Slides presented at Burp Suite Japan LT Carnival
Bug Bounty Hunting with Burp Suite's Handy Features (No1zy)
About me
• twitter: @no1zy_sec
• IT vocational school student
• Rookie bug hunter
• Total bounties earned last year: 6.12 million yen (612万円)
Bug hunters love Burp Suite (The 2019 Hacker Report)
What makes it handy?
• It has a full set of the features needed for web penetration testing
• The features available in the Pro edition are powerful
Handy features covered in this talk
1. Burp Collaborator client
2. Find Script
3. Analyze target
All three are available only in the Pro edition
1. Burp Collaborator client
Burp Collaborator client
• A feature that acts as an external listening server
• Effective for discovering attacks that generate out-of-band communication
• Supports DNS, HTTP/HTTPS, SMTP/SMTPS
How to use
1. Click Burp > Burp Collaborator client
2. Click Copy to clipboard
Connectivity test:
$ curl http://fn6i69eh10k070ymmdjzeicppgv6jv.burpcollaborator.net
• Confirm that the request was received
SSRF test example: GitLab's repository import feature
A feature that issues requests to fetch content may be vulnerable to SSRF.
SSRF payload: http://127.0.0.1:22
SSRF test example: response
SSRF payload: http://127.0.0.1:4444
The difference between the error messages makes port scanning possible.
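The port scan through error messages described above needs two defects in the import feature: it connects to whatever host it is given, and it echoes the low-level connection error back to the user. The following Python is an added example (it is not GitLab's code and not from the slides) that shows a "before" handler with both defects beside a hardened one that refuses loopback, private and link-local destinations before connecting and returns one fixed message whatever the failure. The resolver and fetcher are injected so the sample runs offline; every function name, host and address in it is hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example: hardening a "fetch a repository from this URL" feature against SSRF.
# All names are hypothetical; the fake resolver/fetcher below are constructed so it runs offline.

ALLOWED_SCHEMES = {"http", "https"}
GENERIC_ERROR = "Import failed: the repository URL could not be fetched."


def _default_resolver(host):
    """Real DNS lookup: the set of addresses a hostname currently points at."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def is_forbidden_ip(ip_str):
    """True for addresses an import feature must never talk to: loopback, RFC 1918,
    link-local (cloud metadata lives there), multicast, reserved, unspecified."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # treat ::ffff:10.0.0.1 as 10.0.0.1
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_import_url(url, resolver=_default_resolver):
    """Return (True, None) when the URL may be fetched, else (False, reason).
    The reason is for server-side logs only; it must not reach the user."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return False, "missing host"
    addrs = resolver(parts.hostname)
    if not addrs:
        return False, f"host does not resolve: {parts.hostname}"
    internal = sorted(a for a in addrs if is_forbidden_ip(a))
    if internal:  # reject if ANY answer is internal (multi-answer / rebinding tricks)
        return False, f"host resolves to internal address(es): {internal}"
    return True, None


def vulnerable_import(url, fetcher):
    """'Before': fetches any URL and leaks the raw socket error to the caller, so
    'Connection refused' vs. a protocol error tells the user whether a port is open."""
    try:
        return fetcher(url)
    except OSError as exc:
        return f"Import failed: {exc}"


def hardened_import(url, fetcher, resolver=_default_resolver, log=print):
    """'After': the destination is checked before any connection is made, and every
    failure (blocked or network error) yields the same fixed message."""
    ok, reason = validate_import_url(url, resolver)
    if not ok:
        log(f"blocked import url={url!r} reason={reason}")
        return GENERIC_ERROR
    try:
        return fetcher(url)
    except OSError as exc:
        log(f"import fetch failed url={url!r} error={exc}")
        return GENERIC_ERROR


# --- constructed stand-ins so the example runs without network access ---
FAKE_DNS = {
    "127.0.0.1": {"127.0.0.1"},
    "metadata.test": {"169.254.169.254"},
    "git.example.test": {"198.41.200.10"},  # constructed public address
}
FAKE_OPEN_PORTS = {22}  # pretend SSH is listening on the import server's loopback


def fake_resolver(host):
    return FAKE_DNS.get(host, set())


def fake_fetcher(url):
    p = urlparse(url)
    if p.hostname == "127.0.0.1":
        if p.port in FAKE_OPEN_PORTS:
            raise OSError("unexpected non-HTTP banner")
        raise ConnectionRefusedError("Connection refused")
    return "<repository archive>"


if __name__ == "__main__":
    for u in ("http://127.0.0.1:22", "http://127.0.0.1:4444"):
        print("before:", vulnerable_import(u, fake_fetcher))
        print("after: ", hardened_import(u, fake_fetcher, fake_resolver, log=lambda m: None))
```

With the fake fetcher, the "before" handler returns a different message for the open port 22 and the closed port 4444, which is exactly the signal the slide exploits; the hardened handler never opens a connection to loopback at all and returns the same text for both. The resolver check is applied to the resolved addresses rather than the hostname, so a public name pointing at an internal address is caught too; the log line keeps the real reason for defenders.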
2. Find Script
Find Script
• Used to collect JavaScript files
• Helps in discovering API endpoints, sensitive information such as API keys, and code that could turn into vulnerabilities
How to use
1. Click Engagement tools > Find scripts
• The JavaScript files are listed
• Export scripts writes them out to a file
Identifying API endpoints
1. Collect the URLs where JavaScript code is present
2. Use a tool such as JSParser to identify the API endpoints
JSParser
1. Collect the URLs where JavaScript code is present
  1. List the URLs with Find Script
  2. Click Copy selected URLs
The History filter can also be used
  1. Proxy > History > open the filter settings
  2. Check "Show only" and enter js
  3. Select all items
  4. Click Copy URLs
2. Identify API endpoints
  1. Paste the copied URLs
  2. Click JSParse
Identifying new resources raises the odds of finding vulnerabilities.
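What JSParser does with the exported scripts is, at its core, a pass over string literals in the JavaScript source. The following Python is an added example (it is neither JSParser's code nor from the slides) of that pass: it lists root-relative paths and absolute URLs found in string literals, separates static assets from endpoint candidates, and flags long literals assigned to key-like names, which is the same check a defender would run over their own bundles before shipping them. SAMPLE_JS is constructed and every function name is hypothetical.

```python
import re

# Added example: a JSParser-style pass over JavaScript source that lists endpoint-looking
# strings and flags hard-coded secret-looking literals. Function names are hypothetical;
# SAMPLE_JS is constructed.

# Any single-, double- or backtick-quoted literal on one line (escapes are not handled).
STRING_RE = re.compile(r'''"([^"\n]*)"|'([^'\n]*)'|`([^`\n]*)`''')
# A root-relative path, optionally with ${...} template holes and a query string;
# "//host/..." (protocol-relative) is excluded.
PATH_RE = re.compile(r'^/(?!/)[\w\-./${}]+(\?[\w\-=&%.${}]*)?$')
URL_RE = re.compile(r'^https?://[^\s"\'`]+$')
STATIC_EXT = (".css", ".js", ".map", ".png", ".jpg", ".svg", ".ico", ".woff", ".woff2")
# A key-like name followed by a long quoted value, e.g. apiKey: "....", token = '....'
SECRET_RE = re.compile(
    r"""(?i)\b(api[_-]?key|secret|token|password)\b["']?\s*[:=]\s*["'`]([^"'`\s]{16,})["'`]""")

SAMPLE_JS = """
const API = "https://api.example.test/v2";
fetch(API + "/users/me", { headers: { "X-Api-Key": "CONSTRUCTED-SAMPLE-KEY-0123456789" } });
axios.post("/api/v1/orders", body);
$.get('/admin/export?format=csv');
const tokens = `/api/v1/users/${id}/tokens`;
const css = "/static/app.css";
const half = "/";
"""


def string_literals(js):
    """Yield the contents of every non-empty quoted literal, in source order."""
    for m in STRING_RE.finditer(js):
        s = next(g for g in m.groups() if g is not None)
        if s:
            yield s


def extract_endpoints(js):
    """Return {'urls': [...], 'paths': [...], 'static': [...]}, sorted and de-duplicated."""
    urls, paths, static = set(), set(), set()
    for s in string_literals(js):
        if URL_RE.match(s):
            urls.add(s)
        elif PATH_RE.match(s):
            bucket = static if s.split("?")[0].lower().endswith(STATIC_EXT) else paths
            bucket.add(s)
    return {"urls": sorted(urls), "paths": sorted(paths), "static": sorted(static)}


def find_secret_candidates(js):
    """Return [(key_name, value)] for literals that look like embedded credentials."""
    return [(m.group(1), m.group(2)) for m in SECRET_RE.finditer(js)]


if __name__ == "__main__":
    for kind, items in extract_endpoints(SAMPLE_JS).items():
        print(kind, items)
    print("secret candidates:", find_secret_candidates(SAMPLE_JS))
```

The template literal with `${id}` is kept as-is so the reader sees that the route is parameterised; a real scan would also need to handle escaped quotes and concatenated strings, which this regex pass deliberately ignores.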
3. Analyze target
Analyze target
• Shows which parameters are used and how many times
• Lateral expansion of a vulnerability: useful in some cases when you want to hunt for vulnerabilities parameter by parameter
How to use
1. Click Engagement tools > Analyze target
Review the analysis results
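The tally behind Analyze target, and the "lateral expansion" use the slide mentions, can be reproduced over a proxy history by collecting parameter names from each request's query string and form body. The following Python is an added example (not Burp's code and not from the slides): it counts, per parameter name, how many requests carry it and which endpoints accept it, and then answers the follow-up question of where else a parameter name appears once an issue has been confirmed in it at one endpoint. SAMPLE_HISTORY is constructed and all function names are hypothetical.

```python
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Added example: an Analyze-target-style tally of parameter names over proxy history.
# Names are hypothetical; SAMPLE_HISTORY is constructed (method, URL, urlencoded body).
SAMPLE_HISTORY = [
    ("GET",  "https://app.example.test/search?q=burp&page=1", ""),
    ("GET",  "https://app.example.test/search?q=suite&page=2&sort=asc", ""),
    ("POST", "https://app.example.test/login", "user=alice&password=hunter2&redirect=/home"),
    ("GET",  "https://app.example.test/profile?id=42", ""),
    ("POST", "https://app.example.test/profile/update", "id=42&email=alice%40example.test"),
    ("GET",  "https://app.example.test/orders?id=7&page=1", ""),
]


def parameter_names(url, body):
    """Every parameter name carried by one request: query string plus form body."""
    names = {n for n, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    names |= {n for n, _ in parse_qsl(body, keep_blank_values=True)}
    return names


def analyze_parameters(history):
    """Return (uses, where): uses[name] = number of requests carrying the parameter,
    where[name] = set of 'METHOD /path' endpoints that accept it."""
    uses, where = Counter(), defaultdict(set)
    for method, url, body in history:
        path = urlsplit(url).path
        for name in parameter_names(url, body):
            uses[name] += 1
            where[name].add(f"{method} {path}")
    return uses, dict(where)


def lateral_targets(where, name, found_at):
    """After confirming an issue in parameter `name` at endpoint `found_at`, list the
    other endpoints that accept the same parameter name (the slide's lateral expansion)."""
    return sorted(where.get(name, set()) - {found_at})


def report(history):
    """One line per parameter, most-used first, with the endpoints it appears on."""
    uses, where = analyze_parameters(history)
    lines = [f"{name:10} used {count}x at {', '.join(sorted(where[name]))}"
             for name, count in sorted(uses.items(), key=lambda kv: (-kv[1], kv[0]))]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_HISTORY))
    _, where = analyze_parameters(SAMPLE_HISTORY)
    print("also accepts id:", lateral_targets(where, "id", "GET /profile"))
```

On the constructed history, `id` and `page` are the most reused names, and `id` is accepted by three endpoints; the parameters used once (`sort`, `email`, `redirect`) are the ones Analyze target would show as single-use. Only urlencoded bodies are parsed here; JSON bodies and path parameters would need their own extractor.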
Happy Hunting!