Re: [W3af-develop] importResults burp logs
Status: Beta
Brought to you by:
andresriancho
From: Andres R. <and...@gm...> - 2009-08-09 14:44:31
|
Jon, On Sat, Jul 25, 2009 at 2:16 PM, Andres Riancho<and...@gm...> wrote: > Steven, > > On Sat, Jul 25, 2009 at 12:40 PM, Steven > Pinkham<ste...@ma...> wrote: >> Andres Riancho wrote: >>> Jon, >>> >>> On Fri, Jul 24, 2009 at 3:06 PM, jrose<jr...@ow...> wrote: >>>> Hey, >>>> >>>> I've extended the importResult plugin to parse burp logs for input since I >>>> often use burp when reviewing applications. >>> >>> I also use burp frequently and I never saw how to save/export the >>> proxy logs. After some searching in the burpsuite help I found the the >>> save state appears in the professional version only. Is that right? >> >> Save state and proxy logs are two different things. Save state is only >> for the Pro version, but proxy log saving is in all versions. At least >> it used to be, doubt he has changed it in the latest version. Go to >> Options tab, look for logging options. > > Thanks! > >> sqlmap also is able to take those burp logs and test the parameters for >> SQL injection, which is cool. Burp is so widely used it's a good idea >> to be able to integrate with it. > > @Jon: You should also take a look at this, maybe the sqlmap guys > already have a 100% working module for this and we are reinventing the > wheel. I would have that! For what I understand from the sqlmap code (Line 195 of options.py): if os.path.isfile(conf.list): __feedTargetsDict(conf.list, addedTargetUrls) elif os.path.isdir(conf.list): files = os.listdir(conf.list) files.sort() for reqFile in files: if not re.search("([\d]+)\-request", reqFile): continue __feedTargetsDict(os.path.join(conf.list, reqFile), addedTargetUrls) And from the configuration file (Line 7 sqlmap.conf): # Parse targets from Burp or WebScarab logs # Valid: Burp proxy (http://portswigger.net/suite/) requests log file path # or WebScarab proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project) # 'conversations/' folder path list = I think that webscarab and burpsuite use the same log format. The only difference is that webscarab saves the information across multiple files inside a "conversations" directory, and burp uses only one file. With all this new information, I patched the original importResults.py file. It still needs to get improved a little bit, because the parser is reading all the requests, not only the requests that are from the w3af target host. http://w3af.svn.sourceforge.net/viewvc/w3af?view=rev&revision=2995 Please test the code with your log files and let me know if it's working properly, THANKS! Cheers, > Cheeers, > >> -- >> | Steven E. Pinkham | >> | Security Researcher, Maven Security | >> | http://www.mavensecurity.com | >> | GPG public key ID CD31CAFB | >> >> ------------------------------------------------------------------------------ >> _______________________________________________ >> W3af-develop mailing list >> W3a...@li... >> https://lists.sourceforge.net/lists/listinfo/w3af-develop >> > > > > -- > Andrés Riancho > Founder, Bonsai - Information Security > http://www.bonsai-sec.com/ > http://w3af.sf.net/ > -- Andrés Riancho Founder, Bonsai - Information Security http://www.bonsai-sec.com/ http://w3af.sf.net/ |