优化路由扫描参数问题

kN6jq · Jun 23, 2024 · eb53790 · eb53790
1 parent c0b8d62
commit eb53790
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 2 deletions.
diff --git a/src/main/java/burp/Example.java b/src/main/java/burp/Example.java
@@ -0,0 +1,36 @@
+package burp;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * @Author Xm17
+ * @Date 2024-06-23 10:27
+ */
+public class Example {
+    public static void main(String[] args) {
+        String request = "GET /vulnerabilities/sqli/?id=123&Submit=Submit HTTP/1.1\r\n" +
+                "Host: 192.168.11.6:801\r\n" +
+                "Upgrade-Insecure-Requests: 1\r\n" +
+                "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36\r\n" +
+                "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\r\n" +
+                "Referer: http://192.168.11.6:801/vulnerabilities/sqli/?id=1&Submit=Submit\r\n" +
+                "Accept-Encoding: gzip, deflate, br\r\n" +
+                "Accept-Language: zh-CN,zh;q=0.9\r\n" +
+                "Cookie: vue_admin_template_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNzE5MDY4MzM0LCJlbWFpbCI6IiJ9.GpiGPvleDm8Sd6beJttdIbAHYkHb4SNU6MLNu8XyEVI; sidebarStatus=1; PHPSESSID=gabeni928ahij9gut8f2o6b4a0; security=low\r\n" +
+                "Connection: close\r\n\r\n";
+
+        // 定义正则表达式，匹配 ? 及其后面的内容
+        String regex = "\\?[^\\s]*";
+        Pattern pattern = Pattern.compile(regex);
+        Matcher matcher = pattern.matcher(request);
+
+        // 删除 ? 后面的内容（查询参数部分）
+        if (matcher.find()) {
+            request = request.replace(matcher.group(), "");
+        }
+
+        System.out.println("Modified request:");
+        System.out.println(request);
+    }
+}
diff --git a/src/main/java/burp/ui/RouteUI.java b/src/main/java/burp/ui/RouteUI.java
@@ -17,6 +17,8 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Objects;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 import static burp.dao.RouteDao.*;
 import static burp.utils.Utils.getSuffix;
@@ -326,6 +328,7 @@ public static void Check(IHttpRequestResponse[] responses,boolean isSend) {
         String url = iRequestInfo.getUrl().toString();
         String method = iRequestInfo.getMethod();
         String request = Utils.helpers.bytesToString(iHttpRequestResponse.getRequest());
+        String requestx = "";
         String path = iRequestInfo.getUrl().getPath();
 
         if (!isSend){
@@ -351,10 +354,19 @@ public static void Check(IHttpRequestResponse[] responses,boolean isSend) {
             if (routeBean.getEnable() != 1){
                 continue;
             }
+            // 定义正则表达式，匹配 ? 及其后面的内容
+            String regex = "\\?[^\\s]*";
+            Pattern pattern = Pattern.compile(regex);
+            Matcher matcher = pattern.matcher(request);
+
+            // 删除请求数据包中的参数部分
+            if (matcher.find()) {
+                requestx = request.replace(matcher.group(), "");
+            }
             List<String> reqLists = append(path, routeBean.getPath());
             for (String reqList : reqLists) {
                 if (Objects.equals(method, "GET")) {
-                    String new_request = request.replaceFirst(path, reqList);
+                    String new_request = requestx.replaceFirst(path, reqList);
                     IHttpRequestResponse response = Utils.callbacks.makeHttpRequest(iHttpRequestResponse.getHttpService(), Utils.helpers.stringToBytes(new_request));
                     ExpressionUtils expressionUtils = new ExpressionUtils(response);
                     boolean process = expressionUtils.process(routeBean.getExpress());
@@ -371,7 +383,9 @@ public static void Check(IHttpRequestResponse[] responses,boolean isSend) {
                         }
                     }
                 } else if (Objects.equals(method, "POST")) {
-                    String new_request = request.replaceFirst(path, reqList);
+                    // 删除post数据中的body部分
+                    String request_data = request.split("\r\n\r\n")[0]+"\r\n\r\n";
+                    String new_request = request_data.replaceFirst(path, reqList);
                     IHttpRequestResponse response = Utils.callbacks.makeHttpRequest(iHttpRequestResponse.getHttpService(), Utils.helpers.stringToBytes(new_request));
                     ExpressionUtils expressionUtils = new ExpressionUtils(response);
                     boolean process = expressionUtils.process(routeBean.getExpress());