albinowax / activescanplusplus
ActiveScan++ Burp Suite Plugin
Home Page: https://twitter.com/albinowax
License: Apache License 2.0
Hello everyone,
Please, can someone tell me how to fix this error?
I used this script:
https://github.com/MyRobotLab/inmoov/blob/develop/InMoov/testScripts/InMoov.minimalFingerStarter.py
------
Traceback (most recent call last):
  File "<string>", line 50, in <module>
AttributeError: org.myrobotlab.service.InMoovHand object has no attribute setAutoEnable
at org.python.core.Py.AttributeError(Py.java:205)
at org.python.core.PyObject.noAttributeError(PyObject.java:1013)
at org.python.core.PyObject.getattr(PyObject.java:1008)
at org.python.pycode._pyx5.f$0(string:84)
at org.python.pycode._pyx5.call_function(string)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyCode.call(PyCode.java:18)
at org.python.core.Py.runCode(Py.java:1386)
at org.python.core.Py.exec(Py.java:1430)
at org.python.util.PythonInterpreter.exec(PythonInterpreter.java:267)
at org.myrobotlab.service.Python$PIThread.run(Python.java:160)
------
Hello,
I was wondering if you might consider implementing a check for CVE-2018-11776? I did read what you said in #8 about being a lightweight scanner addon, but I figure since CVE-2018-11776 is another OGNL-related, simple payload it might not be that much work to implement?
An example exploit PoC can be found here. Or maybe an even better payload is just a simple addition injection one like in here: ${(111+111)}, which gets executed and translated to 222. English translation.
Having this integrated into a Burp extension would be extremely valuable. The check for the older struts vuln (CVE-2017-5638) has certainly helped me out. The problem with vulnerability scanners is they don't typically also crawl and if they do, it's not deep. Where the check for CVE-2017-5638 has come in handy is for complex sites that have applications nested way past the web root /. Using Burp to crawl, then having that check performed six or seven /directories deep is just something a typical vulnerability scan will miss.
If this isn't something you want to do, of course feel free to close this ticket as wontfix.
Cheers!
Some research dropped from the awesome folk at PentesterLabs regarding this rails bug: https://blog.pentesterlab.com/cve-2019-5418-on-waf-bypass-and-caching-10e93f9a1981
They highlighted that the Dir method in Ruby relies on a glob. Globs accept a wide range of chars that can ultimately be used to our advantage to bypass WAFs. Example taken from their blog post:
> Dir["/etc/passwd"].uniq
=> ["/etc/passwd"]
> Dir["/etc/p*ss*d"].uniq
=> ["/etc/passwd"]
> Dir["/e*c/p*ss*d"].uniq
=> ["/etc/passwd"]
> Dir["/e?c/p*ss[w|z]d"].uniq
=> ["/etc/passwd"]
Should we make the current payload include glob characters by default? Or should we have a list of payloads? Thoughts? Happy to send a PR.
BIG-IP supports iRules - a subset of rules written in TCL. An attacker can inject iRule code into a request and force a BIG-IP to execute remote code, sniff connections or scan internal networks. An attacker that successfully exploits iRule injections can gain a foothold in the device memory, break out of the TCL interpreter and cause severe damage without leaving a trace in logging facilities.
https://www.youtube.com/watch?time_continue=1876&v=2f15ZOIU7ks
https://github.com/artsploit/solr-injection#black-box-detection
GET /xxx?q=aaa%26shards=http://callback_server/solr
GET /xxx?q=aaa&shards=http://callback_server/solr
GET /xxx?q={!type=xmlparser v="<!DOCTYPE a SYSTEM 'http://callback_server/solr'><a></a>"}
Solr is used a lot in underlying search/filtering technology, so I think these payloads should be tried in most forms, could lead to easy bugs.
The search string of "400 Illegal character 0x0 in state" is really the wrong way to look for this vulnerability.
It should verify that the response is of error code 400, then look for either "<<<" or ">>>" in the response status line. If either of those 2 strings exists, then you have a vulnerable system.
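The check proposed above, written out as an added example (not ActiveScan++ code): flag only when the status code is 400 and the status line itself carries "<<<" or ">>>", with the old fixed search string kept alongside to show a response it misses and a 400 whose body alone contains "<<<" that must not trigger. All sample responses are constructed.

```python
"""Added example (not ActiveScan++ code): the response check proposed in the
issue above. A server is flagged only when the status code is 400 *and* the
status line itself carries '<<<' or '>>>'. The old fixed search string is kept
alongside to show a response it misses and one where a '<<<' in the body alone
must not trigger. All sample responses are constructed, not captured."""


def parse_status_line(raw):
    """Return (status_code, status_line) from a raw HTTP/1.x response, or
    (None, None) when the first line is not a well-formed status line."""
    first_line = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = first_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return None, None
    try:
        return int(parts[1]), first_line
    except ValueError:
        return None, None


def is_vulnerable(raw):
    """The proposed check: HTTP 400 and '<<<' or '>>>' in the status line only."""
    code, status_line = parse_status_line(raw)
    if code != 400:
        return False
    return "<<<" in status_line or ">>>" in status_line


def old_check(raw):
    """The substring search the issue argues against."""
    return b"400 Illegal character 0x0 in state" in raw


# Constructed sample responses (modelled on the dump format, not real captures).
RESPONSES = {
    # Reason phrase carries a buffer dump with '>>>' markers: flagged by both.
    "dump_in_status_line": (
        b"HTTP/1.1 400 Illegal character 0x0 in state=START for buffer "
        b"HeapByteBuffer[p=1,l=8,c=8192,r=7]={G>>>\x00ET / HTTP...}\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    # Same kind of dump, different reason wording: old search string misses it.
    "dump_other_wording": (
        b"HTTP/1.1 400 Bad Request <<<\x00>>>GET / HTTP/1.1\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    # Plain 400 whose body echoes '<<<' must not be flagged.
    "plain_400_body_echo": (
        b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain\r\n"
        b"Content-Length: 13\r\n\r\nbad input <<<"
    ),
    # A 200 with '>>>' in a header is not an error response at all.
    "ok_200": b"HTTP/1.1 200 OK\r\nX-Debug: >>>\r\n\r\nhello",
}


def scan_all():
    """Map each sample to (proposed verdict, old verdict)."""
    return {name: (is_vulnerable(raw), old_check(raw))
            for name, raw in RESPONSES.items()}
```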
Add detection of JEXL injection and HubL injection.
The scan instructs the first request to sleep for 0 seconds and the second for 10 seconds. It does not check if the received responses are valid.
I discovered this with an application that at irregular intervals gave socket timeout problems which meant that there was no response at all.
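As an added example (not ActiveScan++ code), a time-based check that only treats the elapsed-time gap as evidence when both probe responses were actually received and parse as HTTP, so the socket-timeout case described above is reported as an unusable response rather than a vulnerability. The probe results are constructed; nothing is sent over the network.

```python
"""Added example (not ActiveScan++ code): a time-based check that refuses to
report unless *both* probe responses were actually received and parse as HTTP.
The issue above describes the failure this guards against: a socket timeout on
the 'sleep 10' probe yields no response at all, yet a naive comparison of
elapsed times still looks like a ten second delay. Results are constructed
here; no requests are sent."""

SLEEP_BASELINE = 0   # seconds requested by the first probe
SLEEP_DELAY = 10     # seconds requested by the second probe


class ProbeResult:
    """Outcome of one request: elapsed seconds and the raw response bytes
    (None when the socket timed out or the connection was dropped)."""

    def __init__(self, elapsed, raw_response):
        self.elapsed = elapsed
        self.raw_response = raw_response

    def is_valid(self):
        """A usable response has bytes and a well-formed HTTP status line."""
        if not self.raw_response:
            return False
        parts = self.raw_response.split(b"\r\n", 1)[0].split(b" ", 2)
        return len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit()


def timing_verdict(baseline, delayed, min_gap=SLEEP_DELAY * 0.8):
    """Return (vulnerable, reason). The elapsed-time gap only counts as
    evidence when both responses are valid."""
    if not baseline.is_valid():
        return False, "baseline probe (sleep %d) returned no usable response" % SLEEP_BASELINE
    if not delayed.is_valid():
        return False, "delayed probe (sleep %d) returned no usable response" % SLEEP_DELAY
    gap = delayed.elapsed - baseline.elapsed
    if gap >= min_gap:
        return True, "delay of %.1fs observed with two valid responses" % gap
    return False, "delay of %.1fs below threshold %.1fs" % (gap, min_gap)


OK_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"

# Constructed scenarios: (baseline probe, delayed probe).
SCENARIOS = {
    # Server really slept: both responses valid, about ten seconds apart.
    "real_delay": (ProbeResult(0.4, OK_RESPONSE), ProbeResult(10.5, OK_RESPONSE)),
    # Socket timeout on the second probe: elapsed is large but nothing came back.
    "timeout_false_positive": (ProbeResult(0.4, OK_RESPONSE), ProbeResult(10.0, None)),
    # The intermittent failure hit the baseline probe instead.
    "baseline_dropped": (ProbeResult(10.0, None), ProbeResult(10.4, OK_RESPONSE)),
    # Fast and healthy: nothing to report.
    "not_vulnerable": (ProbeResult(0.3, OK_RESPONSE), ProbeResult(0.5, OK_RESPONSE)),
    # Bytes without HTTP framing (a proxy error page, say) do not count either.
    "non_http_junk": (ProbeResult(0.3, OK_RESPONSE),
                      ProbeResult(11.0, b"<html>gateway error</html>")),
}


def run_scenarios():
    """Map each scenario to its verdict."""
    return {name: timing_verdict(b, d)[0] for name, (b, d) in SCENARIOS.items()}
```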
Mac OS X
Burp Pro 1.6.05
ActiveScan++ version 1.0.8
Python 2.7.8
Java 1.7.0_67
Jython 2.7-b2
From Burp's Extensions log:
Traceback (most recent call last):
File "/Users/ryan/Tools/Burp Pro/bapps/3123d5b5f25c4128894d97ea1acc4976/activeScan++.py", line 16, in <module>
import pickle
ImportError: No module named pickle
at org.python.core.Py.ImportError(Py.java:300)
at org.python.core.imp.import_first(imp.java:774)
at org.python.core.imp.import_module_level(imp.java:866)
at org.python.core.imp.importName(imp.java:946)
at org.python.core.ImportFunction.__call__(__builtin__.java:1300)
at org.python.core.PyObject.__call__(PyObject.java:373)
at org.python.core.__builtin__.__import__(__builtin__.java:1253)
at org.python.core.imp.importOne(imp.java:965)
at org.python.pycode._pyx1.f$0(/Users/ryan/Tools/Burp Pro/bapps/3123d5b5f25c4128894d97ea1acc4976/activeScan++.py:498)
at org.python.pycode._pyx1.call_function(/Users/ryan/Tools/Burp Pro/bapps/3123d5b5f25c4128894d97ea1acc4976/activeScan++.py)
at org.python.core.PyTableCode.call(PyTableCode.java:165)
at org.python.core.PyCode.call(PyCode.java:18)
at org.python.core.Py.runCode(Py.java:1312)
at org.python.core.__builtin__.execfile_flags(__builtin__.java:520)
at org.python.util.PythonInterpreter.execfile(PythonInterpreter.java:225)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at burp.r8c.<init>(Unknown Source)
at burp.ri.a(Unknown Source)
at burp.whd.run(Unknown Source)
at java.lang.Thread.run(Thread.java:745)
Hey,
I am getting the following error in the Errors tab of the Load Burp Suite Extension window:
Traceback (most recent call last):
File "C:\Users\vojnovic\Downloads\activeScan++.py", line 33, in registerExtenderCallbacks
host = HostAttack(callbacks)
File "C:\Users\vojnovic\Downloads\activeScan++.py", line 161, in __init__
self._rebind = map(lambda i: i.getAuthority(), getIssues('Arbitrary host header accepted'))
File "C:\Users\vojnovic\Downloads\activeScan++.py", line 477, in getIssues
prev_reported = filter(lambda i: i.getIssueName() == name, callbacks.getScanIssues(''))
TypeError: 'NoneType' object is not iterable
at org.python.core.Py.TypeError(Py.java:235)
at org.python.core.PyObject.__iter__(PyObject.java:798)
at org.python.core.PyObject$1.iterator(PyObject.java:810)
at org.python.core.__builtin__.filter(__builtin__.java:543)
at org.python.core.BuiltinFunctions.__call__(__builtin__.java:158)
at org.python.core.PyObject.__call__(PyObject.java:408)
at org.python.pycode._pyx1.getIssues$47(C:\Users\vojnovic\Downloads\activeScan++.py:478)
at org.python.pycode._pyx1.call_function(C:\Users\vojnovic\Downloads\activeScan++.py)
at org.python.core.PyTableCode.call(PyTableCode.java:165)
at org.python.core.PyBaseCode.call(PyBaseCode.java:134)
at org.python.core.PyFunction.__call__(PyFunction.java:317)
at org.python.pycode._pyx1.__init__$9(C:\Users\vojnovic\Downloads\activeScan++.py:162)
at org.python.pycode._pyx1.call_function(C:\Users\vojnovic\Downloads\activeScan++.py)
at org.python.core.PyTableCode.call(PyTableCode.java:165)
at org.python.core.PyBaseCode.call(PyBaseCode.java:301)
at org.python.core.PyBaseCode.call(PyBaseCode.java:194)
at org.python.core.PyFunction.__call__(PyFunction.java:387)
at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:220)
at org.python.core.PyMethod.__call__(PyMethod.java:211)
at org.python.core.PyMethod.__call__(PyMethod.java:206)
at org.python.core.Deriveds.dispatch__init__(Deriveds.java:19)
at org.python.core.PyObjectDerived.dispatch__init__(PyObjectDerived.java:1057)
at org.python.core.PyType.type___call__(PyType.java:1565)
at org.python.core.PyType.__call__(PyType.java:1548)
at org.python.core.PyObject.__call__(PyObject.java:387)
at org.python.core.PyObject.__call__(PyObject.java:391)
at org.python.pycode._pyx1.registerExtenderCallbacks$2(C:\Users\vojnovic\Downloads\activeScan++.py:45)
at org.python.pycode._pyx1.call_function(C:\Users\vojnovic\Downloads\activeScan++.py)
at org.python.core.PyTableCode.call(PyTableCode.java:165)
at org.python.core.PyBaseCode.call(PyBaseCode.java:301)
at org.python.core.PyBaseCode.call(PyBaseCode.java:194)
at org.python.core.PyFunction.__call__(PyFunction.java:387)
at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:220)
at org.python.core.PyMethod.__call__(PyMethod.java:211)
at org.python.core.PyMethod.__call__(PyMethod.java:201)
at org.python.core.PyMethod.__call__(PyMethod.java:196)
at org.python.core.PyObject._jcallexc(PyObject.java:3502)
at org.python.core.PyObject._jcall(PyObject.java:3534)
at org.python.proxies.__main__$BurpExtender$0.registerExtenderCallbacks(Unknown Source)
at burp.jic.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
BurpSuite: free 1.6
jPython: jython-standalone-2.7-b2.jar
Python: 2.7
When I run https://github.com/pajswigger/content-length-fixer I get alerted that ActiveScan++ sends incorrect Content-Length headers when it is doing a test request with application/xml as Content-Type, when it is using an Accept header of ../../../../../../../../../../../../../e*c/h*s*s{{ or using the Content-Type header of ${#context["com.opensymphony.xwork2.dispatcher.HttpServletResponse"].addHeader("X-Ack",2273*5098)}.multipart/form-data
Burp's Active Scanner injects payloads with 127.0.0.1 within them.
If the application outputs the 127.0.0.1 string, the doRailsScan method of this extension will wrongly report that the application may be vulnerable to CVE-2019-5418.
Currently the payload attempts to read the /etc/hosts Linux file.
Maybe there's another local file that could be called and/or string matched to lessen the chance of false positives?
I'm not sure what to suggest which would yield fewer false positives, but perhaps someone else has a good idea? Maybe something a bit more obscure in the /etc/passwd file? Although this may not be any better.
Feel free to close this issue if you feel that the current check is the best balance.
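An added example (not ActiveScan++ code) of the stricter matching discussed in this issue: instead of flagging any response containing the bare string 127.0.0.1, which the scanner itself injects and applications often echo back, it requires the line structure of an /etc/hosts entry or, as suggested above, the root entry of /etc/passwd. Sample response bodies are constructed.

```python
"""Added example (not ActiveScan++ code): a stricter match for the file-read
check discussed above. Rather than flagging any response containing the bare
string '127.0.0.1', it requires the structure of an /etc/hosts entry (address
at line start, whitespace, hostname) or, as the issue suggests, the root entry
of /etc/passwd. Sample response bodies are constructed."""
import re

# Loopback entry as written in /etc/hosts: address at line start, then at least
# one hostname token. Tolerates tabs and CRLF. Anchoring to line start is what
# keeps an echoed URL such as http://127.0.0.1/... from matching.
HOSTS_ENTRY = re.compile(rb"(?m)^[ \t]*127\.0\.0\.1[ \t]+[A-Za-z0-9.-]+")
# First line of /etc/passwd: root, password field, uid 0, gid 0.
PASSWD_ROOT = re.compile(rb"(?m)^root:[^:\r\n]*:0:0:")


def naive_match(body):
    """Behaviour described in the issue: any '127.0.0.1' in the body is a hit."""
    return b"127.0.0.1" in body


def strict_match(body):
    """Return the kind of evidence found ('hosts' or 'passwd'), or None."""
    if HOSTS_ENTRY.search(body):
        return "hosts"
    if PASSWD_ROOT.search(body):
        return "passwd"
    return None


# Constructed response bodies (not captured from any real application).
BODIES = {
    # Application echoes the scanner's own payload back inside a URL.
    "echoed_payload": b"<p>Could not find page for http://127.0.0.1/render</p>",
    # Error text mentioning the loopback address with no file content.
    "error_text": b"Connection to 127.0.0.1 refused",
    # Genuine /etc/hosts content leaking into the response.
    "hosts_leak": b"<pre>\n127.0.0.1\tlocalhost\n::1\tlocalhost ip6-localhost\n</pre>",
    # Genuine /etc/passwd content.
    "passwd_leak": b"root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n",
    # Colon-separated text starting with 'root:' that is not a passwd entry.
    "passwd_lookalike": b"root:password:reset:link:sent",
}


def compare_checks():
    """Map each body to (naive verdict, strict verdict)."""
    return {name: (naive_match(b), strict_match(b)) for name, b in BODIES.items()}
```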
Hi,
while testing the current ActiveScan++ 1.0.9 on Burp 1.6.12 (jython-2.7-b4) against a Debian Wheezy system vulnerable to CVE-2014-6271 and CVE-2014-6278, only the CVE-2014-6271 pattern/vulnerability was found.
To verify this a valid request on Burp was used:
GET /cgi-bin/test-cgi HTTP/1.1
Host: 127.0.0.1:8090
User-Agent: () { _; } >_[$($())] { /bin/sleep 20; }
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,de-DE;q=0.8,de;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
which takes the 20 seconds.
As I don't know the internals of ActiveScan++ or Burp, I wasn't sure if only one vulnerability is identified, so I've replaced:
'any': ['"&timeout $time&\'`sleep $time`\'', '() { :;}; /bin/sleep $time', '() { _; } >_[$$($$())] { /bin/sleep $time; }'],
with
'any': ['"&timeout $time&\'`sleep $time`\'', 'foo', '() { _; } >_[$$($$())] { /bin/sleep $time; }'],
but the vulnerability is still not identified.
Is there anything I can do here to debug this further?
Thanks in advance for a reply.
Hi,
I'm using Burp Pro v1.7.33. I can see on the changelog that Collaborator API has been restricted and I can see many exceptions in the Error log:
at org.python.core.PyObject.__call__(PyObject.java:478)
at org.python.core.PyObject.__call__(PyObject.java:482)
at org.python.core.PyMethod.__call__(PyMethod.java:141)
at org.python.pycode._pyx4.doActiveScan$33(C:\Users\user\AppData\Roaming\BurpSuite\bapps\3123d5b5f25c4128894d97ea1acc4976\activeScan++.py:421)
at org.python.pycode._pyx4.call_function(C:\Users\user\AppData\Roaming\BurpSuite\bapps\3123d5b5f25c4128894d97ea1acc4976\activeScan++.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
at org.python.core.PyBaseCode.call(PyBaseCode.java:198)
at org.python.core.PyFunction.__call__(PyFunction.java:482)
at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
at org.python.core.PyMethod.__call__(PyMethod.java:228)
at org.python.core.PyMethod.__call__(PyMethod.java:218)
at org.python.core.PyMethod.__call__(PyMethod.java:213)
at org.python.core.PyObject._jcallexc(PyObject.java:3626)
at org.python.core.PyObject._jcall(PyObject.java:3658)
at org.python.proxies.__main__$Solr$5.doActiveScan(Unknown Source)
at burp.dhd.run(Unknown Source)
at java.lang.Thread.run(Thread.java:745)
java.lang.IllegalStateException: Burp Collaborator is disabled in the Project options
at burp.onf.a(Unknown Source)
at burp.onf.generatePayload(Unknown Source)
at burp.l1c.generatePayload(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:186)
at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:204)
at org.python.core.PyObject.__call__(PyObject.java:478)
at org.python.core.PyObject.__call__(PyObject.java:482)
at org.python.core.PyMethod.__call__(PyMethod.java:141)
at org.python.pycode._pyx4.doActiveScan$33(C:\Users\user\AppData\Roaming\BurpSuite\bapps\3123d5b5f25c4128894d97ea1acc4976\activeScan++.py:421)
at org.python.pycode._pyx4.call_function(C:\Users\user\AppData\Roaming\BurpSuite\bapps\3123d5b5f25c4128894d97ea1acc4976\activeScan++.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
at org.python.core.PyBaseCode.call(PyBaseCode.java:198)
at org.python.core.PyFunction.__call__(PyFunction.java:482)
at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
at org.python.core.PyMethod.__call__(PyMethod.java:228)
at org.python.core.PyMethod.__call__(PyMethod.java:218)
at org.python.core.PyMethod.__call__(PyMethod.java:213)
at org.python.core.PyObject._jcallexc(PyObject.java:3626)
at org.python.core.PyObject._jcall(PyObject.java:3658)
at org.python.proxies.__main__$Solr$5.doActiveScan(Unknown Source)
at burp.dhd.run(Unknown Source)
at java.lang.Thread.run(Thread.java:745)
My active scan has halted and this is one of the few extensions I'm using which has thrown exceptions, so I'm trying to find the cause.
Many thanks