mr-m0nst3r / burpy
A plugin that allows you execute python and get return to BurpSuite.
License: MIT License
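I looked at the Python 2.7 importlib folder and there is indeed no util.py, but Python 3.6 has it. Does that mean only python2 can be used? But it has no util. Please help.
I tried every one of them and they all raise errors. Hoping for a reply.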
Describe the bug
Decryption works in the proxy history, but it cannot be used in repeater.
To Reproduce
Decryption works normally in the proxy history, but it cannot be used in repeater.
'UnicodeDecodeError' object has no attribute 'encode'
Expected behavior
A clear and concise description of what you expected to happen.
Screenshots
If applicable, add screenshots to help explain your problem.
Desktop (please complete the following information):
Burpy Scripts
```python
import base64
from Crypto.Cipher import DES3  # pycryptodome


class MyCipher():
    def __init__(self, key='', iv=''):
        BS = 24
        if len(key) > 0:
            self.key = key.encode()
        if len(iv) > 0:
            self.iv = iv.encode()
        self.pad = lambda s: s + (BS - len(s.encode()) % BS) * chr(BS - len(s.encode()) % BS)
        self.unpad = lambda s: s[0:-ord(s[-1])]

    def decrypt(self, decryptText, cipher, mode=''):
        try:
            if cipher == 'des3':
                cipherX = DES3.new(self.key, DES3.MODE_CBC, self.iv)
            if mode == 'base64':
                decryptText = base64.b64decode(decryptText)
            return self.unpad(cipherX.decrypt(decryptText).decode())
        except Exception as e:
            # On failure the exception object itself is returned, not a string
            return e


# decrypt method of the Burpy script class; key and iv are blank in the report
def decrypt(self, header, body):
    key = ''
    iv = ''
    destest = MyCipher(key, iv)
    _new_body = destest.decrypt(body, 'des3', 'base64')
```
Additional context
Error message
rypt in BurpyService failed
'UnicodeDecodeError' object has no attribute 'encode'
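Burpy version: latest on the master branch
Burp version: 2020.07
Python environment: python3
OS: 10.15.5 (19F101)
1. When I click the "start server" button, "Server status" shows starting up ... starting up ... starting up ... starting up ... NOT running (and the content is not displayed in full), while the status on "start server" shows Server stopped
2. When I click the "kill server" button, "Server status" still shows starting up, and the status on "start server" shows Server stopped
Hello, great master! I ticked the autoenc and autodec features, but I still have to click that tab manually for the encoding and decoding to happen. Isn't this feature supposed to encode automatically before sending the request and decode the response automatically?
I downloaded the latest version, 2.2. Adding this payload processing during brute forcing has no effect. Burp Suite is version 2.1.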
Suppose the original request is
```
GET /upload/request.php?id=1&sign=abcde HTTP/1.1
Host: www.baidu.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36
Connection: close
```
I want to change it to
```
GET /upload/request.php?id=1&sign=edcba HTTP/1.1
Host: www.baidu.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36
Connection: close
```
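A very interesting project. Here is a suggestion.
It seems that turning on Enable Auto Enc/Dec in burpy does not affect Intruder traffic, yet brute forcing with encrypted user passwords is a very common scenario. Was the design intent for this scenario to call encryptor from the processor function to encrypt the data during brute forcing?
Taking your cookie-modifying code as an example: even with Enable Auto Enc/Dec turned on, the cookie stays unchanged when sending from Repeater, but right-clicking and choosing Extensions -> Burpy -> Burpy encrypt modifies the Cookie value correctly. I don't know whether this is a problem with my Burp version (2021.8.1); if it is a version problem, could you please provide your Burp Suite version number?
```python
def encrypt(self, header, body):
    '''
    Auto Enc/Dec feature require this function
    '''
    header["Cookie"] = "admin=1"
    return header, body
```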
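A question: why can Repeater traffic be encrypted and decrypted automatically, but Proxy traffic cannot? I couldn't find where to configure it either.
When I start with python3, there are two problems:
1. The server status stays stuck at starting up
2. There are no burpy-related options in the right-click menu... All other plugins work fine, and I tried on both burp1.7 and burp2020...
Please fix this, thanks~
Burpy version: latest on the master branch
Burp version: 2020.07
OS: 10.15.5 (19F101)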
commit 8b4e001
👍 Nice project, bro!
🌐 Could you write a Chinese version? I can understand it as it is, but that would read better 🙈
➜ Burpy git:(master) mvn package -U
[INFO] Scanning for projects...
[INFO]
[INFO] --------------------------< me.m0nst3r:burpy >--------------------------
[INFO] Building burpy 2.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
Downloading from central: https://repo.maven.apache.org/maven2/com/fifesoft/rsyntaxtextarea/2.6.1.edited/rsyntaxtextarea-2.6.1.edited.pom
[WARNING] The POM for com.fifesoft:rsyntaxtextarea:jar:2.6.1.edited is missing, no dependency information available
Downloading from central: https://repo.maven.apache.org/maven2/com/fifesoft/rsyntaxtextarea/2.6.1.edited/rsyntaxtextarea-2.6.1.edited.jar
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.839 s
[INFO] Finished at: 2020-07-18T01:03:43+08:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal on project burpy: Could not resolve dependencies for project me.m0nst3r:burpy:jar:2.0-SNAPSHOT: Could not find artifact com.fifesoft:rsyntaxtextarea:jar:2.6.1.edited in central (https://repo.maven.apache.org/maven2) -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionException
I searched online, and it seems to be a problem with the submitted parameters.
The error message is as follows:
```
Exception with custom context application net.razorvine.pyro.PyroException: [builtins.OSError] 22
net.razorvine.pyro.serializer.PyroExceptionSerpent.FromSerpentDict(PyroExceptionSerpent.java:32)
net.razorvine.pyro.serializer.SerpentSerializer$DictConverter.convert(SerpentSerializer.java:54)
net.razorvine.serpent.ObjectifyVisitor.visit(ObjectifyVisitor.java:69)
net.razorvine.serpent.ast.DictNode.accept(DictNode.java:8)
net.razorvine.serpent.ast.Ast.accept(Ast.java:51)
net.razorvine.serpent.ast.Ast.getData(Ast.java:45)
net.razorvine.pyro.serializer.SerpentSerializer.deserializeData(SerpentSerializer.java:43)
net.razorvine.pyro.PyroProxy.internal_call(PyroProxy.java:270)
net.razorvine.pyro.PyroProxy.call(PyroProxy.java:180)
burp.BurpExtender.actionPerformed(BurpExtender.java:641)
java.desktop/javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1967)
java.desktop/javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2308)
java.desktop/javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:405)
java.desktop/javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:262)
java.desktop/javax.swing.AbstractButton.doClick(AbstractButton.java:369)
java.desktop/javax.swing.plaf.basic.BasicMenuItemUI.doClick(BasicMenuItemUI.java:1020)
java.desktop/javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(BasicMenuItemUI.java:1064)
java.desktop/java.awt.Component.processMouseEvent(Component.java:6631)
java.desktop/javax.swing.JComponent.processMouseEvent(JComponent.java:3342)
java.desktop/java.awt.Component.processEvent(Component.java:6396)
java.desktop/java.awt.Container.processEvent(Container.java:2263)
java.desktop/java.awt.Component.dispatchEventImpl(Component.java:5007)
java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2321)
java.desktop/java.awt.Component.dispatchEvent(Component.java:4839)
java.desktop/java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4918)
java.desktop/java.awt.LightweightDispatcher.processMouseEvent(Container.java:4547)
java.desktop/java.awt.LightweightDispatcher.dispatchEvent(Container.java:4488)
java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2307)
java.desktop/java.awt.Window.dispatchEventImpl(Window.java:2772)
java.desktop/java.awt.Component.dispatchEvent(Component.java:4839)
java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:772)
java.desktop/java.awt.EventQueue$4.run(EventQueue.java:721)
java.desktop/java.awt.EventQueue$4.run(EventQueue.java:715)
java.base/java.security.AccessController.doPrivileged(Native Method)
java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:95)
java.desktop/java.awt.EventQueue$5.run(EventQueue.java:745)
java.desktop/java.awt.EventQueue$5.run(EventQueue.java:743)
java.base/java.security.AccessController.doPrivileged(Native Method)
java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:742)
java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)
```
The test script is as follows:
```python
class Burpy:
    '''
    header is list, append as your need
    body is string, modify as your need
    '''
    def __init__(self):
        '''
        here goes some code that will be kept since "start server" clicked, for example, webdriver, which usually takes long time to init
        '''
        pass

    def main(self, header, body):
        header.append("Main: SAAAA")
        print("head:", header)
        print("body:", body)
        return header, body

    def encrypt(self, header, body):
        header.append("Enc: AAA")
        return header, body

    def decrypt(self, header, body):
        header.append("Dec: AAA")
        return header, body

    def sign(self, header, body):
        header.append("Sign: AAA")
        return header, body

    def processor(self, payload):
        return payload+"burpyed"
```
Running the test script directly on my machine raises no error. The Python version is Python 3.9.13, with Pyro4-4.82 and Pyro5-5.14.
But Burp Suite may be using UTF-8 encoding, which causes an error in Repeater on the response text.
Use Extension to decrypt:
Use Auto ENC/DEC to decrypt; it's GBK encoding, so it has a display error:
Change encoding to GBK and use Auto ENC/DEC to decrypt:
Maybe we can consider reading Burp's configuration to fix this?
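The 3DES report earlier on this page returns the caught exception object from its decrypt helper, and the report just above concerns GBK text being read as UTF-8. As an added example (not code from Burpy or from either reporter; every helper name and sample value is constructed), the following contrasts that pattern with a post-decrypt step that unpads on bytes, tries UTF-8 and then GBK, and always returns a string or raises.

```python
# Added example, not Burpy's or the reporter's code; all names are hypothetical.
class DecryptError(ValueError):
    """Raised on bad plaintext instead of handing an exception object back."""


def pkcs7_unpad(raw: bytes, block_size: int = 8) -> bytes:
    """Validate and strip PKCS#7 padding on bytes (3DES uses 8-byte blocks)."""
    if not raw or len(raw) % block_size:
        raise DecryptError("length is not a multiple of the block size")
    n = raw[-1]
    if not 1 <= n <= block_size or raw[-n:] != bytes([n]) * n:
        raise DecryptError("invalid padding: wrong key/IV or corrupted input")
    return raw[:-n]


def plaintext_to_str(raw: bytes, encodings=("utf-8", "gbk")) -> str:
    """Unpad the bytes first, then decode, trying each candidate encoding."""
    data = pkcs7_unpad(raw)
    for enc in encodings:
        try:
            return data.decode(enc)
        except UnicodeDecodeError:
            continue
    # Nothing matched: still return a str, marking the undecodable bytes.
    return data.decode("utf-8", errors="replace")


def legacy_decode(raw: bytes):
    """Pattern from the report: decode, unpad the str, return any exception."""
    try:
        s = raw.decode()
        return s[0:-ord(s[-1])]
    except Exception as e:
        return e  # caller now holds an exception where it expects a str


def pad(data: bytes, block_size: int = 8) -> bytes:
    """PKCS#7 pad, used here only to build the constructed samples."""
    n = block_size - len(data) % block_size
    return data + bytes([n]) * n


# Constructed samples standing in for the output of cipher.decrypt().
SAMPLE_UTF8 = pad('{"user":"admin"}'.encode("utf-8"))
SAMPLE_GBK = pad("name=中文".encode("gbk"))

if __name__ == "__main__":
    print(repr(legacy_decode(SAMPLE_GBK)))   # an exception object, not text
    print(plaintext_to_str(SAMPLE_GBK))      # decoded via the GBK fallback
```

Calling `.encode()` on the value `legacy_decode` returns for the GBK sample produces the same "'UnicodeDecodeError' object has no attribute 'encode'" message quoted in the first report.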
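When a field value in a POST form contains <>, that content is replaced with nothing after being processed by burpy, which causes an error.
For example, the Body content looks like this
UserId=4577866&nickName=<aaabbb>&countryId=59&birthday=2000%2F03%2F03&userSign=
When I print it in Burpy it becomes:
UserId=4577866&nickName= &countryId=59&birthday=2000%2F03%2F03&userSign=
Where did <> and the part between them go?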
Describe the bug
A clear and concise description of what the bug is.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
A clear and concise description of what you expected to happen.
Screenshots
If applicable, add screenshots to help explain your problem.
Desktop (please complete the following information):
Burpy Scripts
Add your script here for others to help with. DONT FORGET TO DELETE SENSITIVE INFO.
(Please remove sensitive information from scripts before providing them)
Additional context
Add any other context about the problem here.
With python3, clicking start does nothing.
With python2, starting shows
```
*** Burpy Console ***
Traceback (most recent call last):
  File "C:\Users\JuiceWoo\AppData\Local\Temp\burpyServicePyro3.py", line 9, in <module>
    import importlib.util
ImportError: No module named util
```
python2's importlib itself has no util.
Thanks a lot. Is it possible to batch encrypt/decrypt the messages in HTTP History?
Version 2.2
ImportError: dlopen(/Users/crystal/Library/Python/3.8/lib/python/site-packages/_frida.cpython-38-darwin.so, 2): no suitable image found. Did find: /Users/crystal/Library/Python/3.8/lib/python/site-packages/_frida.cpython-38-darwin.so: no matching architecture in universal wrapper /Users/crystal/Library/Python/3.8/lib/python/site-packages/_frida.cpython-38-darwin.so: no matching architecture in universal wrapper
Burpsuite: 2020.05
Burpy: 2.1
OS: Windows10
python: 3.7
Node: 14.7.0
The JS script contains b = new Uint8Array([74, 67, 55, 50, 77, 71, 97, 82]);. When it runs in burpy, it reports TypeError: 'Uint8Array' 未定义, but running the Python script that calls it directly works normally.
Printing with print(execjs.get().name) shows that JScript is used inside burpy, while node is used when running Python directly.
Forcing Node with os.environ["EXECJS_RUNTIME"] = "Node" and node = execjs.get(execjs.runtime_names.Node) makes burpy report Node.js (V8) runtime is not available on this system