403ByPass_BaiZeSEC-1.0

Author: aaaahuia

README.md

@@ -1,2 +1,27 @@
 # 403ByPass
-403ByPass-Burp Extensions_java
+
+**403绕过-BurpSuite插件 by 白泽Sec-ahui**
+
+联系方式：aaaahuia@163.com
+
+#### 工具简述：
+
+基于常见的框架漏洞或IP伪造尝试绕过网页403限制
+
+#### 使用方法：
+
+`BurpSuite -> Extender -> Extensions -> Add -> Extension Type: Java -> Select file: 403ByPass_BaiZeSEC-1.0.jar -> Next till Finish`
+
+#### 测试代码：
+
+```php
+<?php
+if($_SERVER['HTTP_X_FORWARDED_FOR']=="127.0.0.1"){
+	http_response_code(200);
+	print("200 success");
+}else{
+	http_response_code(403);
+	print("403 error");
+}
+```
+

pom.xml

@@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>org.Baize</groupId>
+  <artifactId>403ByPass_BaizeSEC</artifactId>
+  <version>1.0</version>
+
+  <name>403bypass_BaiZeSEC</name>
+  <!-- FIXME change it to the project's website -->
+  <url>http://www.example.com</url>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <maven.compiler.source>1.7</maven.compiler.source>
+    <maven.compiler.target>1.7</maven.compiler.target>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>4.11</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>net.portswigger.burp.extender</groupId>
+      <artifactId>burp-extender-api</artifactId>
+      <version>1.7.22</version>
+    </dependency>
+
+    <!-- https://mvnrepository.com/artifact/com.google.code.gson/gson -->
+    <dependency>
+      <groupId>com.google.code.gson</groupId>
+      <artifactId>gson</artifactId>
+      <version>2.8.6</version>
+    </dependency>
+
+    <!-- to get root domain -->
+    <dependency>
+      <groupId>com.google.guava</groupId>
+      <artifactId>guava</artifactId>
+      <version>30.1-jre</version>
+    </dependency>
+
+    <!-- https://mvnrepository.com/artifact/org.apache.commons/commons-text -->
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-text</artifactId>
+      <version>1.9</version>
+    </dependency>
+
+    <!-- https://mvnrepository.com/artifact/org.beanshell/bsh -->
+    <dependency>
+      <groupId>org.beanshell</groupId>
+      <artifactId>bsh</artifactId>
+      <version>2.0b5</version>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <sourceDirectory>src</sourceDirectory>
+    <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
+      <plugins>
+
+        <plugin>
+          <artifactId>maven-assembly-plugin</artifactId>
+          <configuration>
+            <descriptorRefs>
+              <descriptorRef>jar-with-dependencies</descriptorRef>
+            </descriptorRefs>
+            <archive>
+              <manifest>
+                <addDefaultImplementationEntries>
+                  true<!--to get Version from pom.xml -->
+                </addDefaultImplementationEntries>
+              </manifest>
+            </archive>
+          </configuration>
+          <executions>
+            <execution>
+              <id>make-assembly</id>
+              <phase>package</phase>
+              <goals>
+                <goal>single</goal>
+              </goals>
+            </execution>
+          </executions>
+        </plugin>
+        <!-- clean lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#clean_Lifecycle -->
+        <plugin>
+          <artifactId>maven-clean-plugin</artifactId>
+          <version>3.1.0</version>
+        </plugin>
+        <!-- default lifecycle, jar packaging: see https://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_jar_packaging -->
+        <plugin>
+          <artifactId>maven-resources-plugin</artifactId>
+          <version>3.0.2</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-compiler-plugin</artifactId>
+          <version>3.8.0</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-surefire-plugin</artifactId>
+          <version>2.22.1</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-jar-plugin</artifactId>
+          <version>3.0.2</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-install-plugin</artifactId>
+          <version>2.5.2</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-deploy-plugin</artifactId>
+          <version>2.8.2</version>
+        </plugin>
+        <!-- site lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#site_Lifecycle -->
+        <plugin>
+          <artifactId>maven-site-plugin</artifactId>
+          <version>3.7.1</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-project-info-reports-plugin</artifactId>
+          <version>3.0.0</version>
+        </plugin>
+      </plugins>
+    </pluginManagement>
+  </build>
+</project>

src/burp/BurpExtender.java

@@ -0,0 +1,136 @@
+package burp;
+
+import java.io.PrintWriter;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+public class BurpExtender implements IBurpExtender,IScannerCheck
+{
+    private IExtensionHelpers _helpers;
+    private PrintWriter stdout;
+    private PrintWriter stderr;
+    private IBurpExtenderCallbacks _callbacks;
+    public static String NAME = "403ByPass_BaizeSEC";
+    public static String VERSION = "1.0";
+
+    @Override
+    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks)
+    {
+        // 设置插件的名称
+        callbacks.setExtensionName(NAME);
+        this._callbacks = callbacks;
+
+        // 获取burp提供的标准输出流和错误输出流
+        stdout = new PrintWriter(callbacks.getStdout(), true);
+        stderr = new PrintWriter(callbacks.getStderr(), true);
+
+        _helpers = callbacks.getHelpers();
+
+        callbacks.registerScannerCheck(this);
+        this.stdout.println(basicInformationOutput());
+
+    }
+
+
+    @Override
+    public List<IScanIssue> doPassiveScan(IHttpRequestResponse baseRequestResponse) {
+
+        List<String> results = new ArrayList<>();
+
+
+        IRequestInfo iRequestInfo = _helpers.analyzeRequest(baseRequestResponse);
+
+
+        IResponseInfo iResponseInfo = _helpers.analyzeResponse(baseRequestResponse.getResponse());
+
+        if(iResponseInfo.getStatusCode()!=403) return null;
+        String oldReq = _helpers.bytesToString(baseRequestResponse.getRequest());
+        String oldUrl = iRequestInfo.getUrl().getPath();
+        while(oldUrl!="/" && oldUrl.endsWith("/")){
+            oldUrl=oldUrl.substring(0,oldUrl.length()-1);
+        }
+        String previousPath = oldUrl.substring(0,oldUrl.lastIndexOf("/"));
+        String lastPath = oldUrl.substring(oldUrl.lastIndexOf("/")+1);
+
+
+        stdout.println("Scanning: "+iRequestInfo.getUrl());
+
+        String[] payloads = new String[]{"%2e/"+lastPath, lastPath+"/.", "./"+lastPath+"/./", lastPath+"%20/", "%20"+lastPath+"%20/", lastPath+"..;/",lastPath+"?",lastPath+"??","/"+lastPath+"//",lastPath+"/",lastPath+"/.randomstring"};
+        String[] hpayloads = new String[]{"X-Rewrite-URL: "+oldUrl, "X-Original-URL: "+oldUrl,"Referer: /"+lastPath, "X-Custom-IP-Authorization: 127.0.0.1","X-Originating-IP: 127.0.0.1","X-Forwarded-For: 127.0.0.1","X-Remote-IP: 127.0.0.1","X-Client-IP: 127.0.0.1","X-Host: 127.0.0.1","X-Forwarded-Host: 127.0.0.1"};
+
+        for(String p:payloads){
+            String newReq = oldReq.replace(oldUrl,previousPath+"/"+p);
+            IHttpRequestResponse checkRequestResponse = _callbacks.makeHttpRequest(baseRequestResponse.getHttpService(),_helpers.stringToBytes(newReq));
+            short STT_CODE = _helpers.analyzeResponse(checkRequestResponse.getResponse()).getStatusCode();
+            if(STT_CODE == 200) {
+                results.add("Url payload: "+_helpers.analyzeRequest(checkRequestResponse).getUrl()+" | Status code: "+STT_CODE);
+            }
+        }
+
+        for(String hp:hpayloads){
+            String newReq="";
+            if(hp.startsWith("Referer:") && oldReq.contains("Referer:")){
+                newReq = oldReq.replace("^Referer:.*?$",hp);
+            }else{
+                newReq = oldReq.replace("User-Agent: ",hp+"\r\n"+"User-Agent: ");
+            }
+
+            IHttpRequestResponse checkRequestResponse = _callbacks.makeHttpRequest(baseRequestResponse.getHttpService(),_helpers.stringToBytes(newReq));
+            short STT_CODE = _helpers.analyzeResponse(checkRequestResponse.getResponse()).getStatusCode();
+            if(STT_CODE == 200) {
+                results.add("Header payload: "+hp+" | Status code: "+STT_CODE);
+            }
+
+        }
+        if(results.toString().equals("[]")) return null;
+        CustomScanIssue customScanIssue =  new CustomScanIssue(
+                _helpers.analyzeRequest(baseRequestResponse).getUrl(),
+                "403 ByPass Vuln",
+                0,
+                "High",
+                "Certain",
+                null,
+                null,
+                results.toString(),
+                null,
+                new IHttpRequestResponseWithMarkers[]{_callbacks.applyMarkers(baseRequestResponse, null, null)},
+                baseRequestResponse.getHttpService()
+                );
+
+        List<IScanIssue> issues = new ArrayList<>();
+        issues.add(customScanIssue);
+        stdout.println("===================================");
+        stdout.println("恭喜！有一个漏洞被发现，漏洞信息为: "+_helpers.analyzeRequest(baseRequestResponse).getUrl()+" "+results);
+        stdout.println("===================================");
+        return issues;
+    }
+
+    @Override
+    public List<IScanIssue> doActiveScan(IHttpRequestResponse baseRequestResponse, IScannerInsertionPoint insertionPoint) {
+        return null;
+    }
+
+    @Override
+    public int consolidateDuplicateIssues(IScanIssue existingIssue, IScanIssue newIssue) {
+        if (existingIssue.getUrl()==newIssue.getUrl())  return -1;
+        return 0;
+    }
+
+    /**
+     * 基本信息输出
+     */
+    private static String basicInformationOutput() {
+
+        String str1 = "===================================\n";
+        String str2 = String.format("%s 加载成功\n", NAME);
+        String str3 = String.format("版本: %s\n", VERSION);
+        String str4 = "作者: BaiZeSec_ahui\n";
+        String str5 = "邮箱: aaaahuia@163.com\n";
+        String str6 = "===================================\n";
+        String detail = str1 + str2 + str3 + str4  + str5 + str6;
+        return detail;
+    }
+
+
+}