
mod0burpuploadscanner's People

Contributors

floyd-fuh, pajswigger, thomaspatzke


mod0burpuploadscanner's Issues

UploadScanner bug

Traceback (most recent call last):
  File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 903, in doActiveScan
    self.do_checks(injector)
  File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1029, in do_checks
    colab_tests.extend(self._xxe_xmp(injector, burp_colab))
  File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1029, in do_checks
    colab_tests.extend(self._xxe_xmp(injector, burp_colab))
  File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 2417, in _xxe_xmp
    return x.do_collaborator_tests(injector, burp_colab, injector.opts.get_enabled_file_formats())
  File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 5398, in do_collaborator_tests
    c = self._send_collab(injector, burp_colab, types, basename, content, old_xmp, new_xmp, issue)
  File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 5438, in _send_collab
    urr = self._make_http_request(injector, req, redownload_filename=filename)
  File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 4097, in _make_http_request
    attack = self._callbacks.makeHttpRequest(service, req)
byc: burp.byc

Upload Scanner Version: 1.0.4

Jython version: 2.7.0 (default:9987c746f838, Apr 29 2015, 02:25:11) 
[Java HotSpot(TM) 64-Bit Server VM (Oracle Corporation)]
Java version: 1.8.0_112

Option to set static collaborator URL

We are currently testing an application that resides behind a client VPN. From behind their VPN, we are unable to poll our private collaborator instance. If we were able to set a static collaborator URL, we could deploy a collaborator client on a box that is able to poll our instance, and listen there once the scan starts. Is there currently a way to do this? Googling for such a feature didn't turn up much.

Feature request: Add payloads highlights

Hello,

First off, thank you for that useful extension.
Knowing how difficult it could be, would it be possible to add the payload highlights in the issues generated for the simple cases?

Thank you,

Potential false positive results

I was shown a Certain confidence finding with "Malicious Excel upload/download". However, the Response 2 is basically showing only pdf:

HTTP/1.1 200 OK
connection: close
content-length: 26112
content-type: application/pdf;charset=UTF-8
x-content-type-options: nosniff
content-disposition: inline; filename="test.pdf"

Even though I understand this (and other) findings which were shown, I can't picture a use case (apart from forcing the user to change the file extension to something else after downloading) where this could be exploited. True, it should not be possible and the server should perform some content-based validations for PDF files, but still. Apart from Excel, other types were malicious CSV, IQY, and a few others which require opening the file with some special software (not a PDF reader).
I don't know about the definition of False Positive here, and maybe you are aware, maybe it is a bug, so I rather point it out loud for you to have a look.

Marker across multiple lines

Hi,

I've got a case, where the uploaded file will get an ID that needs to be used for getting it afterwards.

<td class="textdata">
  <a href="attachment.do?reportId=1588&amp;attachmentId=852&amp;action=1">
	DwldzhALBfRceiptckeywordsJSP3fHP.jsp.pdf
  </a>
</td>

What needs to be parsed is the attachmentId. Getting that in a single upload is easy.
But since multiple files can be uploaded and the order of display is a bit random, it would be very helpful to be able to set a marker that can contain newlines.

The following is a related but not really the same issue. If you want me to put this into a separate issue, let me know, and I'll put it there.

In the same case, it would be really nice to use ${FILENAME} already in the marker, like when building the URL. For obvious reasons if you see the response above :)

implementing zip-shotgun

Is it possible to implement this if it does not exist yet?

https://github.com/jpiechowka/zip-shotgun

Utility script to test zip file upload functionality (and possible extraction of zip files) for vulnerabilities. Idea for this script comes from this post on Silent Signal Techblog - Compressed File Upload And Command Execution and from OWASP - Test Upload of Malicious Files

This script will create an archive which contains files with "../" in the filename. When extracting, this could cause files to be extracted to preceding directories. It can allow an attacker to extract shells to directories which can be accessed from a web browser.
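A server-side check for the archive behaviour described above, as an added example that is not part of the original issue or of either project: it lists zip members whose names would resolve outside the extraction directory. The destination path, the function names and the in-memory sample archive are assumptions constructed for illustration.

```python
"""Flag zip members whose names would resolve outside the extraction directory."""
import io
import posixpath
import zipfile


def escaping_members(zip_bytes, dest="/srv/app/unpacked"):
    """Return the member names that would be written outside dest.

    dest is a hypothetical extraction directory; nothing is written to disk.
    """
    dest = posixpath.normpath(dest)
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            # Treat backslashes as separators too, since some extractors do.
            name = info.filename.replace("\\", "/")
            # join() discards dest when name is absolute; normpath() folds "..".
            target = posixpath.normpath(posixpath.join(dest, name))
            if target != dest and not target.startswith(dest + "/"):
                flagged.append(info.filename)
    return flagged


def build_sample():
    """Constructed test archive: one ordinary member, two with "../" in the name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("docs/readme.txt", b"ok")
        archive.writestr("../outside.txt", b"constructed test entry")
        archive.writestr("docs/../../outside2.txt", b"constructed test entry")
    return buf.getvalue()


def build_clean_sample():
    """Constructed test archive with only well-behaved member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("docs/readme.txt", b"ok")
        archive.writestr("docs/img/logo.png", b"ok")
    return buf.getvalue()


if __name__ == "__main__":
    for name in escaping_members(build_sample()):
        print("rejecting archive, member escapes destination:", name)
```

An upload handler would reject the whole archive when the returned list is non-empty, before any member is extracted.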

Evaluation of start and end marker

Not sure this qualifies as a bug. I get a situation where the output contains the uploaded files like this

<tr>
					<td class="textdata">
						<a href="attachment.do?reportId=3760&amp;attachmentId=1337&amp;action=1">
							1${IFS}-write${IFS}|sleep${IFS}6.0|a0Xkd.pdf
						</a>
					</td>
					<td class="textdata">
						<input type="button" value="Delete" id="deleteAttachment" onclick="deleteAttachmentFile(1337)"/>
					</td>
				</tr>
			
				<tr>
					<td class="textdata">
						<a href="attachment.do?reportId=3760&amp;attachmentId=1338&amp;action=1">
							|ping -n 12.0 localhost|a0LAR.pdf
						</a>
					</td>
					<td class="textdata">
						<input type="button" value="Delete" id="deleteAttachment" onclick="deleteAttachmentFile(1338)"/>
					</td>
				</tr>

So it is clear that the part that is interesting is the attachmentId. It is also obvious that it can be identified by the name that is right below it.

So it makes sense to set
start marker to:

attachment.do?reportId=3760&amp;attachmentId=

end marker to:

${PYTHONSTR:'&amp;action=1">\n							${FILENAME}'}

What currently happens is that it will not select 1338 if the filename was |ping -n 12.0 localhost|a0LAR.pdf but rather

1337&amp;action=1">
							1${IFS}-write${IFS}|sleep${IFS}6.0|a0Xkd.pdf
						</a>
					</td>
					<td class="textdata">
						<input type="button" value="Delete" id="deleteAttachment" onclick="deleteAttachmentFile(1337)"/>
					</td>
				</tr>
			
				<tr>
					<td class="textdata">
						<a href="attachment.do?reportId=3760&amp;attachmentId=1338

So it matches the first occurrence of both statements. Since there is only one identifying data, I was wondering if it would make sense to select the first occurrence of the one with the file marker (if there is one) and choose the other one as the closest preceding or following one (depending on whether the filename marker was in the end or start marker).
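The selection rule proposed in this issue, as an added example that is not part of the original issue or the extension's code: the marker containing ${FILENAME} is located first, and the other marker is then taken as its closest neighbour. The function names and the sample body (modelled on the response above, with shortened indentation) are constructed for illustration; ${PYTHONSTR} evaluation is not reproduced, the end marker is written as an ordinary Python string instead.

```python
"""Marker evaluation when one response lists several uploaded files."""

FILENAME_VAR = "${FILENAME}"

# Constructed sample modelled on the response quoted in the issue (indentation shortened).
ROW = (
    '<tr>\n'
    '\t<td class="textdata">\n'
    '\t\t<a href="attachment.do?reportId=3760&amp;attachmentId=%s&amp;action=1">\n'
    '\t\t\t%s\n'
    '\t\t</a>\n'
    '\t</td>\n'
    '</tr>\n'
)
FILE_A = "1${IFS}-write${IFS}|sleep${IFS}6.0|a0Xkd.pdf"
FILE_B = "|ping -n 12.0 localhost|a0LAR.pdf"
BODY = ROW % ("1337", FILE_A) + ROW % ("1338", FILE_B)

START_TPL = "attachment.do?reportId=3760&amp;attachmentId="
END_TPL = '&amp;action=1">\n\t\t\t' + FILENAME_VAR


def expand(template, filename):
    """Substitute the uploaded file's name into a marker template."""
    return template.replace(FILENAME_VAR, filename)


def first_occurrence(body, start, end):
    """Behaviour reported in the issue: first start marker, then first end marker after it."""
    s = body.find(start)
    if s == -1:
        return None
    s += len(start)
    e = body.find(end, s)
    return body[s:e] if e != -1 else None


def anchored(body, start_tpl, end_tpl, filename):
    """Proposed behaviour: anchor on the marker that carries the filename."""
    start, end = expand(start_tpl, filename), expand(end_tpl, filename)
    if FILENAME_VAR in end_tpl and FILENAME_VAR not in start_tpl:
        # The end marker is the unique one: find it, then search backwards
        # for the closest start marker that ends before it.
        e = body.find(end)
        if e == -1:
            return None
        s = body.rfind(start, 0, e)
        if s == -1:
            return None
        return body[s + len(start):e]
    # Filename in the start marker (or in neither): the first start marker and
    # the closest end marker after it is already the right pair.
    return first_occurrence(body, start, end)


if __name__ == "__main__":
    print(repr(first_occurrence(BODY, START_TPL, expand(END_TPL, FILE_B))))
    print(anchored(BODY, START_TPL, END_TPL, FILE_B))
```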

UploadScanner bug when losing connection

Traceback (most recent call last):
  File "/home/work/Dokumente/Tools/UploadScanner/UploadScanner.py", line 875, in doActiveScan
    self.do_checks(injector)
  File "/home/work/Dokumente/Tools/UploadScanner/UploadScanner.py", line 960, in do_checks
    self._jsp_rce(injector)
  File "/home/work/Dokumente/Tools/UploadScanner/UploadScanner.py", line 960, in do_checks
    self._jsp_rce(injector)
  File "/home/work/Dokumente/Tools/UploadScanner/UploadScanner.py", line 1594, in _jsp_rce
    self._servercode_rce_backdoored_file(injector, self._jsp_gen_payload_expression_lang, self._jsp_rce_params,
  File "/home/work/Dokumente/Tools/UploadScanner/UploadScanner.py", line 1696, in _servercode_rce_backdoored_file
    self._send_simple(injector, types, basename, content, redownload=True)
  File "/home/work/Dokumente/Tools/UploadScanner/UploadScanner.py", line 3843, in _send_simple
    urrs.append(self._make_http_request(injector, req, redownload_filename=x))
  File "/home/work/Dokumente/Tools/UploadScanner/UploadScanner.py", line 3991, in _make_http_request
    attack = self._callbacks.makeHttpRequest(service, req)
RuntimeException: java.lang.RuntimeException: <URL redacted>

Bug

Traceback (most recent call last):
  File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 981, in doActiveScan
    self.do_checks(injector)
  File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1186, in do_checks
    self._recursive_upload_files(injector, burp_colab)
  File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1186, in do_checks
    self._recursive_upload_files(injector, burp_colab)
  File "/root/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 3679, in _recursive_upload_files
    content = file(os.path.join(path, filename), "rb").read()
IOError: [Errno 2] No such file or directory: '/root/Desktop/IntruderPayloads/Uploads/Link to svg-xss-xml.svg'

Upload Scanner Version: 1.0.8

Extension code location: doActiveScan
Jython version: 2.7.0 (default:9987c746f838, Apr 29 2015, 02:25:11) 
[OpenJDK 64-Bit Server VM (Oracle Corporation)]
Java version: 11.0.2
Burp version: Burp Suite Professional 2.0 20beta
Command line arguments: 
Was loaded from BApp: True
Request: 'POST /webgoat.net/Content/UploadPathManipulation.aspx HTTP/1.1\r\nHost: 192.168.1.120\r\nUser-
Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0\r\nAccept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r
\nAccept-Encoding: gzip, deflate\r\nReferer:
http://192.168.1.120/webgoat.net/Content/UploadPathManipulation.aspx\r\nContent-Type: multipart
/form-data; boundary=---------------------------31770911913195265771604502722\r\nContent-Length:
9103\r\nCookie: ASP.NET_SessionId=43CAFDB93D22792281F562F8; PHPSESSID=etofpc042dd3082drbrmkcgkr4;
security_level=0; Server=b3dhc3Bid2E=\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\n\r\n
-----------------------------31770911913195265771604502722\r\nContent-Disposition: form-data; name="
__VIEWSTATE"\r\n\r\nDAwNEAIAAA4BBQAOAQ0QAgAADgEFAQ4BDRACDwEBB2VuY3R5cGUBE211bHRpcGFydC9mb3JtLWRhdGEA
AAAOAgEbY3RsMDAkSGVhZExvZ2luU3RhdHVzJGN0bDAxARtjdGwwMCRIZWFkTG9naW5TdGF0dXMkY3R...

UploadScanner bug

Traceback (most recent call last):
  File "/Users/apple/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 813, in processHttpMessage
    url = FloydsHelpers.u2s(iRequestInfo.getUrl().toString())
AttributeError: 'NoneType' object has no attribute 'toString'

Upload Scanner Version: 1.0.3

Jython version: 2.7.0 (default:9987c746f838, Apr 29 2015, 02:25:11) 
[Java HotSpot(TM) 64-Bit Server VM (Oracle Corporation)]
Java version: 1.8.0_112

OSError: [Errno 1] Operation not permitted:

Here's the stderr tab while loading the UploadScanner.py

Traceback (most recent call last):
  File "C:\Program Files\BurpSuitePro\Burp New Out of Plugins\mod0BurpUploadScanner-master\UploadScanner.py", line 514, in registerExtenderCallbacks
    self._create_ui()
  File "C:\Program Files\BurpSuitePro\Burp New Out of Plugins\mod0BurpUploadScanner-master\UploadScanner.py", line 559, in _create_ui
    self._global_opts = OptionsPanel(self, self._callbacks, self._helpers, global_options=True)
  File "C:\Program Files\BurpSuitePro\Burp New Out of Plugins\mod0BurpUploadScanner-master\UploadScanner.py", line 8451, in __init__
    os.chmod(path, st.st_mode | stat.S_IEXEC)
OSError: [Errno 1] Operation not permitted: 'C:\\Program Files\\BurpSuitePro\\Burp New Out of Plugins\\mod0BurpUploadScanner-master\\bin\\exiftool.pl'

	at org.python.core.Py.OSError(Py.java:162)
	at org.python.modules.posix.PosixModule.chmod(PosixModule.java:314)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:186)
	at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:204)
	at org.python.core.PyObject.__call__(PyObject.java:478)
	at org.python.core.PyObject.__call__(PyObject.java:482)
	at org.python.pycode._pyx5.__init__$437(C:\Program Files\BurpSuitePro\Burp New Out of Plugins\mod0BurpUploadScanner-master\UploadScanner.py:8488)
	at org.python.pycode._pyx5.call_function(C:\Program Files\BurpSuitePro\Burp New Out of Plugins\mod0BurpUploadScanner-master\UploadScanner.py)
	at org.python.core.PyTableCode.call(PyTableCode.java:167)
	at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
	at org.python.core.PyBaseCode.call(PyBaseCode.java:198)
	at org.python.core.PyFunction.__call__(PyFunction.java:482)
	at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
	at org.python.core.PyMethod.__call__(PyMethod.java:228)
	at org.python.core.PyMethod.__call__(PyMethod.java:223)
	at org.python.core.Deriveds.dispatch__init__(Deriveds.java:19)
	at org.python.core.PyObjectDerived.dispatch__init__(PyObjectDerived.java:1112)
	at org.python.core.PyType.type___call__(PyType.java:1713)
	at org.python.core.PyType.__call__(PyType.java:1696)
	at org.python.core.PyObject.__call__(PyObject.java:394)
	at org.python.pycode._pyx5._create_ui$3(C:\Program Files\BurpSuitePro\Burp New Out of Plugins\mod0BurpUploadScanner-master\UploadScanner.py:573)
	at org.python.pycode._pyx5.call_function(C:\Program Files\BurpSuitePro\Burp New Out of Plugins\mod0BurpUploadScanner-master\UploadScanner.py)
	at org.python.core.PyTableCode.call(PyTableCode.java:167)
	at org.python.core.PyBaseCode.call(PyBaseCode.java:138)
	at org.python.core.PyFunction.__call__(PyFunction.java:413)
	at org.python.core.PyMethod.__call__(PyMethod.java:126)
	at org.python.pycode._pyx5.registerExtenderCallbacks$2(C:\Program Files\BurpSuitePro\Burp New Out of Plugins\mod0BurpUploadScanner-master\UploadScanner.py:536)
	at org.python.pycode._pyx5.call_function(C:\Program Files\BurpSuitePro\Burp New Out of Plugins\mod0BurpUploadScanner-master\UploadScanner.py)
	at org.python.core.PyTableCode.call(PyTableCode.java:167)
	at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
	at org.python.core.PyBaseCode.call(PyBaseCode.java:198)
	at org.python.core.PyFunction.__call__(PyFunction.java:482)
	at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
	at org.python.core.PyMethod.__call__(PyMethod.java:228)
	at org.python.core.PyMethod.__call__(PyMethod.java:218)
	at org.python.core.PyMethod.__call__(PyMethod.java:213)
	at org.python.core.PyObject._jcallexc(PyObject.java:3626)
	at org.python.core.PyObject._jcall(PyObject.java:3658)
	at org.python.proxies.__main__$BurpExtender$8.registerExtenderCallbacks(Unknown Source)
	at burp.b0h.run(Unknown Source)
	at java.lang.Thread.run(Thread.java:745)

OS: Windows 10 x64
Burp Version : v1.7.37

  • While installing it from BApp store works fine.

Request 1 not showing the testing payload

I've noticed that when an issue is generated, Request 1 is always identical to the one sent into the Upload Scanner in the first place.

Would it be possible to instead have the actual request with the particular payload used? Which would be identical to the one on the Done uploads, but as there are usually hundreds and no search, it gets tricky to find something...

UploadScanner bug

Traceback (most recent call last):
  File "C:\Users\b4sm\Desktop\mod0BurpUploadScanner-master\UploadScanner.py", line 914, in run_flexiinjector
    self.do_checks(fi)
  File "C:\Users\b4sm\Desktop\mod0BurpUploadScanner-master\UploadScanner.py", line 928, in do_checks
    burp_colab = BurpCollaborator(self._callbacks)
  File "C:\Users\b4sm\Desktop\mod0BurpUploadScanner-master\UploadScanner.py", line 4142, in __init__
    self.is_ip_collaborator = '/' in FloydsHelpers.u2s(callbacks.createBurpCollaboratorClientContext().generatePayload(True))
AttributeError: 'NoneType' object has no attribute 'generatePayload'

UploadScanner bug

Traceback (most recent call last):
  File "\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 813, in processHttpMessage
    url = FloydsHelpers.u2s(iRequestInfo.getUrl().toString())
AttributeError: 'NoneType' object has no attribute 'toString'

Upload Scanner Version: 1.0.3

Jython version: 2.7.0 (default:9987c746f838, Apr 29 2015, 02:25:11) 
[Java HotSpot(TM) 64-Bit Server VM (Oracle Corporation)]
Java version: 1.8.0_131

Infinite horizontal scrolling - Burp v2020.1

We’ve just released a new version of Burp that has some big changes to the HTTP message editor.

Notably, a scroll pane is now implemented inside the message editor.

Unfortunately, this has caused an infinite scrolling issue with your extension. This was reported to us by a user of your BApp, who provided a video of the issue (https://monosnap.com/file/Gqw1tXkXKupRRSAsBSEN3rcjbAYyDw).

If possible, could you remove the scroll pane instance you have implemented, and create a pull request against the PortSwigger branch of your repository so that we can review the changes and update the BApp?

Any way to configure ReDownloader a bit more flexible?

Hello! First of all, thank you for this great extension. I appreciate this huge amount of work you've done.
Today I faced a trivial problem: I need to download an uploaded file, but the upload link contains a hash instead of ${FILENAME}. I see this hash in the response after a successful upload. Unfortunately, I still don't know all the features of the module; is there any way to fix this problem without touching the code? Thank you!

UploadScanner bug

Traceback (most recent call last):
  File "C:\Users\yuji\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 4818, in getInsertionPoints
    injector = MultipartInjector(base_request_response, self._global_opts, insertionPoint, self._helpers, BurpExtender.NEWLINE)
  File "C:\Users\yuji\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 4580, in __init__
    self._default_file_extension = FloydsHelpers.u2s(os.path.splitext(self._insertionPoint.getBaseValue())[1]) or ''
  File "C:\Users\yuji\Downloads\jython-standalone-2.7.0.jar\Lib\ntpath.py", line 190, in splitext
    return genericpath._splitext(p, sep, altsep, extsep)
  File "C:\Users\yuji\Downloads\jython-standalone-2.7.0.jar\Lib\genericpath.py", line 91, in _splitext
    sepIndex = p.rfind(sep)
AttributeError: 'NoneType' object has no attribute 'rfind'

Upload Scanner Version: 1.0.5

Jython version: 2.7.0 (default:9987c746f838, Apr 29 2015, 02:25:11) 
[Java HotSpot(TM) 64-Bit Server VM (Oracle Corporation)]
Java version: 1.8.0_112
Burp version: Burp Suite Professional 2.0 06beta
Command line arguments: 
Was loaded from BApp: True

Bug

Traceback (most recent call last):
  File "C:\Users\Mantis\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 981, in doActiveScan
    self.do_checks(injector)
  File "C:\Users\Mantis\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 1055, in do_checks
    self._sanity_check(injector)
  File "C:\Users\Mantis\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 1055, in do_checks
    self._sanity_check(injector)
  File "C:\Users\Mantis\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 1225, in _sanity_check
    self._send_simple(injector, types, "SanityCheck", content, redownload=False, randomize=False)
  File "C:\Users\Mantis\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 4227, in _send_simple
    urrs.append(self._make_http_request(injector, req))
  File "C:\Users\Mantis\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 4380, in _make_http_request
    attack = self._callbacks.makeHttpRequest(service, req)
RuntimeException: java.lang.RuntimeException: Extension generated task deleted

Upload Scanner Version: 1.0.8

Extension code location: doActiveScan
Jython version: 2.7.1 (default:0df7adb1b397, Jun 30 2017, 19:02:43) 
[OpenJDK 64-Bit Server VM (Oracle Corporation)]
Java version: 12.0.2
Burp version: Burp Suite Professional 2.1 07
Command line arguments: 
Was loaded from BApp: True
Request: 'POST /api/instance-management/v1/import HTTP/1.1\r\nHost: example.com\r\nUser-Agent:
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0\r\nAccept:
application/json, text/plain, */*\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip,
deflate\r\nContent-Type: multipart/form-data; boundary=---------------------------4833311154639\r
\nContent-Length: 75458\r\nOrigin: https://pentest.qlearsite.com\r\nConnection: close\r\nReferer:
https://pentest.qlearsite.com/\r\nCookie:
JSESSIONID=redacted.node0\r\n\r\n-----------------------------
4833311154639\r\nContent-Disposition: form-data; name="file"; filename="Main import all idps.xlsx"\r
\nContent-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet\r\n\r\nPK\x03\x04\
x14\x00\x08\x08\x08\x00Ox4PREDACTED

Bug

Traceback (most recent call last):
  File "/home/debby/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 981, in doActiveScan
    self.do_checks(injector)
  File "/home/debby/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1073, in do_checks
    colab_tests.extend(self._magick(injector, burp_colab))
  File "/home/debby/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1073, in do_checks
    colab_tests.extend(self._magick(injector, burp_colab))
  File "/home/debby/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1439, in _magick
    self._send_sleep_based(injector, basename, content, types, injector.opts.sleep_time, issue)
  File "/home/debby/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 4322, in _send_sleep_based
    resp = self._make_http_request(injector, req, throttle=False)
  File "/home/debby/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 4380, in _make_http_request
    attack = self._callbacks.makeHttpRequest(service, req)
ffn: burp.ffn

Upload Scanner Version: 1.0.8

Extension code location: doActiveScan
Jython version: 2.7.0 (default:9987c746f838, Apr 29 2015, 02:25:11) 
[OpenJDK 64-Bit Server VM (Oracle Corporation)]
Java version: 1.8.0_181
Burp version: Burp Suite Professional 2.0 beta
Command line arguments: 
Was loaded from BApp: True
Request: 'POST /users/photo_upload HTTP/1.1\r\nHost: cougarlife.com\r\nUser-Agent: Mozilla/5.0 (X11; Ubuntu;
Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0\r\nAccept: */*\r\nAccept-Language: en-
US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: https://cougarlife.com/search/public\r
\nContent-Type: multipart/form-data;
boundary=---------------------------19294246521380533560987720335\r\nContent-Length:
300759\r\nCookie: __cfduid=dc89051f60508e2163028a0ce7fe0dbe21550484404;
r2=eJyrrgUAAXUA%2BQ%3D%3D%0A; locale=en_US; ajaxim_token=; _em_session_id=BAh7C0kiC2xvY2FsZQY6BkVGSS
IKZW5fVVMGOwBUSSIMY291bnRyeQY7AEZJ%250AIgdJRAY7AEZJIgxsYW5kaW5nBjsARkkiFWluZGV4X2FuZGVyc29uX2IGOwBU%
250ASSIQX2NzcmZfdG9rZW4GOwBGSSIxZXN1NlZyazhwTGhzVFNEdnBqU09yUGZ2%250AYk1WY1FpNE9UN3lKclAyNkVVQT0GOwB
GSSIUdHJhY2tpbmdfcGl4ZWxzBjsA%250ARjBJIgxyZWZlcmVyBjsARiIcaHR0cHM6Ly9jb3VnYXJsaWZlLmNvbS8%253D--
3d0023126c41dd53474be584be00cfb926bbd0f1; c___vid=43cbf0ade8d045098241adb38cf401e4;
timezone=420\r\nDNT: 1\r\nConnectio...

UploadScanner bug

Traceback (most recent call last):
  File "C:\Users\test\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 798, in processHttpMessage
    matchers = self.dl_matchers.get_matchers_for_url(url)
  File "C:\Users\test\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 6581, in get_matchers_for_url
    hostport = self._get_host(url)
  File "C:\Users\test\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 6608, in _get_host
    x = urlparse.urlparse(url)
  File "C:\Users\test\Downloads\jython-standalone-2.7.0.jar\Lib\urlparse.py", line 140, in urlparse
    tuple = urlsplit(url, scheme, allow_fragments)
  File "C:\Users\test\Downloads\jython-standalone-2.7.0.jar\Lib\urlparse.py", line 202, in urlsplit
    rest = url[i+1:]
OutOfMemoryError: java.lang.OutOfMemoryError: GC overhead limit exceeded

Java Exception

I'm running Burp 1.7.34 and it has completely frozen. I checked the jstack, and I can see the trace for an exception coming from your extender:

Full thread dump Java HotSpot(TM) 64-Bit Server VM (25.112-b15 mixed mode):


"pool-7-thread-3596616" #3596830 prio=5 os_prio=0 tid=0x0000000041d14000 nid=0x78dc waiting for monitor entry [0x000000005047e000]
   java.lang.Thread.State: BLOCKED (on object monitor)
	at burp.o7h.a(Unknown Source)
	at burp.o7h.a(Unknown Source)
	at burp.alg.b(Unknown Source)
	at burp.cdg.a(Unknown Source)
	at burp.hpf.a(Unknown Source)
	at burp.hpf.next(Unknown Source)
	at burp.n1g.a(Unknown Source)
	at burp.n1g.b(Unknown Source)
	- locked <0x00000007465fe988> (a java.lang.Object)
	at burp.bgc.a(Unknown Source)
	at burp.a4c.analyzeRequest(Unknown Source)
	at burp.a4c.analyzeRequest(Unknown Source)
	at burp.jqh.analyzeRequest(Unknown Source)
	at sun.reflect.GeneratedMethodAccessor38.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:186)
	at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:204)
	at org.python.core.PyObject.__call__(PyObject.java:478)
	at org.python.core.PyObject.__call__(PyObject.java:482)
	at org.python.core.PyMethod.__call__(PyMethod.java:141)
	at org.python.pycode._pyx4.processHttpMessage$22(E:\BurpSuite Settings and Extensions\Extenders\Upload_Scanner\UploadScanner.py:838)
	at org.python.pycode._pyx4.call_function(E:\BurpSuite Settings and Extensions\Extenders\Upload_Scanner\UploadScanner.py)
	at org.python.core.PyTableCode.call(PyTableCode.java:167)
	at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
	at org.python.core.PyBaseCode.call(PyBaseCode.java:198)
	at org.python.core.PyFunction.__call__(PyFunction.java:482)
	at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
	at org.python.core.PyMethod.__call__(PyMethod.java:228)
	at org.python.core.PyMethod.__call__(PyMethod.java:218)
	at org.python.core.PyMethod.__call__(PyMethod.java:213)
	at org.python.core.PyObject._jcallexc(PyObject.java:3626)
	at org.python.core.PyObject._jcall(PyObject.java:3658)
	at org.python.proxies.__main__$BurpExtender$8.processHttpMessage(Unknown Source)
	at burp.drd.run(Unknown Source)
	at java.lang.Thread.run(Thread.java:745)

I'm not entirely certain if the problem is on your side, but I can't access the Alerts view of Burp, nor Error view in extenders because it froze, so I can't check if something appears in those logs.

Button "Stop scan" not working

Hello,

after launching a basic UploadScanner scan, I tried to stop it via the corresponding button. The GUI looks OK (scan running -> stopping scan -> scan stopped) but I still see a lot of traffic in Logger++. I'm sure the traffic comes from the Upload Scanner extension, as the UA that I customized is visible.

Note that this behaviour persists even after the extension was unloaded. Tested with v1.0.8 from the BAppStore.

Combine with Intruder

Hello
Excuse me if it is a silly question, but I do not know anything about Burp extensions and their code.

I like the tests that the extension does, but due to how some web applications work, I have found some limitations.
For example, I have found one file upload request where one of the parameters is a unique id, so the same request does not work twice.

How complicated would it be to add an option to create an Intruder-like functionality that, for each request, besides the file upload test, modifies some parameter, so this unique id is different for each request?

I could try to code it, but to be honest, I would need some guidance or it would take me a while.

Thanks

UploadScanner bug

Traceback (most recent call last):
  File "/Users/bo0om/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 794, in processHttpMessage
    url = FloydsHelpers.u2s(iRequestInfo.getUrl().toString())
AttributeError: 'NoneType' object has no attribute 'toString'

🤔

Bug

Traceback (most recent call last):
  File "/Users/lin/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 981, in doActiveScan
    self.do_checks(injector)
  File "/Users/lin/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1078, in do_checks
    colab_tests.extend(self._ghostscript(injector, burp_colab))
  File "/Users/lin/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1078, in do_checks
    colab_tests.extend(self._ghostscript(injector, burp_colab))
  File "/Users/lin/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1587, in _ghostscript
    self._send_sleep_based(injector, basename + cmd_name, sleep_content, self.GS_TYPES, injector.opts.sleep_time, issue)
  File "/Users/lin/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 4322, in _send_sleep_based
    resp = self._make_http_request(injector, req, throttle=False)
  File "/Users/lin/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 4380, in _make_http_request
    attack = self._callbacks.makeHttpRequest(service, req)
ffn: burp.ffn

Upload Scanner Version: 1.0.8

Extension code location: doActiveScan
Jython version: 2.7.0 (default:9987c746f838, Apr 29 2015, 02:25:11) 
[Java HotSpot(TM) 64-Bit Server VM (Oracle Corporation)]
Java version: 1.8.0_121
Burp version: Burp Suite Professional 2.0 beta
Command line arguments: 
Was loaded from BApp: True
Request: 'POST /sandbox/fileupload?env=10r9&time=2&analyzer=1 HTTP/1.1\r\nHost: sandbox.ti.360.net\r\nUser-
Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:64.0) Gecko/20100101 Firefox/64.0\r\nAccept:
*/*\r\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\r\nAccept-
Encoding: gzip, deflate\r\nReferer: https://sandbox.ti.360.net/sandbox/page\r\nContent-Type:
multipart/form-data; boundary=---------------------------9373175712441266482135785744\r\nContent-
Length: 737\r\nConnection: close\r\nCookie: session=5cfb1597-26cb-4a43-bf1d-048889c7608d\r\n\r\n
-----------------------------9373175712441266482135785744\r\nContent-Disposition: form-data;
name="file"; filename="333"\r\nContent-Type: application/octet-stream\r\n\r\nGET /sandbox/page/detai
l?type=file&sha1=4e449d8bd80631c3e294e0d1a1845db7a7cb06b8&id=AWhUhRPbNoqRgONUvpW9&env=&time=
HTTP/1.1\r\nHost: sandbox.ti.360.net\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14;
rv:64.0) Gecko/20100101 Firefox/...

Unable to use send to upload scanner.

Hi,

I'm unable to use the "Send to Upload Scanner" option. Whenever I click on it, nothing happens. Sometimes it works, but many times it doesn't.

Let me know.

Improper Edge Side Include (ESI) Injection detection

Hi, I reviewed your implementation of ESI detection (https://github.com/modzero/mod0BurpUploadScanner/blob/master/UploadScanner.py#L2146) and unfortunately, it's not effective against 99% of ESI-enabled surrogates. While SSRF is theoretically possible using ESI includes, the chance of includes being enabled for wildcard domains is near-nil, only Squid comes to mind right now. Most vendors will require manual domain whitelisting for ESI includes to work, and even the DNS won't get resolved (string compare is preferred over DNS resolution comparisons).

A more worthwhile approach is one comparable to the Burp Extension ActiveScanner++ (https://github.com/albinowax/ActiveScanPlusPlus/blob/master/activeScan%2B%2B.py#L381) where two ESI comment tags are inserted, one syntactically incorrect, and comparing to see if the correct one is stripped from the HTTP response. If the incorrect ESI tag is reflected and the proper one is not, then your backend is most likely ESI-enabled and injection is possible.

Example:

  • ESI Enabled:
    foo<!--esi-->bar<!--esx-->baz → foobar<!--esx-->baz

  • Not ESI Enabled:
    foo<!--esi-->bar<!--esx-->baz → foo<!--esi-->bar<!--esx-->baz
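The comparison described in this issue, written out as an added example (not code from UploadScanner or ActiveScan++). The function names and verdict labels are assumptions, and the sample response bodies are constructed; the extra verdicts separate ESI processing from generic comment stripping and from HTML encoding.

```python
import html
import secrets

ESI_TAG = "<!--esi-->"      # well-formed ESI comment marker: an ESI processor removes it
CONTROL_TAG = "<!--esx-->"  # malformed look-alike: an ESI processor leaves it alone


def build_probe(tokens=None):
    """Return (probe, tokens). Random tokens keep matches from being accidental."""
    a, b, c = tokens or tuple(secrets.token_hex(4) for _ in range(3))
    return a + ESI_TAG + b + CONTROL_TAG + c, (a, b, c)


def classify_reflection(body, tokens):
    """Classify how a reflected probe came back in the response body."""
    a, b, c = tokens
    raw = a + ESI_TAG + b + CONTROL_TAG + c
    # Only the valid ESI tag vanished while the control survived:
    # something between client and origin parsed ESI.
    if a + b + CONTROL_TAG + c in body:
        return "esi-processed"
    # Both tags came back untouched: reflected, but nothing parsed ESI.
    if raw in body:
        return "reflected-unprocessed"
    # Both tags vanished: a sanitizer strips HTML comments, which says
    # nothing about ESI (this is why the control tag is needed).
    if a + b + c in body:
        return "all-comments-stripped"
    # Output encoding neutralised the markup before any surrogate saw it.
    if html.escape(raw) in body:
        return "html-encoded"
    return "not-reflected"


# Constructed sample response bodies, using the foo/bar/baz tokens from the issue.
SAMPLES = {
    "surrogate": "<p>name: foobar<!--esx-->baz</p>",
    "plain": "<p>name: foo<!--esi-->bar<!--esx-->baz</p>",
    "sanitizer": "<p>name: foobarbaz</p>",
    "encoded": "<p>name: foo&lt;!--esi--&gt;bar&lt;!--esx--&gt;baz</p>",
    "absent": "<p>upload ok</p>",
}


def run_samples():
    tokens = ("foo", "bar", "baz")
    return {name: classify_reflection(body, tokens) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(name, "->", verdict)
```
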

ReDownloader Last Match

When uploading files I almost always end in a situation where I have to match the last in the list, however Upload Scanner always uses the first. There are situations where it is not possible to create an appropriate marker (even when using $PYTHONSTR). So I'd like to be able to use wild cards (as in RegEx) or search "backward" for the markers instead of forward.

Default parallelism?

Hello,

in the extension's config, I see a way to configure a delay between requests (which defaults to 1s) but nothing related to parallelism (i.e. number of threads). For a complex scenario where Preflight + ReDownload + macros are needed, I need to have no parallelism, aka use a single thread.

What is the default number of threads? And if it's not mono-threaded by default, how can I configure the extension to behave this way? Thanks in advance!

Feature request: Removing files

Hi,

first of all, it's an amazing extension, and great documentation - you rarely see these 2 hand in hand :)

I've tried to scan a couple of file uploads, where you were only able to upload a specific amount (3 in my case) of files at a time. Meaning, if I run this extension, first 3 files are uploaded, but afterwards I get errors.

Would it be possible to implement a file removal? After the file is successfully uploaded and then downloaded by the tool, and inspected, it could visit yet another URL to remove the file.

Such cleanup would also be very good for regular pentests, not to overflow client with hundreds of different files:)

Many thanks,

Andrej

UploadScanner bug

Traceback (most recent call last):
  File "/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 919, in doActiveScan
    self.do_checks(injector)
  File "/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1031, in do_checks
    colab_tests.extend(self._htaccess(injector, burp_colab))
  File "/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1031, in do_checks
    colab_tests.extend(self._htaccess(injector, burp_colab))
  File "/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1978, in _htaccess
    if urr.download_rr:
AttributeError: 'NoneType' object has no attribute 'download_rr'

Upload Scanner Version: 1.0.5

Jython version: 2.7.0 (default:9987c746f838, Apr 29 2015, 02:25:11) 
[Java HotSpot(TM) 64-Bit Server VM (Oracle Corporation)]
Java version: 1.8.0_112
Burp version: Burp Suite Professional 2.0 08beta
Command line arguments: 
Was loaded from BApp: True

The full one

  File "/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 6878, in get_matchers_for_url
    return self.with_global(hostport, self._collection[hostport])
  File "/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 6851, in with_global
    for alt_name in self._scope_mapping[name]:
KeyError: 'some.domain.tld'

	at org.python.core.PyException.doRaise(PyException.java:226)
	at org.python.core.Py.makeException(Py.java:1337)
	at org.python.pycode._pyx4.processHttpMessage$22(/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py:880)
	at org.python.pycode._pyx4.call_function(/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py)
	at org.python.core.PyTableCode.call(PyTableCode.java:167)
	at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
	at org.python.core.PyBaseCode.call(PyBaseCode.java:198)
	at org.python.core.PyFunction.__call__(PyFunction.java:482)
	at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
	at org.python.core.PyMethod.__call__(PyMethod.java:228)
	at org.python.core.PyMethod.__call__(PyMethod.java:218)
	at org.python.core.PyMethod.__call__(PyMethod.java:213)
	at org.python.core.PyObject._jcallexc(PyObject.java:3626)
	at org.python.core.PyObject._jcall(PyObject.java:3658)
	at org.python.proxies.__main__$BurpExtender$8.processHttpMessage(Unknown Source)
	at burp.cdz.run(Unknown Source)
	at java.lang.Thread.run(Thread.java:745)
Traceback (most recent call last):
  File "/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 838, in processHttpMessage
    matchers = self.dl_matchers.get_matchers_for_url(url)
  File "/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 6878, in get_matchers_for_url
    return self.with_global(hostport, self._collection[hostport])
  File "/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 6851, in with_global
    for alt_name in self._scope_mapping[name]:
KeyError: 'some.domain.tld'

	at org.python.core.PyException.doRaise(PyException.java:226)
	at org.python.core.Py.makeException(Py.java:1337)
	at org.python.pycode._pyx4.processHttpMessage$22(/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py:880)
	at org.python.pycode._pyx4.call_function(/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py)
	at org.python.core.PyTableCode.call(PyTableCode.java:167)
	at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
	at org.python.core.PyBaseCode.call(PyBaseCode.java:198)
	at org.python.core.PyFunction.__call__(PyFunction.java:482)
	at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
	at org.python.core.PyMethod.__call__(PyMethod.java:228)
	at org.python.core.PyMethod.__call__(PyMethod.java:218)
	at org.python.core.PyMethod.__call__(PyMethod.java:213)
	at org.python.core.PyObject._jcallexc(PyObject.java:3626)
	at org.python.core.PyObject._jcall(PyObject.java:3658)
	at org.python.proxies.__main__$BurpExtender$8.processHttpMessage(Unknown Source)
	at burp.cdz.run(Unknown Source)
	at java.lang.Thread.run(Thread.java:745)
Traceback (most recent call last):
  File "/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 919, in doActiveScan
    self.do_checks(injector)
  File "/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1031, in do_checks
    colab_tests.extend(self._htaccess(injector, burp_colab))
  File "/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1031, in do_checks
    colab_tests.extend(self._htaccess(injector, burp_colab))
  File "/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1978, in _htaccess
    if urr.download_rr:
AttributeError: 'NoneType' object has no attribute 'download_rr'

	at org.python.core.PyException.doRaise(PyException.java:226)
	at org.python.core.Py.makeException(Py.java:1337)
	at org.python.pycode._pyx4.doActiveScan$27(/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py:926)
	at org.python.pycode._pyx4.call_function(/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py)
	at org.python.core.PyTableCode.call(PyTableCode.java:167)
	at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
	at org.python.core.PyBaseCode.call(PyBaseCode.java:198)
	at org.python.core.PyFunction.__call__(PyFunction.java:482)
	at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
	at org.python.core.PyMethod.__call__(PyMethod.java:228)
	at org.python.core.PyMethod.__call__(PyMethod.java:218)
	at org.python.core.PyMethod.__call__(PyMethod.java:213)
	at org.python.core.PyObject._jcallexc(PyObject.java:3626)
	at org.python.core.PyObject._jcall(PyObject.java:3658)
	at org.python.proxies.__main__$BurpExtender$8.doActiveScan(Unknown Source)
	at burp.cld.run(Unknown Source)
	at java.lang.Thread.run(Thread.java:745)
Traceback (most recent call last):
  File "/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 7482, in run
    self.func()
  File "/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 8911, in _start_scan_thread
    self._burp_extender.doActiveScan(self.scan_controler.brr, insertionPoint, options=self)
  File "/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 919, in doActiveScan
    self.do_checks(injector)
  File "/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1031, in do_checks
    colab_tests.extend(self._htaccess(injector, burp_colab))
  File "/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1031, in do_checks
    colab_tests.extend(self._htaccess(injector, burp_colab))
  File "/home/fpe/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1978, in _htaccess
    if urr.download_rr:
AttributeError: 'NoneType' object has no attribute 'download_rr'

How to parse filename from request instead of response

Hi,

I'm working on a project where the filename of the uploaded file is generated in the upload request instead of the response. How can I parse the filename via the start and end marker in the request instead of the response?

Feature Request: Improve Audit Strategy

Hi,

Currently, when a scan is started, it will use the default audit strategy in Burp 2.0 which has everything in it, not just the extension generated requests. It would be nice if it uses a default audit strategy that only scans for extension generated issues.

"Replace filename in requests" disabled but still replaces "filename" content

I'm scanning a multipart upload form which blocks requests with svg and php extensions. If such extensions are submitted, the server refuses any other upload requests and returns error 500.

svg extension can be disabled in Show file format checkboxes.
However there is no checkbox for php.

A potential workaround should be to uncheck "Replace filename in requests", but even if it is unchecked the scanner still changes the filename field, i.e. in the first 3 requests the filename field value in the multipart POST is:

filename="SanityCheck.png
filename="ZsJOIm18Colab0Jvz.png"
filename="ZsJOIm18Colab1wBH.png"
....
....
filename="randomname.php"  <----- blocks any subsequent uploads

Any ideas how to fix it?

Some Bug, fam

Traceback (most recent call last):
  File "C:\Users\scumd\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 981, in doActiveScan
    self.do_checks(injector)
  File "C:\Users\scumd\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 1073, in do_checks
    colab_tests.extend(self._magick(injector, burp_colab))
  File "C:\Users\scumd\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 1073, in do_checks
    colab_tests.extend(self._magick(injector, burp_colab))
  File "C:\Users\scumd\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 1457, in _magick
    colabs.extend(self._send_collaborator(injector, burp_colab, types, basename, content, issue, replace=replace))
  File "C:\Users\scumd\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 4296, in _send_collaborator
    urr = self._make_http_request(injector, req)
  File "C:\Users\scumd\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 4380, in _make_http_request
    attack = self._callbacks.makeHttpRequest(service, req)
RuntimeException: java.lang.RuntimeException: timbanbonphuong.vn

Upload Scanner Version: 1.0.8

Extension code location: doActiveScan
Jython version: 2.7.1 (default:0df7adb1b397, Jun 30 2017, 19:02:43) 
[Java HotSpot(TM) 64-Bit Server VM (Oracle Corporation)]
Java version: 1.8.0_221
Burp version: Burp Suite Professional 2.0 11beta
Command line arguments: 
Was loaded from BApp: True
Request: 'POST /requests.php?f=update_user_avatar_picture HTTP/1.1\r\nHost: timbanbonphuong.vn\r\nUser-Agent:
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0\r\nAccept: */*\r
\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nX-Requested-With:
XMLHttpRequest\r\nContent-Type: multipart/form-data;
boundary=---------------------------18467633426500\r\nContent-Length: 656869\r\nOrigin:
https://timbanbonphuong.vn\r\nConnection: close\r\nReferer:
https://timbanbonphuong.vn/timbothedarkrider/activities\r\nCookie:
PHPSESSID=c8ec512421cf8a3849358ed6d00a1a14; ad-con=a%3A2%3A%7Bs%3A4%3A%26quot%3Bdate%26quot%3B%3Bs%3
A10%3A%26quot%3B2019-10-31%26quot%3B%3Bs%3A3%3A%26quot%3Bads%26quot%3B%3Ba%3A0%3A%7B%7D%7D;
_us=1572609598; mode=night; access=1; src=1; _ga=GA1.2.1244557395.1572521717;
_gid=GA1.2.1772378144.1572521717; cookieconsent_status=dismiss; user_id=bce559e36595551f0e8b344d280e
2b99b111a2d4fca6d27ee85743738d6b9ece9f993a8c38364111680390c55bbd9ce416d1d6...

UploadScanner bug when Collaborator is disabled

I have the Burp Collaborator disabled by default, as it is not reachable from the testing environment. If I understand it correctly, some payloads do not require Collaborator, but rather re-download of the files, which I configured. Is it possible to make it work without Collaborator? Trace follows:

Traceback (most recent call last):
  File "E:\BurpSuite Settings and Extensions\Extenders\Upload_Scanner\UploadScanner.py", line 877, in doActiveScan
    self.do_checks(injector)
  File "E:\BurpSuite Settings and Extensions\Extenders\Upload_Scanner\UploadScanner.py", line 928, in do_checks
    burp_colab = BurpCollaborator(self._callbacks)
  File "E:\BurpSuite Settings and Extensions\Extenders\Upload_Scanner\UploadScanner.py", line 4142, in __init__
    self.is_ip_collaborator = '/' in FloydsHelpers.u2s(callbacks.createBurpCollaboratorClientContext().generatePayload(True))
IllegalStateException: java.lang.IllegalStateException: Burp Collaborator is disabled in the Project options

UploadScanner bug

Traceback (most recent call last):
  File "C:\Users\richard.clifford\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 813, in processHttpMessage
    url = FloydsHelpers.u2s(iRequestInfo.getUrl().toString())
AttributeError: 'NoneType' object has no attribute 'toString'

Upload Scanner Version: 1.0.3

Jython version: 2.7.0 (default:9987c746f838, Apr 29 2015, 02:25:11) 
[Java HotSpot(TM) 64-Bit Server VM (Oracle Corporation)]
Java version: 1.8.0_112

UploadScanner bug

Traceback (most recent call last):
  File "/home/xml/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 804, in processHttpMessage
    body = FloydsHelpers.jb2ps(base_request_response.getResponse())[iResponseInfo.getBodyOffset():]
  File "/home/xml/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 4085, in jb2ps
    return ''.join(map(lambda x: chr(x % 256), arr))
OutOfMemoryError: java.lang.OutOfMemoryError: GC overhead limit exceeded

UploadScanner bug

Traceback (most recent call last):
  File "C:\Users\example\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 919, in doActiveScan
    self.do_checks(injector)
  File "C:\Users\example\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 985, in do_checks
    self._sanity_check(injector)
  File "C:\Users\example\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 985, in do_checks
    self._sanity_check(injector)
  File "C:\Users\example\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 1154, in _sanity_check
    self._send_simple(injector, types, "SanityCheck", content, redownload=False, randomize=False)
  File "C:\Users\example\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 4028, in _send_simple
    urrs.append(self._make_http_request(injector, req))
  File "C:\Users\example\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 4181, in _make_http_request
    attack = self._callbacks.makeHttpRequest(service, req)
RuntimeException: java.lang.RuntimeException

Upload Scanner Version: 1.0.5

Jython version: 2.7.0 (default:9987c746f838, Apr 29 2015, 02:25:11) 
[Java HotSpot(TM) 64-Bit Server VM (Oracle Corporation)]
Java version: 1.8.0_77
Burp version: Burp Suite Professional 1.7 30
Command line arguments: -Xmx1G
Was loaded from BApp: True

The default "sleep" payloads argument (6) is too short, causing loads of false positives

It would be great to have the ability to manually set the delay used for the "sleep" command injection payloads to avoid false positives in environments where the standard responses are a bit lengthy. Also, it would be nice to actually check the standard response time first and then calculate the delta to establish the eventual execution indicator delay. Currently getting false positives with the hardcoded 6-second delay while the app takes between 3 to 15 seconds to respond to the upload request, without any correlation with the payload. Could avoid this if I were able to set the delay to like 20 seconds, which would be the minimum response time to raise an issue.
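One way to implement the baseline-then-delta check requested above, as an added example (not the extension's code). The fixed-threshold `naive_check`, the function names and the 2-second margin are assumptions; the baseline timings are constructed to match the 3 to 15 second range described.

```python
# Constructed baseline: response times (seconds) of unmodified upload requests,
# spanning the 3 to 15 second range reported in the issue.
BASELINE = [3.0, 7.0, 15.0, 9.0, 4.0]


def baseline_range(samples):
    """Fastest and slowest normal response; needs a few samples to be meaningful."""
    if len(samples) < 3:
        raise ValueError("measure at least 3 baseline requests first")
    return min(samples), max(samples)


def naive_check(observed, sleep_time):
    """Fixed threshold (assumed): any response slower than the sleep is flagged."""
    return observed >= sleep_time


def min_usable_sleep(samples, margin=2.0):
    """Smallest sleep for which even the fastest delayed response
    (lo + sleep) is slower than the slowest normal one (hi) plus a margin."""
    lo, hi = baseline_range(samples)
    return (hi - lo) + margin


def baseline_aware_verdict(observed, samples, sleep_time, margin=2.0):
    """Return 'inconclusive', 'delayed' or 'normal' for one timed response."""
    lo, _hi = baseline_range(samples)
    if sleep_time < min_usable_sleep(samples, margin):
        # The sleep is shorter than the application's own jitter, so a slow
        # response proves nothing: do not raise an issue.
        return "inconclusive"
    # Because sleep_time >= (hi - lo) + margin, lo + sleep_time >= hi + margin:
    # a response this slow cannot be explained by normal variation.
    return "delayed" if observed >= lo + sleep_time else "normal"


if __name__ == "__main__":
    print("naive, 10s response, sleep 6:", naive_check(10.0, 6))
    print("minimum usable sleep:", min_usable_sleep(BASELINE))
    print("aware, 10s response, sleep 6:", baseline_aware_verdict(10.0, BASELINE, 6))
    print("aware, 24s response, sleep 20:", baseline_aware_verdict(24.0, BASELINE, 20))
```
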

flexinjector configured but file content not found in upload request

I was testing a site profile, so I selected a .png file and then sent the request to UploadScanner
and set everything, but I'm getting this error:

"flexinjector configured but file content not found in upload request, rare case of javascript changes? aborting

Here is how the request looks:

POST /api/content HTTP/1.1
Host: example.com
User-Agent: Firefox/62.0
Accept: application/vnd.zinc+json;level=17
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: image/png
Authorization: Basic
Timestamp: 2018-11-29T20:34:56.551+05:30
X-Requested-With: XMLHttpRequest
Content-Length: 77643
Cookie: some cookies here ..
Connection: close

‰PNG
...

Bug

Traceback (most recent call last):
  File "/home/bb/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1026, in run_flexiinjector
    self.do_checks(fi)
  File "/home/bb/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1143, in do_checks
    colab_tests.extend(self._ssrf(injector, burp_colab))
  File "/home/bb/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1143, in do_checks
    colab_tests.extend(self._ssrf(injector, burp_colab))
  File "/home/bb/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 2996, in _ssrf
    self._send_simple(injector, self.URL_TYPES, basename + "Mal", content, redownload=True)
  File "/home/bb/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 4225, in _send_simple
    urrs.append(self._make_http_request(injector, req, redownload_filename=x))
  File "/home/bb/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 4380, in _make_http_request
    attack = self._callbacks.makeHttpRequest(service, req)
RuntimeException: java.lang.RuntimeException

Upload Scanner Version: 1.0.8

Extension code location: run_flexiinjector
Jython version: 2.7.0 (default:9987c746f838, Apr 29 2015, 02:25:11) 
[OpenJDK 64-Bit Server VM (Oracle Corporation)]
Java version: 1.8.0_191
Burp version: Burp Suite Professional 1.7 32
Command line arguments: 
Was loaded from BApp: True
Request: 'POST /v1_1/dedpsogvz/upload HTTP/1.1\r\nHost: api.cloudinary.com\r\nConnection: close\r\nContent-
Length: 23281\r\nAccept: application/json, text/javascript, */*; q=0.01\r\nX-Requested-With: XMLHttpRequest\r\nX-Unique-Upload-Id:
16e7c4038.de12a\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/70.0.3538.77 Safari/537.36\r\nContent-Type: multipart/form-data;
boundary=----WebKitFormBoundaryaUA27ND0r4frjqCN\r\nAccept-Encoding: gzip,
deflate\r\nAccept-Language: en-US,en;q=0.9,ne;q=0.8\r\n\r\n------
WebKitFormBoundaryaUA27ND0r4frjqCN\r\nContent-Disposition: form-data;
name="use_filename"\r\n\r\ntrue\r\n------WebKitFormBoundaryaUA27ND0r4frjqCN\r\nContent-Disposition:
form-data; name="unique_filename"\r\n\r\nfalse\r\n------WebKitFormBoundaryaUA27ND0r4frjqCN\r
\nContent-Disposition: form...

UploadScanner bug

Traceback (most recent call last):
  File "C:\Users\d.vailati\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 798, in processHttpMessage
    matchers = self.dl_matchers.get_matchers_for_url(url)
  File "C:\Users\d.vailati\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 6595, in get_matchers_for_url
    hostport = self._get_host(url)
  File "C:\Users\d.vailati\AppData\Roaming\BurpSuite\bapps\b2244cbb6953442cb3c82fa0a0d908fa\UploadScanner.py", line 6622, in _get_host
    x = urlparse.urlparse(url)
  File "C:\Users\d.vailati\Desktop\SecurityTesting\jython-standalone-2.7.0.jar\Lib\urlparse.py", line 140, in urlparse
    tuple = urlsplit(url, scheme, allow_fragments)
  File "C:\Users\d.vailati\Desktop\SecurityTesting\jython-standalone-2.7.0.jar\Lib\urlparse.py", line 188, in urlsplit
    raise ValueError("Invalid IPv6 URL")
ValueError: Invalid IPv6 URL
