Intruder 模式bug修复;新增About页面

yhy0 · May 9, 2023 · a3727fe · a3727fe
1 parent bf3464e
commit a3727fe
Show file tree

Hide file tree

Showing 6 changed files with 110 additions and 19 deletions.
diff --git a/README.md b/README.md
@@ -51,10 +51,7 @@ https://infosecwriteups.com/403-bypass-lyncdiscover-microsoft-com-db2778458c33
 
 -   [ ] Proxy 模块 						HTTP history 部分实现，其它未实现
 -   [x] Repeater 模块               
--   [x] Intruder 模块                部分功能已实现
-    -   [x] Sniper 模式 Fuzz
-    -   [x] Cluster bomb 模式 Fuzz
-    -   [x] 对 payload 进行 md5 加密
+-   [x] Intruder 模块                四种Fuzz模式已实现， payload部分各种处理函数未实现，现在只有MD5加密
 
 
 ### 字典可配置
@@ -65,6 +62,9 @@ https://infosecwriteups.com/403-bypass-lyncdiscover-microsoft-com-db2778458c33
 前端不会，全靠 ChatGPT 
 
 - 现在各个 tabs 页面，不点进去不会激活，导致 BurpSuite 用之前必须点击一遍每个页面
+- Intruder 模块 手动修改request包内容时，每写一个字符，要重新点击鼠标，将光标重新定位到要修改的位置
+
+  - Attack 显示不能切换别的 Intruder tab页，不然结果就不显示了，前端数据绑定问题，太菜了，还没想好怎么写
 ## License
 
 This code is distributed under the [MIT license](https://github.com/yhy0/ChYing/blob/main/LICENSE). See [LICENSE](https://github.com/yhy0/ChYing/blob/main/LICENSE) in this directory.

diff --git a/frontend/src/assets/images/yhy.jpeg b/frontend/src/assets/images/yhy.jpeg
diff --git a/frontend/src/components/About.vue b/frontend/src/components/About.vue
@@ -0,0 +1,77 @@
+<script setup>
+import {BrowserOpenURL} from "../../wailsjs/runtime/runtime.js";
+
+function openURL(url) {
+    BrowserOpenURL(url);
+}
+</script>
+
+<template>
+    <n-collapse :default-expanded-names="['3', '4']">
+        <n-collapse-item title="已有功能" name="1">
+            <div>
+                <n-card style="text-align: left;">
+                    <n-h3> 目录扫描 </n-h3>
+                    <n-p> 提取 <n-button @click="openURL('https://github.com/maurosoria/dirsearch')" quaternary type="primary">Dirsearch</n-button> 的字典规则进行扫描，目前只会进行一层目录扫描，后期考虑根据找到的目录，进行多层目录遍历</n-p>
+                    <n-p><n-button @click="openURL('https://github.com/lijiejie/bbscan')" quaternary type="primary">BBscan</n-button> 规则扫描</n-p>
+                </n-card>
+
+                <n-card style="text-align: left;">
+                    <n-h3> Swagger 测试 </n-h3>
+                    <n-p> 对 `swagger api` 进行未授权、ssrf、注入等测试</n-p>
+                </n-card>
+
+                <n-card style="text-align: left;">
+                    <n-h3> 403 bypass </n-h3>
+                    <n-p> 上述两个功能会自动进行 403 bypass</n-p>
+                    <n-p><n-button @click="openURL('https://github.com/devploit/dontgo403')" quaternary type="primary">dontgo403</n-button> </n-p>
+                    <n-p><n-button @click="openURL('https://infosecwriteups.com/403-bypass-lyncdiscover-microsoft-com-db2778458c33')" quaternary type="primary">403-bypass-lyncdiscover-microsoft-com-db2778458c33</n-button> </n-p>
+                </n-card>
+                <n-card style="text-align: left;">
+                    <n-h3> JWT 测试 </n-h3>
+                    <n-p> JWT token 解析，<n-button @click="openURL('https://jwt.io/')" quaternary type="primary">jwt.io</n-button> 样式显示</n-p>
+                    <n-p> JWT 秘钥爆破 样式显示</n-p>
+                </n-card>
+
+                <n-card style="text-align: left;">
+                    <n-h3> BurpSuite </n-h3>
+                    <n-p> Proxy 模块 HTTP history 部分实现，其它未实现 </n-p>
+                    <n-p> Repeater 模块</n-p>
+                    <n-p> Intruder 模块 四种Fuzz模式已实现， payload部分各种处理函数未实现，现在只有MD5加密</n-p>
+                </n-card>
+            </div>
+        </n-collapse-item>
+        <n-collapse-item title="字典可配置" name="2">
+            <n-card style="text-align: left;">
+                用到的各种字典文件, 第一次运行会将内置字典释放到用户目录的`.config/ChYing`目录下，后续每次运行都会先读取一遍
+            </n-card>
+        </n-collapse-item>
+        <n-collapse-item title="问题" name="3">
+            <n-card style="text-align: left;">
+                <n-gradient-text type="error">
+                    现在各个 tabs 页面，不点进去不会激活，导致 BurpSuite 用之前必须点击一遍每个页面
+                </n-gradient-text>
+                <n-gradient-text type="error">
+                    Intruder 模块 手动修改request包内容时，每写一个字符，要重新点击鼠标，将光标重新定位到要修改的位置
+                </n-gradient-text>
+                <n-gradient-text type="error">
+                    Attack 显示不能切换别的 Intruder tab页，不然结果就不显示了，前端数据绑定问题，太菜了，还没想好怎么写
+                </n-gradient-text>
+            </n-card>
+        </n-collapse-item>
+
+        <n-collapse-item title="yhy" name="4">
+            <n-card >
+                <div style="display: flex; justify-content: center;">
+                    <n-button @click="openURL('https://github.com/yhy0/')" quaternary type="primary" size="large">yhy</n-button>
+                    <n-button @click="openURL('https://github.com/yhy0/ChYing')" quaternary type="primary" size="large">承影</n-button>
+                </div>
+                <img src="../assets/images/yhy.jpeg" alt="yhy"/>
+            </n-card>
+        </n-collapse-item>
+    </n-collapse>
+</template>
+
+<style scoped>
+
+</style>
diff --git a/frontend/src/components/Home.vue b/frontend/src/components/Home.vue
@@ -1,12 +1,12 @@
 <script setup>
+import {ref} from "vue";
 import Twj from "./Twj.vue"
 import Swagger from "./Swagger.vue"
 import Fuzz from "./fuzz/Fuzz.vue"
 import BurpSuite from "./burpsuite/BurpSuite.vue";
-import {ref} from "vue";
-
-const activeTabs = ref(['Fuzz', 'Swagger', 'TWJ', 'BurpSuite'])
+import About from "./About.vue";
 
+const activeTabs = ref(['Fuzz', 'Swagger', 'TWJ', 'BurpSuite','About'])
 
 </script>
 
@@ -37,6 +37,12 @@ const activeTabs = ref(['Fuzz', 'Swagger', 'TWJ', 'BurpSuite'])
                     <BurpSuite/>
                 </n-message-provider>
             </n-tab-pane>
+
+            <n-tab-pane name="About" display-directive="show:lazy" tab="About">
+                <n-message-provider>
+                    <About/>
+                </n-message-provider>
+            </n-tab-pane>
         </n-tabs>
     </n-card>
 </template>
diff --git a/frontend/src/components/burpsuite/intruder/Intruder.vue b/frontend/src/components/burpsuite/intruder/Intruder.vue
@@ -25,6 +25,7 @@ const attackTypes = ref([""]); // 用于保存每个标签页对应的攻击类
 
 function handleAdd() {
     const newKey = String(+panels.value[panels.value.length - 1].key + 1);
+    attackTypes.value.push('Sniper');
     panels.value.push({
         title: `Tab ${newKey}`,
         req: ``,
@@ -36,7 +37,6 @@ function handleAdd() {
         len: 0,
     });
     value.value = newKey;
-    attackTypes.value.push('Sniper');
 }
 
 function handleClose(name) {
@@ -59,9 +59,9 @@ EventsOn("IntruderBody", result => {
         id: "",
         len: 0,
     };
+    attackTypes.value.push('Sniper');
     panels.value.push(newPanel);
     value.value = newKey;
-    attackTypes.value.push('Sniper');
 });
 
 const request = ref('');
@@ -76,8 +76,11 @@ function updateReqValue(panel) {
 
     const count = (request.value.match(/§/g) || []).length; // 计算 § 符号的数量
     payloadCount.value = count / 2;
-    panel.len = payloadCount.value;
-
+    if(["Sniper", "Battering ram"].includes(attackTypes.value[Number(value.value)])){
+        panel.len = 1;
+    } else {
+        panel.len = payloadCount.value;
+    }
 }
 
 const options = [
@@ -108,7 +111,11 @@ function Add(panel) {
         request.value = request.value.replace(selection, `§${selection}§`)
         const count = (request.value.match(/§/g) || []).length; // 计算 § 符号的数量
         payloadCount.value = count / 2;
-        panel.len = payloadCount.value;
+        if(["Sniper", "Battering ram"].includes(attackTypes.value[Number(value.value)])){
+            panel.len = 1;
+        } else {
+            panel.len = payloadCount.value;
+        }
         panel.req = request.value;
     }
 }

diff --git a/tools/burpSuite/intruder.go b/tools/burpSuite/intruder.go
@@ -44,12 +44,14 @@ func sniper(target string, req string, payloads []string, rules []string, uuid s
 
 	var id = 0
 
-	for i, position := range positions {
-		request := req // req 不能改变
+	for _, position := range positions {
 		for _, payload := range payloads {
+			request := req // req 不能改变
 			// 这里是根据payload位置来进行对应的处理
-			payload = processing(payload, rules[i])
+			payload = processing(payload, rules[0])
 			request = strings.Replace(request, position, payload, 1)
+			// 去除其他位置的 §
+			request = strings.ReplaceAll(request, "§", "")
 			ch <- struct{}{}
 			id += 1
 			go func(request, payload string, id int) {
@@ -79,7 +81,7 @@ func sniper(target string, req string, payloads []string, rules []string, uuid s
 					IntruderMap[uuid] = smap
 				}
 
-				IntruderMap[uuid].WriteMap(i, &HTTPBody{
+				IntruderMap[uuid].WriteMap(id, &HTTPBody{
 					TargetUrl: target,
 					Request:   resp.RequestDump,
 					Response:  resp.ResponseDump,
@@ -107,8 +109,8 @@ func batteringRam(target string, req string, payloads []string, rules []string,
 	for i, payload := range payloads {
 		request := req // req 不能改变
 		// 这里是根据payload位置来进行对应的处理
-		for j, position := range positions {
-			payload = processing(payload, rules[j])
+		for _, position := range positions {
+			payload = processing(payload, rules[0])
 			request = strings.Replace(request, position, payload, 1)
 		}
 
@@ -341,7 +343,6 @@ func getPositions(req string) []string {
 	for _, match := range matches {
 		result = append(result, "§"+match[1]+"§")
 	}
-
 	return result
 }