Hehe, this was something I dashed off at the time, just padding out an article while slacking off 🐟 (●’◡’●)

RP: Burp Suite


*Intro

Broadly speaking, Burp Suite is a very popular penetration-testing tool. It bundles most of the functionality needed for web application testing and is a professional, solid choice.


*Installation

Installing Burp Suite is easy: pick the appropriate Burp Suite edition on the page below and download the build for your operating system:

https://portswigger.net/burp/communitydownload

After downloading Burp Suite you also need a Java runtime, which can be downloaded here:

https://www.java.com/en/download/

*Gettin’ [CA] Certified

Before using Burp Suite: because Burp Suite acts as a proxy between the browser and the network, it needs a trusted certificate so that it can read and modify HTTPS traffic. Firefox is used as the example here.

First, open the installed Burp Suite with the default settings,

image-20200618100224375.png

then install FoxyProxy in Firefox, an add-on that makes switching proxies convenient,

image-20200618100420852.png

and configure a proxy entry. Its settings must match the listener configured under Proxy -> Options in Burp Suite,

image-20200618100527673.png

image-20200618100619025.png

then click Save and make sure the proxy is enabled,

image-20200618100651337.png

In Firefox, open one of the following URLs:

http://127.0.0.1:8080
http://burp

and click CA Certificate in the top right to download the certificate,

image-20200618100846320.png

Once downloaded, search for certificates in the browser settings and choose View Certificates,

image-20200618101038266.png

then click Import and import the downloaded CA certificate,

image-20200618101144575.png

confirm the trust settings,

image-20200618101222777.png

and click OK.


*Overview of Features

Let's start from Burp Suite's quick navigation tabs:

image-20200618101455169.png

Their names and functions are:

  • Target: defines the scope of the testing project. It can be used to efficiently build a site map of the application under test.
  • Proxy: lets us funnel traffic through Burp for further analysis.
  • Intruder: a powerful tool that covers everything from fuzzing to credential stuffing.
  • Repeater: lets us "repeat" earlier requests, with or without modification. Often used as a preliminary step before fuzzing with Intruder.
  • Sequencer: analyses the "randomness" of unpredictable parts of a web application. Typically used to test session cookies and the like.
  • Decoder: a tool for applying various transformations to data; it supports some basic encryption and encoding algorithms.
  • Comparer: compares different responses or other data, such as site maps or proxy history. It is very similar to Linux diff and compares by words or by bytes.
  • Extender: lets us add extensions, such as integrated tools or custom scanners.
  • Scanner: automated web vulnerability scanning that highlights likely vulnerabilities and risks in the application for further manual verification and exploitation.

Answers:

#1 Which tool in Burp Suite can we use to perform a ‘diff’ on responses and other pieces of data?

Comparer

#2 What tool could we use to analyze randomness in different pieces of data such as password reset tokens?

Sequencer

#3 Which tool can we use to set the scope of our project?

Target

#4 While only available in the premium versions of Burp Suite, which tool can we use to automatically identify different vulnerabilities in the application we are examining?

Scanner

#5 Encoding or decoding data can be particularly useful when examining URL parameters or protections on a form. Which tool allows us to do just that?

Decoder

#6 Which tool allows us to redirect our web traffic into Burp for further examination?

Proxy

#7 Simple in concept but powerful in execution, which tool allows us to reissue requests?

Repeater

#8 With four modes, which tool in Burp can we use for a variety of purposes such as field fuzzing?

Intruder

#9 Last but certainly not least, which tool allows us to modify Burp Suite via the addition of extensions?

Extender

*Engage Dark Mode

This section covers Burp Suite's theme.

Under User options -> Display you can configure Burp Suite's appearance:

image-20200618102840692.png

Set Look and feel to Darcula to get the dark theme:

image-20200618103001735.png

Result:

image-20200618103039192.png


*Proxy

Simply put, Burp Suite sits between the browser and the network as a proxy and captures the traffic. That means, just as in a man-in-the-middle attack, we can modify our requests before they are sent, drop requests we don't want to send, or forward them to other Burp Suite tools (such as Repeater and Intruder) to modify and manipulate them in order to trigger vulnerabilities.

The proxy listener configuration can be seen under Proxy -> Options,

image-20200618103553811.png

Start the target machine:

image-20200618103957839.png

Then under Proxy -> Intercept set Intercept to on. With FoxyProxy enabled in Firefox, browse to any page on the target machine and the request headers appear:

image-20200618104108365.png

Clicking Action shows that the shortcuts for sending the request to Repeater and Intruder are Ctrl+R and Ctrl+I respectively:

image-20200618104212934.png

Now set Intercept to off to let all requests through, then open the HTTP history tab to see the request history:

image-20200618104358561.png

Besides traffic wrapped in HTTP, history is also kept for other, non-HTTP communication such as WebSocket traffic:

image-20200618104514691.png

In the Options tab you can also set interception rules for client requests:

image-20200618104645604.png

Answers:

#2 By default, the Burp Suite proxy listens on only one interface. What is it? Use the format of IP:PORT

127.0.0.1:8080

#4 Return to your web browser and navigate to the web application hosted on the VM we deployed just a bit ago. Note that the page appears to be continuously loading. Change back to Burp Suite; we now have a request that’s waiting in our intercept tab. Take a look at the actions. Which shortcut allows us to forward the request to Repeater?

Ctrl-R

#5 How about if we wanted to forward our request to Intruder?

Ctrl-I

#6 Burp Suite saves the history of requests sent through the proxy along with their varying details. This can be especially useful when we need to have proof of our actions throughout a penetration test or we want to modify and resend a request we sent a while back. What is the name of the first section wherein general web requests (GET/POST) are saved?

HTTP history

#7 Defined in RFC 6455 as a low-latency communication protocol that doesn’t require HTTP encapsulation, what is the name of the second section of our saved history in Burp Suite? These are commonly used in collaborative applications which require real-time updates (Google Docs is an excellent example here).

WebSockets history

#8 Before we move onto exploring our target definition, let’s take a look at some of the advanced customization we can utilize in the Burp proxy. Move over to the Options section of the Proxy tab and scroll down to Intercept Client Requests. Here we can apply further fine-grained rules to define which requests we would like to intercept. Perhaps the most useful out of the default rules is our only AND rule. What is its match type?

URL

#9 How about its ‘Relationship’? In this situation, enabling this match rule can be incredibly useful following target definition, as we can effectively leave intercept on permanently (unless we need to navigate without intercept) since it won’t disturb sites which are outside of our scope - something which is particularly nice if we need to Google something in the same browser.

is in target scope

*Target Definition

In Burp Suite's Target tab we can perform some of the most important parts of a web application penetration test: defining our scope, viewing the site map and looking up issue definitions.

When establishing scope we usually start as the least privileged user (including unauthenticated access) and browse the site as a normal user would; this browsing, which discovers the overall extent of the site, is called the "happy path". With the site map produced by the happy path, we can go through it and start removing items from scope that meet any of the following conditions:

  • items the engagement requirements designate as out of scope;
  • items that would cause major disruption;
  • items that could damage the web application and potentially crash it.

Taking the target machine's web application as the example, first set Intercept under Proxy -> Intercept to off so the site map can be populated,

image-20200618105806722.png

then in Target -> Site map find the target web application's URL and add it to scope,

image-20200618105929769.png

make sure the URL appears in the Scope tab,

image-20200618110044634.png

from now on, visiting pages outside the scope no longer updates the Site map,

image-20200618110242319.png

Issue Definitions contains Burp Suite's documentation of vulnerability classes. These are used by Scanner, but they also serve as a handy vulnerability reference,

image-20200618110450418.png

Answers:

#5 Browse around the rest of the application to build out our page structure in the target tab. Once you’ve visited most of the pages of the site, return to Burp Suite and expand the various levels of the application directory. What do we call this representation of the collective web application?

Site map

#6 What is the term for browsing the application as a normal user prior to examining it further?

happy path

#8 The issue definitions found here are how Burp Suite defines issues within reporting. While getting started, these issue definitions can be particularly helpful for understanding and categorizing various findings we might have. Which poisoning issue arises when an application behind a cache processes input that is not included in the cache key?

web cache poisoning

*Puttin’ it on Repeat[er]

Repeater is a very practical tool: it lets you edit and resend a request directly and view the response conveniently.

First go to the target site's login page, enter some arbitrary data, click Log in and note the error message,

image-20200618111818457.png

With Intercept set to on under Proxy -> Intercept, click Log in,

image-20200618110921355.png

The client's request has been intercepted; use Ctrl+R / Ctrl+I to send it to Repeater and Intruder respectively,

image-20200618111057768.png

Then in Repeater change the email value to a single quote ‘ and click Send. The response shows an SQLITE error,

image-20200618111209674.png

Now set Intercept under Proxy -> Intercept to off, and the success message appears,

image-20200618111307455.png

Next, go to the feedback page,

image-20200618111334364.png

fill in some arbitrary details and, with Intercept set to on under Proxy -> Intercept, click Submit,

image-20200618111458122.png

The number of stars corresponds to the rating value; change the 1 to 0 and click Forward until no more requests are shown,

image-20200618111548514.png

at which point a success message appears,

image-20200618111638002.png
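Why a lone single quote in the email field produces an SQLITE error, and what the fix looks like, as an added example (not code from the original post or from the target application; the table layout, SHA-256 password hashing and the account data are constructed assumptions):

```python
import hashlib
import sqlite3

def make_db():
    """Constructed in-memory user table with one account (sample data only)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, password_hash TEXT)")
    # SHA-256 keeps the example dependency-free; a real app would use a slow password hash
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin@example.com", hashlib.sha256(b"hunter2").hexdigest()))
    return db

def login_vulnerable(db, email, password):
    """The email is spliced into the SQL text, so a quote in it changes the query grammar."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (f"SELECT email FROM users WHERE email = '{email}' "
             f"AND password_hash = '{pw_hash}'")
    return db.execute(query).fetchone()

def login_safe(db, email, password):
    """Parameterised query: values travel separately from the SQL, so a quote is just data."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = "SELECT email FROM users WHERE email = ? AND password_hash = ?"
    return db.execute(query, (email, pw_hash)).fetchone()

def probe(login, db, email, password):
    """Return what the application would show the user for this login attempt."""
    try:
        row = login(db, email, password)
    except sqlite3.OperationalError as exc:
        # The broken SQL surfaces as a database error, like the SQLITE_ERROR seen in Repeater
        return f"SQLITE_ERROR: {exc}"
    return "ok" if row else "invalid email or password"

if __name__ == "__main__":
    db = make_db()
    for login in (login_vulnerable, login_safe):
        print(login.__name__, "->", probe(login, db, "'", "anything"))
```

The vulnerable handler leaks a database error for the quote, while the parameterised one just reports invalid credentials, which is the behaviour a defender wants to see in the Repeater response.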

Answers:

#2 Try logging in with invalid credentials. What error is generated when login fails?

invalid email or password

#4 Now that we’ve sent the request to Repeater, let’s try adjusting the request such that we are sending a single quote (‘) as both the email and password. What error is generated from this request?

SQLITE_ERROR

#8 What field do we have to modify in order to submit a zero-star review?

rating

*Help! There’s an Intruder!

Intruder is arguably Burp Suite's most powerful tool. It handles everything from fuzzing to brute-forcing, and one of its core goals is automation.

Some common uses:

  • Enumerating identifiers such as usernames, cycling through predictable session/password tokens, and attempting simple password guessing
  • Harvesting useful data from user profiles or other pages through repeated requests and responses
  • Fuzzing for vulnerabilities such as SQL injection, XSS and file path traversal

Intruder has four attack types:

  • Sniper: uses a single payload list and tries it against one attack position at a time.
  • Battering Ram: like Sniper, uses a single payload list, but places the same payload into every attack position at once; in short, one list feeding multiple positions.
  • Pitchfork: steps through multiple payload sets in parallel. For example, with two positions (the username and password fields) you can use two lists (usernames and passwords) and test them pairwise.
  • Cluster Bomb: uses multiple payload sets and iterates through every combination of the supplied lists, much like a brute force.

First download the supplied wordlist and upload it to the THM attack machine,

image-20200618113601791.png

image-20200618113627392.png

Open the request sent to Intruder earlier, set the attack position on the username and confirm the Sniper attack type,

image-20200618113939882.png

In the Payloads tab, Load the uploaded wordlist,

image-20200618114044612.png

then untick automatic URL encoding so the SQL injection payloads are sent as-is,

image-20200618114128159.png

Click Start attack. A 200 status code indicates success,

image-20200618114318270.png
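To make the four attack types concrete, here is an added model of how each one combines payload positions with payload sets; it is not Burp's code, and it assumes Burp's § markers around positions and a constructed two-field login body (the request ordering, especially for Cluster Bomb, is this model's own and not guaranteed to match Burp's):

```python
import itertools
import re

# Burp marks each payload position with a pair of section signs, e.g. email=§admin§
POSITION = re.compile(r"§([^§]*)§")

def parse_positions(template):
    """Original values inside the § markers, left to right."""
    return POSITION.findall(template)

def render(template, values):
    """Substitute one value per marked position, in order."""
    values = iter(values)
    return POSITION.sub(lambda _: next(values), template)

def sniper(template, payloads):
    """One payload set; each position is attacked in turn while the others keep their original value."""
    original = parse_positions(template)
    requests = []
    for index in range(len(original)):
        for payload in payloads:
            values = list(original)
            values[index] = payload
            requests.append(render(template, values))
    return requests

def battering_ram(template, payloads):
    """One payload set; the same payload is placed into every position at once."""
    count = len(parse_positions(template))
    return [render(template, [payload] * count) for payload in payloads]

def pitchfork(template, payload_sets):
    """One payload set per position, stepped in parallel; stops when the shortest set runs out."""
    return [render(template, combo) for combo in zip(*payload_sets)]

def cluster_bomb(template, payload_sets):
    """One payload set per position; every combination is tried (Cartesian product)."""
    return [render(template, combo) for combo in itertools.product(*payload_sets)]

if __name__ == "__main__":
    # Constructed login body with two positions, as Burp would show it in the Positions tab
    body = "email=§admin@example.com§&password=§secret§"
    users, passwords = ["alice", "bob"], ["p1", "p2", "p3"]
    for name, reqs in [("Sniper", sniper(body, passwords)),
                       ("Battering Ram", battering_ram(body, passwords)),
                       ("Pitchfork", pitchfork(body, [users, passwords])),
                       ("Cluster Bomb", cluster_bomb(body, [users, passwords]))]:
        print(f"{name}: {len(reqs)} requests, first = {reqs[0]}")
```

The request counts (positions × payloads for Sniper, payloads for Battering Ram, shortest set for Pitchfork, product of set sizes for Cluster Bomb) are what make Cluster Bomb so noisy in server logs compared with the other modes.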

Answers:

#1 Which attack type allows us to select multiple payload sets (one per position) and iterate through them simultaneously?

Pitchfork

#2 How about the attack type which allows us to use one payload set in every single position we’ve selected simultaneously?

Battering Ram

#3 Which attack type allows us to select multiple payload sets (one per position) and iterate through all possible combinations?

Cluster bomb

#4 Perhaps the most commonly used, which attack type allows us to cycle through our payload set, putting the next available payload in each position in turn?

Sniper

#12 Finally, click ‘Start attack’. What is the first payload that returns a 200 status code, showing that we have successfully bypassed authentication?

a' or 1=1--

*As it turns out the machines are better at math than us

Burp Suite's Sequencer analyses the quality of randomness in an application's session tokens and other important data items. Frequently analysed items include:

  • session tokens
  • anti-CSRF tokens
  • password reset and change tokens, etc.

First find a response in HTTP history that contains a Set-Cookie header,

image-20200618120425771.png

send it to Sequencer, then click Start live capture followed by Analyze now,

image-20200618120701041.png

and get the results,

image-20200618120757066.png

The results show that this token's randomness is very good: at the 1% significance level the effective entropy is estimated at 86 bits, meaning 86 bits of the token are effectively random.

Looking at how each token is analysed,

image-20200618122014519.png

we can see the token is first expanded to 110 bits before analysis, so of those 110 bits 86 are effectively random, which is good randomness.
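A simplified, added illustration of the idea behind the "token converted to N bits, M of them effectively random" figure: tokens are normalised to a fixed bit width and the entropy of each bit position is measured across the sample. This is not Burp's algorithm (Sequencer runs many more tests, including correlation and compression checks, which is why a plain counter would fool this estimate but not Burp); the sample tokens are constructed here.

```python
import math
import secrets
from collections import Counter

def tokens_to_bits(tokens):
    """Convert hex tokens to fixed-width bit strings, padding every token to the longest one.
    This is the 'token converted' normalisation step, simplified."""
    width = max(len(t) for t in tokens) * 4
    return [format(int(t, 16), f"0{width}b") for t in tokens]

def shannon_entropy(symbols):
    """Entropy in bits of one observed symbol distribution."""
    total = len(symbols)
    return -sum(c / total * math.log2(c / total) for c in Counter(symbols).values())

def per_bit_entropy(tokens):
    """Entropy of each bit position across the sample: 1.0 is a fair coin, 0.0 a constant bit."""
    return [shannon_entropy(column) for column in zip(*tokens_to_bits(tokens))]

def effective_bits(tokens):
    """Rough usable-entropy estimate: the sum of per-bit entropies.
    Caveat: it ignores dependence between bits, so a sequential counter scores as fully random."""
    return sum(per_bit_entropy(tokens))

if __name__ == "__main__":
    # Constructed samples: tokens with a constant first byte (a version marker) vs. fully random ones
    weak = ["a1" + secrets.token_hex(3) for _ in range(2000)]
    strong = [secrets.token_hex(4) for _ in range(2000)]
    for name, sample in (("weak", weak), ("strong", strong)):
        width = len(tokens_to_bits(sample)[0])
        print(f"{name}: about {effective_bits(sample):.1f} of {width} bits look random")
```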

Answers:

#6 Parse through the results. What is the effective estimated entropy measured in?

bits

#7 In order to find the usable bits of entropy we often have to make some adjustments to have a normalized dataset. What item is converted in this process?

token

*Decoder and Comparer

A brief look at Burp Suite's Decoder and Comparer tools.

Decoder, as the name suggests, encodes and decodes data.

Comparer is similar to Linux diff: it compares requests/responses, site maps and similar data. For example, subtle differences between login responses can indicate blind SQL injection, and the length of a server response can point to what caused the difference, which can then be exploited.

Starting with Decoder: find a request in the Site map containing URL encoding and send the request line to Decoder,

image-20200618123126328.png

choose Decode as ... URL,

image-20200618123221150.png

and the decoded content appears,

image-20200618123310443.png

or click Smart decode to decode automatically,

image-20200618123455567.png

Then Comparer: pick any two requests and send them to Comparer,

image-20200618123822384.png

then use the options in the bottom right to choose the comparison unit (words/bytes),

image-20200618123928068.png

Compare by words,

image-20200618123943614.png

Compare by bytes,

image-20200618124012553.png

Answers:

#3 What character does the %20 in the request we copied into Decoder decode as?

space

#4 Similar to CyberChef, Decoder also has a ‘Magic’ mode where it will automatically attempt to decode the input it is provided. What is this mode called?

smart decode

#5 What can we load into Comparer to see differences in what various user roles can access? This is very useful to check for access control issues.

site maps

#6 Comparer can perform a diff against two different metrics. Which one allows us to examine the data loaded in as-is rather than breaking it down into bytes?

Words

*Installing some Mods [Extender]

Next, installing Burp Suite extensions. Some useful ones:

  • Logger++: adds enhanced logging of all requests and responses across all Burp Suite tools.
  • Request Smuggler: lets requests interact directly with the back-end server.
  • Autorize: useful for testing authorization in web applications, e.g. automatically trying to reach restricted pages or issuing restricted GET requests with a low-privilege user's session cookie.
  • Burp Teams Server: lets team members collaborate on a Burp Suite project, sharing project details in a chat-room-like format.
  • Retire.js: adds scanner checks for JavaScript libraries with known vulnerabilities.
  • J2EEScan: adds scanner coverage for J2EE (the Java platform for web development) applications.
  • Request Timer: records the response time of requests made by Burp Suite tools, which is very useful for time-based attacks.

Python-based Burp Suite extensions depend on Jython (the Java implementation of Python), so install Jython first.

First download the standalone Jython package from:

https://search.maven.org/artifact/org.python/jython-standalone

Transfer the downloaded Jython package to the attack machine,

image-20200618125553834.png

In Burp Suite's Extender -> Options set the Jython path,

image-20200618125729461.png

Jython is now configured, and extensions can be installed from the BApp Store,

image-20200618125858833.png

Answers:

#6 Which extension allows us to bookmark various requests?

Bookmarks

*But wait, there’s more!

In Burp Suite Professional, Scanner can automatically analyse a site for potential vulnerabilities, and the resulting scan report can serve as a reference point for the test.

Here we simply generate a report,

image-20200618132014395.png

keep clicking Next, then choose the output file name,

image-20200618132057270.png

and get the result,

image-20200618132128008.png

Now look at the report supplied with the task,

image-20200618132711899.png

Answers:

#1 Download the report attached to this task. What is the only critical issue?

Cross-origin resource sharing: arbitrary origin trusted

#2 How many ‘Certain’ low issues did Burp find?

12

*Extra Credit

You can keep learning at the free online Web Security Academy provided by PortSwigger, the maker of Burp Suite:

https://portswigger.net/web-security

Or move on to the next TryHackMe room.