@defparam
Last active July 22, 2024 20:09
Example of using Turbo Intruder in a "listen and attack" mode. Because Turbo Intruder's Jython interpreter technically runs inside Burp, Turbo Intruder scripts can use the extender plugin API. Here we use burp.IProxyListener to intercept proxied requests and reissue them from inside Turbo Intruder with the HTTP method mutated.
from threading import Thread
import time
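class TrafficMagnet(burp.IProxyListener):
    """Proxy listener that replays each intercepted request with every other HTTP method.

    On construction the instance registers itself with Burp's proxy.  For each
    request that passes through the proxy (``processProxyMessage``) the request
    line is rebuilt with each method in ``HTTP_METHODS`` other than the original
    one, and the result is sent through Burp's ``makeHttpRequest`` on a worker
    thread.  Request/response pairs are appended to Turbo Intruder's ``table``.

    Depends on names injected by the Turbo Intruder environment: ``callbacks``,
    ``handler``, ``table`` and the ``burp`` package.

    Args:
        scopeHosts: optional iterable of host substrings (compared
            case-insensitively).  When given, a proxied request whose target
            host contains none of them is ignored.  When ``None`` (the default,
            matching the original behaviour) every request seen by the proxy is
            replayed regardless of host -- including state-changing methods such
            as PUT and DELETE -- so set this before pointing Burp at anything
            shared.
    """

    # Methods tried for each intercepted request; the request's own method is skipped.
    HTTP_METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "PATCH", "TRACE", "CONNECT"]

    def __init__(self, scopeHosts=None):
        # Initialise everything the listener reads *before* registering it:
        # processProxyMessage can be invoked from Burp's proxy threads as soon as
        # registerProxyListener returns, and would otherwise hit a missing attribute.
        self._helpers = callbacks.getHelpers()
        self._callbacks = callbacks
        self._scopeHosts = tuple(scopeHosts) if scopeHosts is not None else None
        callbacks.registerProxyListener(self)

    def listen(self):
        """Block until the Turbo Intruder attack is cancelled, then deregister.

        Polls ``handler.running`` once a second.  Removing the listener is what
        actually stops the replaying; returning alone would leave it attached.
        """
        while handler.running:
            time.sleep(1)
        self._callbacks.removeProxyListener(self)

    def _inScope(self, httpService):
        """Return True when no scope is configured or the target host matches it."""
        if self._scopeHosts is None:
            return True
        host = str(httpService.getHost()).lower()
        return any(needle.lower() in host for needle in self._scopeHosts)

    def _addToTable(self, req, rsp, lbl=""):
        """Append one labelled request/response row to Turbo Intruder's results table."""
        row = burp.Request(req, [], False, lbl)
        row.response = rsp
        table.add(row)

    def _issueAndShow(self, httpService, request):
        """Send *request* via Burp and record the exchange in the table.

        Runs on the worker thread started by ``issueRequest``.
        """
        reqResp = self._callbacks.makeHttpRequest(httpService, request)
        response = reqResp.getResponse()
        if response is None:
            # NOTE(review): looks like Burp hands back no response bytes when the
            # request fails (timeout, connection error); converting None would
            # raise on the worker thread, so the row is simply not recorded.
            return
        self._addToTable(self._helpers.bytesToString(request),
                         self._helpers.bytesToString(response),
                         lbl="Test Label")

    def issueRequest(self, httpService, headers, body):
        """Build a request from *headers* and *body* and send it on a background thread.

        Args:
            httpService: Burp ``IHttpService`` describing the target host/port/protocol.
            headers: list of header lines, the request line first.
            body: request body as a string.
        """
        newRequest = self._helpers.buildHttpMessage(headers, self._helpers.stringToBytes(body))
        worker = Thread(target=self._issueAndShow, args=(httpService, newRequest))
        worker.start()

    @staticmethod
    def _swapMethod(requestLine, originalMethod, newMethod):
        """Return *requestLine* with only its leading method token replaced.

        A bare ``str.replace`` would also rewrite any occurrence of the method
        name inside the path or query string (e.g. ``GET /GETTER HTTP/1.1``),
        producing a request for a different resource.
        """
        if requestLine.startswith(originalMethod):
            return newMethod + requestLine[len(originalMethod):]
        # The method is expected at the start of the request line; fall back to
        # the first occurrence if the line is shaped unusually.
        return requestLine.replace(originalMethod, newMethod, 1)

    def processProxyMessage(self, messageIsRequest, message):
        """Burp ``IProxyListener`` hook: replay each proxied request with every other method.

        Only requests are handled (responses are ignored).  Headers other than the
        request line and the body are reused unchanged.  Requests are issued
        through Burp's own HTTP stack, not the Turbo Intruder engine.
        """
        if not messageIsRequest:
            return
        messageInfo = message.getMessageInfo()
        httpService = messageInfo.getHttpService()
        ############
        #  Match   #
        ############
        # Scope filtering; see the scopeHosts constructor argument.
        if not self._inScope(httpService):
            return
        ############
        #  Attack  #
        ############
        requestBytes = messageInfo.getRequest()
        requestInfo = self._helpers.analyzeRequest(requestBytes)
        headers = requestInfo.getHeaders()
        bodyStr = self._helpers.bytesToString(requestBytes[requestInfo.getBodyOffset():])
        originalMethod = requestInfo.getMethod()
        requestLine = headers[0]
        for method in self.HTTP_METHODS:
            if method == originalMethod:
                continue
            newHeaders = [self._swapMethod(requestLine, originalMethod, method)] + headers[1:]
            self.issueRequest(httpService, newHeaders, bodyStr)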
def queueRequests(target, wordlists):
    """Turbo Intruder entry point: start the proxy listener instead of a fuzz run.

    No requests are ever queued on the engine; it is only constructed because
    Turbo Intruder expects one to exist.  ``listen()`` blocks until the user
    cancels the attack.
    """
    engine = RequestEngine(endpoint=target.endpoint)  # required by TI, otherwise idle
    magnet = TrafficMagnet()
    magnet.listen()
def handleResponse(req, interesting):
    """Turbo Intruder response hook: record every response in the results table.

    Turbo Intruder requires this function to be defined; since this script
    queues nothing on the engine it is presumably never reached by the replays.
    """
    table.add(req)