search

silentsignal / burp-piper

Piper Burp Suite Extender plugin
https://blog.silentsignal.eu/2020/03/27/unix-style-approach-to-web-application-testing/
GNU General Public License v3.0
115 stars 12 forks source link

New config: read from /dev/urandom #20

Closed ngregoire closed 3 years ago

ngregoire commented 3 years ago

Given that Piper doesn't support Intruder payload generators, I used a payload processor instead. That works well! The result is a low-cost Web fuzzer, mostly aimed to embedded/IoT devices

piper_dev_urandom

intruderPayloadProcessors:
- prefix: [sh, -c, dd if=/dev/urandom of=/dev/stdout bs=1 count=`shuf -i1-100 -n1` status=none]
  inputMethod: stdin
  name: /dev/urandom
v-p-b commented 3 years ago

Linking the inspiring Twitter thread for reference: https://twitter.com/Agarri_FR/status/1326221026422906880

dnet commented 3 years ago

Thanks, I added it to the deafult config and finally added support for payload generators. I like your workaround (and TIL null payloads exist) and this new payload generator solution will allow for external generators that need state (and thus no reexec for every payload), such as https://github.com/asciimoo/exrex by @asciimoo (see example config) or John the Ripper's stdout password listing output for rules mangling.

dnet commented 3 years ago

I released v0.7 that contains these.

ngregoire commented 3 years ago

Many thanks, for:

As an improvement, I wonder if the payload's baseValue (for processors and generators) could be exposed (probably via stdin). It would be useful when some details (length, charset, ...) about the non-fuzzed value are needed, for example when mutating with radamsa.

dnet commented 3 years ago

I wonder if the payload's baseValue (for processors and generators) could be exposed (probably via stdin). It would be useful when some details (length, charset, ...) about the non-fuzzed value are needed

I was thinking about this when I integrated it this way:

https://github.com/silentsignal/burp-piper/blob/80b858967fa503b6016915c1506439e06eaa707d/src/main/kotlin/burp/BurpExtender.kt#L173

So that empty byte array could definitely be replaced by baseValue, I'll run some local test and see what comes out... If I could fit this into cmd.execute that would be great, since that would mean stdin/command line argument could be switchable using the regular GUI options already used for all other tools.

I'm not sure what you mean for processors, since I already make it available to them, see below:

https://github.com/silentsignal/burp-piper/blob/80b858967fa503b6016915c1506439e06eaa707d/src/main/kotlin/burp/BurpExtender.kt#L138

Did it not work for you? If so, let's talk about it, since that should be a bug which I intend to fix. :)

ngregoire commented 3 years ago

Generators: exposing the baseValue would allow to run (f.e.) radamsa on it. That would nice, even if it isn't a common use-case (at least for me). No opinions regarding how to integrate that in the GUI and such.

Processors: it works fine, it was just me being dumb (tested by chaining a stock Convert to upper-case and a Piper-provided rev)