While learning the Burp Suite APIs for Intruder payload processors, I could never work out the difference between the currentPayload and originalPayload parameters of the processPayload method in the IIntruderPayloadProcessor interface. Judging by the names alone, currentPayload is the current payload and originalPayload is the original payload. After going through the documentation I had a rough idea of the difference, but it still felt like I had not grasped what really distinguishes them, which was uncomfortable!

/**
 * This method is invoked by Burp each time the processor should be applied
 * to an Intruder payload.
 *
 * @param currentPayload The value of the payload to be processed.
 * @param originalPayload The value of the original payload prior to
 * processing by any already-applied processing rules.
 *
 * @param baseValue The base value of the payload position, which will be
 * replaced with the current payload.
 * @return The value of the processed payload. This may be
 * <code>null</code> to indicate that the current payload should be skipped,
 * and the attack will move directly to the next payload.
 */
byte[] processPayload(
        byte[] currentPayload,
        byte[] originalPayload,
        byte[] baseValue);

0x01 Code

Let's write two payload processor extensions to understand the difference. Processor 1 appends a "1" to the payload, and processor 2 appends a "2". Before processing, each one prints currentPayload and originalPayload so we can inspect them. The code is as follows:

intruder-payload-1

package burp;

import java.io.PrintWriter;

public class BurpExtender implements IBurpExtender, IIntruderPayloadProcessor {
    private IExtensionHelpers helper;
    private IBurpExtenderCallbacks callbacks;
    private PrintWriter stdout;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.helper = callbacks.getHelpers();
        this.callbacks = callbacks;
        // autoflush = true so every line shows up in the extension's output tab immediately
        this.stdout = new PrintWriter(callbacks.getStdout(), true);
        callbacks.setExtensionName("intruder-payload-1");
        // expose this class as a payload-processing rule in Intruder's Payload Processing section
        callbacks.registerIntruderPayloadProcessor(this);
    }

    @Override
    public String getProcessorName() {
        return "Processor1";
    }

    @Override
    public byte[] processPayload(byte[] currentPayload, byte[] originalPayload, byte[] baseValue) {
        // log both parameters before touching the payload, so the output shows what Burp handed us
        stdout.println(getProcessorName());
        stdout.println("currentPayload:" + helper.bytesToString(currentPayload));
        stdout.println("originalPayload:" + helper.bytesToString(originalPayload));
        stdout.println("-------------------------");
        // the rule itself: append "1" to whatever the previous rules produced
        String newPayload = helper.bytesToString(currentPayload) + "1";
        return helper.stringToBytes(newPayload);
    }
}

intruder-payload-2

package burp;

import java.io.PrintWriter;

public class BurpExtender implements IBurpExtender, IIntruderPayloadProcessor {
    private IExtensionHelpers helper;
    private IBurpExtenderCallbacks callbacks;
    private PrintWriter stdout;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.helper = callbacks.getHelpers();
        this.callbacks = callbacks;
        // autoflush = true so every line shows up in the extension's output tab immediately
        this.stdout = new PrintWriter(callbacks.getStdout(), true);
        callbacks.setExtensionName("intruder-payload-2");
        // expose this class as a payload-processing rule in Intruder's Payload Processing section
        callbacks.registerIntruderPayloadProcessor(this);
    }

    @Override
    public String getProcessorName() {
        return "Processor2";
    }

    @Override
    public byte[] processPayload(byte[] currentPayload, byte[] originalPayload, byte[] baseValue) {
        // log both parameters before touching the payload, so the output shows what Burp handed us
        stdout.println(getProcessorName());
        stdout.println("currentPayload:" + helper.bytesToString(currentPayload));
        stdout.println("originalPayload:" + helper.bytesToString(originalPayload));
        stdout.println("-------------------------");
        // the rule itself: append "2" to whatever the previous rules produced
        String newPayload = helper.bytesToString(currentPayload) + "2";
        return helper.stringToBytes(newPayload);
    }
}

0x02 Test

After compiling, install both extensions in Burp, pick any POST request, and run a test attack with Processor1 followed by Processor2 configured as the payload processing rules.

Figure 1 - Intruder payloads settings

Figure 2 - Intruder attack

Looking at the "Show in UI" output of the two extensions under the Extensions tab, they show the following:

intruder-payload-1

Processor1
currentPayload: a
originalPayload: a
-------------------------
Processor1
currentPayload: b
originalPayload: b
-------------------------
Processor1
currentPayload: c
originalPayload: c
-------------------------
Processor1
currentPayload: d
originalPayload: d
-------------------------
Processor1
currentPayload: e
originalPayload: e
-------------------------

intruder-payload-2

Processor2
currentPayload: a1
originalPayload: a
-------------------------
Processor2
currentPayload: b1
originalPayload: b
-------------------------
Processor2
currentPayload: c1
originalPayload: c
-------------------------
Processor2
currentPayload: d1
originalPayload: d
-------------------------
Processor2
currentPayload: e1
originalPayload: e
-------------------------

0x03 Summary

From the above we can conclude (each cell is currentPayload,originalPayload as seen by that processor):

| Processor  | a    | b    | c    | d    | e    | f    |
|------------|------|------|------|------|------|------|
| Processor1 | a,a  | b,b  | c,c  | d,d  | e,e  | f,f  |
| Processor2 | a1,a | b1,b | c1,c | d1,d | e1,e | f1,f |

So now the two parameters should be much clearer: currentPayload is the current payload, i.e. the original payload after it has been handled by the one or more processors that ran before this one, while originalPayload is the original payload as it came from the payload list, untouched by any rule.
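To make the chaining behaviour concrete without needing Burp running, here is an added example (not part of the original post and not Burp's own code) that models how Intruder feeds a payload list through an ordered list of processing rules. Each model processor has the same shape as processPayload (current, original, base value) and may return None, which stands in for the null return the Javadoc above describes as "skip this payload". The suffix processors reproduce Processor1 and Processor2 from the page; skip_if_unchanged and prefix_with_original are constructed for the example to show the two semantics the summary table does not exercise: skipping, and a later rule that still needs the untouched original value.

```python
"""Model of how Burp Intruder chains payload processors (added example, not Burp's code)."""
from typing import Callable, List, Optional, Tuple

# Same shape as IIntruderPayloadProcessor.processPayload:
# (currentPayload, originalPayload, baseValue) -> processed payload, or None to skip.
Processor = Callable[[bytes, bytes, bytes], Optional[bytes]]


def append_suffix(suffix: bytes) -> Processor:
    """Build a processor that appends a fixed suffix to currentPayload,
    exactly what Processor1 ("1") and Processor2 ("2") on the page do."""
    def proc(current: bytes, original: bytes, base: bytes) -> Optional[bytes]:
        return current + suffix
    return proc


def skip_if_unchanged(current: bytes, original: bytes, base: bytes) -> Optional[bytes]:
    """Constructed rule: return None (Burp's null) when no earlier rule changed
    the payload, so Intruder moves straight on to the next payload."""
    return None if current == original else current


def prefix_with_original(current: bytes, original: bytes, base: bytes) -> Optional[bytes]:
    """Constructed rule showing why originalPayload exists: a late rule can still
    read the raw list value even after earlier rules have rewritten current."""
    return original + b"=" + current


def run_chain(payloads: List[bytes],
              processors: List[Tuple[str, Processor]],
              base_value: bytes = b"") -> Tuple[List[Tuple[bytes, bytes]],
                                                List[Tuple[str, bytes, bytes]]]:
    """Apply the processors in order to every payload, the way Intruder applies
    its processing rules.  Returns (results, trace):
      results - list of (original, final) for payloads that were not skipped
      trace   - (processor name, currentPayload, originalPayload) per call,
                mirroring the three lines the page's extensions print."""
    results: List[Tuple[bytes, bytes]] = []
    trace: List[Tuple[str, bytes, bytes]] = []
    for original in payloads:
        current = original          # first rule sees current == original
        skipped = False
        for name, proc in processors:
            trace.append((name, current, original))
            out = proc(current, original, base_value)
            if out is None:         # null from processPayload: drop this payload
                skipped = True
                break
            current = out           # next rule's currentPayload is this rule's output
        if not skipped:
            results.append((original, current))
    return results, trace


if __name__ == "__main__":
    # constructed payload list, same letters as the page's test
    chain = [("Processor1", append_suffix(b"1")), ("Processor2", append_suffix(b"2"))]
    results, trace = run_chain([b"a", b"b", b"c"], chain)
    for name, cur, orig in trace:
        print(name)
        print("currentPayload:", cur.decode())
        print("originalPayload:", orig.decode())
        print("-------------------------")
    print("final payloads sent:", [final.decode() for _, final in results])
```

Running the module prints the same alternating Processor1/Processor2 trace as the "Show in UI" output above, and the final list shows that what actually gets inserted into the request is the output of the last rule (a12, b12, c12), while originalPayload stays a, b, c throughout.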