Added some more exotic base64 encoders that truncate ending ==, Activ…

…e Scan is now off by default for manual GUI scans, fixed size burp collaborator now with valid TLS certificate hostname
slicingmelon · Apr 2, 2019 · 30b10e1 · 30b10e1
1 parent 9bc723a
commit 30b10e1
Showing 1 changed file with 13 additions and 10 deletions.
diff --git a/UploadScanner.py b/UploadScanner.py
@@ -4682,6 +4682,7 @@ class BurpCollaborator:
     # As we currently do around 2000 files, where only max. half of them have Collaborator payloads, 33 is fine.
     # Let's be on the safe side and do 34
     FIXED_PAYLOAD_SIZE = 34
+    # *must* be an uppercase letter
     PADDING_CHAR = "N"
 
     # A IBurpCollaboratorClientContext object that also knows if the
@@ -4731,13 +4732,10 @@ def add_padding(self, payload):
                 payload = payload + "/" + (padding - 1) * BurpCollaborator.PADDING_CHAR
             else:
                 # DNS Form: payload.burpcollaborator.net
-                # We create: NNNNN.payload.burpcollaborator.net
-                if padding == 1:
-                    # Because .payload.burpcollaborator.net  is invalid but
-                    #          payload.burpcollaborator.net. isn't
-                    payload += "."
-                else:
-                    payload = (padding - 1) * BurpCollaborator.PADDING_CHAR + "." + payload
+                # We create: NNNpayload.burpcollaborator.net
+                # Do *not* use a dot between NNN and payload as the
+                # Collaborator TLS certificate is not valid for such a domain
+                payload = padding * BurpCollaborator.PADDING_CHAR + payload
         return payload
 
     def remove_padding(self, payload):
@@ -4750,11 +4748,9 @@ def remove_padding(self, payload):
                 payload = payload[:-1]
         else:
             # DNS Form: payload.burpcollaborator.net
+            # This works because Burp Collaborator payload never contains upper case characters
             while payload.startswith(BurpCollaborator.PADDING_CHAR):
                 payload = payload[1:]
-            if payload.startswith("."):
-                # Remove / as well:
-                payload = payload[1:]
         return payload
 
     def get_dummy_payload(self):
@@ -4841,6 +4837,12 @@ def __init__(self, base_request_response, options, helpers, newline):
             # one line base64: alphanum, %2B, %2F
             lambda x: urllib.quote(x.encode("base64").replace('\n', '').replace('\r', '').strip()),
             # one line base64: alphanum, %2B, /
+
+            lambda x: x.encode("base64").replace('\n', '').replace('\r', '').strip().rstrip('='),  # one line base64: alphanum, +, / but missing end =
+            lambda x: urllib.quote(x.encode("base64").replace('\n', '').replace('\r', '').strip().rstrip('='), ''),
+            # one line base64: alphanum, %2B, %2F but missing end =
+            lambda x: urllib.quote(x.encode("base64").replace('\n', '').replace('\r', '').strip().rstrip('=')),
+            # one line base64: alphanum, %2B, / but missing end =
         ]
         self._default_file_extension = FloydsHelpers.u2s(os.path.splitext(self.opts.fi_ofilename)[1]) or ''
 
@@ -8625,6 +8627,7 @@ def deserialize(self, serialized_object, global_to_tab=False):
             self.modules[name].setSelected(serialized_object['modules'][name])
 
         if global_to_tab:
+            self.modules['activescan'].setSelected(False)
             self.modules['fingerping'].setSelected(True)
 
         for name in serialized_object['file_formats']: