add ex-request.

whwlsfb · whwlsfb · commit e4bf1d31cd2a · 2022-09-01T16:04:14.000+08:00
diff --git a/src/main/java/burp/scanner/Log4j2Scanner.java b/src/main/java/burp/scanner/Log4j2Scanner.java
@@ -319,15 +319,15 @@ private Map<String, ScanItem> crazyFuzz(IHttpRequestResponse baseRequestResponse
                     domainParamMap.put(tmpDomain, param);
                 }
                 tmpRawRequest = helper.buildHttpMessage(helper.analyzeRequest(tmpRawRequest).getHeaders(), updateParams(rawBody, paramMap));
-                IHttpRequestResponse tmpReq = parent.callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), tmpRawRequest);
+                IHttpRequestResponse tmpReq = sendRequest(baseRequestResponse.getHttpService(), tmpRawRequest);
                 for (Map.Entry<String, String> domainHeader : domainHeaderMap.entrySet()) {
-                    domainMap.put(domainHeader.getValue(), new ScanItem(domainHeader.getKey(), tmpReq));
+                    domainMap.put(domainHeader.getValue(), new ScanItem(domainHeader.getKey(), tmpReq, tmpRawRequest));
                 }
                 for (Map.Entry<String, IParameter> domainParam : domainParamMap.entrySet()) {
-                    domainMap.put(domainParam.getKey(), new ScanItem(domainParam.getValue(), tmpReq));
+                    domainMap.put(domainParam.getKey(), new ScanItem(domainParam.getValue(), tmpReq, tmpRawRequest));
                 }
             } catch (Exception ex) {
-                parent.stdout.println(ex);
+                ex.printStackTrace(parent.stderr);
             }
         }
 
@@ -361,8 +361,8 @@ private Map<String, ScanItem> headerFuzz(IHttpRequestResponse baseRequestRespons
                         header.Value = poc.generate(tmpDomain);
                         tmpHeaders.set(i, header.toString());
                         byte[] tmpRawRequest = helper.buildHttpMessage(tmpHeaders, Arrays.copyOfRange(rawRequest, req.getBodyOffset(), rawRequest.length));
-                        IHttpRequestResponse tmpReq = parent.callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), tmpRawRequest);
-                        domainMap.put(tmpDomain, new ScanItem(header.Name, tmpReq));
+                        IHttpRequestResponse tmpReq = sendRequest(baseRequestResponse.getHttpService(), tmpRawRequest);
+                        domainMap.put(tmpDomain, new ScanItem(header.Name, tmpReq, tmpRawRequest));
                     }
                 }
             }
@@ -375,14 +375,14 @@ private Map<String, ScanItem> headerFuzz(IHttpRequestResponse baseRequestRespons
                     domainHeaderMap.put(headerName, tmpDomain);
                 }
                 byte[] tmpRawRequest = helper.buildHttpMessage(tmpHeaders, Arrays.copyOfRange(rawRequest, req.getBodyOffset(), rawRequest.length));
-                IHttpRequestResponse tmpReq = parent.callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), tmpRawRequest);
+                IHttpRequestResponse tmpReq = sendRequest(baseRequestResponse.getHttpService(), tmpRawRequest);
                 for (Map.Entry<String, String> domainHeader : domainHeaderMap.entrySet()) {
-                    domainMap.put(domainHeader.getValue(), new ScanItem(domainHeader.getKey(), tmpReq));
+                    domainMap.put(domainHeader.getValue(), new ScanItem(domainHeader.getKey(), tmpReq, tmpRawRequest));
                 }
             }
 
         } catch (Exception ex) {
-            parent.stdout.println(ex);
+            ex.printStackTrace(parent.stderr);
         }
         return domainMap;
     }
@@ -411,8 +411,8 @@ private Map<String, ScanItem> badJsonFuzz(IHttpRequestResponse baseRequestRespon
                         Utils.GetRandomNumber(100, Integer.MAX_VALUE));
                 IParameter fakeParam = helper.buildParameter("Bad-json Fuzz", exp, IParameter.PARAM_JSON);
                 byte[] newRequest = helper.buildHttpMessage(tmpHeaders, finalPaylad.getBytes(StandardCharsets.UTF_8));
-                IHttpRequestResponse tmpReq = parent.callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), newRequest);
-                domainMap.put(tmpDomain, new ScanItem(fakeParam, tmpReq));
+                IHttpRequestResponse tmpReq = sendRequest(baseRequestResponse.getHttpService(), newRequest);
+                domainMap.put(tmpDomain, new ScanItem(fakeParam, tmpReq, newRequest));
             }
         }
         return domainMap;
@@ -475,8 +475,8 @@ private Map<String, ScanItem> paramsFuzz(IHttpRequestResponse baseRequestRespons
                         byte[] newBody = Utils.Replace(body, new int[]{param.getValueStart() - req.getBodyOffset(), param.getValueEnd() - req.getBodyOffset()}, exp.getBytes(StandardCharsets.UTF_8));
                         tmpRawRequest = helper.buildHttpMessage(req.getHeaders(), newBody);
                     }
-                    IHttpRequestResponse tmpReq = parent.callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), tmpRawRequest);
-                    domainMap.put(tmpDomain, new ScanItem(param, tmpReq));
+                    IHttpRequestResponse tmpReq = sendRequest(baseRequestResponse.getHttpService(), tmpRawRequest);
+                    domainMap.put(tmpDomain, new ScanItem(param, tmpReq, tmpRawRequest));
                 } catch (Exception ex) {
                     parent.stdout.println(ex);
                 }
@@ -511,14 +511,30 @@ private List<IScanIssue> finalCheck(IHttpRequestResponse baseRequestResponse, IR
     }
 
     private Log4j2Issue getIssue(IHttpRequestResponse baseRequestResponse, IRequestInfo req, ScanItem item) {
+        List<IHttpRequestResponse> requestResponses = new ArrayList<>();
+        requestResponses.add(baseRequestResponse);
+        String desp = String.format("Vulnerable param is \"%s\" in %s.", item.IsHeader ? item.HeaderName : item.Param.getName(), item.IsHeader ? "Header" : getTypeName(item.Param.getType()));
+        if (item.TmpRequest != null) {
+            requestResponses.add(item.TmpRequest);
+        } else {
+            desp += "<br/><br/>RawRequest:<br/><br/><pre>" + new String(item.RawRequest) + "</pre>";
+        }
         return new Log4j2Issue(baseRequestResponse.getHttpService(),
                 req.getUrl(),
-                new IHttpRequestResponse[]{baseRequestResponse, item.TmpRequest},
+                requestResponses.toArray(new IHttpRequestResponse[0]),
                 "Log4j2 RCE Detected",
-                String.format("Vulnerable param is \"%s\" in %s.", item.IsHeader ? item.HeaderName : item.Param.getName(), item.IsHeader ? "Header" : getTypeName(item.Param.getType())),
+                desp,
                 "High");
     }
 
+    private IHttpRequestResponse sendRequest(IHttpService httpService, byte[] rawRequest) {
+        if (Config.getBoolean(Config.ENABLE_EX_REQUEST, true)) {
+            HttpUtils.RawRequest(httpService, rawRequest, parent.helpers.analyzeRequest(httpService, rawRequest));
+            return null;
+        }
+        return parent.callbacks.makeHttpRequest(httpService, rawRequest);
+    }
+
     private String getTypeName(int typeId) {
         switch (typeId) {
             case IParameter.PARAM_URL:
diff --git a/src/main/java/burp/ui/tabs/FuzzUIHandler.java b/src/main/java/burp/ui/tabs/FuzzUIHandler.java
@@ -16,6 +16,7 @@ public class FuzzUIHandler {
 
     private JComboBox fuzzModeSelector;
     private JComboBox scanModeSelector;
+    private JCheckBox enabled_ex_request;
     private JCheckBox enabled_fuzz_header;
     private JCheckBox enabled_fuzz_url;
     private JCheckBox enabled_fuzz_body;
@@ -64,6 +65,11 @@ public JPanel getFuzzSettingPanel() {
         subPanel10.add(new JLabel("Scan Mode: "));
         subPanel10.add(scanModeSelector);
 
+
+        JPanel subPanel11 = UIUtil.GetXJPanel();
+        enabled_ex_request = new JCheckBox("Enable Ex-request");
+        subPanel11.add(enabled_ex_request);
+
         JPanel subPanel1 = UIUtil.GetXJPanel();
         enabled_fuzz_header = new JCheckBox("Enable Header Fuzz");
         subPanel1.add(enabled_fuzz_header);
@@ -128,6 +134,7 @@ public JPanel getFuzzSettingPanel() {
 
         panel1.add(subPanel0);
         panel1.add(subPanel10);
+        panel1.add(subPanel11);
         panel1.add(subPanel1);
         panel1.add(subPanel2);
         panel1.add(subPanel3);
@@ -153,6 +160,7 @@ private void loadConfig() {
         enabled_fuzz_body_multipart.setSelected(Config.getBoolean(Config.ENABLED_FUZZ_BODY_MULTIPART, true));
         enabled_fuzz_body_xml.setSelected(Config.getBoolean(Config.ENABLED_FUZZ_BODY_XML, true));
         enabled_fuzz_bad_json.setSelected(Config.getBoolean(Config.ENABLED_FUZZ_BAD_JSON, false));
+        enabled_ex_request.setSelected(Config.getBoolean(Config.ENABLE_EX_REQUEST, true));
     }
 
     private void saveConfig() {
@@ -167,6 +175,7 @@ private void saveConfig() {
         Config.setBoolean(Config.ENABLED_FUZZ_BODY_MULTIPART, enabled_fuzz_body_multipart.isSelected());
         Config.setBoolean(Config.ENABLED_FUZZ_BODY_XML, enabled_fuzz_body_xml.isSelected());
         Config.setBoolean(Config.ENABLED_FUZZ_BAD_JSON, enabled_fuzz_bad_json.isSelected());
+        Config.setBoolean(Config.ENABLE_EX_REQUEST, enabled_ex_request.isSelected());
         JOptionPane.showMessageDialog(mainPanel, "Apply success!");
     }
 
diff --git a/src/main/java/burp/utils/Config.java b/src/main/java/burp/utils/Config.java
@@ -33,6 +33,7 @@ public enum ScanMode {
     public static final String ENABLED_FUZZ_BAD_JSON = "enabled_fuzz_bad_json";
     public static final String FUZZ_MODE = "fuzz_mode";
     public static final String SCAN_MODE = "scan_mode";
+    public static final String ENABLE_EX_REQUEST = "enabled_ex_request";
 
     public static String get(String name) {
         return Utils.Callback.loadExtensionSetting(name);
diff --git a/src/main/java/burp/utils/HttpUtils.java b/src/main/java/burp/utils/HttpUtils.java
@@ -1,12 +1,21 @@
 package burp.utils;
 
-import okhttp3.CacheControl;
-import okhttp3.Request;
+import burp.BurpExtender;
+import burp.IHttpService;
+import burp.IRequestInfo;
+import okhttp3.*;
 
+import java.io.PrintStream;
+import java.util.Arrays;
 import java.util.Calendar;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
 
 public class HttpUtils {
     public static CacheControl NoCache = new CacheControl.Builder().noCache().noStore().build();
+    static OkHttpClient client = new OkHttpClient().newBuilder().
+            connectTimeout(3000, TimeUnit.MILLISECONDS).
+            callTimeout(500, TimeUnit.MILLISECONDS).build();
 
     public static Request.Builder GetDefaultRequest(String url) {
         int fakeFirefoxVersion = Utils.GetRandomNumber(45, 94 + Calendar.getInstance().get(Calendar.YEAR) - 2021);
@@ -20,4 +29,23 @@ public static String getUrlFileExt(String url) {
         String pureUrl = url.substring(0, url.contains("?") ? url.indexOf("?") : url.length());
         return (pureUrl.lastIndexOf(".") > -1 ? pureUrl.substring(pureUrl.lastIndexOf(".") + 1) : "").toLowerCase();
     }
+
+    public static void RawRequest(IHttpService httpService, byte[] rawRequest, IRequestInfo req) {
+        byte[] body = Arrays.copyOfRange(rawRequest, req.getBodyOffset(), rawRequest.length);
+        List<String> headers = req.getHeaders();
+        new PrintStream(Utils.Callback.getStderr()).println(req.getUrl());
+        Request.Builder requestBuilder = new Request.Builder()
+                .url(req.getUrl());
+        for (int i = 1; i < headers.size(); i++) {
+            HttpHeader header = new HttpHeader(headers.get(i));
+            requestBuilder.header(header.Name, header.Value);
+        }
+        requestBuilder.method(req.getMethod(), RequestBody.create(body));
+        requestBuilder.cacheControl(NoCache);
+        try {
+            client.newCall(requestBuilder.build()).execute();
+        } catch (Exception ex) {
+            ex.printStackTrace(new PrintStream(Utils.Callback.getStderr()));
+        }
+    }
 }
diff --git a/src/main/java/burp/utils/ScanItem.java b/src/main/java/burp/utils/ScanItem.java
@@ -4,19 +4,22 @@
 import burp.IParameter;
 
 public class ScanItem {
-    public ScanItem(IParameter param, IHttpRequestResponse tmpreq) {
+    public ScanItem(IParameter param, IHttpRequestResponse tmpreq, byte[] rawRequest) {
         this.Param = param;
         this.TmpRequest = tmpreq;
+        this.RawRequest = rawRequest;
     }
 
-    public ScanItem(String headerName, IHttpRequestResponse tmpreq) {
+    public ScanItem(String headerName, IHttpRequestResponse tmpreq, byte[] rawRequest) {
         this.IsHeader = true;
         this.HeaderName = headerName;
         this.TmpRequest = tmpreq;
+        this.RawRequest = rawRequest;
     }
 
     public String HeaderName;
     public boolean IsHeader;
     public IParameter Param;
     public IHttpRequestResponse TmpRequest;
+    public byte[] RawRequest;
 }

Original file line number	Diff line number	Diff line change
`@@ -319,15 +319,15 @@ private Map<String, ScanItem> crazyFuzz(IHttpRequestResponse baseRequestResponse`
`319`	`319`	`domainParamMap.put(tmpDomain, param);`
`320`	`320`	`}`
`321`	`321`	`tmpRawRequest = helper.buildHttpMessage(helper.analyzeRequest(tmpRawRequest).getHeaders(), updateParams(rawBody, paramMap));`
`322`		`- IHttpRequestResponse tmpReq = parent.callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), tmpRawRequest);`
	`322`	`+ IHttpRequestResponse tmpReq = sendRequest(baseRequestResponse.getHttpService(), tmpRawRequest);`
`323`	`323`	`for (Map.Entry<String, String> domainHeader : domainHeaderMap.entrySet()) {`
`324`		`- domainMap.put(domainHeader.getValue(), new ScanItem(domainHeader.getKey(), tmpReq));`
	`324`	`+ domainMap.put(domainHeader.getValue(), new ScanItem(domainHeader.getKey(), tmpReq, tmpRawRequest));`
`325`	`325`	`}`
`326`	`326`	`for (Map.Entry<String, IParameter> domainParam : domainParamMap.entrySet()) {`
`327`		`- domainMap.put(domainParam.getKey(), new ScanItem(domainParam.getValue(), tmpReq));`
	`327`	`+ domainMap.put(domainParam.getKey(), new ScanItem(domainParam.getValue(), tmpReq, tmpRawRequest));`
`328`	`328`	`}`
`329`	`329`	`} catch (Exception ex) {`
`330`		`- parent.stdout.println(ex);`
	`330`	`+ ex.printStackTrace(parent.stderr);`
`331`	`331`	`}`
`332`	`332`	`}`
`333`	`333`
`@@ -361,8 +361,8 @@ private Map<String, ScanItem> headerFuzz(IHttpRequestResponse baseRequestRespons`
`361`	`361`	`header.Value = poc.generate(tmpDomain);`
`362`	`362`	`tmpHeaders.set(i, header.toString());`
`363`	`363`	`byte[] tmpRawRequest = helper.buildHttpMessage(tmpHeaders, Arrays.copyOfRange(rawRequest, req.getBodyOffset(), rawRequest.length));`
`364`		`- IHttpRequestResponse tmpReq = parent.callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), tmpRawRequest);`
`365`		`- domainMap.put(tmpDomain, new ScanItem(header.Name, tmpReq));`
	`364`	`+ IHttpRequestResponse tmpReq = sendRequest(baseRequestResponse.getHttpService(), tmpRawRequest);`
	`365`	`+ domainMap.put(tmpDomain, new ScanItem(header.Name, tmpReq, tmpRawRequest));`
`366`	`366`	`}`
`367`	`367`	`}`
`368`	`368`	`}`
`@@ -375,14 +375,14 @@ private Map<String, ScanItem> headerFuzz(IHttpRequestResponse baseRequestRespons`
`375`	`375`	`domainHeaderMap.put(headerName, tmpDomain);`
`376`	`376`	`}`
`377`	`377`	`byte[] tmpRawRequest = helper.buildHttpMessage(tmpHeaders, Arrays.copyOfRange(rawRequest, req.getBodyOffset(), rawRequest.length));`
`378`		`- IHttpRequestResponse tmpReq = parent.callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), tmpRawRequest);`
	`378`	`+ IHttpRequestResponse tmpReq = sendRequest(baseRequestResponse.getHttpService(), tmpRawRequest);`
`379`	`379`	`for (Map.Entry<String, String> domainHeader : domainHeaderMap.entrySet()) {`
`380`		`- domainMap.put(domainHeader.getValue(), new ScanItem(domainHeader.getKey(), tmpReq));`
	`380`	`+ domainMap.put(domainHeader.getValue(), new ScanItem(domainHeader.getKey(), tmpReq, tmpRawRequest));`
`381`	`381`	`}`
`382`	`382`	`}`
`383`	`383`
`384`	`384`	`} catch (Exception ex) {`
`385`		`- parent.stdout.println(ex);`
	`385`	`+ ex.printStackTrace(parent.stderr);`
`386`	`386`	`}`
`387`	`387`	`return domainMap;`
`388`	`388`	`}`
`@@ -411,8 +411,8 @@ private Map<String, ScanItem> badJsonFuzz(IHttpRequestResponse baseRequestRespon`
`411`	`411`	`Utils.GetRandomNumber(100, Integer.MAX_VALUE));`
`412`	`412`	`IParameter fakeParam = helper.buildParameter("Bad-json Fuzz", exp, IParameter.PARAM_JSON);`
`413`	`413`	`byte[] newRequest = helper.buildHttpMessage(tmpHeaders, finalPaylad.getBytes(StandardCharsets.UTF_8));`
`414`		`- IHttpRequestResponse tmpReq = parent.callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), newRequest);`
`415`		`- domainMap.put(tmpDomain, new ScanItem(fakeParam, tmpReq));`
	`414`	`+ IHttpRequestResponse tmpReq = sendRequest(baseRequestResponse.getHttpService(), newRequest);`
	`415`	`+ domainMap.put(tmpDomain, new ScanItem(fakeParam, tmpReq, newRequest));`
`416`	`416`	`}`
`417`	`417`	`}`
`418`	`418`	`return domainMap;`
`@@ -475,8 +475,8 @@ private Map<String, ScanItem> paramsFuzz(IHttpRequestResponse baseRequestRespons`
`475`	`475`	`byte[] newBody = Utils.Replace(body, new int[]{param.getValueStart() - req.getBodyOffset(), param.getValueEnd() - req.getBodyOffset()}, exp.getBytes(StandardCharsets.UTF_8));`
`476`	`476`	`tmpRawRequest = helper.buildHttpMessage(req.getHeaders(), newBody);`
`477`	`477`	`}`
`478`		`- IHttpRequestResponse tmpReq = parent.callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), tmpRawRequest);`
`479`		`- domainMap.put(tmpDomain, new ScanItem(param, tmpReq));`
	`478`	`+ IHttpRequestResponse tmpReq = sendRequest(baseRequestResponse.getHttpService(), tmpRawRequest);`
	`479`	`+ domainMap.put(tmpDomain, new ScanItem(param, tmpReq, tmpRawRequest));`
`480`	`480`	`} catch (Exception ex) {`
`481`	`481`	`parent.stdout.println(ex);`
`482`	`482`	`}`
`@@ -511,14 +511,30 @@ private List<IScanIssue> finalCheck(IHttpRequestResponse baseRequestResponse, IR`
`511`	`511`	`}`
`512`	`512`
`513`	`513`	`private Log4j2Issue getIssue(IHttpRequestResponse baseRequestResponse, IRequestInfo req, ScanItem item) {`
	`514`	`+ List<IHttpRequestResponse> requestResponses = new ArrayList<>();`
	`515`	`+ requestResponses.add(baseRequestResponse);`
	`516`	`+ String desp = String.format("Vulnerable param is \"%s\" in %s.", item.IsHeader ? item.HeaderName : item.Param.getName(), item.IsHeader ? "Header" : getTypeName(item.Param.getType()));`
	`517`	`+ if (item.TmpRequest != null) {`
	`518`	`+ requestResponses.add(item.TmpRequest);`
	`519`	`+ } else {`
	`520`	`+ desp += "<br/><br/>RawRequest:<br/><br/><pre>" + new String(item.RawRequest) + "</pre>";`
	`521`	`+ }`
`514`	`522`	`return new Log4j2Issue(baseRequestResponse.getHttpService(),`
`515`	`523`	`req.getUrl(),`
`516`		`- new IHttpRequestResponse[]{baseRequestResponse, item.TmpRequest},`
	`524`	`+ requestResponses.toArray(new IHttpRequestResponse[0]),`
`517`	`525`	`"Log4j2 RCE Detected",`
`518`		`- String.format("Vulnerable param is \"%s\" in %s.", item.IsHeader ? item.HeaderName : item.Param.getName(), item.IsHeader ? "Header" : getTypeName(item.Param.getType())),`
	`526`	`+ desp,`
`519`	`527`	`"High");`
`520`	`528`	`}`
`521`	`529`
	`530`	`+ private IHttpRequestResponse sendRequest(IHttpService httpService, byte[] rawRequest) {`
	`531`	`+ if (Config.getBoolean(Config.ENABLE_EX_REQUEST, true)) {`
	`532`	`+ HttpUtils.RawRequest(httpService, rawRequest, parent.helpers.analyzeRequest(httpService, rawRequest));`
	`533`	`+ return null;`
	`534`	`+ }`
	`535`	`+ return parent.callbacks.makeHttpRequest(httpService, rawRequest);`
	`536`	`+ }`
	`537`	`+`
`522`	`538`	`private String getTypeName(int typeId) {`
`523`	`539`	`switch (typeId) {`
`524`	`540`	`case IParameter.PARAM_URL:`