mod0BurpUploadScanner：用于Burp代理的HTTP文件上传扫描器

# UploadScanner Burp extension A Burp Suite Pro extension to do security tests for HTTP file uploads. **Table of Contents** <!-- Table of contents generated generated by http://tableofcontent.eu --> - [Abstract](#abstract) - [Main feature](#main-feature) - [Installation](#installation) - [Tutorials](#tutorials) - [About](#about) - [Background information and FAQ](#background-information-and-faq) - [TL;DR and important infos](#tldr-and-important-infos) - [Basics](#basics) - [Checklist](#checklist) - [I broke the website, omg, what did I do?](#i-broke-the-website-omg-what-did-i-do) - [Limitations](#limitations) - [Detecting issues](#detecting-issues) - [Detecting successful uploads](#detecting-successful-uploads) - [FlexiInjector - Detecting requests with uploads](#flexiinjector-detecting-requests-with-uploads) - [Image Formating options](#image-formating-options) - [ReDownloader](#redownloader) - [Testing and trophy case](#testing-and-trophy-case) - [Explanation for UI configuration options](#explanation-for-ui-configuration-options) - [Modules](#modules) - [Active Scan module](#active-scan-module) - [Imagetragick module](#imagetragick-module) - [Imagemagick/Graphicsmagick module](#imagemagickgraphicsmagick-module) - [Ghostscript module](#ghostscript-module) - [LibAvFormat module](#libavformat-module) - [PHP code module](#php-code-module) - [JSP code module](#jsp-code-module) - [ASP code module](#asp-code-module) - [.htaccess/web.config module](#htaccesswebconfig-module) - [CGI module](#cgi-module) - [Server Side Include (SSI) module](#server-side-include-ssi-module) - [XXE module](#xxe-module) - [XSS module](#xss-module) - [Eicar module](#eicar-module) - [PDF module](#pdf-module) - [Other SSRF module](#other-ssrf-module) - [CSV/spreadsheet module](#csvspreadsheet-module) - [Path traversal module](#path-traversal-module) - [Polyglot module](#polyglot-module) - [Fingerping module](#fingerping-module) - [Quirks module](#quirks-module) - [Generic URL replacer module](#generic-url-replacer-module) - [Recursive uploader module](#recursive-uploader-module) - [Fuzzer module](#fuzzer-module) - [Timeout and DoS module](#timeout-and-dos-module) - [File formats](#file-formats) - [General options](#general-options) - [Delete project settings on reload](#delete-project-settings-on-reload) - [Name of exiftool executable](#name-of-exiftool-executable) - [Throttle between requests in seconds](#throttle-between-requests-in-seconds) - [Sleep time for sleep payloads in seconds](#sleep-time-for-sleep-payloads-in-seconds) - [Create log (see "Done uploads" tab)](#create-log-see-done-uploads-tab) - [Replace filename in requests](#replace-filename-in-requests) - [Replace content type in requests](#replace-content-type-in-requests) - [Replace file size in requests](#replace-file-size-in-requests) - [Enable wget/curl/rundll payloads (default: only nslookup)](#enable-wgetcurlrundll-payloads-default-only-nslookup) - [FlexiInjector options](#flexiinjector-options) - [Choose file you uploaded](#choose-file-you-uploaded) - [Mime type of that file](#mime-type-of-that-file) - [Image formating options](#image-formating-options) - [ReDownloader parsing options](#redownloader-parsing-options) - [Parse other response (preflight request)](#parse-other-response-preflight-request) - [1. Start marker to parse URL from response](#1-start-marker-to-parse-url-from-response) - [1. End marker to parse URL from response](#1-end-marker-to-parse-url-from-response) - [Replace \/ with / in parsed content](#replace-with-in-parsed-content) - [Additional URL prefix for parsed part](#additional-url-prefix-for-parsed-part) - [Additional URL suffix for parsed part](#additional-url-suffix-for-parsed-part) - [2. Alternatively, a static URL](#2-alternatively-a-static-url) - [Recursive uploader module options](#recursive-uploader-module-options) - [Fuzzer module options](#fuzzer-module-options) ## Abstract Testing web applications is a standard task for every security analyst. Various automated and semi-automated security testing tools exist to simplify the task. HTTP based file uploads are one specialised use case. However, most automated web application security scanners are not adapting their attacks when encountering file uploads and are therefore likely to miss vulnerabilities related to file upload functionalities. While a lot of techniques used for file upload testing are documented throughout the web, the code necessary to automate such attacks is often missing. In other cases, the techniques only apply to very specific use cases. One of the goals of this research was to generalise and automate these attacks. The attack techniques include generic attacks such as Cross Site Scripting (XSS), External Entity Injection (XXE) and PHP/JSP/ASP code injection, but the goal is to execute these attacks customised for the use case of HTTP based file uploads. Additionally, more specific attacks on server side parsers are used as an attack vector, for example Server Side Request Forgery (SSRF) through m3u8 playlist file formats being parsed with LibAv. File uploads on websites are an underestimated area for security testing. The attack surface on a server that parses files is automatically a lot bigger. While some of the issues that might occur get very high attention (eg. the [ImageTragick](https://imagetragick.com/) vulnerability), there are countless memory corruption bugs that get fixed every day in various parses that might also be in use on your webserver. And while your REST XML web service might not be vulnerable to XML External Entity (XXE) injection, it doesn't mean your image parser for JPEG XMP metadata (which is XML) has no XXE issue. Various techniques are necessary to successfully upload a file, including correlation of file extensions, content types, and content. Moreover, the file content has to pass server-side checks or modifications such as image size requirements or resizing operations. Circumventing processing on the server side, creating content that survives the modification or creating content that results in the desired payload after the modification is another goal of this extension. While there are already a couple of Burp extensions doing some checks, this extension tries to implements most attacks that seem feasible for file uploads. The extension is testing various attacks and is divided into modules. Each module handles several attacks of the same category. ## Main feature While the extension has various interesting features in its various modules, one of the main features is: 1. Taking a small gif, png, jpeg, tiff, pdf, zip and mp4 file 2. If it’s an image, resize the image (sizes are UI options) 3. If it’s an image, give it a random new color 4. If the file format supports it, use the exiftool file format meta data techniques "keywords", "comment", "iptc:keywords", "xmp:keywords", "exif:ImageDescription" and "ThumbnailImage" ... 5. ... to inject PHP, JSP, ASP, XXE, SSRF, XXS and SSI payloads ... 6. ... then upload with various combinations of file extensions and content-types ... 7. ... to detect issues via sleep based payloads, Burp Collaborator interactions or by downloading the file again ## Installation [UploadScanner.py](UploadScanner.py) is the file you need to import into Burp, see [Portswigger's support page on how to install an extension](https://support.portswigger.net/customer/portal/articles/1965930-how-to-install-an-extension-in-burp-suite). After installing the extension, check the "Global & Active Scanning configuration" tab of the extension. If a field is marked red, there is an error. ## Tutorials There are several tutorial videos available for the different topics that will help you get started. The UI of the extension changed a little since