Python Hacker Programming: a Burp Wordlist Generator Plugin

Description

  • Write a Burp Suite extension that pulls specific words out of the web pages you browse and builds a wordlist for Intruder from them

Code

  • Register the extension
  • Create a JMenuItem; right-clicking a site in the Target tab triggers the callback wordlist_menu
  • wordlist_menu reads the menu context and takes the selected site(s)
  • For each selected site, take the captured response, parse it, and build the wordlist by appending suffixes to the words found in the content

import re
from burp import IBurpExtender
from burp import IContextMenuFactory
from java.util import ArrayList
from javax.swing import JMenuItem
from datetime import datetime
from HTMLParser import HTMLParser  # Jython 2.7 module name


class TagStripper(HTMLParser):
    """Collects the text nodes (and comments) of an HTML document, dropping the tags."""
    def __init__(self):
        HTMLParser.__init__(self)
        self.page_text = []

    def handle_data(self, data):
        self.page_text.append(data)

    # HTMLParser calls handle_comment for <!-- ... -->. The original code
    # misspelled this as handler_comment, so comments were never collected.
    def handle_comment(self, data):
        self.handle_data(data)

    def strip(self, html):
        self.feed(html)
        return "".join(self.page_text)


class BurpExtender(IBurpExtender, IContextMenuFactory):
    def registerExtenderCallbacks(self, callbacks):
        # Keep the callbacks/helpers, seed the wordlist, and hook the context menu.
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        self.context = None
        self.hosts = set()
        self.wordlist = set(["password"])
        callbacks.setExtensionName("BHP WordList")
        callbacks.registerContextMenuFactory(self)
        return

    def createMenuItems(self, context_menu):
        # Burp calls this on every right-click; remember the context so the
        # handler can find out which messages were selected.
        self.context = context_menu
        menu_list = ArrayList()
        menu_list.add(JMenuItem("Create Wordlist", actionPerformed=self.wordlist_menu))
        return menu_list

    def wordlist_menu(self, event):
        # Walk the selected request/response pairs and harvest words from each response.
        http_traffic = self.context.getSelectedMessages()
        for traffic in http_traffic:
            http_service = traffic.getHttpService()
            host = http_service.getHost()
            self.hosts.add(host)

            http_response = traffic.getResponse()  # Java byte[], None if no response yet
            if http_response:
                self.get_words(http_response)

        self.display_wordlist()
        return

    def get_words(self, response):
        # Split raw response into headers and body; only text/* bodies are worth parsing.
        headers, body = response.tostring().split("\r\n\r\n", 1)
        if headers.lower().find("content-type: text") == -1:
            return
        tag_stripper = TagStripper()
        word_text = tag_stripper.strip(body)
        # Words of 3+ characters starting with a letter; skip anything longer than 12.
        words = re.findall("[a-zA-Z]\w{2,}", word_text)
        for word in words:
            if len(word) <= 12:
                self.wordlist.add(word.lower())

        return

    def mangle(self, word):
        # Two capitalisations x four suffixes = eight candidates per word.
        year = datetime.now().year
        suffixed = ["", "1", "!", year]
        mangled = []
        for password in (word, word.capitalize()):
            for suffix in suffixed:
                mangled.append("%s%s" % (password, suffix))

        return mangled

    def display_wordlist(self):
        # Printed to the extension's Output tab; copy it from there into Intruder.
        print("#comment: BHP Wordlist for site(s) %s" % ", ".join(self.hosts))
        for word in sorted(self.wordlist):
            for password in self.mangle(word):
                print(password)

        return
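To exercise the same extraction pipeline outside Burp, here is an added Python 3 port (example code, not the plugin above or the book's); it feeds a constructed HTTP response through the content-type check, tag stripper, word regex and suffix mangling. It departs from the plugin in three places, all assumptions of this example: text chunks are joined with a space so words from adjacent elements are not fused, a response with no header/body separator is skipped instead of raising ValueError, and the year is passed in rather than read from the clock so the output is reproducible.

```python
import re
from html.parser import HTMLParser

# Constructed sample response (not captured from any real site).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html><head><title>Acme Portal</title>\n"
    b"<script>var initial = 'secretToken';</script></head>\n"
    b"<body><!-- staging login uses legacy admin -->"
    b"<h1>Welcome to Acme</h1><p>Contact support@acme.example</p></body></html>"
)

class TagStripper(HTMLParser):
    """Collects visible text, script bodies and HTML comments, dropping tags."""
    def __init__(self):
        super().__init__()
        self.page_text = []
    def handle_data(self, data):
        self.page_text.append(data)
    def handle_comment(self, data):  # comments often leak names worth collecting
        self.handle_data(data)
    def strip(self, html):
        self.feed(html)
        return " ".join(self.page_text)  # space, not "", so "Acme</h1><p>Contact" stays two words

def get_words(response):
    """Lowercase word set from one raw HTTP response; empty set if not usable."""
    try:
        headers, body = response.split(b"\r\n\r\n", 1)
    except ValueError:  # no header/body separator: not a complete response
        return set()
    if b"content-type: text" not in headers.lower():
        return set()  # skip images, binaries, JSON, etc.
    text = TagStripper().strip(body.decode("utf-8", errors="replace"))
    return {w.lower() for w in re.findall(r"[a-zA-Z]\w{2,}", text) if len(w) <= 12}

def mangle(word, year):
    """Eight candidates per word: two capitalisations x four suffixes."""
    suffixes = ["", "1", "!", str(year)]
    return [f"{base}{suffix}" for base in (word, word.capitalize()) for suffix in suffixes]

def build_wordlist(response, year, seed=("password",)):
    """Sorted, mangled wordlist in the same order the plugin prints it."""
    words = set(seed) | get_words(response)
    return [candidate for word in sorted(words) for candidate in mangle(word, year)]

if __name__ == "__main__":
    for candidate in build_wordlist(SAMPLE_RESPONSE, 2024):
        print(candidate)
```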

Result

  • Choose "New live task" and configure passive scanning
  • Browse the target (lab) site to trigger the scan, select the target requests in the Target tab, right-click and choose "Create Wordlist"
  • The generated wordlist appears in the extension's output; feed it to Intruder
Posted by z5onk0