优化

.gitignore

@@ -0,0 +1,38 @@
+target/
+!.mvn/wrapper/maven-wrapper.jar
+!**/src/main/**/target/
+!**/src/test/**/target/
+
+### IntelliJ IDEA ###
+.idea/modules.xml
+.idea/jarRepositories.xml
+.idea/compiler.xml
+.idea/libraries/
+*.iws
+*.iml
+*.ipr
+
+### Eclipse ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+build/
+!**/src/main/**/build/
+!**/src/test/**/build/
+
+### VS Code ###
+.vscode/
+
+### Mac OS ###
+.DS_Store

README.md

@@ -0,0 +1,104 @@
+# 项目说明
+
+1. 重新写了UI,表格自动更新
+2. 对各个模块的被动扫描做了去重,重复的数据不再扫描
+3. 优化json格式的参数解析
+4. 各个模块进行优化
+5. 数据库配置文件自动生成
+
+# 目前功能
+
+1. fastjson扫描
+2. 权限绕过
+3. 未授权检测
+4. sql注入检测
+5. 工具调用
+7. log4j检测
+8. 复杂数据提交
+
+# 使用说明
+
+请使用`mvn clean package`进行编译打包,生成的jar包在target/目录下
+
+请使用`mvn clean package`进行编译打包,生成的jar包在target/目录下
+
+请使用`mvn clean package`进行编译打包,生成的jar包在target/目录下
+
+皆可通过使用鼠标右键菜单,进行调用
+
+![tool-1.png](images%2Ftool-1.png)
+
+![tool-2.png](images%2Ftool-2.png)
+
+# 功能说明
+
+## fastjson扫描
+
+![](./images/fastjson.png)
+
+> 使用前请先在配置面板配置dns,ip并点击保存
+
+1. 通过鼠标右键菜单,扫描dns,jndi,回显,报错等
+2. dns扫描可以在数据库配置,type为dns,需要在替换dns域名的地方填写FUZZ,并在FUZZ前填写一个字符,如a.FUZZ,主要是为了区别
+3. jndi扫描可以在数据库配置,type为jndi,需要在替换jndi的地方填写FUZZ,jndi扫描会让你选择是使用dns还是ip
+4. 回显扫描可以在数据库配置,type为echo,需要你填写执行的命令,默认是在请求头加Accept-Cache字段,响应是在响应头Content-auth字段
+
+## 权限绕过
+
+![](./images/authcheck.png)
+
+1. 通过给uri中加入特殊字符绕过权限
+2. 通过给header中加入字段绕过权限
+3. 添加accept头进行绕过
+
+## 未授权检测
+
+![](./images/prem.png)
+
+> 使用前请先在面板设置相关参数值
+
+1. 通过替换低权限用户的cookie,来判断是否存在未授权
+2. 通过删除用户的cookie,来判断是否存在未授权
+3. 支持被动扫描
+
+## sql注入检测
+
+![](./images/sql.png)
+
+> 使用前请先在面板设置相关参数值
+
+1. 通过添加特殊字符,来判断是否存在sql注入
+2. sql注入支持get,post,cookie,json等多种方式
+
+## 工具调用
+
+![](./images/config.png)
+
+> 使用前请先在面板设置相关参数值,并点击保存
+
+1. 通过添加常用功能,来调用工具
+2. {host} 会被替换为当前请求的host
+3. {url} 会被替换为当前请求的url
+4. {request} 会保存当前数据包到用户名目录的./gather/目录下,进行调用
+
+
+
+## log4j检测
+
+1. 支持自定义payload,可通过勾选dns选择是dnslog地址,否则为ip,替换参数为dnslog-url
+2. 支持get,post,json,header等多种方式
+3. 支持被动扫描
+
+![img.png](images/log4j.png)
+
+## 复杂数据提交
+
+1. 此功能主要是为了解决burp提交如序列化数据时,解析不出来的问题
+2. 请将数据进行base64后,放在`<datab64></datab64>`中,然后点击提交即可
+
+![img.png](images/base64file.png)
+
+# 后期计划
+
+
+1. 如有想法,可以提issue

pom.xml

@@ -0,0 +1,86 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>org.xm17</groupId>
+  <artifactId>gatherBurp</artifactId>
+  <version>1.0.1-SNAPSHOT</version>
+  <packaging>jar</packaging>
+
+  <name>gatherBurp</name>
+  <url>http://maven.apache.org</url>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+  </properties>
+
+  <dependencies>
+    <!-- https://mvnrepository.com/artifact/com.intellij/forms_rt -->
+    <dependency>
+      <groupId>com.intellij</groupId>
+      <artifactId>forms_rt</artifactId>
+      <version>7.0.3</version>
+    </dependency>
+
+    <!-- https://mvnrepository.com/artifact/org.xerial/sqlite-jdbc -->
+    <dependency>
+      <groupId>org.xerial</groupId>
+      <artifactId>sqlite-jdbc</artifactId>
+      <version>3.43.2.2</version>
+    </dependency>
+    <!-- https://mvnrepository.com/artifact/org.json/json -->
+    <!-- https://mvnrepository.com/artifact/com.alibaba/fastjson -->
+    <dependency>
+      <groupId>com.alibaba</groupId>
+      <artifactId>fastjson</artifactId>
+      <version>1.2.83</version>
+    </dependency>
+    <dependency>
+      <groupId>commons-io</groupId>
+      <artifactId>commons-io</artifactId>
+      <version>2.11.0</version>
+    </dependency>
+
+    <dependency>
+      <groupId>net.portswigger.burp.extender</groupId>
+      <artifactId>burp-extender-api</artifactId>
+      <version>2.3</version>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-expression</artifactId>
+      <version>4.3.22.RELEASE</version>
+    </dependency>
+
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <artifactId>maven-assembly-plugin</artifactId>
+        <configuration>
+          <archive>
+            <manifest>
+              <mainClass>burp.BurpExtender</mainClass>
+            </manifest>
+            <manifestEntries>
+              <Class-Path>.</Class-Path>
+            </manifestEntries>
+          </archive>
+          <descriptorRefs>
+            <descriptorRef>jar-with-dependencies</descriptorRef>
+          </descriptorRefs>
+        </configuration>
+        <executions>
+          <execution>
+            <id>make-assembly</id>
+            <phase>package</phase>
+            <goals>
+              <goal>single</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+    </plugins>
+  </build>
+</project>

src/main/java/burp/BurpExtender.java

@@ -0,0 +1,115 @@
+package burp;
+
+import burp.bean.ConfigBean;
+import burp.menu.*;
+import burp.ui.MainUI;
+import burp.utils.RobotInput;
+import burp.utils.Utils;
+
+import javax.swing.*;
+import java.awt.event.ActionEvent;
+import java.io.PrintWriter;
+import java.util.ArrayList;
+import java.util.Base64;
+import java.util.List;
+import java.util.Objects;
+
+import static burp.dao.ConfigDao.getToolConfig;
+import static burp.utils.Utils.writeReqFile;
+
+public class BurpExtender implements IBurpExtender, IContextMenuFactory, IHttpListener {
+    @Override
+    public void registerExtenderCallbacks(IBurpExtenderCallbacks iBurpExtenderCallbacks) {
+        Utils.callbacks = iBurpExtenderCallbacks;
+        Utils.helpers = iBurpExtenderCallbacks.getHelpers();
+        Utils.stdout = new PrintWriter(iBurpExtenderCallbacks.getStdout(), true);
+        Utils.stderr = new PrintWriter(iBurpExtenderCallbacks.getStderr(), true);
+        Utils.callbacks.setExtensionName(Utils.name);
+        Utils.callbacks.registerContextMenuFactory(this);
+        Utils.callbacks.registerHttpListener(this);
+        MainUI mainUI = new MainUI(Utils.callbacks);
+        Utils.callbacks.addSuiteTab(mainUI);
+        SwingUtilities.invokeLater(new Runnable() {
+            @Override
+            public void run() {
+                Utils.callbacks.customizeUiComponent(mainUI);
+            }
+        });
+        Utils.stdout.println("Loaded " + Utils.name + " v" + Utils.version + " by " + Utils.author);
+
+    }
+
+    @Override
+    public List<JMenuItem> createMenuItems(IContextMenuInvocation iContextMenuInvocation) {
+        List<JMenuItem> listMenuItems = new ArrayList<JMenuItem>(1);
+        IHttpRequestResponse[] requestResponses = iContextMenuInvocation.getSelectedMessages();
+        IHttpRequestResponse baseRequestResponse = iContextMenuInvocation.getSelectedMessages()[0];
+
+        List<ConfigBean> toolParam = getToolConfig();
+        for (ConfigBean config : toolParam) {
+            if (!Objects.equals(config.getType(), "") && !Objects.equals(config.getValue(), "")) {
+                listMenuItems.add(new JMenuItem(new AbstractAction(config.getType()) {
+                    @Override
+                    public void actionPerformed(ActionEvent e) {
+                        Runnable toolRunner = new Runnable() {
+                            @Override
+                            public void run() {
+                                try {
+                                    RobotInput ri = new RobotInput();
+                                    if (requestResponses != null) {
+                                        String cmd = config.getValue();
+                                        if (cmd.contains("{url}")) {
+                                            String url = Utils.helpers.analyzeRequest(baseRequestResponse).getUrl().toString();
+                                            cmd = cmd.replace("{url}", url);
+                                        } else if (cmd.contains("{request}")) {
+                                            String requestFilePath = writeReqFile(baseRequestResponse);
+                                            assert requestFilePath != null;
+                                            cmd = cmd.replace("{request}", requestFilePath);
+                                        } else if (cmd.contains("{host}")) {
+                                            String host = baseRequestResponse.getHttpService().getHost();
+                                            cmd = cmd.replace("{host}", host);
+                                        }
+                                        ri.inputString(cmd);
+                                    }
+                                } catch (Exception e1) {
+                                    Utils.stderr.println(e1.getMessage());
+                                }
+                            }
+                        };
+                        new Thread(toolRunner).start();
+                    }
+                }));
+            }
+        }
+        JMenu fastjson = new JMenu("FastJson");
+        fastjson.add(new FastjsonMenu().FastjsonDnslogMenu(requestResponses));
+        fastjson.add(new FastjsonMenu().FastjsonEchoMenu(requestResponses));
+        fastjson.add(new FastjsonMenu().FastjsonJNDIMenu(requestResponses));
+        fastjson.add(new FastjsonMenu().FastjsonVersionMenu(requestResponses));
+        listMenuItems.add(fastjson);
+        listMenuItems.add(new AuthMenu(requestResponses));
+        listMenuItems.add(new Log4jMenu(requestResponses));
+        listMenuItems.add(new PermMenu(requestResponses));
+        listMenuItems.add(new SqlMenu(requestResponses));
+        listMenuItems.add(new Base64DataMenu(requestResponses));
+        listMenuItems.add(new NucleiMenu(requestResponses));
+        return listMenuItems;
+    }
+
+    @Override
+    public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) {
+        if (toolFlag == IBurpExtenderCallbacks.TOOL_REPEATER && messageIsRequest) {
+            byte[] request = messageInfo.getRequest();
+            String requestStr = Utils.helpers.bytesToString(request);
+            if (requestStr.contains("<datab64>")) {
+                String data = requestStr.substring(requestStr.indexOf("<datab64>") + 9, requestStr.indexOf("</datab64>"));
+                byte[] decodedData = Base64.getDecoder().decode(data);
+                byte[] newBytes = new byte[request.length - data.length() + decodedData.length];
+                System.arraycopy(request, 0, newBytes, 0, requestStr.indexOf("<datab64>"));
+                System.arraycopy(decodedData, 0, newBytes, requestStr.indexOf("<datab64>"), decodedData.length);
+                System.arraycopy(request, requestStr.indexOf("</datab64>") + 10, newBytes, requestStr.indexOf("<datab64>") + decodedData.length, request.length - requestStr.indexOf("</datab64>") - 10);
+                messageInfo.setRequest(newBytes);
+            }
+        }
+    }
+}

src/main/java/burp/bean/AuthBean.java

@@ -0,0 +1,40 @@
+package burp.bean;
+
+public class AuthBean {
+    private String method;
+    private String path;
+    private String headers;
+
+    public AuthBean() {
+    }
+
+    public AuthBean(String method, String path, String headers) {
+        this.method = method;
+        this.path = path;
+        this.headers = headers;
+    }
+
+    public String getMethod() {
+        return method;
+    }
+
+    public void setMethod(String method) {
+        this.method = method;
+    }
+
+    public String getPath() {
+        return path;
+    }
+
+    public void setPath(String path) {
+        this.path = path;
+    }
+
+    public String getHeaders() {
+        return headers;
+    }
+
+    public void setHeaders(String headers) {
+        this.headers = headers;
+    }
+}