Building highly customised pentest tooling: Burp extension development (part 1)
Word count: 1500   2025-08-25 22:58:20
A complete guide to Burp extension development
1. Burp extension development basics
1.1 Setting up the development environment
- Burp extensions can be written in Java, Python or Ruby. Python extensions run on Jython 2.7, so they must use Python 2 syntax (no f-strings, no type annotations); Ruby extensions run on JRuby. Both use the legacy Extender API (the burp.I* interfaces used throughout this guide); the newer Montoya API is only available from Java (JVM) code.
- For Python you need the Jython standalone JAR, and Burp must be pointed at it in the Extensions settings (Python environment).
- Official API documentation: Generated Documentation
- Official sample code: Burp Suite Extensibility
1.2 The core interface
Every Burp extension must implement IBurpExtender, and for Python the class must be named BurpExtender. The interface has a single method, registerExtenderCallbacks, which Burp calls once when the extension loads and hands it the callbacks object that every later interaction with Burp goes through:

    from burp import IBurpExtender

    class BurpExtender(IBurpExtender):
        def registerExtenderCallbacks(self, callbacks):
            # keep the callbacks and helpers: every other API call goes through them
            self._callbacks = callbacks
            self._helpers = callbacks.getHelpers()
            callbacks.setExtensionName('My Extension')
2. The core APIs in detail
2.1 The IBurpExtenderCallbacks interface
This is the most important interface: it provides every method for interacting with Burp.
Commonly used methods:
- addScanIssue(IScanIssue issue): report a custom finding to the site map / Issues view
- addSuiteTab(ITab tab): add a custom top-level tab
- createBurpCollaboratorClientContext(): create a Burp Collaborator client
- getHelpers(): obtain the IExtensionHelpers instance
- registerHttpListener(IHttpListener listener): register an HTTP listener
- makeHttpRequest(IHttpService service, byte[] request): send a request and receive an IHttpRequestResponse (the host/port/useHttps/request overload returns the raw response bytes instead)
Example: reporting a custom scan issue

    from burp import IScanIssue
    from java.net import URL

    class CustomIssue(IScanIssue):
        def __init__(self, basePair, issueName='Custom Issue', issueDetail='Detail', severity='High'):
            self._httpMessages = [basePair]
            self._httpService = basePair.getHttpService()
            # IHttpRequestResponse has no getUrl(): rebuild the URL from the service and the request line
            # (helpers.analyzeRequest(basePair).getUrl() does the same when the helpers are at hand)
            path = basePair.getRequest().tostring().split("\r\n", 1)[0].split(" ")[1]
            self._url = URL(self._httpService.getProtocol(), self._httpService.getHost(),
                            self._httpService.getPort(), path)
            self._issueName, self._issueDetail, self._severity = issueName, issueDetail, severity

        # Burp calls every getter below; leaving one out makes the issue invalid
        def getUrl(self): return self._url
        def getIssueName(self): return self._issueName
        def getIssueType(self): return 0x08000000          # "Extension generated issue"
        def getSeverity(self): return self._severity       # High / Medium / Low / Information
        def getConfidence(self): return "Certain"          # Certain / Firm / Tentative
        def getIssueBackground(self): return None
        def getRemediationBackground(self): return None
        def getIssueDetail(self): return self._issueDetail
        def getRemediationDetail(self): return None
        def getHttpMessages(self): return self._httpMessages
        def getHttpService(self): return self._httpService

    # usage
    issue = CustomIssue(messageInfo)
    self._callbacks.addScanIssue(issue)
2.2 The IExtensionHelpers interface
Obtained through callbacks.getHelpers(); it provides the message-handling utilities.
Commonly used methods:
- analyzeRequest(): parse a request into headers, body offset, parameters and URL (IRequestInfo)
- analyzeResponse(): parse a response into headers, body offset, status code and cookies (IResponseInfo)
- buildHttpMessage(): build a message from a header list and a body; Content-Length is recalculated for you
- urlEncode()/urlDecode(): URL encoding and decoding
- addParameter()/removeParameter()/updateParameter(): parameter operations; they only handle URL, body and cookie parameters (PARAM_URL, PARAM_BODY, PARAM_COOKIE), so JSON, XML or multipart parameters need the body rebuilt by hand
Example: changing a request parameter

    request = messageInfo.getRequest()
    analyzedReq = self._helpers.analyzeRequest(request)
    for param in analyzedReq.getParameters():
        if param.getName() == "test":
            # buildParameter() creates the replacement; updateParameter() returns the new request bytes
            newParam = self._helpers.buildParameter("test", "newvalue", param.getType())
            request = self._helpers.updateParameter(request, newParam)
    messageInfo.setRequest(request)
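Rebuilding a message by hand is where extensions usually go wrong (stale Content-Length, a parameter edited in the wrong place), so it helps to see what the helpers do underneath. The following is an added stand-alone example, not Burp's code and not part of the original post: a pure-Python stand-in that parses a request into headers, body offset and typed parameters, rewrites one parameter and re-emits the message with a corrected Content-Length. The names (analyze_request, update_parameter, build_http_message, Param, PARAM_*) are hypothetical and only mirror the helper methods, the sample request is constructed, and the code runs under CPython 3 outside Burp.

```python
# Added example (CPython 3, runs outside Burp): a stand-in for what the
# IExtensionHelpers methods analyzeRequest()/updateParameter()/buildHttpMessage()
# do. Names are hypothetical and mirror the helpers; this is not the Burp API.
from collections import namedtuple
from urllib.parse import parse_qsl, urlencode

# same numbering as IParameter.PARAM_URL / PARAM_BODY / PARAM_COOKIE
PARAM_URL, PARAM_BODY, PARAM_COOKIE = 0, 1, 2
Param = namedtuple("Param", "name value type")


def header_value(headers, name):
    """Value of the first header called `name` (case-insensitive), or ''."""
    for h in headers[1:]:
        if h.lower().startswith(name + ":"):
            return h.split(":", 1)[1].strip()
    return ""


def analyze_request(raw):
    """Split a raw HTTP/1.x request into (headers, body_offset, params)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    body_offset = len(head) + len(sep)
    headers = head.decode("latin-1").split("\r\n")     # headers[0] is the request line
    target = headers[0].split(" ", 2)[1]
    params = []
    if "?" in target:                                    # query string -> PARAM_URL
        query = target.split("?", 1)[1]
        params += [Param(k, v, PARAM_URL) for k, v in parse_qsl(query, keep_blank_values=True)]
    ctype = header_value(headers, "content-type")
    if ctype.startswith("application/x-www-form-urlencoded"):   # form body -> PARAM_BODY
        params += [Param(k, v, PARAM_BODY)
                   for k, v in parse_qsl(body.decode("latin-1"), keep_blank_values=True)]
    for cookie in header_value(headers, "cookie").split(";"):   # Cookie header -> PARAM_COOKIE
        if "=" in cookie:
            k, v = cookie.strip().split("=", 1)
            params.append(Param(k, v, PARAM_COOKIE))
    return headers, body_offset, params


def build_http_message(headers, body):
    """Join headers and body; Content-Length is recomputed, as buildHttpMessage() does."""
    fixed = [h for h in headers if not h.lower().startswith("content-length:")]
    if body:
        fixed.append("Content-Length: %d" % len(body))
    return "\r\n".join(fixed).encode("latin-1") + b"\r\n\r\n" + body


def update_parameter(raw, new):
    """Replace the value of an existing parameter of the given name and type.
    Like updateParameter(), only URL, body and cookie parameters are handled."""
    headers, body_offset, params = analyze_request(raw)
    body = raw[body_offset:]
    same = [p for p in params if p.type == new.type]
    pairs = [(p.name, new.value if p.name == new.name else p.value) for p in same]
    if new.type == PARAM_BODY and pairs:
        body = urlencode(pairs).encode("latin-1")
    elif new.type == PARAM_URL and pairs:
        method, target, version = headers[0].split(" ", 2)
        headers[0] = "%s %s?%s %s" % (method, target.split("?", 1)[0], urlencode(pairs), version)
    elif new.type == PARAM_COOKIE and pairs:
        cookie = "Cookie: " + "; ".join("%s=%s" % kv for kv in pairs)
        headers = [cookie if h.lower().startswith("cookie:") else h for h in headers]
    return build_http_message(headers, body)


# constructed sample request used for the demo
SAMPLE = (b"POST /login?debug=0 HTTP/1.1\r\n"
          b"Host: target.example\r\n"
          b"Cookie: session=abc; test=old\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: 17\r\n"
          b"\r\n"
          b"user=bob&test=old")

if __name__ == "__main__":
    print(update_parameter(SAMPLE, Param("test", "newvalue", PARAM_BODY)).decode("latin-1"))
```

Note that the parameter type decides where the edit lands: the same name "test" exists both as a body parameter and as a cookie in the sample, and only the one whose type matches is rewritten, which is exactly why the page's example passes param.getType() through to buildParameter().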
2.3 The IBurpCollaboratorClientContext interface
Used for out-of-band (DNSLog-style) detection: the extension plants a unique Collaborator hostname in a payload and later asks the Collaborator server whether anything resolved or fetched it.
Core methods:
- generatePayload(boolean includeServerLocation): generate a Collaborator payload; with True the full hostname (<id>.<server>) is returned
- fetchAllCollaboratorInteractions(): fetch every interaction recorded so far
- fetchCollaboratorInteractionsFor(String payload): fetch the interactions for one payload
Example: blind XXE detection

    collaboratorContext = callbacks.createBurpCollaboratorClientContext()
    payload = collaboratorContext.generatePayload(True)
    # Jython is Python 2: use % formatting, not f-strings
    xxe_payload = ('<?xml version="1.0"?>\n'
                   '<!DOCTYPE test [\n'
                   '<!ENTITY %% remote SYSTEM "http://%s/">\n'
                   '%%remote;\n'
                   ']><test>test</test>') % payload
    # ... send xxe_payload in the request body (e.g. with callbacks.makeHttpRequest) ...
    # interactions are recorded asynchronously: poll after a delay rather than right away
    interactions = collaboratorContext.fetchCollaboratorInteractionsFor(payload)
    for interaction in interactions:
        # a DNS interaction shows the name was resolved; an HTTP one proves the parser fetched the URL
        callbacks.printOutput("XXE confirmed (%s interaction from %s)" % (
            interaction.getProperty("type"), interaction.getProperty("client_ip")))

A check that fetches interactions immediately after sending the request will usually see nothing yet; a real scanner check keeps the payload and re-polls later, or uses a deferred check so the finding is reported when the interaction arrives.
3. Advanced features
3.1 Building a custom UI
Use addSuiteTab() to add a custom tab. Swing components are created here; calling callbacks.customizeUiComponent() on them applies Burp's look and feel.
Example: a simple UI

    from javax.swing import JPanel, JButton, JTextField
    from java.awt import BorderLayout
    from burp import ITab

    class CustomTab(ITab):
        def __init__(self, callbacks):
            self._callbacks = callbacks
            self._panel = JPanel(BorderLayout())   # NORTH/SOUTH constraints only work with a BorderLayout
            self._textField = JTextField(20)
            self._button = JButton("Click me", actionPerformed=self.buttonClicked)
            self._panel.add(self._textField, BorderLayout.NORTH)
            self._panel.add(self._button, BorderLayout.SOUTH)
            callbacks.customizeUiComponent(self._panel)

        def getTabCaption(self):
            return "My Tab"

        def getUiComponent(self):
            return self._panel

        def buttonClicked(self, event):
            self._callbacks.printOutput("Button clicked: " + self._textField.getText())

    # register the tab (inside registerExtenderCallbacks)
    tab = CustomTab(callbacks)
    callbacks.addSuiteTab(tab)
3.2 Context menus
Implement IContextMenuFactory to add right-click menu items. createMenuItems() is called every time a menu opens and returns the items to add; the invocation object tells you where the menu was opened and which messages are selected.
Example: send to Repeater

    from burp import IContextMenuFactory
    from javax.swing import JMenuItem
    from java.util import ArrayList

    class MenuFactory(IContextMenuFactory):
        def __init__(self, callbacks):
            self._callbacks = callbacks

        def createMenuItems(self, invocation):
            menuList = ArrayList()
            menuItem = JMenuItem("Send to Repeater (custom)",
                                 actionPerformed=lambda x: self.sendToRepeater(invocation))
            menuList.add(menuItem)
            return menuList

        def sendToRepeater(self, invocation):
            messages = invocation.getSelectedMessages()
            if not messages:   # menu opened somewhere without a selected message
                return
            message = messages[0]
            service = message.getHttpService()
            self._callbacks.sendToRepeater(
                service.getHost(),
                service.getPort(),
                service.getProtocol() == "https",
                message.getRequest(),
                None)   # tab caption; None lets Repeater choose one

    # register the factory
    callbacks.registerContextMenuFactory(MenuFactory(callbacks))
3.3 Listening to HTTP traffic
IHttpListener sees every request and response of every Burp tool. Check toolFlag before modifying anything: a listener that rewrites Scanner or Repeater traffic corrupts their results, and a listener that rewrites every message does so for the Intruder attack you are watching too. Also check Content-Encoding first: unless Burp's option to unpack gzip/deflate is on, the body bytes are still compressed and a plain string replace will match nothing.
Example: modifying a response

    from burp import IHttpListener

    class HttpListener(IHttpListener):
        def __init__(self, callbacks):
            self._callbacks = callbacks
            self._helpers = callbacks.getHelpers()

        def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
            # only touch Proxy responses
            if messageIsRequest or toolFlag != self._callbacks.TOOL_PROXY:
                return
            response = messageInfo.getResponse()
            analyzed = self._helpers.analyzeResponse(response)
            headers = analyzed.getHeaders()
            body = response[analyzed.getBodyOffset():]
            # rewrite the body; buildHttpMessage() recalculates Content-Length for the new body
            newBody = body.tostring().replace("old", "new")
            messageInfo.setResponse(self._helpers.buildHttpMessage(headers, self._helpers.stringToBytes(newBody)))

    # register the listener
    callbacks.registerHttpListener(HttpListener(callbacks))
4. Practical cases
4.1 A passive scan check
IScannerCheck has three methods and Burp calls all of them, so a passive-only check still has to define doActiveScan and consolidateDuplicateIssues. doPassiveScan only inspects traffic Burp has already seen and must not send requests.

    from burp import IScannerCheck

    class PassiveScanner(IScannerCheck):
        def __init__(self, callbacks):
            self._helpers = callbacks.getHelpers()

        def doPassiveScan(self, baseRequestResponse):
            response = baseRequestResponse.getResponse()
            # sensitive-data check; a bare keyword match like this fires on every login form too
            if "password" in self._helpers.bytesToString(response).lower():
                return [CustomIssue(baseRequestResponse,
                                    "Sensitive Data Exposure",
                                    "Password found in response")]
            return None

        def doActiveScan(self, baseRequestResponse, insertionPoint):
            return None   # passive-only check

        def consolidateDuplicateIssues(self, existingIssue, newIssue):
            # -1: keep the existing issue, 0: report both, 1: replace it with the new one
            return -1 if existingIssue.getIssueName() == newIssue.getIssueName() else 0

    # register the check
    callbacks.registerScannerCheck(PassiveScanner(callbacks))
4.2 An active scan check
doActiveScan is called once per insertion point (each parameter, header or cookie Burp decided to test) and may send requests. makeHttpRequest(service, bytes) returns an IHttpRequestResponse, not raw bytes, so the response has to be taken from it. Compare against the unmodified base response: a page that already says "error" must not be reported because a probe also says it.

    from burp import IScannerCheck

    class ActiveScanner(IScannerCheck):
        def __init__(self, callbacks):
            self._callbacks = callbacks
            self._helpers = callbacks.getHelpers()

        def doActiveScan(self, baseRequestResponse, insertionPoint):
            testPayloads = ["'", "\"", "<>"]
            baseText = self._helpers.bytesToString(baseRequestResponse.getResponse()).lower()
            issues = []
            for payload in testPayloads:
                checkRequest = insertionPoint.buildRequest(self._helpers.stringToBytes(payload))
                checkRequestResponse = self._callbacks.makeHttpRequest(
                    baseRequestResponse.getHttpService(), checkRequest)
                checkText = self._helpers.bytesToString(checkRequestResponse.getResponse()).lower()
                # only count an error the unmodified request did not already produce
                if "error" in checkText and "error" not in baseText:
                    issues.append(CustomIssue(checkRequestResponse,
                                              "SQL Injection",
                                              "Vulnerable to SQLi with payload %s" % payload))
            return issues if issues else None

        def doPassiveScan(self, baseRequestResponse):
            return None

        def consolidateDuplicateIssues(self, existingIssue, newIssue):
            return -1 if existingIssue.getIssueName() == newIssue.getIssueName() else 0

    # register the check
    callbacks.registerScannerCheck(ActiveScanner(callbacks))
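The two checks above stand or fall on their decision logic, and that logic can be written and tested without Burp. The following is an added stand-alone example, not Burp code and not the page's scanners: the passive side replaces the bare "password" keyword match with signatures that look for an actual secret value and report match offsets (which an extension would hand to applyMarkers()); the active side replaces `"error" in response` with DBMS error fingerprints checked against the baseline, so only an error the probe introduced counts. The signature lists, the function names (passive_findings, new_sql_errors, active_check) and all responses are constructed for the example; it runs under CPython 3 outside Burp.

```python
# Added example (CPython 3, runs outside Burp): the decision logic of a passive
# and an active IScannerCheck, written against plain bytes so it can be tested.
# Signature lists and responses are constructed; this is not Burp's own detection.
import re

# Passive: a value next to a secret-bearing key, rather than the bare word "password"
# (which fires on every login form's <input type="password">).
PASSIVE_SIGNATURES = [
    ("Password in JSON/form body",
     re.compile(r'"?(?:password|passwd|pwd)"?\s*[:=]\s*"?([^"&\s,}]{4,})', re.I)),
    ("AWS access key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("Private key material", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]


def passive_findings(response):
    """Return (name, start, end) per match; offsets are what applyMarkers() wants."""
    text = response.decode("latin-1")
    findings = []
    for name, rx in PASSIVE_SIGNATURES:
        for m in rx.finditer(text):
            findings.append((name, m.start(), m.end()))
    return findings


# Active: DBMS error fingerprints. The baseline comparison is the point: a page that
# already contains the word "error" must not be reported because a probe also does.
SQL_ERRORS = [
    ("MySQL", re.compile(r"You have an error in your SQL syntax|mysql_fetch|MySQLSyntaxErrorException", re.I)),
    ("PostgreSQL", re.compile(r"PG::SyntaxError|pg_query\(\)|ERROR:\s+syntax error at or near", re.I)),
    ("MSSQL", re.compile(r"Unclosed quotation mark|Microsoft SQL Native Client|SqlException", re.I)),
    ("Oracle", re.compile(r"\bORA-\d{5}\b")),
    ("SQLite", re.compile(r"SQLITE_ERROR|sqlite3\.OperationalError|unrecognized token", re.I)),
]


def new_sql_errors(base_response, probe_response):
    """DBMS names whose error signature appears in the probe but not in the baseline."""
    base = base_response.decode("latin-1")
    probe = probe_response.decode("latin-1")
    return [db for db, rx in SQL_ERRORS if rx.search(probe) and not rx.search(base)]


def active_check(base_response, probes):
    """probes: iterable of (payload, response), in the order they were sent.
    Mirrors doActiveScan's loop: the first payload that introduces a DB error yields
    one finding and the remaining payloads are skipped to keep the request count low."""
    for payload, resp in probes:
        dbs = new_sql_errors(base_response, resp)
        if dbs:
            return {"payload": payload, "dbms": dbs}
    return None


if __name__ == "__main__":
    # constructed responses
    leaky = (b'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n'
             b'{"user":"bob","password":"s3cret!","key":"AKIAIOSFODNN7EXAMPLE"}')
    login = b'HTTP/1.1 200 OK\r\n\r\n<form><input type="password" name="password"></form>'
    print(passive_findings(leaky))   # two findings
    print(passive_findings(login))   # none: a password field is not a leaked password
    base = b'HTTP/1.1 200 OK\r\n\r\n<p>Error: item not found</p>'
    mysql = b'HTTP/1.1 500 Internal Server Error\r\n\r\nYou have an error in your SQL syntax; check the manual'
    print(active_check(base, [('"', base), ("'", mysql), ("<>", base)]))
```

The offsets returned by passive_findings() are the piece an extension would feed to callbacks.applyMarkers() so the finding highlights the exact secret in the response viewer, and the first-hit-wins loop in active_check() is why a real check should order payloads from most to least informative.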
5. Debugging and optimisation tips
- Debug output: self._callbacks.printOutput("Debug message") and self._callbacks.printError("Error message") write to the extension's Output and Errors tabs in the Extensions view.
- Performance:
  - avoid slow work in processHttpMessage: it runs synchronously on every request and response of every tool, so a slow listener stalls Proxy, Scanner and Repeater alike
  - cache results to avoid repeated computation
  - move heavy processing off the calling thread (a java.lang.Thread, or a Scanner check rather than a listener)
- Exception handling: an uncaught exception ends up as a stack trace in the Errors tab and aborts that callback, so wrap extension code explicitly (Jython is Python 2, so use % formatting rather than f-strings):

    try:
        # extension code
        pass
    except Exception as e:
        self._callbacks.printError("Error: %s" % str(e))

- Preparing a release:
  - write detailed help documentation
  - test compatibility across Burp versions
  - consider submitting to the BApp Store
6. Learning resources
- Official documentation: Burp Extender API
- Sample code: Burp Extensibility Examples
- Community extensions: BApp Store
- Development tools: Jython, Java
With these core APIs and development patterns you can build powerful Burp extensions that automate your penetration-testing workflow and make testing more efficient.