近期收到了电子工业出版社赠送的一本网络安全书籍《python黑帽子》,书中一共24个实验,今天复现第16个实验(burpsuite bing插件),我的测试环境是mbp电脑+kali虚拟机+baidu站点。同样是python2环境,借助Bing API实现发现目标网站的所有子域名和同一IP地址的所有网站两个功能,可惜Bing API搞不到注册,需要visa信用卡进行身份验证,有机会再研究吧~
1、点击sending to bing
如何加载,可以在上一个实验报告中学习:ailx10:python渗透测试入门之burpsuite载核生成器 ,这里已经成功加载了插件,可以在proxy标签页的intercept子标签页中发现sending to bing功能~
2、单击target标签页,选中scope子标签页,期望可以看到http://www.baidu.com的其他子域名被自动添加到目标范围,我这里没有Bing API,好像申请这个账号需要visa银行卡~
3、在extender标签页中,可以看到output输出bing查询结果,我这里是空的
参考代码:
# -*- coding: utf-8 -*-
# @Time : 2022/6/15 10:13 AM
# @Author : ailx10
# @File : bhp_bing.py
import json
import os
import socket
import urllib
from thread import start_new_thread

from burp import IBurpExtender
from burp import IContextMenuFactory
from java.net import URL
from java.util import ArrayList
from javax.swing import JMenuItem
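# Bing Web Search subscription key.  Taken from the environment so the secret
# does not have to be pasted into this file (or into any repo / blog post the
# file ends up in); an unset variable falls back to the original empty default.
API_KEY = os.environ.get("BING_API_KEY", "")
# Host of the Bing Web Search v7 endpoint the requests are sent to.
API_HOST = "api.cognitive.microsoft.com"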
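class BurpExtender(IBurpExtender, IContextMenuFactory):
    """Burp extension that runs Bing searches for the host of a selected message.

    Registers a "Sending to Bing" context-menu entry.  For every selected
    message it queries Bing for the host's IP address (``ip:``) and, when the
    host is a name rather than a dotted IPv4 literal, for the domain
    (``domain:``).  Each ``webPages`` hit is printed to the extension output
    and its URL is added to Burp's target scope if it is not already there.
    """

    def registerExtenderCallbacks(self, callbacks):
        """Burp entry point: keep the callbacks and register the menu factory.

        Args:
            callbacks: the IBurpExtenderCallbacks object handed over by Burp.
        """
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        self.context = None  # set by createMenuItems, read by bing_menu
        callbacks.setExtensionName("BHP Bing")
        callbacks.registerContextMenuFactory(self)
        return

    def createMenuItems(self, context_menu):
        """Return the context-menu entries (IContextMenuFactory).

        Args:
            context_menu: the invocation object Burp passes in; stored so that
                bing_menu can later read the selected messages from it.

        Returns:
            A java.util.ArrayList holding the single "Sending to Bing" item.
        """
        self.context = context_menu
        menu_list = ArrayList()
        menu_list.add(JMenuItem("Sending to Bing", actionPerformed=self.bing_menu))
        return menu_list

    def bing_menu(self, event):
        """Menu callback: search Bing for the host of every selected message.

        Args:
            event: the Swing ActionEvent; not used.
        """
        http_traffic = self.context.getSelectedMessages()
        print("%d requests highlighted" % len(http_traffic))
        for traffic in http_traffic:
            host = traffic.getHttpService().getHost()
            print("User selected host:%s" % host)
            self.bing_search(host)
        return

    def bing_search(self, host):
        """Start the Bing queries for *host* on background threads.

        Always issues an ``ip:`` query for the (resolved) address; when *host*
        is a hostname rather than an IPv4 literal, also issues a ``domain:``
        query.

        Args:
            host: hostname or IPv4 literal taken from the selected request.
        """
        try:
            is_ip = bool(socket.inet_aton(host))
        except socket.error:
            is_ip = False

        if is_ip:
            ip_address = host
            domain = False
        else:
            # Resolution can fail (unknown host, no DNS); report it and skip
            # this host instead of letting the exception escape the callback.
            try:
                ip_address = socket.gethostbyname(host)
            except socket.error as err:
                print("Could not resolve %s:%s" % (host, err))
                return
            domain = True

        start_new_thread(self.bing_query, ("ip:%s" % ip_address,))
        if domain:
            start_new_thread(self.bing_query, ("domain:%s" % host,))

    def _build_request(self, bing_query_string):
        """Return the raw HTTP/1.1 request text for one Bing Web Search call.

        Args:
            bing_query_string: the Bing query; it is URL-encoded here.

        Returns:
            The complete request (request line, headers, terminating blank
            line) as a str.  The method token is upper-case "GET" because HTTP
            methods are case-sensitive.
        """
        request = "GET https://%s/bing/v7.0/search?" % API_HOST
        request += "q=%s HTTP/1.1\r\n" % urllib.quote(bing_query_string)
        request += "Host:%s\r\n" % API_HOST
        request += "Connection:close\r\n"
        # The subscription key is the only credential on this request.
        request += "Ocp-Apim-Subscription-Key:%s\r\n" % API_KEY
        request += "User-Agent: Black Hat Python\r\n\r\n"
        return request

    def bing_query(self, bing_query_string):
        """Send one query to the Bing Web Search API and process the hits.

        Args:
            bing_query_string: the Bing query, e.g. ``ip:1.2.3.4`` or
                ``domain:example.com``.
        """
        print("Performing Bing search:%s" % bing_query_string)
        http_request = self._build_request(bing_query_string)
        raw = self._callbacks.makeHttpRequest(API_HOST, 443, True, http_request).tostring()

        # The body follows the first blank line.  partition() yields "" when
        # the separator is missing (empty or truncated reply), which json.loads
        # then rejects with ValueError -- so that case lands in the handler
        # below instead of raising IndexError.
        json_body = raw.partition("\r\n\r\n")[2]
        try:
            response = json.loads(json_body)
        except (TypeError, ValueError) as err:
            print("No results from Bing:%s" % err)
            return

        web_pages = response.get("webPages") or {}
        sites = web_pages.get("value") or []
        if not sites:
            print("Empty response from Bing:%s" % bing_query_string)
            return
        for site in sites:
            self._report_site(site)
        return

    def _report_site(self, site):
        """Print one search hit and add its URL to Burp's scope if it is new.

        NOTE(review): scope is widened purely on Bing's say-so.  An ``ip:``
        query returns every site Bing has seen on that address, which may
        include hosts that only share the IP (virtual hosting, CDN) and are
        not part of the authorised engagement; confirm each added host before
        running active scans against it.

        Args:
            site: one entry of the ``webPages.value`` list; ``name``, ``url``
                and ``snippet`` are read.
        """
        print("*" * 100)
        print("Name:%s " % site["name"])
        print("URL:%s " % site["url"])
        print("Description:%r" % site["snippet"])
        print("*" * 100)

        java_url = URL(site["url"])
        if not self._callbacks.isInScope(java_url):
            print("Adding %s to Burp scope" % site["url"])
            self._callbacks.includeInScope(java_url)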