Image responses do not need to be processed
String mimeInferred = helpers.analyzeResponse(messageInfo.getResponse()).getInferredMimeType();
if (mimeInferred.equalsIgnoreCase("JPEG")
        || mimeInferred.equalsIgnoreCase("PNG")
        || mimeInferred.equalsIgnoreCase("TIFF")
        || mimeInferred.equalsIgnoreCase("GIF")) {
    return; // image response: nothing to process
}
Reporting a scan finding into Burp's issue list (rarely used: there is no need to put it into Burp's system, logging it somewhere is enough)
// match is the list of marker offsets to highlight in the response
callbacks.addScanIssue(new CustomScanIssue(
        messageInfo.getHttpService(),
        helpers.analyzeRequest(messageInfo).getUrl(),
        new IHttpRequestResponse[]{callbacks.applyMarkers(messageInfo, null, match)},
        "Information disclosure at ImageMagick at converter tool",
        "The response contains sensitive internal server information",
        "Medium"));
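Use respInfo.getStatusCode() to define a filter for status codes that do not need processing.
- helpers.indexOf(request, helpers.stringToBytes("<@/"), true, 0, request.length) > -1 checks whether a byte array contains a given pattern.
toolFlag indicates the ID of the Burp tool that issued the request or received the response (use it to tell where the message came from: Repeater, Proxy, Scanner, etc.)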
Issuing a request for debugging
IHttpRequestResponse resp = callbacks.makeHttpRequest(
        messageInfo.getHttpService(),
        helpers.buildHttpMessage(reqInfo.getHeaders(), bodyss));
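Avoiding an endless loop of repeated requests
if (toolFlag == IBurpExtenderCallbacks.TOOL_PROXY) { // TOOL_PROXY == 4; avoid loops
    // handle Proxy traffic only
}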
For concurrency in Java, use executor.submit (details still to be looked into)
executor.submit(
        () -> autoRepeater.modifyAndSendRequestAndLog(
                toolFlag,
                messageInfo)
);
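The notes above, put together into one listener for the legacy Burp Extender API. This is an added example, not code from the original notes. The extension name, thread pool size, and skipped status codes are assumptions, and it logs a hit instead of raising a scan issue.

```java
package burp;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class BurpExtender implements IBurpExtender, IHttpListener, IExtensionStateListener {
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;
    private final ExecutorService executor = Executors.newFixedThreadPool(4); // assumed pool size

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Listener notes example"); // assumed name
        callbacks.registerHttpListener(this);
        callbacks.registerExtensionStateListener(this);
    }

    @Override
    public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) {
        // Only handle Proxy responses. Requests sent with makeHttpRequest arrive here
        // tagged TOOL_EXTENDER, so this check keeps the listener from re-processing them.
        if (toolFlag != IBurpExtenderCallbacks.TOOL_PROXY || messageIsRequest) {
            return;
        }
        executor.submit(() -> inspect(messageInfo)); // analyse off Burp's HTTP thread
    }

    private void inspect(IHttpRequestResponse messageInfo) {
        IResponseInfo respInfo = helpers.analyzeResponse(messageInfo.getResponse());
        short status = respInfo.getStatusCode();
        if (status == 304 || status == 404) {
            return; // assumed list of status codes not worth processing
        }
        String mime = respInfo.getInferredMimeType();
        if (mime.equalsIgnoreCase("JPEG") || mime.equalsIgnoreCase("PNG")
                || mime.equalsIgnoreCase("TIFF") || mime.equalsIgnoreCase("GIF")) {
            return; // image response: nothing to process
        }
        byte[] request = messageInfo.getRequest();
        if (helpers.indexOf(request, helpers.stringToBytes("<@/"), true, 0, request.length) > -1) {
            callbacks.printOutput("Marker found in request to " + helpers.analyzeRequest(messageInfo).getUrl());
        }
    }

    @Override
    public void extensionUnloaded() {
        executor.shutdown(); // stop worker threads when the extension is unloaded
    }
}
```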