modzero / mod0BurpUploadScanner

HTTP file upload scanner for Burp Proxy

Bug #119

Open TrustStephen opened 8 months ago

TrustStephen commented 8 months ago
Traceback (most recent call last):
  File "/home/stephen/Job-Burp/upload-scanner/UploadScanner.py", line 982, in doActiveScan
    self.do_checks(injector)
  File "/home/stephen/Job-Burp/upload-scanner/UploadScanner.py", line 1089, in do_checks
    self._php_rce(injector)
  File "/home/stephen/Job-Burp/upload-scanner/UploadScanner.py", line 1089, in do_checks
    self._php_rce(injector)
  File "/home/stephen/Job-Burp/upload-scanner/UploadScanner.py", line 1726, in _php_rce
    self._servercode_rce_backdoored_file(injector, self._php_gen_payload,
  File "/home/stephen/Job-Burp/upload-scanner/UploadScanner.py", line 1958, in _servercode_rce_backdoored_file
    for payload, expect, name, ext, content in bi.get_files(size, payload_func, formats):
  File "/home/stephen/Job-Burp/upload-scanner/UploadScanner.py", line 5746, in get_files
    for payload, expect, name, ext, c in self.get_exiftool_images(payload_func, size, formats):
  File "/home/stephen/Job-Burp/upload-scanner/UploadScanner.py", line 5770, in get_exiftool_images
    x = ImageHelpers.new_image(size[0], size[1], ext[1:])
  File "/home/stephen/Job-Burp/upload-scanner/UploadScanner.py", line 4649, in new_image
    g2d.setColor(Color(color))
  File "/home/stephen/Job-Burp/upload-scanner/UploadScanner.py", line 4649, in new_image
    g2d.setColor(Color(color))
IllegalAccessException: java.lang.IllegalAccessException: class org.python.core.PyReflectedFunction cannot access class sun.java2d.SunGraphics2D (in module java.desktop) because module java.desktop does not export sun.java2d to unnamed module @1fa909c9

Upload Scanner Version: 1.0.8a

Extension code location: doActiveScan
Jython version: 2.7.0 (default:9987c746f838, Apr 29 2015, 02:25:11) 
[OpenJDK 64-Bit Server VM (Oracle Corporation)]
Java version: 21.0.1
Burp version: Burp Suite Professional 2024 1.1.6
Command line arguments: 
Was loaded from BApp: False
Request: 'POST /education/aln/inputidp HTTP/1.1\r\nHost: s013-oneapi-app-ukw-api.azure-api.net\r\nUser-Agent:
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0\r\nAccept:
application/json, text/plain, */*\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip,
deflate, br\r\nReferer: https://aln.capita-software.co.uk/\r\nOcp-Apim-Subscription-Key:
92f883d933c74b81bdaf1aa084518465\r\nConnectionid: Education9382\r\nAuthorization: Bearer eyJhbGciOiJ
...