Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/jiangsir404/Xss-Sql-Fuzz
burpsuite 插件对GP所有参数(过滤特殊参数)一键自动添加xss sql payload 进行fuzz
https://github.com/jiangsir404/Xss-Sql-Fuzz
burp burp-extensions burpsuite python
Last synced: 15 days ago
JSON representation
burpsuite 插件对GP所有参数(过滤特殊参数)一键自动添加xss sql payload 进行fuzz
- Host: GitHub
- URL: https://github.com/jiangsir404/Xss-Sql-Fuzz
- Owner: jiangsir404
- Created: 2018-12-04T05:19:31.000Z (almost 6 years ago)
- Default Branch: master
- Last Pushed: 2018-12-04T10:34:52.000Z (almost 6 years ago)
- Last Synced: 2024-07-31T08:11:47.843Z (3 months ago)
- Topics: burp, burp-extensions, burpsuite, python
- Language: Python
- Homepage:
- Size: 285 KB
- Stars: 59
- Watchers: 4
- Forks: 10
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-bugbounty-tools - Xss-Sql-Fuzz - burpsuite 插件对GP所有参数(过滤特殊参数)一键自动添加xss sql payload 进行fuzz (Exploitation / XSS Injection)
README
## Xss-Sql-Fuzz
一个burpsuite 插件 用来fuzz xss和sql注入, 可以对post,get 的所有参数一键自动添加上我们的payload.
## Usage
Extender->Option 添加jython包
Extender->Extensions->Add 添加Xss-Sql-Fuzz.py 插件。
## ToDO
- [x] 对GET型参数添加payload
- [x] 对POST型参数添加payload
- [x] 对响应中的unicode 解码
- [x] 对GET POST型中的一些特殊参数比如token,submit, code,sign,action这些参数,会自动进行模糊匹配跳过。
- [x] 添加XFF头
- [x] 添加Referer(基于host头)
- [x] 对json格式的post数据进行处理
- [ ] 生成json csrf 表单
如果想自定义payload, 直接再代码里面改即可。
menuItem = ['addXFF','post fuzz1:x\'">','post fuzz2:![]()
','post fuzz3:\'-sleep(3)-\'','get fuzz1:x\'">',
'get fuzz2:![]()
','get fuzz3:\'-sleep(3)-\'']
payload 如上,直接改冒号右边的payload即可生效,也可以自己添加菜单栏,添加格式: `get fuzz4:payload4`, `post fuzz4:payload4`
