def _add_writeup(self):
os.mkdir(self.writeup)
Writer.Replace(os.path.join(self.writeup, "report.md"),
("\n" * 5).join([
"# NAME:", "# DESCRIPTION:", "# IMPACT",
"# RECOMMENDED FIX:", ""
]))
Writer.Replace(os.path.join(self.writeup, "payload"), "")
Writer.Replace(os.path.join(self.writeup, "request"), "")
def extract_cmd(self, raw):
try:
args = Args(raw, [("log_id", int), ("fp", str)], 2)
if self._validate(args, "log_id"):
content = self.logs.Get(args.log_id).response.body
if isinstance(content, (list, dict)):
Writer.Json(args.fp, content)
else:
Writer.Replace(args.fp, content)
self.display.Format("Log: {0} Extracted: {1}", True,
args.log_id, args.fp)
return True
except:
self._error()
return False
def Run(self):
s = time.time()
t = Threader(15,self.results)
for w in self._wl:
url = self.build_url(w)
t.add((self.req,{"url" : url}))
t.start()
elapsed = time.gmtime(time.time() - s)
final = self.update_display(True)
Writer.Replace(self.options.output,final)
def Code(logs,fp):
mapped = []
multi = False
jpad = 4
opad = 0
tpl = "single"
if not isinstance(logs,list):
logs = [logs]
if len(logs) > 1:
multi = True
jpad = 8
opad = 4
tpl = "multiple"
for log in logs:
mapped.append(Generate.substitute_map(log,jpad))
const_header = "None"
const_cookies = "None"
if multi:
if len(set(map(lambda x: x["@@HEADER"],mapped))) == 1:
const_header = To.Code(logs[0].request.HeaderNoCookies())
for m in mapped:
m["@@HEADER"] = "header"
if len(set(map(lambda x: x["@@COOKIES"],mapped))) == 1:
const_cookies = To.Code(logs[0].request.cookies)
for m in mapped:
m["@@COOKIES"] = "cookies"
t = Reader.Read("{0}/{1}.pyt".format(os.path.dirname(__file__),tpl))
req_objs = [Generate.gen_request_object(m,opad) for m in mapped]
if multi:
t = Reader.Substitute(t,"@@HEADER",const_header)
t = Reader.Substitute(t,"@@COOKIES",const_cookies)
t = Reader.Substitute(t,"@@REQOBJS",",\n".join(req_objs))
else:
t = Reader.Substitute(t,"@@REQOBJ",req_objs[0])
Writer.Replace(fp,t)
return "Python Script Written to: {0}".format(fp)
def Run(self):
hr = "-" * 80
if os.path.isdir(self.path):
print("\nTarget: {0} already exists...\n".format(self.name))
sys.exit()
print(hr)
print("Creating Target: {0}".format(self.name))
print("Path: {0}".format(self.path))
os.mkdir(self.path)
print(hr)
self._accept_scope()
Writer.Replace(self.notes, "\n")
self._add_writeup()
print("Target Created: {0}".format(self.name))
print("Path: {0}".format(self.path))
print(hr)
print("Starting belch CLI ...")
self._change_working()
self._start_belch()
def _accept_scope(self):
parsed = self._parse_lines(
"http[s]*\:\/\/[^\s\*]+",
self._multi_line_input("Enter Target Scope:"),
)
working = []
consolidated = []
project = {
"proxy": {
"http_history_display_filter": {
"by_request_type": {
"show_only_in_scope_items": True
}
},
"match_replace_rules": [{
"comment": "Add QWERTY Query String Exists",
"enabled": True,
"is_simple_match": False,
"rule_type": "request_first_line",
"string_match": "^(\\w+\\s[^\\s]+\\?[^\\s]+)(\\sHTTP.+)$",
"string_replace": "$1&qwerty=ytrewq$2"
}, {
"comment": "Add QWERTY No Query String",
"enabled": True,
"is_simple_match": False,
"rule_type": "request_first_line",
"string_match": "^(\\w+\\s[^\\?]+)(\\sHTTP.+)$",
"string_replace": "$1?qwerty=ytrewq$2"
}, {
"comment": "Add QWERTY Query (?) exists with no query",
"enabled": True,
"is_simple_match": False,
"rule_type": "request_first_line",
"string_match": "^(\\w+\\s[^\\s]+\\?)(\\sHTTP.+)$",
"string_replace": "$1qwerty=ytrewq$2"
}, {
"comment": "Add QWERTY Remove Doubled query",
"enabled": True,
"is_simple_match": False,
"rule_type": "request_first_line",
"string_match":
"^(\\w+\\s[^\\s]+\\?[^\\s]*)qwerty\\=ytrewq\\&qwerty\\=ytrewq([^\\s]*\\sHTTP.+)$",
"string_replace": "$1qwerty=ytrewq$2"
}, {
"comment":
"Emulate IE",
"enabled":
False,
"is_simple_match":
False,
"rule_type":
"request_header",
"string_match":
"^User-Agent.*$",
"string_replace":
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
}, {
"comment":
"Emulate iOS",
"enabled":
False,
"is_simple_match":
False,
"rule_type":
"request_header",
"string_match":
"^User-Agent.*$",
"string_replace":
"User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3"
}, {
"comment":
"Emulate Android",
"enabled":
False,
"is_simple_match":
False,
"rule_type":
"request_header",
"string_match":
"^User-Agent.*$",
"string_replace":
"User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; en-us; Droid Build/FRG22D) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
}, {
"comment": "Require non-cached response",
"enabled": False,
"is_simple_match": False,
"rule_type": "request_header",
"string_match": "^If-Modified-Since.*$"
}, {
"comment": "Require non-cached response",
"enabled": False,
"is_simple_match": False,
"rule_type": "request_header",
"string_match": "^If-None-Match.*$"
}, {
"comment": "Hide Referer header",
"enabled": False,
"is_simple_match": False,
"rule_type": "request_header",
"string_match": "^Referer.*$"
}, {
"comment": "Require non-compressed responses",
"enabled": False,
"is_simple_match": False,
"rule_type": "request_header",
"string_match": "^Accept-Encoding.*$"
}, {
"comment": "Ignore cookies",
"enabled": False,
"is_simple_match": False,
"rule_type": "response_header",
"string_match": "^Set-Cookie.*$"
}, {
"comment":
"Rewrite Host header",
"enabled":
False,
"is_simple_match":
False,
"rule_type":
"request_header",
"string_match":
"^Host: foo.example.org$",
"string_replace":
"Host: bar.example.org"
}, {
"comment":
"Add spoofed CORS origin",
"enabled":
False,
"is_simple_match":
True,
"rule_type":
"request_header",
"string_replace":
"Origin: foo.example.org"
}, {
"comment":
"Remove HSTS headers",
"enabled":
False,
"is_simple_match":
False,
"rule_type":
"response_header",
"string_match":
"^Strict\\-Transport\\-Security.*$"
}, {
"comment": "Disable browser XSS protection",
"enabled": False,
"is_simple_match": True,
"rule_type": "response_header",
"string_replace": "X-XSS-Protection: 0"
}]
},
"target": {
"scope": {
"exclude": [],
"include": []
},
"filter": {
"by_request_type": {
"show_only_in_scope_items": True
}
}
}
}
scope = []
for r in parsed:
u = urlparse(r)
pp = u.path.split("/")
if pp[-1].find(".") > -1:
pp[-1] = ""
working.append("https://{0}{1}".format(u.netloc,
"/".join(pp)).rstrip("/"))
for w in sorted(set(working), key=len):
found = False
for c in consolidated:
if w.find(c) == 0:
found = True
if not found:
consolidated.append(w)
for x in consolidated:
u = urlparse(x)
scope.append("https://{0}{1}".format(u.netloc, u.path))
scope.append("http://{0}{1}".format(u.netloc, u.path))
project["target"]["scope"]["include"].append({
"enabled": "true",
"protocol": "any",
"host": u.netloc,
"file": u.path
})
Writer.Replace(self.scope, "\n".join(scope))
Writer.Json(self.project, project)
Writer.Replace(self.orig, "\n".join(parsed))
def _start_belch(self):
time.sleep(2)
Writer.Replace(self.burp, "<?xml version=\"1.0\"?>\n<items></items>")
waabi.belch.Cli().Start(self.burp, None)
def Header(record,fp):
Writer.Json(fp,record.request.header)
return "Header Written to: {0}".format(fp)
def Save(self):
Writer.Json(self._file, self._options)