Saturday, May 14, 2011

Buby Script Basics Part 5


√ evt_http_message     
√ evt_scan_issue         
doActiveScan         
√ doPassiveScan         
√ excludeFromScope 
√ includeInScope       
√ isInScope
√ issueAlert   
√ sendToIntruder
√ sendToRepeater
   sendToSpider
   makeHttpRequest


In this portion of the Buby Script Basics series (Part 5), we will cover all but two of the remaining methods (methods without lines through them) on our checklist.


As always, you can find sample scripts for each of these under the examples directory of the buby-script repo located Here.


The three methods we will cover are issueAlert, sendToIntruder, and sendToRepeater. The example script is called sendto_and_issue_alert.rb and encompasses all three.


The purpose of this script is to check the body of post messages to see if one of the parameters matches our list of interesting parameters (FUZZ_PARAMS) which deserve manual analysis. We'll perform the manual analysis with intruder/repeater and then issue an alert when the request has been sent over.


Unlike the previous tutorials, this script will be ran by invoking the method via the command line. 


Example of how to run this script (covered in Part 1 of this series:


$ jruby -S buby -i -B burp_pro.jar -r sendto_and_issue_alert.rb


This script is going to be run against the proxy history, it's going to search the proxy history looking for the interesting requests. After you've interacted with the site type "$burp.run".






If the parameters in the body of the POST message match our interesting params, you should see the following:


Request sent to repeater, notice the name of the tab (it is our fuzz param "Price")



The request has been sent to intruder


Lastly, an alert will appear notifying you that the previously mentioned actions have been taken.


Time to discuss the code that does all this :-)

First we establish parameters that could be interesting to us in terms of performing manual analysis.


This method '$burp.run' is the catalyst for everything that comes next. When the user types $burp.run at the console they are invoking this method. 

Line 2 instantiates the proxy_hist object ($burp.get_proxy_history). The fourth line determines if the length is greater than 0. If so, start iterating thru each obj in the get_proxy_history array. Line 7 invokes the hmeth method (passes it the 'obj' object). Line 8 calls extract_str with the result of Line 7 (hmeth...which is the HTTP Method) and the 'obj' object.



The req_meth takes the request_headers, takes the first line and converts it to a string. The '[0..3]' method extracts the first 4 characters of the first line of the request headers. The method returns this value.










Part 1 of extract_str

The extract_str method is where the FUZZ_PARAMS are searched against the request message and sent to repeater/intruder (along with the alert). 

The second line splits objs into the http_meth and req objects. 

The third line ensures that we do not execute any further code unless the http_meth is a POST method. 

Then we instantiate the bparams object as a Hash on line 4.

On line 5, the request_body gets split by the ampersand (so that we break up all the params and their values into key/value pairs (ex: Price=2099.00).

Next, we split these pairs up by the '=' (equal sign) and place each param/value (key/value) into the bparam hash. Conceptually the bparam hash would look like

bparam = {'Price' => '2099.00}

The last line assigns either true or false to the proto object based on whether or not the protocol is https.


Part 2 of extract_str

Here we begin iterating thru each item in the FUZZ_PARAM array. If the bparam hash has as key which matches on of the items in FUZZ_PARAM, we send it to intruder/repeater and issue our alerts.

Explanation of methods:


sendToIntruder(host, port, https, req)
-host
-port
-true/false (for http/https)
-request string

sendToRepeater(host, port, https, req, tab = nil)
-host
-port
-true/false (for http/https)
-request string
-the name of the tab (String value) )


issueAlert(msg)
- Takes only one parameter, a string value. This is what shows up in the alert.

*We will cover the remaining two methods in the next portion of the series. This post turned into a rather long one so it was postponed.

Happy Hacking,

~cktricky
cktricky

No comments: