HaE是基于 BurpSuite Java插件API 开发的请求高亮标记与信息提取的辅助型框架式插件,该插件可以通过自定义正则的方式匹配响应报文或请求报文,并对满足正则匹配的报文进行信息高亮与提取。
使用方法
插件装载:
Extender - Extensions - Add - Select File - Next。
初次装载HaE会自动获取官方规则库https://raw.githubusercontent.com/gh0stkey/HaE/gh-pages/Rules.yml。配置文件(Config.yml)和规则文件(Rules.yml)会放在固定目录下:Linux/Mac用户的配置文件目录:~/.config/HaE/ Windows用户的配置文件目录:%USERPROFILE%/.config/HaE/ 除此之外,您也可以选择将配置文件存放在HaE Jar包的同级目录下的/.config/HaE/中,以便于离线携带。
注意事项
如果想灵活使用HaE,需要掌握正则表达式阅读、编写、修改能力。因为Java正则表达式的库并没有Python的优雅或方便,所以HaE要求使用者必须用()将所需提取的表达式内容包含。
工具亮点
如果我们在输入某个关键字时看不到联想词,那么表明 Google 的算法可能检测到:
-
• 精细配置:高度自由的配置选项,以满足各类精细化场景需求。
-
• 分类标签:使用标签对规则进行分类,便于管理和组织规则。
-
• 高亮标记:在HTTP History页面,通过颜色高亮和注释判断请求的价值。
-
• 易读配置:使用易读的YAML格式存储配置文件,方便阅读和修改。
-
• 数据集合:将匹配到的数据、请求和响应集中在数据面板中,提高测试和梳理效率。
-
• 简洁可视:清晰可视的界面设计,更轻松地了解和配置HaE,操作简单、使用便捷。
-
• 颜色升级:内置颜色升级算法,避免“屠龙者终成恶龙”场景,突出最具价值的请求。
-
• 实战规则:官方规则库是基于实战化场景总结输出,提升数据发现的有效性、精准性。
rules代码
rules:
- group: Fingerprint
rule:
- name: Shiro
loaded: true
f_regex: (=deleteMe|rememberMe=)
s_regex: ''
format: '{0}'
color: green
scope: any header
engine: dfa
sensitive: true
- name: JSON Web Token
loaded: true
f_regex: (eyJ[A-Za-z0-9_-]{10,}.[A-Za-z0-9._-]{10,}|eyJ[A-Za-z0-9_/+-]{10,}.[A-Za-z0-9._/+-]{10,})
s_regex: ''
format: '{0}'
color: green
scope: any
engine: dfa
sensitive: true
- name: Swagger UI
loaded: true
f_regex: ((swagger-ui.html)|("swagger":)|(Swagger UI)|(swaggerUi)|(swaggerVersion))
s_regex: ''
format: '{0}'
color: red
scope: response body
engine: dfa
sensitive: false
- name: Ueditor
loaded: true
f_regex: (ueditor.(config|all).js)
s_regex: ''
format: '{0}'
color: green
scope: response body
engine: dfa
sensitive: false
- name: Druid
loaded: true
f_regex: (Druid Stat Index)
s_regex: ''
format: '{0}'
color: orange
scope: response body
engine: dfa
sensitive: false
- group: Maybe Vulnerability
rule:
- name: Java Deserialization
loaded: true
f_regex: (javax.faces.ViewState)
s_regex: ''
format: '{0}'
color: yellow
scope: response body
engine: dfa
sensitive: false
- name: Debug Logic Parameters
loaded: true
f_regex: ((access=)|(adm=)|(admin=)|(alter=)|(cfg=)|(clone=)|(config=)|(create=)|(dbg=)|(debug=)|(delete=)|(disable=)|(edit=)|(enable=)|(exec=)|(execute=)|(grant=)|(load=)|(make=)|(modify=)|(rename=)|(reset=)|(root=)|(shell=)|(test=)|(toggl=))
s_regex: ''
format: '{0}'
color: cyan
scope: request
engine: dfa
sensitive: false
- name: URL As A Value
loaded: true
f_regex: (=(https?)(://|%3a%2f%2f))
s_regex: ''
format: '{0}'
color: cyan
scope: any
engine: nfa
sensitive: false
- name: Upload Form
loaded: true
f_regex: (type="file")
s_regex: ''
format: '{0}'
color: yellow
scope: response body
engine: dfa
sensitive: false
- name: DoS Paramters
loaded: true
f_regex: ((size=)|(page=)|(num=)|(limit=)|(start=)|(end=)|(count=))
s_regex: ''
format: '{0}'
color: cyan
scope: request
engine: dfa
sensitive: false
- group: Basic Information
rule:
- name: Email
loaded: true
f_regex: (([a-z0-9]+[_|.])*[a-z0-9]+@([a-z0-9]+[-|_|.])*[a-z0-9]+.((?!js|css|jpg|jpeg|png|ico)[a-z]{2,5}))
s_regex: ''
format: '{0}'
color: yellow
scope: response
engine: nfa
sensitive: false
- name: Chinese IDCard
loaded: true
f_regex: '[^0-9]((d{8}(0d|10|11|12)([0-2]d|30|31)d{3}$)|(d{6}(18|19|20)d{2}(0[1-9]|10|11|12)([0-2]d|30|31)d{3}(d|X|x)))[^0-9]'
s_regex: ''
format: '{0}'
color: orange
scope: response body
engine: nfa
sensitive: true
- name: Chinese Mobile Number
loaded: true
f_regex: '[^w]((?:(?:+|00)86)?1(?:(?:3[d])|(?:4[5-79])|(?:5[0-35-9])|(?:6[5-7])|(?:7[0-8])|(?:8[d])|(?:9[189]))d{8})[^w]'
s_regex: ''
format: '{0}'
color: orange
scope: response body
engine: nfa
sensitive: false
- name: Internal IP Address
loaded: true
f_regex: '[^0-9]((127.0.0.1)|(10.d{1,3}.d{1,3}.d{1,3})|(172.((1[6-9])|(2d)|(3[01])).d{1,3}.d{1,3})|(192.168.d{1,3}.d{1,3}))'
s_regex: ''
format: '{0}'
color: cyan
scope: response
engine: nfa
sensitive: true
- name: MAC Address
loaded: true
f_regex: (^([a-fA-F0-9]{2}(:[a-fA-F0-9]{2}){5})|[^a-zA-Z0-9]([a-fA-F0-9]{2}(:[a-fA-F0-9]{2}){5}))
s_regex: ''
format: '{0}'
color: green
scope: response
engine: nfa
sensitive: true
- group: Sensitive Information
rule:
- name: Cloud Key
loaded: true
f_regex: (((access)(|-|_)(key)(|-|_)(id|secret))|(LTAI[a-z0-9]{12,20}))
s_regex: ''
format: '{0}'
color: yellow
scope: any
engine: nfa
sensitive: false
- name: Windows File/Dir Path
loaded: true
f_regex: '[^w](([a-zA-Z]:\(?:w+\?)*)|([a-zA-Z]:\(?:w+\)*w+.w+))'
s_regex: ''
format: '{0}'
color: green
scope: response
engine: nfa
sensitive: true
- name: Password Field
loaded: true
f_regex: ((|'|")(|[w]{1,10})((ass|wd|asswd|assword))(|[w]{1,10})(|'|")(:|=)(
|)('|")(.*?)('|")(|,))
s_regex: ''
format: '{0}'
color: yellow
scope: response body
engine: nfa
sensitive: false
- name: Username Field
loaded: true
f_regex: ((|'|")(|[w]{1,10})(([u](ser|name|sername))|(account)|((creat|updat)(|ed|or|er)(|by|on|at)))(|[w]{1,10})(|'|")(:|=)(
|)('|")(.*?)('|")(|,))
s_regex: ''
format: '{0}'
color: green
scope: response body
engine: nfa
sensitive: false
- name: WeCom Key
loaded: true
f_regex: ((corp)(id|secret))
s_regex: ''
format: '{0}'
color: green
scope: response body
engine: dfa
sensitive: false
- name: JDBC Connection
loaded: true
f_regex: (jdbc:[a-z:]+://[a-z0-9.-_:;=/@?,&]+)
s_regex: ''
format: '{0}'
color: yellow
scope: any
engine: nfa
sensitive: false
- name: Authorization Header
loaded: true
f_regex: ((basic [a-z0-9=:_+/-]{5,100})|(bearer [a-z0-9_.=:_+/-]{5,100}))
s_regex: ''
format: '{0}'
color: yellow
scope: response body
engine: nfa
sensitive: false
- name: Sensitive Field
loaded: true
f_regex: (([)?('|")?([w]{0,10})((key)|(secret)|(token)|(config)|(auth)|(access)|(admin))([w]{0,10})('|")?(])?(
|)(:|=)( |)('|")(.*?)('|")(|,))
s_regex: ''
format: '{0}'
color: yellow
scope: response
engine: nfa
sensitive: false
- group: Other
rule:
- name: Linkfinder
loaded: true
f_regex: (?:"|')(((?:[a-zA-Z]{1,10}://|//)[^"'/]{1,}.[a-zA-Z]{2,}[^"']{0,})|((?:/|../|./)[^"'><,;|*()(%%$^/\[]][^"'><,;|()]{1,})|([a-zA-Z0-9_-/]{1,}/[a-zA-Z0-9_-/]{1,}.(?:[a-zA-Z]{1,4}|action)(?:[?|#][^"|']{0,}|))|([a-zA-Z0-9_-/]{1,}/[a-zA-Z0-9_-/]{3,}(?:[?|#][^"|']{0,}|))|([a-zA-Z0-9_-]{1,}.(?:w)(?:[?|#][^"|']{0,}|)))(?:"|')
s_regex: ''
format: '{0}'
color: gray
scope: response body
engine: nfa
sensitive: true
- name: Source Map
loaded: true
f_regex: (.js.map)
s_regex: ''
format: '{0}'
color: pink
scope: response body
engine: dfa
sensitive: false
- name: HTML Notes
loaded: true
f_regex: (<!--.*?-->)
s_regex: ''
format: '{0}'
color: magenta
scope: response body
engine: nfa
sensitive: false
- name: Create Script
loaded: true
f_regex: (+{.*?}[[a-zA-Z]]+".*?.js")
s_regex: '"?([w].*?)"?:"(.*?)"'
format: '{0}.{1}'
color: green
scope: response body
engine: nfa
sensitive: false
- name: URL Schemes
loaded: true
f_regex: ((?![http]|[https])(([-A-Za-z0-9]{1,20})://[-A-Za-z0-9+&@#/%?=~_|!:,.;]+[-A-Za-z0-9+&@#/%=~_|]))
s_regex: ''
format: '{0}'
color: yellow
scope: response body
engine: nfa
sensitive: false
- name: Router Push
loaded: true
f_regex: ($router.push)
s_regex: ''
format: '{0}'
color: magenta
scope: response body
engine: dfa
sensitive: false
- name: Vue Route
loaded: true
f_regex: path:"(.*?)"
s_regex: ''
format: '{0}'
color: gray
scope: response body
engine: nfa
sensitive: false
项目地址
https://github.com/gh0stkey/HaE/原文始发于微信公众号(Eonian Sharp):【刻刀】赋能Burp高效挖洞扩展工具-HaE
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论