
[BurpSuite] Python Script Template Collection

Posted at 2026-03-30

Overview

A collection of reusable Python Script templates.

Scenario 1

Description

  • To execute the request under test (request B) successfully, two values from request A are needed: the value of the cookie named session that request A's response sets, and the value of csrf-token in the meta tag of its response body.

Python Script

from __future__ import print_function
import re
from burp import IBurpExtenderCallbacks

# toolFlag, messageIsRequest, messageInfo, callbacks and helpers are the
# globals supplied by the Python Script environment that runs this snippet.

TARGET_PASS = '/TARGET_PASS/B'            # path of the request under test (B)
PRE_REQUEST_CONTENTS = (                  # request A, sent before every B
    "GET /TARGET_PASS/A HTTP/1.1\r\n"
    "Host: TARGET.jp\r\n"
    "\r\n"
)

TARGET_REQUEST_REPLACE_VALUE = '_token=%s&'   # leading body parameter of B

if toolFlag & (
    IBurpExtenderCallbacks.TOOL_REPEATER |
    IBurpExtenderCallbacks.TOOL_INTRUDER |
    IBurpExtenderCallbacks.TOOL_SCANNER
):
    if messageIsRequest:

        try:
            service = messageInfo.getHttpService()
            request = messageInfo.getRequest()
            requestInfo = helpers.analyzeRequest(service, request)
            headers = requestInfo.getHeaders()
            requestUrl = requestInfo.getUrl().toString()

            bodyOffset = requestInfo.getBodyOffset()
            requestBodyBytes = request[bodyOffset:]
            requestBodyStr = helpers.bytesToString(requestBodyBytes)

            if TARGET_PASS in requestUrl:
                print("## Get target request")

                # Send the pre request (A)
                pre = callbacks.makeHttpRequest(service, helpers.stringToBytes(PRE_REQUEST_CONTENTS))
                print("## Send pre request")

                # Response headers of the pre request
                preResponseBytes = pre.getResponse()
                preResponseInfo = helpers.analyzeResponse(preResponseBytes)
                headersPre = preResponseInfo.getHeaders()

                # Extract the value of the cookie named "session" from the pre response's Set-Cookie headers
                session = ''
                for header in headersPre:
                    m = re.search(r'Set-Cookie:\s*session=([^;]+)', header)
                    if m:
                        session = m.group(1)
                        break
                print(session, "\r\n")

                # Response body of the pre request
                bodyOffset = preResponseInfo.getBodyOffset()
                preResponseBody = preResponseBytes[bodyOffset:]
                preResponseBodyStr = helpers.bytesToString(preResponseBody)

                # Extract the csrf-token value from the meta tag in the pre response body
                m = re.search(r'<meta\s+name="csrf-token"\s+content="([^"]+)"', preResponseBodyStr)
                csrf_token = ''
                if m:
                    csrf_token = m.group(1)
                print(csrf_token, "\r\n")

                # Rewrite the "session" cookie in the target request's headers with the value just obtained.
                # Content-Length is dropped here because buildHttpMessage recomputes it for the new body.
                targetHeaders = []
                for h in headers:
                    if h.lower().startswith("content-length"):
                        continue
                    elif h.lower().startswith("cookie:"):
                        cookie_str = h[len("Cookie:"):].strip()
                        cookies = cookie_str.split("; ")
                        new_cookies = []
                        replaced = False

                        for c in cookies:
                            key, _, value = c.partition("=")
                            if key == "session":
                                new_cookies.append("session=%s" % session)
                                replaced = True
                            else:
                                new_cookies.append(c)
                        if not replaced:
                            new_cookies.append("session=%s" % session)

                        new_cookie_header = "Cookie: " + "; ".join(new_cookies)
                        targetHeaders.append(new_cookie_header)
                    else:
                        targetHeaders.append(h)
                print(targetHeaders, "\r\n")

                # Rewrite the target request body: replace the leading _token parameter
                newToken = TARGET_REQUEST_REPLACE_VALUE % csrf_token
                print(newToken, "\r\n")

                # Keep everything after the first "&" (the remaining parameters);
                # a body consisting of _token alone has no "&" and must not raise IndexError
                if "&" in requestBodyStr:
                    after_amp = requestBodyStr.split("&", 1)[1]
                    newBody = newToken + after_amp
                else:
                    after_amp = ''
                    newBody = newToken.rstrip("&")
                print(after_amp, "\r\n")
                print(newBody)

                # Send the target request with the rewritten headers and body
                target = helpers.buildHttpMessage(targetHeaders, helpers.stringToBytes(newBody))
                messageInfo.setRequest(target)

                print("## FINISH\r\n\r\n")

        except Exception as e:
            print("ERROR:", e)
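The header and body rewriting that the script performs inside Burp can be checked outside Burp as plain Python. The following is an added example, not part of the original article's template: it reimplements the same steps (pull the session cookie and csrf-token out of request A's response, swap the session cookie into request B, replace its _token parameter, recompute Content-Length) as standalone functions, and it generalises the body rewrite so that _token is replaced wherever it sits in the body rather than only as the first parameter. The two sample messages, the cookie value abc123, the token tok-xyz and the hostname TARGET.jp are constructed for illustration, and the function names are the example's own.

```python
import re

# Constructed sample messages (not real traffic): the response to request A
# and the request B under test, mirroring the scenario described above.
SAMPLE_PRE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta name="csrf-token" content="tok-xyz"></head></html>'
)
SAMPLE_TARGET_REQUEST = (
    "POST /TARGET_PASS/B HTTP/1.1\r\n"
    "Host: TARGET.jp\r\n"
    "Cookie: lang=ja; session=stale\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 24\r\n"
    "\r\n"
    "_token=stale&user=a&pw=b"
)


def split_message(raw):
    """Split a raw HTTP message into (list of header lines, body string)."""
    head, _sep, body = raw.partition("\r\n\r\n")
    return head.split("\r\n"), body


def extract_session(headers, cookie_name="session"):
    """Value of cookie_name from the first matching Set-Cookie header, else None."""
    pattern = re.compile(r"^Set-Cookie:\s*%s=([^;]+)" % re.escape(cookie_name), re.I)
    for h in headers:
        m = pattern.search(h)
        if m:
            return m.group(1)
    return None


def extract_csrf_token(body):
    """content attribute of <meta name="csrf-token" ...>, else None."""
    m = re.search(r'<meta\s+name="csrf-token"\s+content="([^"]+)"', body)
    return m.group(1) if m else None


def rewrite_cookie_header(headers, name, value):
    """Set name=value in the Cookie header (add one if missing); drop Content-Length."""
    out = []
    had_cookie_header = False
    for h in headers:
        lower = h.lower()
        if lower.startswith("content-length:"):
            continue  # recomputed by the caller for the rewritten body
        if lower.startswith("cookie:"):
            had_cookie_header = True
            replaced = False
            new_cookies = []
            for c in h[len("cookie:"):].strip().split("; "):
                if not c:
                    continue
                key, _sep, _old = c.partition("=")
                if key == name:
                    new_cookies.append("%s=%s" % (name, value))
                    replaced = True
                else:
                    new_cookies.append(c)
            if not replaced:
                new_cookies.append("%s=%s" % (name, value))
            out.append("Cookie: " + "; ".join(new_cookies))
        else:
            out.append(h)
    if not had_cookie_header:
        out.append("Cookie: %s=%s" % (name, value))
    return out


def rewrite_body(body, token, name="_token"):
    """Replace the name= parameter of a urlencoded body wherever it sits; prepend if absent."""
    out = []
    replaced = False
    for p in body.split("&"):
        if not p:
            continue
        key, _sep, _old = p.partition("=")
        if key == name:
            out.append("%s=%s" % (name, token))
            replaced = True
        else:
            out.append(p)
    if not replaced:
        out.insert(0, "%s=%s" % (name, token))
    return "&".join(out)


def prepare_target_request(raw_target_request, raw_pre_response):
    """Build request B from the session cookie and csrf-token found in A's response."""
    pre_headers, pre_body = split_message(raw_pre_response)
    session = extract_session(pre_headers)
    token = extract_csrf_token(pre_body)
    if session is None or token is None:
        # Fail loudly instead of sending B with an empty cookie or token.
        raise ValueError("pre request yielded session=%r csrf-token=%r" % (session, token))
    headers, body = split_message(raw_target_request)
    new_headers = rewrite_cookie_header(headers, "session", session)
    new_body = rewrite_body(body, token)
    new_headers.append("Content-Length: %d" % len(new_body.encode("utf-8")))
    return "\r\n".join(new_headers) + "\r\n\r\n" + new_body


if __name__ == "__main__":
    print(prepare_target_request(SAMPLE_TARGET_REQUEST, SAMPLE_PRE_RESPONSE))
```

Running the file prints request B with Cookie: lang=ja; session=abc123, the body _token=tok-xyz&user=a&pw=b and a Content-Length of 26. Unlike the Burp template, prepare_target_request raises when request A does not return both values, which is the failure worth noticing: a silently empty cookie or token makes every subsequent scanner or Intruder request fail for a reason unrelated to the parameter being tested.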