BurpSuite API - 从编辑的请求中获取响应

Question

我的 Burpsuite API 有一个问题，我找不到合适的函数来打印已编辑请求的响应。我正在使用 python 为 burpsuite 开发一个新插件。 myscript 只是从代理接收请求，然后编辑标题并再次发送。

从打嗝导入 IBurpExtender 从打嗝导入 IHttpListener

导入 re,urllib2

类 BurpExtender(IBurpExtender, IHttpListener):

def registerExtenderCallbacks(self, callbacks):
    self._callbacks = callbacks
    self._helpers = callbacks.getHelpers()
    callbacks.setExtensionName("Burp Plugin Python Demo")
    callbacks.registerHttpListener(self)
    return

def processHttpMessage(self, toolFlag, messageIsRequest, currentRequest):
    # only process requests
    if messageIsRequest:

        requestInfo = self._helpers.analyzeRequest(currentRequest)
        #timestamp = datetime.now()        
        #print "Intercepting message at:", timestamp.isoformat()

        headers = requestInfo.getHeaders()
        #print url
        if(requestInfo.getMethod() == "GET"):
            print "GET"
            print requestInfo.getUrl()
            response = urllib2.urlopen(requestInfo.getUrl())
            print response
        elif(requestInfo.getMethod() == "POST"):
            print "POST"
            print requestInfo.getUrl()
        #for header in headers:
            #print header

        bodyBytes = currentRequest.getRequest()[requestInfo.getBodyOffset():]
        bodyStr = self._helpers.bytesToString(bodyBytes)
        bodyStr = re.sub(r'=(\w+)','=<xss>',bodyStr)
        newMsgBody = bodyStr
        newMessage = self._helpers.buildHttpMessage(headers, newMsgBody)
        print "Sending modified message:"
        print "----------------------------------------------"
        print self._helpers.bytesToString(newMessage)
        print "----------------------------------------------\n\n"
        currentRequest.setRequest(newMessage)
    return

Answer 1

您需要打印响应，但如果 messageIsRequest 为假，您无需执行任何操作。当 messageIsRequest 为 false 时，表示 currentRequest 是一个响应，您可以像处理请求一样打印出响应。我是这样用 Java 做的：

def processHttpMessage(self, toolFlag, messageIsRequest, httpRequestResponse):
    if messageIsRequest:
        ....
    else
        HTTPMessage = httpRequestResponse.getResponse()
        print HTTPMessage

甚至还有一种方法可以让您在使用代理时将请求和响应绑定在一起。可以在 IInterceptedProxyMessage 中找到：

/**
 * This method retrieves a unique reference number for this
 * request/response.
 *
 * @return An identifier that is unique to a single request/response pair.
 * Extensions can use this to correlate details of requests and responses
 * and perform processing on the response message accordingly.
 */
int getMessageReference();

我认为 HTTPListener 不支持它。

我正在用 Java 编写扩展，并试图为这个 anwser 翻译成 Python。这段代码我没有测试过，可能会因为翻译引入一些bug。