Examples

bytebutcher edited this page Nov 27, 2022 · 17 revisions

Decoder++

Name: Decoder++
Group:
Command: dpp --dialog -f %F
[ ] Run in background
[ ] Run in terminal
[X] Output should replace selection
[ ] Show preview

Diff

Burp's diff tool is quite nice. However, if you prefer an external tool such as meld, you might find this setup interesting.

We define three send-to context menu entries.

  • One for writing the path of the file containing the selected request into burp-send-to.stack
  • One for starting meld to compare the files stored in burp-send-to.stack
  • One for clearing burp-send-to.stack

Name: add Request/Response
Group: stack
Command: echo %R >> $HOME/burp-send-to.stack
[X] Run in background
[ ] Run in terminal
[ ] Output should replace selection
[ ] Show preview

Name: clear
Group: stack
Command: echo -n '' > $HOME/burp-send-to.stack
[X] Run in background
[ ] Run in terminal
[ ] Output should replace selection
[ ] Show preview

Name: diff
Group: stack
Command: meld $(paste -sd' ' $HOME/burp-send-to.stack)
[X] Run in background
[ ] Run in terminal
[ ] Output should replace selection
[ ] Show preview

Header Format

Some tools require a specific header format which is not directly supported by the Burp Send-To extension. However, with a wrapper-script we can work around it:

Name: header format
Group: misc
Command: header_script.sh %U %E
[ ] Run in background
[X] Run in terminal
[ ] Output should replace selection
[X] Show preview

header_script_1.sh

#!/bin/bash
url="${1}"
headers="$(sed ':a;N;$!ba;s/\n/\\n/g' "${2}")" # Replace newlines in header-file with a literal "\n"
/path/to/tool -u "${url}" --headers "${headers}"

header_script_2.sh

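#!/bin/bash
url="${1}"
headers_file="${2}"
# Collect the options in an array so that each header stays a single
# argument, even though it contains spaces
header_options=()
# tail -n+2 skips the first line of the headers file
while IFS= read -r header || [ -n "${header}" ]; do
        header="${header%$'\r'}" # Strip a trailing carriage return, if present
        [ -n "${header}" ] && header_options+=(-H "${header}")
done< <(tail -n+2 "${headers_file}")
/path/to/tool -u "${url}" "${header_options[@]}"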

Header Values

Sometimes you might require a specific header value which is not directly supported by the Burp Send-To extension. However, with a wrapper-script we can work around it:

Name: headers
Group: misc
Command: extract-header-value.sh %E "Content-Length"
[ ] Run in background
[X] Run in terminal
[ ] Output should replace selection
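[X] Show preview

extract-header-value.sh

#!/bin/bash
# Prints the value of the first header in the file whose name matches the key
function extract_header_value_by_key() {
        _header_file="${1}"
        _key="${2}"
        # read -r keeps backslashes; the || part handles a last line without newline
        while IFS= read -r line || [ -n "${line}" ]; do
                line="${line%$'\r'}" # Strip a trailing carriage return, if present
                key="$(echo "${line}" | cut -f1 -d':')"
                value="$(echo "${line}" | cut -f2- -d' ')"
                if [ "${key}" = "${_key}" ]; then
                        # Prints value on matching key ...
                        echo "${value}"
                        break
                fi
        done< "${_header_file}"
}
header_file="${1}"
key="${2}"
extract_header_value_by_key "${header_file}" "${key}"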

WSL

If you are on Windows and want to use the Windows Subsystem for Linux (WSL), you may run into problems when passing filenames (e.g. the %R placeholder).

To solve this issue you can use a wrapper script as described below:

  1. Place a file (e.g. named "ffuf-wrapper") into /home/yourname/work/bin/ with the following content:

#!/bin/bash
# 1. Transform Windows path to WSL path
# >>> wslpath -a 'C:\\aaa\\bbb\\ccc\\foo.zip'
# /mnt/c/aaa/bbb/ccc/foo.zip
request_path="$(wslpath -a "${1}")"
# 2. Call ffuf with the correct request path
/home/yourname/work/bin/ffuf -w "${request_path}" -X POST -d "username=admin\&password=FUZZ" -u https://target/login.php -fc 401

Remember to set the executable-flag for this script:

chmod +x /home/yourname/work/bin/ffuf-wrapper

Create a send-to context menu entry with the following parameters:

* name: wsl ffuf
* command: wsl /home/yourname/work/bin/ffuf-wrapper %R
* group:
* [ ] Run in background
* [X] Run in terminal
* [ ] Output should replace selection
* [X] Show preview prior to execution

URL Extract and Execute Script

#!/usr/bin/python3
import sys
import re
import argparse
from subprocess import Popen, PIPE, CalledProcessError

def eprint(*args, **kwargs):
    print(*args, file=sys.stderr, **kwargs)

try:
    from urlextract import URLExtract
except ImportError:
    eprint("ERROR: urlextract not found! Use the following command to fix this error:")
    eprint("       > pip3 install urlextract")
    sys.exit(1)

parser = argparse.ArgumentParser(description='Extract urls from file and execute user specified program to handle ')
parser.add_argument('-f','--filter', help='Regex filter for urls', required=False)
parser.add_argument('-v','--verbose', action='store_true', help='Verbosely output.', required=False)
parser.add_argument('-d','--dry-run', action='store_true', help='Prints commands instead of executing them.')
parser.add_argument('-c','--command', help='The command to execute. Use {{URL}} to specify where extracted URLs should be placed.', required=True)
parser.add_argument('input_file', help='The file to parse.')
args = vars(parser.parse_args())

input_file = args['input_file']
# args['filter'] is None when -f is not given, so only compile it when set
url_filter = re.compile(args['filter']) if args['filter'] else None
dry_run = args['dry_run']
verbose = args['verbose']

with open(input_file) as f: 
    data = " ".join(line.strip() for line in f)
    for url in URLExtract().find_urls(data):
        if verbose:
            eprint('URL: ' + url)
        if url_filter and not url_filter.match(url):
            continue
        command = args['command'].replace('{{URL}}', url)
        if verbose or dry_run:
            eprint('CMD: ' + command)
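        if not dry_run:
            # The command string is run through a shell (shell=True), so shell
            # metacharacters in an extracted URL are interpreted by that shell
            with Popen(command, shell=True, stdout=PIPE, bufsize=1, universal_newlines=True) as p:
                for line in p.stdout:
                    print(line, end='')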

Example:

input.txt:

urls like http://example.com and http://more.info but also
things like abc.com and
other.stuff. 

Execute:

# Process all urls in input.txt and execute 'echo {{URL}}'
python3 urlextract-and-execute.py -c 'echo {{URL}}' input.txt 
# Define a filter to only process certain types of urls
python3 urlextract-and-execute.py -f '^http(s)?://.*' -c 'echo {{URL}}' input.txt 

Note: This script also includes a -d | --dry-run option which prints commands instead of executing them.
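
The script substitutes each extracted URL into the command string and runs it with shell=True. With %R the input file holds the selected request/response, so the URLs are untrusted, and characters such as &, ; or $( ) in them are interpreted by the shell. The following added example (not part of the original script; build_command, build_argv, the other helper names and the sample URLs are assumptions) shows two ways to pass the URL as a single literal argument:

```python
import shlex
import subprocess

PLACEHOLDER = "{{URL}}"

# Constructed sample URLs; each contains characters a shell treats specially.
SAMPLE_URLS = [
    "http://example.com/search?q=a&page=2",  # '&' ends the command and backgrounds it
    "http://example.com/$(hostname)",        # command substitution
    "http://example.com/o'neil;date",        # quote plus command separator
]

def naive_command(template, url):
    """Plain string replacement, as in the script above."""
    return template.replace(PLACEHOLDER, url)

def build_command(template, url):
    """Substitute the URL as exactly one shell word.

    shlex.quote single-quotes the value when it contains unsafe characters,
    so the template must use a bare {{URL}}, not '{{URL}}' or "{{URL}}".
    """
    return template.replace(PLACEHOLDER, shlex.quote(url))

def build_argv(template, url):
    """Shell-free variant: split the template first, then substitute."""
    return [part.replace(PLACEHOLDER, url) for part in shlex.split(template)]

def run_in_shell(command):
    """Run a command string through /bin/sh and return its stdout."""
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout

def run_argv(argv):
    """Run an argument vector without any shell and return its stdout."""
    return subprocess.run(argv, capture_output=True, text=True).stdout

if __name__ == "__main__":
    template = "echo {{URL}}"
    for url in SAMPLE_URLS:
        print("naive cmd :", naive_command(template, url))  # shown, not executed
        print("quoted out:", repr(run_in_shell(build_command(template, url))))
        print("argv out  :", repr(run_argv(build_argv(template, url))))
```

The argv variant gives up shell features such as pipes and redirection in the command template; the quoted variant keeps them but requires the placeholder to be left unquoted.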

Create two send-to context menu entries with the following parameters:

* name: URL extract and execute (preview)
* command: python3 /path/to/urlextract-and-execute.py -d -c 'echo {{URL}}' %R
* group:
* [ ] Run in background
* [X] Run in terminal
* [ ] Output should replace selection
* [X] Show preview prior to execution

* name: URL extract and execute
* command: python3 /path/to/urlextract-and-execute.py -c 'echo {{URL}}' %R
* group:
* [ ] Run in background
* [X] Run in terminal
* [ ] Output should replace selection
* [X] Show preview prior to execution