I recently received a network security book, Black Hat Python, from Publishing House of Electronics Industry. The book has 24 experiments in total, and today I am reproducing the 16th one (the Burp Suite Bing extension). My test environment is an MBP + a Kali VM + the baidu site. It is again a Python 2 (Jython) environment; the extension uses the Bing API to implement two features: discovering all subdomains of the target site and all sites hosted on the same IP address. Unfortunately I could not get a Bing API registration, since it requires a Visa credit card for identity verification; I'll look into it when I get the chance~
1. Click "Sending to Bing"
How to load the extension is covered in the previous lab write-up: ailx10: python pentesting primer, the Burp Suite payload generator. Here the extension has loaded successfully, and the "Sending to Bing" entry appears in the right-click menu of the Intercept sub-tab under the Proxy tab~
2. Click the Target tab and select the Scope sub-tab, expecting the other subdomains of http://www.baidu.com to be added automatically to the target scope. I don't have a Bing API key here; registering for that account apparently needs a Visa card~
3. In the Extender tab, the Output pane shows the Bing query results; mine is empty.
Reference code:
# -*- coding: utf-8 -*-
# @Time : 2022/6/15 10:13 AM
# @Author : ailx10
# @File : bhp_bing.py
# Jython (Python 2) Burp extension: adds a "Sending to Bing" context-menu entry
# that queries the Bing Web Search v7 API for sites on the same IP (ip:) and
# subdomains of the selected host (domain:) and adds the hits to Burp's scope.
from burp import IBurpExtender
from burp import IContextMenuFactory
from java.net import URL
from java.util import ArrayList
from javax.swing import JMenuItem
from thread import start_new_thread
import json
import socket
import urllib

API_KEY = ""  # Bing Web Search v7 subscription key (sent as Ocp-Apim-Subscription-Key)
API_HOST = "api.cognitive.microsoft.com"


class BurpExtender(IBurpExtender, IContextMenuFactory):
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        self.context = None
        callbacks.setExtensionName("BHP Bing")
        callbacks.registerContextMenuFactory(self)
        return

    def createMenuItems(self, context_menu):
        self.context = context_menu
        menu_list = ArrayList()
        menu_list.add(JMenuItem("Sending to Bing", actionPerformed=self.bing_menu))
        return menu_list

    def bing_menu(self, event):
        # every request highlighted when the menu entry was clicked
        http_traffic = self.context.getSelectedMessages()
        print("%d requests highlighted" % len(http_traffic))
        for traffic in http_traffic:
            http_service = traffic.getHttpService()
            host = http_service.getHost()
            print("User selected host: %s" % host)
            self.bing_search(host)
        return

    def bing_search(self, host):
        # decide whether the selected host is an IP address or a hostname
        try:
            is_ip = bool(socket.inet_aton(host))
        except socket.error:
            is_ip = False
        if is_ip:
            ip_address = host
            domain = False
        else:
            try:
                ip_address = socket.gethostbyname(host)
            except socket.error as err:
                print("Could not resolve %s: %s" % (host, err))
                return
            domain = True
        # run the queries in background threads so the Burp UI is not blocked
        start_new_thread(self.bing_query, ("ip:%s" % ip_address,))
        if domain:
            start_new_thread(self.bing_query, ("domain:%s" % host,))

    def bing_query(self, bing_query_string):
        print("Performing Bing search: %s" % bing_query_string)
        # build the raw HTTP request by hand; Burp sends it as-is over TLS.
        # The method must be "GET" in upper case, or the API rejects the request.
        http_request = "GET https://%s/bing/v7.0/search?" % API_HOST
        http_request += "q=%s HTTP/1.1\r\n" % urllib.quote(bing_query_string)
        http_request += "Host: %s\r\n" % API_HOST
        http_request += "Connection: close\r\n"
        http_request += "Ocp-Apim-Subscription-Key: %s\r\n" % API_KEY
        http_request += "User-Agent: Black Hat Python\r\n\r\n"
        json_body = self._callbacks.makeHttpRequest(API_HOST, 443, True, http_request).tostring()
        # drop the response headers, keep only the JSON body
        json_body = json_body.split("\r\n\r\n", 1)[1]
        try:
            response = json.loads(json_body)
        except (TypeError, ValueError) as err:
            print("No results from Bing: %s" % err)
        else:
            sites = list()
            if response.get("webPages"):
                sites = response["webPages"]["value"]
            if len(sites):
                for site in sites:
                    print("*" * 100)
                    print("Name: %s " % site["name"])
                    print("URL: %s " % site["url"])
                    print("Description: %r" % site["snippet"])
                    print("*" * 100)
                    java_url = URL(site["url"])
                    # add every hit that is not already in the target scope
                    if not self._callbacks.isInScope(java_url):
                        print("Adding %s to Burp scope" % site["url"])
                        self._callbacks.includeInScope(java_url)
            else:
                print("Empty response from Bing: %s" % bing_query_string)
        return
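Since the extension above can only be exercised inside Burp with a paid Bing key, here is an added stand-alone Python 3 model of its core logic that runs offline. It is my own example, not code from the book or from the post above. It reproduces the three pieces worth testing outside Burp: the choice between an ip: and a domain: query, the raw HTTP request handed to makeHttpRequest, and the parsing of a Bing v7 JSON response into hosts that would be added to scope. The SAMPLE_RESPONSE is constructed, API_KEY is a placeholder, the injectable resolve parameter exists only so the example does not touch the network, and the target_domain guard in hosts_to_add is my addition, not something the book's extension does.

```python
import json
import socket
from urllib.parse import quote, urlsplit

API_HOST = "api.cognitive.microsoft.com"
API_KEY = "placeholder-subscription-key"  # assumption: not a real key


def is_ip(host):
    """True if host parses as a dotted-quad IPv4 address (same test as the extension)."""
    try:
        socket.inet_aton(host)
        return True
    except OSError:
        return False


def bing_queries(host, resolve=socket.gethostbyname):
    """Query strings the extension fires for a selected host.

    ip: finds every indexed site on the address, domain: finds subdomains.
    resolve is injectable so the example can run without DNS."""
    if is_ip(host):
        return ["ip:%s" % host]
    return ["ip:%s" % resolve(host), "domain:%s" % host]


def build_request(query):
    """Raw HTTP/1.1 request in the form Burp's makeHttpRequest accepts.

    Uses an origin-form request target; the extension above uses an absolute
    URL in the request line, which Burp also sends unchanged."""
    lines = [
        "GET /bing/v7.0/search?q=%s HTTP/1.1" % quote(query),
        "Host: %s" % API_HOST,
        "Connection: close",
        "Ocp-Apim-Subscription-Key: %s" % API_KEY,
        "User-Agent: Black Hat Python",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_bing_response(raw):
    """Split headers from body and pull (url, name, snippet) out of a v7 response."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    if " 200 " not in status_line:
        # the extension above would try to json.loads an error body instead
        raise ValueError("Bing request failed: %s" % status_line)
    data = json.loads(body)
    pages = data.get("webPages", {}).get("value", [])
    return [(p["url"], p.get("name", ""), p.get("snippet", "")) for p in pages]


def hosts_to_add(results, in_scope, target_domain=None):
    """Hosts the extension would pass to includeInScope, in order, without duplicates.

    target_domain is an added guard: an ip: query returns every site Bing has
    indexed on that address, which on shared hosting or a CDN edge includes
    sites you are not authorised to test."""
    new = []
    for url, _, _ in results:
        host = urlsplit(url).hostname
        if not host or host in in_scope or host in new:
            continue
        if target_domain and host != target_domain and not host.endswith("." + target_domain):
            continue
        new.append(host)
    return new


# constructed sample response, shaped like Bing Web Search v7 JSON
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
    + json.dumps({"webPages": {"value": [
        {"name": "Baidu", "url": "https://www.baidu.com/", "snippet": "search"},
        {"name": "Baidu Map", "url": "https://map.baidu.com/", "snippet": "maps"},
        {"name": "Tieba", "url": "https://tieba.baidu.com/index.html", "snippet": "forum"},
        {"name": "Other tenant", "url": "https://example.org/", "snippet": "unrelated"},
    ]}})
)


if __name__ == "__main__":
    for q in bing_queries("www.baidu.com", resolve=lambda h: "192.0.2.10"):
        print(build_request(q))
    hits = parse_bing_response(SAMPLE_RESPONSE)
    print("unfiltered:", hosts_to_add(hits, {"www.baidu.com"}))
    print("guarded:   ", hosts_to_add(hits, {"www.baidu.com"}, target_domain="baidu.com"))
```

Run against the constructed response, the unfiltered pass adds map.baidu.com, tieba.baidu.com and example.org to scope, while the guarded pass drops example.org. That is the check to keep in mind before clicking "Sending to Bing" on a host behind a CDN: everything Bing associates with that IP would otherwise land in your Burp scope.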