:</h3>
<p><img src="http://static.wooyun.org/20140714/2014071409505093108.png" alt="enter image description here" /></p>
<h3>2) Options are set as follows:</h3>
<pre><code>Request Engine
</code></pre>
<p><img src="http://static.wooyun.org/20140714/2014071402510866285.png" alt="enter image description here" /></p>
<pre><code>options>Grep-Extract>add
</code></pre>
<p><img src="http://static.wooyun.org/20140714/2014071402510875464.png" alt="enter image description here" /></p>
<p><img src="http://static.wooyun.org/20140714/2014071402510878768.png" alt="enter image description here" /></p>
<h3>3) Payloads are set as follows:</h3>
<p><img src="http://static.wooyun.org/20140714/2014071402511070921.png" alt="enter image description here" /></p>
<p>Here the payload type is set to Recursive grep, and under Initial payload for first request a valid csrf_token value is entered as the first item.</p>
<p><img src="http://static.wooyun.org/20140714/2014071402511075549.png" alt="enter image description here" /></p>
<h2>0x01 Active Scan with sqlmap</h2>
<hr />
<p>There are actually two ways to combine this with sqlmap. I discussed it with @c4bbage and used his code as well, but while injecting I noticed that the token shown in Burp Suite's HTTP history did not change, yet the injection still worked. At first this puzzled me and I thought his code was wrong; he said it was not, and that the change simply cannot be seen in Burp Suite. I agreed with him: the replacement is performed directly by the macro, so it never appears in the history. Here I will describe the second method; for the first method, click here.</p>
<h3>1) First log in to the page that uses csrf_token (no interception needed), then choose Options > Sessions > Add</h3>
<p><img src="http://static.wooyun.org/20140714/2014071402511163812.png" alt="enter image description here" /></p>
<p><img src="http://static.wooyun.org/20140714/2014071402511131536.png" alt="enter image description here" /></p>
<h3>2) A window pops up; choose Select macro > add</h3>
<p><img src="http://static.wooyun.org/20140714/2014071402511254538.png" alt="enter image description here" /></p>
<h3>3) After clicking add, two pages pop up as shown:</h3>
<p><img src="http://static.wooyun.org/20140714/2014071402511315045.png" alt="enter image description here" /></p>
<h3>4) Select 2 to 3 pages: the first is the request page and the second is the page where the data is POSTed. For easier viewing I added 3 pages here.</h3>
<p><img src="http://static.wooyun.org/20140714/2014071402511390464.png" alt="enter image description here" /></p>
<h3>5) Select the second page, click Configure item, specify the root, and add a custom token parameter</h3>
<p><img src="http://static.wooyun.org/20140714/2014071402511426851.png" alt="enter image description here" /></p>
<p><img src="http://static.wooyun.org/20140714/2014071402511483345.png" alt="enter image description here" /></p>
<h3>6) Once the configuration is done, click Test macro to check whether it works</h3>
<p><img src="http://static.wooyun.org/20140714/2014071402511513340.png" alt="enter image description here" /></p>
<p><img src="http://static.wooyun.org/20140714/2014071402511524539.png" alt="enter image description here" /></p>
<h3>7) If the above configuration succeeds, choose Scope to set where it applies</h3>
<p><img src="http://static.wooyun.org/20140714/2014071402511640672.png" alt="enter image description here" /></p>
<p><img src="http://static.wooyun.org/20140714/2014071402511671112.png" alt="enter image description here" /></p>
<h3>8) Then hand it to sqlmap to run</h3>
<p>For a POST page, save the POST request to the file request.txt and run the following command:</p>
<pre><code>./sqlmap.py -r request.txt --proxy=http://127.0.0.1:8080
</code></pre>
<p>For a GET page the command is:</p>
<pre><code>./sqlmap.py -u "www.target.com/vuln.php?id=1" --proxy=http://127.0.0.1:8080
</code></pre>
<p><img src="http://static.wooyun.org/20140714/2014071402511613052.png" alt="enter image description here" /></p>
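<p>As an added illustration of the two mechanisms described in sections 0x00 and 0x01 (Grep-Extract feeding a Recursive grep payload, and a session-handling macro that refreshes the token before each request), here is a self-contained Python script that is not part of the original article and not Burp's own code. It replaces the real target with a constructed in-process stand-in, <code>TokenApp</code>, which rotates its anti-CSRF token on every response and accepts only the most recently issued one (an assumption about how such a target behaves), and shows why a static token fails after the first request while both Burp techniques keep every request valid:</p>

```python
import re
import secrets


class TokenApp:
    """Constructed in-process stand-in for the target application (not a real
    server): every response carries a fresh anti-CSRF token, and a POST is
    accepted only if it presents the token issued by the immediately preceding
    response. This assumed behaviour is exactly what makes a static token fail."""

    def __init__(self):
        self.current_token = None
        self.accepted_ids = []

    def _fresh_field(self):
        self.current_token = secrets.token_hex(8)
        return f'<input type="hidden" name="csrf_token" value="{self.current_token}">'

    def get_form(self):
        """GET of the form page: the macro replays this to harvest a token."""
        return '<form method="post">' + self._fresh_field() + '</form>'

    def post(self, params):
        """POST handler: validate the token, then rotate it in the response."""
        ok = params.get("csrf_token") == self.current_token
        if ok:
            self.accepted_ids.append(params.get("id"))
        status = "<p>ok</p>" if ok else "<p>invalid csrf_token</p>"
        return ok, status + self._fresh_field()


# Options > Grep-Extract: the pattern that pulls the token out of a response.
TOKEN_RE = re.compile(r'name="csrf_token" value="([0-9a-f]{16})"')


def grep_extract(body):
    m = TOKEN_RE.search(body)
    return m.group(1) if m else None


def intruder_static(app, payloads, initial_token):
    """Baseline: every request reuses the single token we started with."""
    return [app.post({"id": p, "csrf_token": initial_token})[0] for p in payloads]


def intruder_recursive_grep(app, payloads, initial_token):
    """Payloads > Recursive grep: request 1 carries the initial payload, each
    later request carries the value grep-extracted from the previous response."""
    token, outcomes = initial_token, []
    for p in payloads:
        ok, body = app.post({"id": p, "csrf_token": token})
        outcomes.append(ok)
        token = grep_extract(body)
    return outcomes


def session_macro(app, payloads):
    """Options > Sessions macro: before every request, replay the form request,
    extract the token and copy it into the outgoing request. Only the rewritten
    request reaches the application, which is why Proxy history still shows the
    original, unchanged token."""
    outcomes = []
    for p in payloads:
        token = grep_extract(app.get_form())
        outcomes.append(app.post({"id": p, "csrf_token": token})[0])
    return outcomes


if __name__ == "__main__":
    ids = ["1", "2", "3"]
    app = TokenApp()
    print("static token  :", intruder_static(app, ids, grep_extract(app.get_form())))
    app = TokenApp()
    print("recursive grep:", intruder_recursive_grep(app, ids, grep_extract(app.get_form())))
    print("session macro :", session_macro(TokenApp(), ids))
```

<p>Running the script gives <code>[True, False, False]</code> for the static run and all <code>True</code> for the other two. The <code>session_macro</code> function also explains the HTTP history observation above: the token is swapped in at send time, so what the proxy recorded is the request as it was before the macro touched it.</p>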
<h2>0x02 Session Randomness Analysis Sequencer</h2>
<hr />
<p>Intercept a request to an address. If the response contains a cookie, use that; alternatively, we can configure a custom token parameter in Sequencer.</p>
<p><img src="http://static.wooyun.org/20140714/2014071402511798223.png" alt="enter image description here" /></p>
<p><img src="http://static.wooyun.org/20140714/2014071402511737746.png" alt="enter image description here" /></p>
<p>Then click Start live capture to run the analysis.</p>
<p><img src="http://static.wooyun.org/20140714/2014071402511843073.png" alt="enter image description here" /></p>
<p>Once the analysis finishes, a report is generated, from which we can see whether the token can be forged.</p>
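<p>The following Python script is an added example, not from the original article and not Burp's own algorithm; it gives a rough feel for what the Sequencer report measures. It applies a per-position Shannon entropy estimate and a counter check to two constructed samples (a sequential hex id and a CSPRNG-generated one) that stand in for captured cookie values:</p>

```python
import math
import secrets
from collections import Counter


def position_entropy(tokens, pos):
    """Shannon entropy, in bits, of the character at one position across the sample."""
    counts = Counter(t[pos] for t in tokens)
    n = len(tokens)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(tokens):
    """Character-level summary in the spirit of a Sequencer report: how much
    each position varies, which positions never change, and a total that is an
    upper bound on the effective entropy (per-position counts ignore
    correlations between positions, so a plain counter still scores some bits)."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all sampled tokens must have the same length")
    per_pos = [position_entropy(tokens, i) for i in range(length)]
    return {
        "length": length,
        "per_position_bits": per_pos,
        "total_bits": sum(per_pos),
        "fixed_positions": [i for i, e in enumerate(per_pos) if e == 0.0],
    }


def constant_stride(hex_tokens):
    """Return the step if consecutive tokens, read as integers, always differ by
    the same amount (a counter), else None. Correlation like this is what the
    per-position figures cannot see."""
    values = [int(t, 16) for t in hex_tokens]
    steps = {b - a for a, b in zip(values, values[1:])}
    return steps.pop() if len(steps) == 1 else None


# Constructed samples standing in for captured Set-Cookie / token values.
def weak_sample(n):
    """A sequential session id: a counter rendered as 16 hex digits."""
    return [f"{0x1000 + i:016x}" for i in range(n)]


def strong_sample(n):
    """A CSPRNG-generated id of the same length."""
    return [secrets.token_hex(8) for _ in range(n)]


if __name__ == "__main__":
    for name, sample in (("weak", weak_sample(512)), ("strong", strong_sample(512))):
        r = analyze(sample)
        print(f"{name}: total~{r['total_bits']:.1f} bits over {r['length']} chars, "
              f"fixed positions={r['fixed_positions']}, stride={constant_stride(sample)}")
```

<p>On 512 samples the sequential id scores only 9 bits in total, has its first 13 characters fixed and shows a constant stride of 1, while the CSPRNG id scores well over 50 bits with no fixed positions and no stride. Sequencer goes further than this, applying bit-level statistical tests over thousands of captured values; a few hundred samples is the minimum for any of these figures to mean much, and the per-character total should be read as a ceiling, not as the real security margin.</p>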
<p>Reference: http://resources.infosecinstitute.com/session-randomness-analysis-burp-suite-sequencer/</p> </p>
</body>
</html>