扩展burp代理




扩展burp代理



前言

《Python黑帽子:黑客与渗透测试编程之道》的读书笔记,会包括书中源码,并自己将其中一些改写成Python3版本。书虽然比较老了,但仍然是一本很好的书

本篇是第6章扩展burp代理,包括利用拦截到的HTTP请求作为fuzz的原始输入,以及结合Bing搜索子域名或旁站

1、burp的fuzz脚本

使用burp的扩展工具,创建一个简单的fuzz工具

#!/usr/bin/env python#-*- coding:utf8 -*-
# 导入三个类,其中IBurpExtender类是编写扩展工具必须的类,后两个是Intruder的,我们就是要扩展它from burp import IBurpExtenderfrom burp import IIntruderPayloadGeneratorFactoryfrom burp import IIntruderPayloadGenerator
from java.util import List, ArrayList
import random
# Extension entry point. Burp instantiates this class and calls
# registerExtenderCallbacks(); it is also the Intruder payload-generator
# factory that hands out BHPFuzzer instances.
class BurpExtender(IBurpExtender, IIntruderPayloadGeneratorFactory):
    """Extension entry point and Intruder payload-generator factory."""

    def registerExtenderCallbacks(self, callbacks):
        """Keep the Burp callbacks/helpers and register this factory with Intruder."""
        helpers = callbacks.getHelpers()
        self._callbacks = callbacks
        self._helpers = helpers
        # Intruder only lists generators that were registered through the callbacks.
        callbacks.registerIntruderPayloadGeneratorFactory(self)

    def getGeneratorName(self):
        """Name shown in Intruder's payload-type list."""
        return "BHP Payload Generator"

    def createNewInstance(self, attack):
        """Build a fresh generator for one Intruder attack."""
        generator = BHPFuzzer(self, attack)
        return generator
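# Intruder payload generator: returns a mutated copy of the request's
# current payload on every call, up to max_payload times.
class BHPFuzzer(IIntruderPayloadGenerator):
    """Simple mutation fuzzer used as an Intruder payload source.

    Attributes:
        max_payload: number of payloads to produce before the attack stops.
        num_iterations: how many payloads have been handed out so far.
    """

    def __init__(self, extender, attack):
        self._extender = extender
        self._helpers = extender._helpers
        self._attack = attack
        self.max_payload = 1000
        self.num_iterations = 0

    def hasMorePayloads(self):
        """Tell Intruder whether another payload is available.

        Uses < rather than the original == so a counter that somehow passes
        max_payload still stops the attack.
        """
        return self.num_iterations < self.max_payload

    def getNextPayload(self, current_payload):
        """Return one mutated payload built from the request's current value.

        current_payload is the byte array Burp passes in. Under Jython the
        elements of a Java byte[] may be signed (-128..127), so each value is
        masked to 0..255 before chr() to avoid a ValueError.
        """
        payload = "".join(chr(x & 0xFF) for x in current_payload)
        payload = self.mutate_payload(payload)
        self.num_iterations += 1
        return payload

    def reset(self):
        """Restart the counter so Intruder can reuse the generator."""
        self.num_iterations = 0

    def mutate_payload(self, original_payload):
        """Apply one random mutation at a random offset of original_payload.

        Mutations: 1) insert a single quote, 2) insert a script tag,
        3) repeat a chunk of the remaining payload 1-10 times. The bytes from
        the offset onward are always re-appended, so the result keeps the
        original tail. An empty input no longer raises (offset 0, no repeat).
        """
        picker = random.randint(1, 3)
        # randint(0, -1) raises on an empty payload, so clamp the upper bound.
        offset = random.randint(0, max(len(original_payload) - 1, 0))
        head = original_payload[:offset]
        tail = original_payload[offset:]
        payload = head

        if picker == 1:
            payload += "'"
        elif picker == 2:
            payload += "<script>alert('xss');</script>"
        elif picker == 3 and tail:
            # The original sized the chunk from the already-sliced head, which
            # gave randint an empty range for offset 0; size it from the tail.
            chunk_length = random.randint(1, len(tail))
            repeater = random.randint(1, 10)
            payload += tail[:chunk_length] * repeater

        payload += tail
        return payload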

2、burp中利用Bing服务

使用Bing的API程序化提交查询,搜索子域名和旁站


#!/usr/bin/env python
#-*- coding:utf8 -*-
import base64
import json
import os
import re
import socket
import urllib

from burp import IBurpExtender
from burp import IContextMenuFactory
from java.net import URL
from java.util import List, ArrayList
from javax.swing import JMenuItem
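# Bing API key. Read it from the BING_API_KEY environment variable so the
# secret does not have to be committed in the extension source; the
# placeholder is only the fallback when the variable is unset.
bing_api_key = os.environ.get("BING_API_KEY", "你的密钥")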
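# Context-menu extension: for every selected message, search Bing for other
# sites on the host's IP (and, for a hostname, its subdomains) and add the
# results to Burp's target scope.
class BurpExtender(IBurpExtender, IContextMenuFactory):
    """Adds a "Send to Bing" context-menu entry to Burp."""

    def registerExtenderCallbacks(self, callbacks):
        """Keep the callbacks/helpers and register the context-menu factory."""
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        self.context = None
        callbacks.setExtensionName("Use Bing")
        callbacks.registerContextMenuFactory(self)

    def createMenuItems(self, context_menu):
        """Return the menu entries Burp shows for the current selection."""
        self.context = context_menu
        menu_list = ArrayList()
        menu_list.add(JMenuItem("Send to Bing", actionPerformed=self.bing_menu))
        return menu_list

    def bing_menu(self, event):
        """Menu handler: run a Bing search for the host of every selected message."""
        http_traffic = self.context.getSelectedMessages()
        print "%d requests highlighted" % len(http_traffic)
        for traffic in http_traffic:
            host = traffic.getHttpService().getHost()
            print "User selected host: %s" % host
            self.bing_search(host)

    def bing_search(self, host):
        """Query Bing for sites on host's IP and, for a hostname, its subdomains.

        host is either a dotted-quad IP or a hostname. A hostname that does
        not resolve is reported and skipped instead of aborting the menu action.
        """
        # Anchored at the end so "1.2.3.4.example.com" is not taken for an IP.
        is_ip = re.match(r"[0-9]+(?:\.[0-9]+){3}$", host)
        if is_ip:
            ip_address = host
            domain = False
        else:
            try:
                ip_address = socket.gethostbyname(host)
            except socket.error as err:
                print "Could not resolve %s: %s" % (host, err)
                return
            domain = True

        self.bing_query("'ip:%s'" % ip_address)
        if domain:
            self.bing_query("'domain:%s'" % host)

    def bing_query(self, bing_query_string):
        """Send one query to the Bing Search API through Burp and process the results.

        The request is assembled as a raw HTTP/1.1 message because
        callbacks.makeHttpRequest() takes raw bytes. The API key goes in an
        HTTP Basic header with an empty user name (":key", base64-encoded).
        """
        print "Performing Bing search: %s" % bing_query_string
        quoted_query = urllib.quote(bing_query_string)

        http_request = "GET https://api.datamarket.azure.com/Bing/Search/Web?$format=json&$top=20&Query=%s HTTP/1.1\r\n" % quoted_query
        http_request += "Host: api.datamarket.azure.com\r\n"
        http_request += "Connection: close\r\n"
        http_request += "Authorization: Basic %s\r\n" % base64.b64encode(":%s" % bing_api_key)
        http_request += "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36\r\n\r\n"

        raw_response = self._callbacks.makeHttpRequest("api.datamarket.azure.com", 443, True, http_request).tostring()
        # Drop the headers; a response with no blank line has no body to parse
        # (the original indexed [1] unconditionally and raised IndexError).
        parts = raw_response.split("\r\n\r\n", 1)
        if len(parts) < 2:
            print "No results from Bing: response had no body"
            return
        json_body = parts[1]

        try:
            results = json.loads(json_body)["d"]["results"]
        except (ValueError, KeyError, TypeError) as err:
            # ValueError: body is not JSON (e.g. an error page);
            # KeyError/TypeError: JSON without the expected d.results shape.
            print "No results from Bing: %s" % err
            return

        for site in results:
            try:
                title, url_string, description = site['Title'], site['Url'], site['Description']
            except (KeyError, TypeError):
                # Skip an entry that lacks the expected fields.
                continue
            print "*" * 100
            print title
            print url_string
            print description
            print "*" * 100
            self._add_to_scope(url_string)

    def _add_to_scope(self, url_string):
        """Add url_string to Burp's target scope if it is not already covered.

        Results are unverified third-party data: on shared hosting an ip:
        query returns unrelated sites, so entries added here should be
        reviewed rather than treated as confirmed.
        """
        try:
            j_url = URL(url_string)
        except Exception as err:
            # java.net.URL rejects malformed URLs and unknown schemes.
            print "Skipping unparsable URL %s: %s" % (url_string, err)
            return
        if not self._callbacks.isInScope(j_url):
            print "Adding to Burp scope"
            self._callbacks.includeInScope(j_url)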

3、利用网站内容生成密码字典


#!/usr/bin/env python#-*- coding:utf8 -*-from burp import IBurpExtenderfrom burp import IContextMenuFactory
from javax.swing import JMenuItemfrom java.util import List, ArrayListfrom java.net import URL
import refrom datetime import datetimefrom HTMLParser import HTMLParser
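# Strips HTML markup from a response body, keeping text nodes and comments.
class TagStripper(HTMLParser):
    """HTMLParser subclass that collects only the text (and comment) content."""

    def __init__(self):
        HTMLParser.__init__(self)
        self.page_text = []

    def handle_data(self, data):
        """Called for text between tags; keep it."""
        self.page_text.append(data)

    def handle_comment(self, data):
        """Comments are kept as text as well."""
        self.handle_data(data)

    def strip(self, html):
        """Feed html through the parser and return the collected text.

        close() flushes whatever the parser is still buffering (a trailing
        text run can be held back by feed() alone), so nothing is lost.
        """
        self.feed(html)
        self.close()
        return "".join(self.page_text)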
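class BurpExtender(IBurpExtender, IContextMenuFactory):
    """Builds a password-guessing wordlist from the text of selected responses.

    Attributes:
        hosts: hosts whose responses contributed words (printed in the header).
        wordlist: unique lower-cased words collected so far, seeded with "password".
        max_word_length: words longer than this are dropped (the book used 12).
    """

    max_word_length = 15

    def registerExtenderCallbacks(self, callbacks):
        """Keep callbacks/helpers, reset state and register the context-menu factory."""
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        self.context = None
        self.hosts = set()
        # A set, so the wordlist never contains duplicates.
        self.wordlist = set(["password"])
        callbacks.setExtensionName("Build Wordlist")
        callbacks.registerContextMenuFactory(self)

    def createMenuItems(self, context_menu):
        """Return the single "Build Wordlist" menu entry."""
        self.context = context_menu
        menu_list = ArrayList()
        # Label spelling fixed to match the extension name registered above.
        menu_list.add(JMenuItem("Build Wordlist", actionPerformed=self.wordlist_menu))
        return menu_list

    def wordlist_menu(self, event):
        """Menu handler: harvest words from every selected message that has a response."""
        for traffic in self.context.getSelectedMessages():
            self.hosts.add(traffic.getHttpService().getHost())
            http_response = traffic.getResponse()
            # A request without a captured response contributes nothing.
            if http_response:
                self.get_words(http_response)
        self.display_wordlist()

    def get_words(self, http_response):
        """Extract candidate words from one raw HTTP response (a Burp byte array).

        Only responses whose Content-Type starts with "text" are used; the
        body is stripped of HTML tags and scanned for a letter followed by
        two or more word characters.
        """
        parts = http_response.tostring().split("\r\n\r\n", 1)
        if len(parts) < 2:
            # No header/body separator: nothing to scan (the original
            # unpacking raised ValueError here).
            return
        headers, body = parts
        if "content-type: text" not in headers.lower():
            return

        # NOTE(review): the body is untrusted and HTMLParser can raise on
        # badly malformed markup, which would abort the whole menu action.
        page_text = TagStripper().strip(body)
        words = re.findall(r"[a-zA-Z]\w{2,}", page_text)
        for word in words:
            # Drop long tokens; the original comment calls this "filter long strings".
            if len(word) <= self.max_word_length:
                self.wordlist.add(word.lower())

    def mangle(self, word):
        """Return word and its capitalised form, each with the common suffixes appended."""
        year = datetime.now().year
        suffixes = ["", "1", "!", year]
        return ["%s%s" % (password, suffix)
                for password in (word, word.capitalize())
                for suffix in suffixes]

    def display_wordlist(self):
        """Print the mangled wordlist to Burp's output, one candidate per line."""
        # sorted() keeps the header deterministic; a set iterates in arbitrary order.
        print "#!comment: BHP Wordlist for site(s) %s" % ", ".join(sorted(self.hosts))
        for word in sorted(self.wordlist):
            for password in self.mangle(word):
                print password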

结语

burp的扩展脚本






原文始发于微信公众号(红客突击队):扩展burp代理
