-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy pathCTFhelper.py
202 lines (146 loc) · 6.42 KB
/
CTFhelper.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
# Author :unamer
from burp import IBurpExtender
from burp import IScannerCheck
from burp import IScanIssue
from java.io import PrintWriter
from java.lang import RuntimeException
from java.net import URL
import re
from os import path
from urlparse import urlparse
stderr = None
stdout = None
helpers = None
cbs = None
class backupScan(IScannerCheck):
def __init__(self):
self.hs = set()
self.patterns = {
re.compile(r'([^\/]*\.php\d{0,1})', re.IGNORECASE): [r'.\1.swp', r'.\1.swn', r'.\1.swo', r'\1.bak',
r'\1.zip', r'.\1.txt', r'\1.~', r'\1~', r'\1.bak',
r'\1.bak~', r'\1.source', r'\1_source', r'\1.old',
'\1_old', r'\1.new', r'\1_new', r'.\1.un~', r'\1-',
r'\1_'],
re.compile(r'([^\/]*\.)(php\d{0,1})', re.IGNORECASE): [r'\1txt', r'\1bak', r'.\1swp', r'\1swn', r'\1swo',
r'\1zip', r'\1~', r'\1bak.\2', r'\1rar', r'\1tar.gz',
r'\1tar.xz', r'\17z', r'\1new.\2', r'\1new_\2',
r'\1~\2']}
def doPassiveScan(self, baseRequestResponse):
# Nope ...
return None
def doActiveScan(self, baseRequestResponse, insertionPoint):
reqinfo = helpers.analyzeRequest(baseRequestResponse)
url = str(reqinfo.getUrl())
url = urlparse(url)
issues = []
burl = url.scheme + '://' + url.netloc + '/' + url.path
if burl in self.hs or url.path[-1] == '/':
return None
self.hs.add(burl)
for regex in self.patterns.iterkeys():
subs = self.patterns[regex]
for sub in subs:
baktest = helpers.buildHttpRequest(URL(url.scheme, url.hostname, url.port, regex.sub(sub, url.path)))
attack = cbs.makeHttpRequest(baseRequestResponse.getHttpService(), baktest)
reqinfo = helpers.analyzeResponse(attack.getResponse())
if reqinfo.getStatusCode() == 200:
issues.append(CustomScanIssue(
attack.getHttpService(),
helpers.analyzeRequest(attack).getUrl(),
[attack],
"Backup file leaked",
"Suspecious backup file likely leaked",
"High"))
return issues
def consolidateDuplicateIssues(self, existingIssue, newIssue):
if existingIssue.getIssueName() == newIssue.getIssueName():
return -1
return 0
class DirScan(IScannerCheck):
def __init__(self):
self.hs = set()
self.patterns = ['.git', '.git/index', '.hg', '.svn', '.idea', '.git/config', '.idea/workspace.xml', '.bzr',
'wwwroot.zip', 'www.zip', 'backup.zip', '.htpasswd', 'www.tar.gz', 'backup.tar.gz',
'wwwroot.tar.gz', '.DS_Store','.git/config']
def doPassiveScan(self, baseRequestResponse):
# Nope ...
return None
def doActiveScan(self, baseRequestResponse, insertionPoint):
reqinfo = helpers.analyzeRequest(baseRequestResponse)
url = str(reqinfo.getUrl())
url = urlparse(url)
issues = []
rpath, file = path.split(url.path)
burl = url.scheme + '://' + url.netloc + '/' + rpath
if burl in self.hs:
return None
self.hs.add(burl)
for dir in self.patterns:
dirtest = helpers.buildHttpRequest(URL(url.scheme, url.hostname, url.port, rpath + '/' + dir))
attack = cbs.makeHttpRequest(baseRequestResponse.getHttpService(), dirtest)
reqinfo = helpers.analyzeResponse(attack.getResponse())
if reqinfo.getStatusCode() == 200:
issues.append(CustomScanIssue(
attack.getHttpService(),
helpers.analyzeRequest(attack).getUrl(),
[attack],
"Sensitive info leaked",
"Sensitive directory or file likely leaked",
"High"))
return issues
def consolidateDuplicateIssues(self, existingIssue, newIssue):
if existingIssue.getIssueName() == newIssue.getIssueName():
return -1
return 0
class BurpExtender(IBurpExtender, IScannerCheck):
#
# implement IBurpExtender
#
def __init__(self):
self.hs = set()
def registerExtenderCallbacks(self, callbacks):
# keep a reference to our callbacks object
global cbs, helpers, stdout, stderr
cbs = callbacks
helpers = callbacks.getHelpers()
stdout = PrintWriter(callbacks.getStdout(), True)
stderr = PrintWriter(callbacks.getStderr(), True)
callbacks.setExtensionName("CTF helper")
stdout.println("Welcome to my CTF world...")
stdout.println('CTF helper by unamer.')
# register ourselves as a custom scanner check
callbacks.registerScannerCheck(backupScan())
callbacks.registerScannerCheck(DirScan())
#
# class implementing IScanIssue to hold our custom scan issue details
#
class CustomScanIssue(IScanIssue):
def __init__(self, httpService, url, httpMessages, name, detail, severity):
self._httpService = httpService
self._url = url
self._httpMessages = httpMessages
self._name = name
self._detail = detail
self._severity = severity
def getUrl(self):
return self._url
def getIssueName(self):
return self._name
def getIssueType(self):
return 0
def getSeverity(self):
return self._severity
def getConfidence(self):
return "Certain"
def getIssueBackground(self):
pass
def getRemediationBackground(self):
pass
def getIssueDetail(self):
return self._detail
def getRemediationDetail(self):
pass
def getHttpMessages(self):
return self._httpMessages
def getHttpService(self):
return self._httpService