Burp中的currentPayload和originalPayload

c0ny1

2017-11-13

编程开发

在学习burp suite APIs中的Intruder payload处理器的过程中，一直搞不明白IIntruderPayloadProcess接口中processPayload方法的currentPayload和originalPayload参数有啥区别。虽说从名字上看currentPayload就是当前paylaod，originalPayload是原始payload的意思。翻了一下文档，大概知道了它们的区别，但总感觉还是没弄清其本质区别，很不舒服！

/**
     * This method is invoked by Burp each time the processor should be applied
     * to an Intruder payload.
     *
     * @param currentPayload The value of the payload to be processed.
     * @param originalPayload The value of the original payload prior to
     * processing by any already-applied processing rules.
     * 
     * @param baseValue The base value of the payload position, which will be
     * replaced with the current payload.
     * @return The value of the processed payload. This may be
     * <code>null</code> to indicate that the current payload should be skipped,
     * and the attack will move directly to the next payload.
     */
    byte[] processPayload(
            byte[] currentPayload,
            byte[] originalPayload,
            byte[] baseValue);

0x01编码

我们来写两个Payload处理器插件来理解其中的区别，处理器1对payload的处理是在payload后面添加一个1，
处理器2对payload的处理是在payload后面添加一个2。处理前会输出currentPayload和originalPayload以供我们研究。具体代码如下：

intruder-payload-1

package burp;

import java.io.PrintWriter;

public class BurpExtender implements IBurpExtender,IIntruderPayloadProcessor {

	private IExtensionHelpers helper;
	private IBurpExtenderCallbacks callbacks;
	private PrintWriter stdout;
	private PrintWriter stderr;

	@Override
	public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
		this.helper = callbacks.getHelpers();
		this.callbacks = callbacks;
		this.stdout = new PrintWriter(callbacks.getStdout(),true);
		callbacks.setExtensionName("intruder-payload-1");
		callbacks.registerIntruderPayloadProcessor(this);
	}

	@Override
	public String getProcessorName() {
		return "Processor1";
	}

	@Override
	public byte[] processPayload(byte[] currentPayload, byte[] originalPayload, byte[] baseValue) {
		stdout.println(getProcessorName());
		stdout.println("currentPayload:"+helper.bytesToString(currentPayload));
		stdout.println("originalPayload:"+helper.bytesToString(originalPayload));
		stdout.println("-------------------------");
		
		String newPayload;
		newPayload = helper.bytesToString(currentPayload) + "1";
		return helper.stringToBytes(newPayload);
	}	
}

intruder-payload-2

package burp;

import java.io.PrintWriter;

public class BurpExtender implements IBurpExtender,IIntruderPayloadProcessor {

	private IExtensionHelpers helper;
	private IBurpExtenderCallbacks callbacks;
	private PrintWriter stdout;
	private PrintWriter stderr;

	@Override
	public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
		this.helper = callbacks.getHelpers();
		this.callbacks = callbacks;
		this.stdout = new PrintWriter(callbacks.getStdout(),true);
		callbacks.setExtensionName("intruder-payload-2");
		callbacks.registerIntruderPayloadProcessor(this);
	}

	@Override
	public String getProcessorName() {
		return "Processor2";
	}

	@Override
	public byte[] processPayload(byte[] currentPayload, byte[] originalPayload, byte[] baseValue) {
		// TODO Auto-generated method stub
		stdout.println(getProcessorName());
		stdout.println("currentPayload:"+helper.bytesToString(currentPayload));
		stdout.println("originalPayload:"+helper.bytesToString(originalPayload));
		stdout.println("-------------------------");
		
		String newPayload;
		newPayload = helper.bytesToString(currentPayload) + "2";
		return helper.stringToBytes(newPayload);
	}	
}

0x2测试

编译后使用burp安装好这两个插件，并随便找一个post包进行测试

图1-Intruder payloads设置

图2-Intruder attack

去查看了一下Extension中两个插件的Show in UI的信息分别如下：

intruder-payload-1

Processor1
currentPayload: a
originalPayload: a
-------------------------
Processor1
currentPayload: b
originalPayload: b
-------------------------
Processor1
currentPayload: c
originalPayload: c
-------------------------
Processor1
currentPayload: d
originalPayload: d
-------------------------
Processor1
currentPayload: e
originalPayload: e
-------------------------

intruder-payload-2

Processor2
currentPayload: a1
originalPayload: a
-------------------------
Processor2
currentPayload: b1
originalPayload: b
-------------------------
Processor2
currentPayload: c1
originalPayload: c
-------------------------
Processor2
currentPayload: d1
originalPayload: d
-------------------------
Processor2
currentPayload: e1
originalPayload: e
-------------------------

0x03总结

综上我们就可以分析出：

处理器	a	b	c	d	e	f
Processor1	a,a	b,b	c,c	d,d	e,e	f,f
Processor1	a1,a	b1,b	c1,c	d1,d	e1,e	f1,f

所以现在再来理解这两个参数是不是就明了多了， currentPayload参数是当前payload（原始payload被上一个或多个处理器处理过的）,originalPayload参数是原始payload