GithubHelp home page GithubHelp logo

很棒的工具 about springspider HOT 3 CLOSED

whwlsfb avatar whwlsfb commented on August 27, 2024
很棒的工具

from springspider.

Comments (3)

whwlsfb avatar whwlsfb commented on August 27, 2024

还有这个位置,并且还要添加页面检查相关的逻辑,因为不是简单 StatusCode == 200就算检测到的。

SpringSpider/src/main/java/burp/scanner/sub/SpringActuator.java

Lines 16 to 59 in fb9de43

private final List<Payload> payloads = new ArrayList<Payload>() {{
add(new Payload(new ArrayList<String[]>() {{
add(new String[]{"env"});
add(new String[]{"actuator", "env"});
}}, (baseRequestResponse, checkRequest, newUrl) -> {
IResponseKeywords founds = Utils.Helpers.analyzeResponseKeywords(new ArrayList<String>() {{
add("java.version");
add("os.arch");
}}, checkRequest.getResponse());
if (BypassPayloadUtils.hasFound(founds, 0) && Utils.Helpers.analyzeResponse(checkRequest.getResponse()).getStatusCode() == 200) {
Utils.Callback.printOutput("found " + newUrl + ".\r\n");
return new Issue(
baseRequestResponse.getHttpService(),
newUrl,
new IHttpRequestResponse[]{checkRequest},
"Spring Actuator-Env found.",
"URL: " + newUrl,
"Medium", true);
} else {
return null;
}
}));
add(new Payload(new ArrayList<String[]>() {{
add(new String[]{"actuator"});
}}, (baseRequestResponse, checkRequest, newUrl) -> {
IResponseKeywords founds = Utils.Helpers.analyzeResponseKeywords(new ArrayList<String>() {{
add("health");
add("{\"self\":{");
add("{\"_links\":{");
}}, checkRequest.getResponse());
if (BypassPayloadUtils.hasFound(founds, 0) && Utils.Helpers.analyzeResponse(checkRequest.getResponse()).getStatusCode() == 200) {
Utils.Callback.printOutput("found " + newUrl + ".\r\n");
return new Issue(
baseRequestResponse.getHttpService(),
newUrl,
new IHttpRequestResponse[]{checkRequest},
"Spring Actuator found.",
"URL: " + newUrl,
"Medium", false);
} else {
return null;
}
}));
}};

from springspider.

whwlsfb avatar whwlsfb commented on August 27, 2024

而且建议不要添加heapdump的检查,这个文件一般比较庞大,不适合用在扫描场景

from springspider.

able9527 avatar able9527 commented on August 27, 2024

嗯嗯,我试着改下,感谢师傅

from springspider.

Related Issues (1)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.