vulnerscom / burp-vulners-scanner Goto Github PK
View Code? Open in Web Editor NEWVulnerability scanner based on vulners.com search API
License: GNU Lesser General Public License v3.0
burp-vulners-scanner's People
Contributors
Stargazers
Watchers
Forkers
techlord-rce irivera007 5up3rc m00zh33 shrv minkione aglerj moccamc abhijithbr 1572766337 tuian caoyunzhu kbahaxor mferreirasec phpplay songofhack mgcfish murthysagi mjgrey expert4u-rahul 0x13337 bhassani subinacls smallmeet portswigger security-geeks icakir tobey123 mrmugiwara 957204459 infosecsecurity vf3ng olivierh59500 dipsec grukz whb224117 lei720 own2pwn bwry keerok samyoyo mohanad-mw3 wyousquared yeyintminthuhtut adzon ismailbozkurt losiry zjgwhh h1d3r ox-b dictionaryhouse jithinraj lw1988 team-firebugs rdincel1 dnkls zuoshouxu ch4p34un0ir prodject fingerleakers bipabo1l bollfk rohithreddy12 alilangtest selfevo vaginessa nbg0x1 ro9ueadmin amreetvishal c0ntr07 akustolin greatspider135 drkeinelustt allisone-0 shangadi latestalexey strunz983 redteam-tools 0xbadca7 noodled 8l4nk grayguest shellsec ethelhub funreason slooppe modulexcite trrnt wutenglan sha-512 ngkogkos pentestmafia jayway007 toygang kakakpy gnebbia pentesterkaly imulmul sudonone acealchemycyberblazeburp-vulners-scanner's Issues
Domain is blocked
Hi,
Your domain is blocked in my organization. I tried to load the rules manually, but they are not loading.
Is there a way to achieve this?
Otherwise, can that be implemented?
Thanks!
org.json.JSONException
org.json.JSONException: A JSONObject text must end with '}' at 32021 [character 9 line 914]
at org.json.JSONTokener.syntaxError(JSONTokener.java:451)
at org.json.JSONObject.(JSONObject.java:201)
at org.json.JSONTokener.nextValue(JSONTokener.java:380)
at org.json.JSONObject.(JSONObject.java:215)
at org.json.JSONTokener.nextValue(JSONTokener.java:380)
at org.json.JSONObject.(JSONObject.java:215)
at org.json.JSONObject.(JSONObject.java:319)
at burp.HttpClient.parseResponse(HttpClient.java:51)
at burp.HttpClient.get(HttpClient.java:43)
at burp.VulnersService.loadRules(VulnersService.java:133)
at burp.BurpExtender.initPassiveScan(BurpExtender.java:41)
at com.codemagi.burp.PassiveScan.initialize(PassiveScan.java:37)
at com.codemagi.burp.BaseExtender.registerExtenderCallbacks(BaseExtender.java:49)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.base/java.lang.reflect.Method.invoke(Unknown Source)
at burp.gsu.lambda$registerExtenderCallbacks$0(Unknown Source)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
java.lang.IllegalArgumentException: Invalid offsets
I can see following output in the Error log for this extender:
at burp.fcg.addScanIssue(Unknown Source)
at burp.uvb.addScanIssue(Unknown Source)
at burp.jbf.addScanIssue(Unknown Source)
at burp.VulnersService$1.onScannerSuccess(VulnersService.java:89)
at burp.VulnersRestCallback.onSuccess(VulnersRestCallback.java:42)
at burp.VulnersRestCallback.completed(VulnersRestCallback.java:60)
at com.mashape.unirest.http.HttpClientHelper$1.completed(HttpClientHelper.java:82)
at com.mashape.unirest.http.HttpClientHelper$1.completed(HttpClientHelper.java:75)
at org.apache.http.concurrent.BasicFuture.completed(BasicFuture.java:119)
at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.responseCompleted(DefaultClientExchangeHandlerImpl.java:177)
at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.processResponse(HttpAsyncRequestExecutor.java:432)
at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.inputReady(HttpAsyncRequestExecutor.java:325)
at org.apache.http.impl.nio.DefaultNHttpClientConnection.consumeInput(DefaultNHttpClientConnection.java:267)
at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:81)
at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:39)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:123)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:164)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:339)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:317)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:278)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:106)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:590)
at java.lang.Thread.run(Thread.java:745)
java.lang.IllegalArgumentException: Invalid offsets: the list should be in sequence and offsets should not overlap.
at burp.fcg.addScanIssue(Unknown Source)
at burp.uvb.addScanIssue(Unknown Source)
at burp.jbf.addScanIssue(Unknown Source)
at burp.VulnersService$1.onScannerSuccess(VulnersService.java:89)
at burp.VulnersRestCallback.onSuccess(VulnersRestCallback.java:42)
at burp.VulnersRestCallback.completed(VulnersRestCallback.java:60)
at com.mashape.unirest.http.HttpClientHelper$1.completed(HttpClientHelper.java:82)
at com.mashape.unirest.http.HttpClientHelper$1.completed(HttpClientHelper.java:75)
at org.apache.http.concurrent.BasicFuture.completed(BasicFuture.java:119)
at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.responseCompleted(DefaultClientExchangeHandlerImpl.java:177)
at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.processResponse(HttpAsyncRequestExecutor.java:432)
at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.inputReady(HttpAsyncRequestExecutor.java:325)
at org.apache.http.impl.nio.DefaultNHttpClientConnection.consumeInput(DefaultNHttpClientConnection.java:267)
at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:81)
at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:39)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:123)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:164)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:339)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:317)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:278)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:106)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:590)
at java.lang.Thread.run(Thread.java:745)
java.lang.IllegalArgumentException: Invalid offsets: the list should be in sequence and offsets should not overlap.
at burp.fcg.addScanIssue(Unknown Source)
at burp.uvb.addScanIssue(Unknown Source)
at burp.jbf.addScanIssue(Unknown Source)
at burp.VulnersService$1.onFail(VulnersService.java:103)
at burp.VulnersRestCallback.completed(VulnersRestCallback.java:56)
at com.mashape.unirest.http.HttpClientHelper$1.completed(HttpClientHelper.java:82)
at com.mashape.unirest.http.HttpClientHelper$1.completed(HttpClientHelper.java:75)
at org.apache.http.concurrent.BasicFuture.completed(BasicFuture.java:119)
at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.responseCompleted(DefaultClientExchangeHandlerImpl.java:177)
at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.processResponse(HttpAsyncRequestExecutor.java:432)
at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.inputReady(HttpAsyncRequestExecutor.java:325)
at org.apache.http.impl.nio.DefaultNHttpClientConnection.consumeInput(DefaultNHttpClientConnection.java:267)
at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:81)
at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:39)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:123)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:164)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:339)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:317)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:278)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:106)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:590)
at java.lang.Thread.run(Thread.java:745)
java.lang.IllegalArgumentException: Invalid offsets: the list should be in sequence and offsets should not overlap.
at burp.fcg.addScanIssue(Unknown Source)
at burp.uvb.addScanIssue(Unknown Source)
at burp.jbf.addScanIssue(Unknown Source)
at burp.VulnersService$1.onFail(VulnersService.java:103)
at burp.VulnersRestCallback.completed(VulnersRestCallback.java:56)
at com.mashape.unirest.http.HttpClientHelper$1.completed(HttpClientHelper.java:82)
at com.mashape.unirest.http.HttpClientHelper$1.completed(HttpClientHelper.java:75)
at org.apache.http.concurrent.BasicFuture.completed(BasicFuture.java:119)
at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.responseCompleted(DefaultClientExchangeHandlerImpl.java:177)
at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.processResponse(HttpAsyncRequestExecutor.java:432)
at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.inputReady(HttpAsyncRequestExecutor.java:325)
at org.apache.http.impl.nio.DefaultNHttpClientConnection.consumeInput(DefaultNHttpClientConnection.java:267)
at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:81)
at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:39)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:123)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:164)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:339)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:317)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:278)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:106)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:590)
at java.lang.Thread.run(Thread.java:745)
Is it possible to fix it? I didn't add/alter any rules, only those default ones, freshly loaded from vulners.com are used.
Thanks
Upload to BApp store
Can you upload this extension to BurpSuite BApp store?
false positive (high/firm) for IIS (7.5)
Hello,
I doubt this is a valid finding (high, firm) as it looks to me the server banner was just taken and a lookup was performed:
For this the IIS from 2008R2 shouldn't have been patched. One cannot tell from the outside -- at least not by looking at this banner.
Can this be either taken out or at least changed to info/firm, then at least not supplying the CVEs?
Thx, Dirk
Setting Proxy is missleading
I noticed that activating the use of a proxy and afterwards changing the proxies host and port will not set the proxy correctly. Only changing the option to use a proxy will finally set the altered settings.
for example:
- Select "Proxy enabled"
- Change the Host name to abcd.com
- Internally still the old host is used
- deactivate and active the "Proxy enabled" option
- Now the host abcd.com is used to contact https://vulners.com
java.net.UnknownHostException
When I open Burp from CMD, and load the newest version of Extender from official BApp store, I can see following exception in CMD window:
C:\Program Files\BurpSuitePro>java -jar burpsuite_pro.jar
com.mashape.unirest.http.exceptions.UnirestException: java.net.UnknownHostException: vulners.com
at com.mashape.unirest.http.HttpClientHelper$1.failed(HttpClientHelper.java:86)
at org.apache.http.concurrent.BasicFuture.failed(BasicFuture.java:134)
at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.failed(AbstractClientExchangeHandler.java:419)
at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.connectionRequestFailed(AbstractClientExchangeHandler.java:335)
at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.access$100(AbstractClientExchangeHandler.java:62)
at org.apache.http.impl.nio.client.AbstractClientExchangeHandler$1.failed(AbstractClientExchangeHandler.java:378)
at org.apache.http.concurrent.BasicFuture.failed(BasicFuture.java:134)
at org.apache.http.impl.nio.conn.PoolingNHttpClientConnectionManager$InternalPoolEntryCallback.failed(PoolingNHttpClientConnectionManager.java:503)
at org.apache.http.concurrent.BasicFuture.failed(BasicFuture.java:134)
at org.apache.http.nio.pool.AbstractNIOConnPool.fireCallbacks(AbstractNIOConnPool.java:453)
at org.apache.http.nio.pool.AbstractNIOConnPool.lease(AbstractNIOConnPool.java:285)
at org.apache.http.impl.nio.conn.PoolingNHttpClientConnectionManager.requestConnection(PoolingNHttpClientConnectionManager.java:265)
at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.requestConnection(AbstractClientExchangeHandler.java:363)
at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.start(DefaultClientExchangeHandlerImpl.java:125)
at org.apache.http.impl.nio.client.InternalHttpAsyncClient.execute(InternalHttpAsyncClient.java:141)
at org.apache.http.impl.nio.client.CloseableHttpAsyncClient.execute(CloseableHttpAsyncClient.java:74)
at org.apache.http.impl.nio.client.CloseableHttpAsyncClient.execute(CloseableHttpAsyncClient.java:107)
at org.apache.http.impl.nio.client.CloseableHttpAsyncClient.execute(CloseableHttpAsyncClient.java:91)
at com.mashape.unirest.http.HttpClientHelper.requestAsync(HttpClientHelper.java:102)
at com.mashape.unirest.request.BaseRequest.asJsonAsync(BaseRequest.java:76)
at burp.VulnersService.loadRules(VulnersService.java:165)
at burp.BurpExtender.initPassiveScan(BurpExtender.java:32)
at com.codemagi.burp.PassiveScan.initialize(PassiveScan.java:37)
at com.codemagi.burp.BaseExtender.registerExtenderCallbacks(BaseExtender.java:49)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at burp.mch.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.net.UnknownHostException: vulners.com
at java.net.Inet6AddressImpl.lookupAllHostAddr(Native Method)
at java.net.InetAddress$2.lookupAllHostAddr(Unknown Source)
at java.net.InetAddress.getAddressesFromNameService(Unknown Source)
at java.net.InetAddress.getAllByName0(Unknown Source)
at java.net.InetAddress.getAllByName(Unknown Source)
at java.net.InetAddress.getAllByName(Unknown Source)
at org.apache.http.impl.conn.SystemDefaultDnsResolver.resolve(SystemDefaultDnsResolver.java:45)
at org.apache.http.impl.nio.conn.PoolingNHttpClientConnectionManager$InternalAddressResolver.resolveRemoteAddress(PoolingNHttpClientConnectionManager.java:608)
at org.apache.http.impl.nio.conn.PoolingNHttpClientConnectionManager$InternalAddressResolver.resolveRemoteAddress(PoolingNHttpClientConnectionManager.java:579)
at org.apache.http.nio.pool.AbstractNIOConnPool.processPendingRequest(AbstractNIOConnPool.java:426)
at org.apache.http.nio.pool.AbstractNIOConnPool.lease(AbstractNIOConnPool.java:275)
... 19 more
Is it possible you gracefully reported to user (in my case, I'm behind firewall and I need properly set proxy to load the database) that the URL is unreachable, instead throwing this exception?
Thanks
False positive: Tomcat etc. banner
Hi,
thx for your tremendously useful software.
I think there's a misinterpretation of the web server header / banner: Server: Apache-Coyote/1.1 . To my knowledge all version of Tomcat and friends have that banner.
Issue detail
The following vulnerabilities for software Apache Coyote (Tomcat) - 1.1 found:
CVE-2013-4286 - 5.8 - CVE-2013-4286 Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification...
CVE-2013-4590 - 4.3 - CVE-2013-4590 Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML documen...
[..]
CVE-2005-2090 - 4.3 - CVE-2005-2090 Jakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a...
[..]
Cheers, Dirk
java.lang.IllegalArgumentException
Sep 01, 2018 4:44:42 PM org.apache.http.client.protocol.ResponseProcessCookies processCookies
WARNING: Invalid cookie header: "Set-Cookie: vulnersSession=YV5C4G8V9U5J3NUFO86RIGPNT2ZUVYCP00LC3YN9OPZYZ7S60TL2TVNWZMAIR459BUVC1S8PQZK62XHIYHYMRRRD306U99NCW0P951J5R0CD6S4MEE833F877J6D3OS3:8UhRTZbJHiHdLZoF7j8oUMf9tuw; Domain=.vulners.com; expires=Sat, 01 Sep 2018 14:44:52 GMT; HttpOnly; Max-Age=10; Path=/; Secure". Invalid 'expires' attribute: Sat, 01 Sep 2018 14:44:52 GMT
Sep 01, 2018 4:44:43 PM org.apache.http.client.protocol.ResponseProcessCookies processCookies
WARNING: Invalid cookie header: "Set-Cookie: vulnersSession=BLLNIX9BV3XJNFQKRWW691GYS629ASOC22TQ5AO0LRADDTGEYG8C15I5U5H8H6VK61GYYANGKWPIN1PBKSVMCBNUF6Y5PNLP9OJF4L1FBR23BZ7WV7IZNZYHFFQV56IQ:Wg16vwdvh5JSOHmkDccL054Elv8; Domain=.vulners.com; expires=Sat, 01 Sep 2018 14:44:53 GMT; HttpOnly; Max-Age=10; Path=/; Secure". Invalid 'expires' attribute: Sat, 01 Sep 2018 14:44:53 GMT
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
com.mashape.unirest.http.exceptions.UnirestException: java.lang.IllegalArgumentException: Invalid offsets: the list should be in sequence and offsets should not overlap.
at com.mashape.unirest.http.HttpClientHelper$1.failed(HttpClientHelper.java:86)
at org.apache.http.concurrent.BasicFuture.failed(BasicFuture.java:134)
at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.failed(AbstractClientExchangeHandler.java:419)
at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.exception(HttpAsyncRequestExecutor.java:154)
at org.apache.http.impl.nio.DefaultNHttpClientConnection.consumeInput(DefaultNHttpClientConnection.java:278)
at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:81)
at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:39)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:123)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:164)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:339)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:317)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:278)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:106)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:590)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalArgumentException: Invalid offsets: the list should be in sequence and offsets should not overlap.
at burp.v0d.addScanIssue(Unknown Source)
at burp.nb.addScanIssue(Unknown Source)
at burp.aph.addScanIssue(Unknown Source)
at burp.VulnersService$1.onScannerSuccess(VulnersService.java:89)
at burp.VulnersRestCallback.onSuccess(VulnersRestCallback.java:42)
at burp.VulnersRestCallback.completed(VulnersRestCallback.java:60)
at com.mashape.unirest.http.HttpClientHelper$1.completed(HttpClientHelper.java:82)
at com.mashape.unirest.http.HttpClientHelper$1.completed(HttpClientHelper.java:75)
at org.apache.http.concurrent.BasicFuture.completed(BasicFuture.java:119)
at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.responseCompleted(DefaultClientExchangeHandlerImpl.java:177)
at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.processResponse(HttpAsyncRequestExecutor.java:432)
at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.inputReady(HttpAsyncRequestExecutor.java:325)
at org.apache.http.impl.nio.DefaultNHttpClientConnection.consumeInput(DefaultNHttpClientConnection.java:267)
... 10 more
Dependency Conflict: duplicate classes "org.objectweb.asm.Type.getObjectType" in different JARs, have different implementations
Hi, in burp-vulners-scanner-1.2, duplicate classes with the same fully-qualified name org.objectweb.asm.Type.getObjectType are included in two different libraries, i.e., org.ow2.asm:asm:5.0.3 and asm:asm:3.0.
According to "first declaration wins" class loading strategy, only this class in asm:asm:3.0 can be loaded, and that in org.ow2.asm:asm:5.0.3 will be shadowed.
By further analyzing, your project expects to invoke method org.objectweb.asm.Type.getObjectType in org.ow2.asm:asm:5.0.3. As it has been shadowed, so that this method defined in asm:asm:3.0 are actually forced to be referenced via the following invocation path:
<burp.VulnersService: checkSoftware(Ljava/lang/String;Lburp/models/Software;Lburp/IHttpRequestResponse;Ljava/util/List;)V> /root/sensor/unzip/burp-vulners-scanner-1.2/target/classes
<com.googlecode.concurrentlinkedhashmap.ConcurrentHashMapV8: get(Ljava/lang/Object;)Ljava/lang/Object;> /root/.m2/repository/com/googlecode/concurrentlinkedhashmap/concurrentlinkedhashmap-lru/1.4.2/concurrentlinkedhashmap-lru-1.4.2.jar
<org.apache.commons.lang3.time.DurationFormatUtils$Token: equals(Ljava/lang/Object;)Z> /root/.m2/repository/org/apache/commons/commons-lang3/3.1/commons-lang3-3.1.jar
<org.objectweb.asm.tree.analysis.BasicValue: toString()Ljava/lang/String;> /root/.m2/repository/org/ow2/asm/asm-analysis/5.0.3/asm-analysis-5.0.3.jar
<org.objectweb.asm.tree.analysis.BasicValue: <clinit>()V> /root/.m2/repository/org/ow2/asm/asm-analysis/5.0.3/asm-analysis-5.0.3.jar
<org.objectweb.asm.Type: getObjectType(Ljava/lang/String;)Lorg/objectweb/asm/Type;>
Workaround solution:
An easy way to workaround the problem is reversing the declaration order of these two libraries (i.e., reverse the declaration order of httpclient and maven-resolver-transport-http) in pom file.
Then, according to "first declaration wins" class loading strategy, class org.objectweb.asm.Type.getObjectType in org.ow2.asm:asm:5.0.3 can be loaded (the version that burp-vulners-scanner-1.2 expects to reference by static analysis).
This fix will not affect other libraries or class, except the above duplicate class.
Dependency tree---
[INFO] burp-vulners-scanner:burp-vulners-scanner:jar:1.2
[INFO] +- com.codemagi:burp-suite-utils:jar:LATEST:compile
[INFO] | - net.portswigger.burp.extender:burp-extender-api:jar:LATEST:compile
[INFO] +- com.intellij:forms_rt:jar:7.0.3:compile
[INFO] | +- asm:asm-commons:jar:3.0:compile
[INFO] | | - asm:asm-tree:jar:3.0:compile
[INFO] | | - asm:asm:jar:3.0:compile
[INFO] | +- com.jgoodies:forms:jar:1.1-preview:compile
[INFO] | - jdom:jdom:jar:1.0:compile
[INFO] +- org.jtwig:jtwig-core:jar:5.85.3.RELEASE:compile
[INFO] | +- org.jtwig:jtwig-reflection:jar:5.85.3.RELEASE:compile
[INFO] | | +- (com.google.guava:guava:jar:18.0:compile - omitted for duplicate)
[INFO] | | +- (org.apache.commons:commons-lang3:jar:3.1:compile - omitted for duplicate)
[INFO] | | - (org.slf4j:slf4j-api:jar:1.7.12:compile - omitted for duplicate)
[INFO] | +- com.google.guava:guava:jar:18.0:compile
[INFO] | +- org.apache.commons:commons-lang3:jar:3.1:compile
[INFO] | +- org.parboiled:parboiled-java:jar:1.1.7:compile
[INFO] | | +- org.parboiled:parboiled-core:jar:1.1.7:compile
[INFO] | | +- org.ow2.asm:asm:jar:5.0.3:compile
[INFO] | | +- org.ow2.asm:asm-tree:jar:5.0.3:compile
[INFO] | | | - (org.ow2.asm:asm:jar:5.0.3:compile - omitted for duplicate)
[INFO] | | +- org.ow2.asm:asm-analysis:jar:5.0.3:compile
[INFO] | | | - (org.ow2.asm:asm-tree:jar:5.0.3:compile - omitted for duplicate)
[INFO] | | - org.ow2.asm:asm-util:jar:5.0.3:compile
[INFO] | | - (org.ow2.asm:asm-tree:jar:5.0.3:compile - omitted for duplicate)
[INFO] | +- org.slf4j:slf4j-api:jar:1.7.12:compile
[INFO] | - com.googlecode.concurrentlinkedhashmap:concurrentlinkedhashmap-lru:jar:1.4.2:compile
[INFO] - org.json:json:jar:20160810:compile
Thank you very much.
Best,
Coco
Does not appear to be working anymore.
I installed the extension from the BApp store and am browsing a target web app that clearly has many software version disclosures through various HTTP response headers (.NET MVC application on IIS). I also have Logger++ running. At no point does the extension identify any of the the response headers, and at no point does the extension attempt to reach out to the vulners database. The only time the vulners extension generates any network activity is when I load the detection signatures through its configuration interface. Is this extension still functional? is this project still supported?
Too many results returned, fails to show there are vulnerabilities
Given a site "www.notrealsite.com" with header: X-Powered-By: PHP/5.3.3
The extension outputs:
[Vulners] start check for domain www.notrealsite.com for software PHP, headers/5.3.3 : https://vulners.com/api/v3/burp/software/?software=cpe%3A%2Fa%3Aphp%3Aphp&version=5.3.3&type=cpe
But does not report anything in Burp.
Opening this URL manually:
https://vulners.com/api/v3/burp/software/?software=cpe%3A%2Fa%3Aphp%3Aphp&version=5.3.3&type=cpe
returns this:
{
"result": "warning",
"data": {
"warning": "Too much results - 70 for the query (cpe:"cpe:/a:php:php" AND (cpe:5.3.3* OR (description:"5.3.3" AND NOT ("before version 5.3.3" OR "< 5.3.3" OR "less than 5.3.3" OR "before 5.3.3" OR "prior to 5.3.3")))) OR (description:"php" AND description:"5.3.3" AND title:"php" AND bulletinFamily:exploit AND NOT ("before version 5.3.3" OR "< 5.3.3" OR "less than 5.3.3" OR "before 5.3.3" OR "prior to 5.3.3") AND -type:seebug) with software:cpe:/a:php:php version:5.3.3",
"errorCode": 402
}
}
I should mention i am using Burp 2.0.12beta
does not detect Sitefinity vulnerabilites
I'm testing a website generated with Sitefinity vulnerable version (https://vulners.com/nessus/TELERIK_UI_FOR_ASPNET_AJAX_CVE-2017-9248.NASL). There are few tags in the source code with its references:
<meta name="Generator" content="Sitefinity 8.0.5700.0 PE" />
<link href="/Telerik.Web.UI.WebResource.axd?d=db0VBNCGqiCBC3Vgke_pPFchlOHtWXWZy5yiIL7Xkw4BKD4t0egHi-CSQGlanoHiwNHz42KiKocVdBEET-qqRKf7mRxdch7uo9JWF6hDykNfKCdduw1nCwUiwqEWEwuKQ2&t=63524329720342&compress=0&_TSM_CombinedScripts_=%3b%3bTelerik.Sitefinity.Resources%2c+Version%3d8.0.5700.0
<script type="text/javascript">
--
| //<
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.