Skip to content
Commits on Source (11)
Show whitespace changes
Inline Side-by-side
README.rst
View file @ 61290c0a
......@@ -7,6 +7,10 @@ Build Status
Requirements
------------
Please note that currently, ``Burp-UI`` must be running on the same server that
runs the burp-server.
For LDAP authentication (optional), we need the ``simpleldap`` module that
requires the following packages on Debian:
......@@ -54,6 +58,22 @@ By default, ``burp-ui`` listens on all interfaces (including IPv6) on port 5000.
You can then point your browser to http://127.0.0.1:5000/
Instructions
------------
In order to make the *on the fly* restoration/download functionality work, there
you need to check a few things:
1. Provide the full path of the burp (client) binary file
2. Provide the full path of an empty directory where a temporary restoration
will be made. This involves you have enough space left on that location on
the server that runs ``Burp-UI``
3. Launch ``Burp-UI`` with a user that can proceed restorations and that can
write in the directory above
4. Make sure to configure a client on the server that runs ``Burp-UI`` that can
restore files of other clients (option *restore_client* in burp-server
configuration)
Notes
-----
......@@ -63,16 +83,31 @@ I have closed the *github tracker* to have a unique tracker system.
TODO
----
Here is a non-exhaustive list of things I'd like to add:
* server-initiated restoration (with burp, you can create a special file that triggers a restoration when the client contacts the server the next time. In this case the client must accepts server-initiated restoration).
* burp-server configuration front-end (so that you can configure your burp server within burp-ui).
* More statistics.
* etc.
`Here <https://git.ziirish.me/ziirish/burp-ui/issues?label_name=todo>`_ is a non-exhaustive list of things I'd like to add.
Also note that in the future, I'd like to write a burp-client GUI.
But I didn't think yet of what to do.
Changelog
---------
* version 0.0.4:
- Add the ability to download files directly from the web interface
* version 0.0.3:
- Add authentication
* version 0.0.2:
- Fix bugs
* version 0.0.1:
- Initial release
Licenses
--------
......@@ -80,14 +115,14 @@ Burp-UI is released under the BSD 3-clause `License`_.
But this project is built on top of other tools listed here:
- `d3.js <http://d3js.org/>`_ (`BSD <http://git.ziirish.me/ziirish/burp-ui/blob/master/burpui/static/d3/LICENSE>`__)
- `nvd3.js <http://nvd3.org/>`_ (`Apache <http://git.ziirish.me/ziirish/burp-ui/blob/master/burpui/static/nvd3/LICENSE.md>`__)
- `jQuery <http://jquery.com/>`_ (`MIT <http://git.ziirish.me/ziirish/burp-ui/blob/master/burpui/static/jquery/MIT-LICENSE.txt>`__)
- `jQuery-UI <http://jqueryui.com/>`_ (`MIT <http://git.ziirish.me/ziirish/burp-ui/blob/master/burpui/static/jquery-ui/MIT-LICENSE.txt>`__)
- `fancytree <https://github.com/mar10/fancytree>`_ (`MIT <http://git.ziirish.me/ziirish/burp-ui/blob/master/burpui/static/fancytree/MIT-LICENSE.txt>`__)
- `bootstrap <http://getbootstrap.com/>`_ (`MIT <http://git.ziirish.me/ziirish/burp-ui/blob/master/burpui/static/bootstrap/LICENSE>`__)
- `typeahead <http://twitter.github.io/typeahead.js/>`_ (`MIT <http://git.ziirish.me/ziirish/burp-ui/blob/master/burpui/static/typeahead/LICENSE>`__)
- `bootswatch <http://bootswatch.com/>`_ (`MIT <http://git.ziirish.me/ziirish/burp-ui/blob/master/burpui/static/bootstrap/bootswatch.LICENSE>`__)
- `d3.js <http://d3js.org/>`_ (`BSD <https://git.ziirish.me/ziirish/burp-ui/blob/master/burpui/static/d3/LICENSE>`__)
- `nvd3.js <http://nvd3.org/>`_ (`Apache <https://git.ziirish.me/ziirish/burp-ui/blob/master/burpui/static/nvd3/LICENSE.md>`__)
- `jQuery <http://jquery.com/>`_ (`MIT <https://git.ziirish.me/ziirish/burp-ui/blob/master/burpui/static/jquery/MIT-LICENSE.txt>`__)
- `jQuery-UI <http://jqueryui.com/>`_ (`MIT <https://git.ziirish.me/ziirish/burp-ui/blob/master/burpui/static/jquery-ui/MIT-LICENSE.txt>`__)
- `fancytree <https://github.com/mar10/fancytree>`_ (`MIT <https://git.ziirish.me/ziirish/burp-ui/blob/master/burpui/static/fancytree/MIT-LICENSE.txt>`__)
- `bootstrap <http://getbootstrap.com/>`_ (`MIT <https://git.ziirish.me/ziirish/burp-ui/blob/master/burpui/static/bootstrap/LICENSE>`__)
- `typeahead <http://twitter.github.io/typeahead.js/>`_ (`MIT <https://git.ziirish.me/ziirish/burp-ui/blob/master/burpui/static/typeahead/LICENSE>`__)
- `bootswatch <http://bootswatch.com/>`_ (`MIT <https://git.ziirish.me/ziirish/burp-ui/blob/master/burpui/static/bootstrap/bootswatch.LICENSE>`__)
Also note that this project is made with the Awesome `Flask`_ micro-framework.
......@@ -98,6 +133,6 @@ Special Thanks to Graham Keeling for its great software! This project would not
exist without `Burp`_.
.. _Flask: http://flask.pocoo.org/
.. _License: http://git.ziirish.me/ziirish/burp-ui/blob/master/LICENSE
.. _License: https://git.ziirish.me/ziirish/burp-ui/blob/master/LICENSE
.. _Burp: http://burp.grke.org/
.. _burpui.cfg: http://git.ziirish.me/ziirish/burp-ui/blob/master/burpui.cfg
.. _burpui.cfg: https://git.ziirish.me/ziirish/burp-ui/blob/master/burpui.cfg
burpui/misc/backend/burp1.py
View file @ 61290c0a
# -*- coding: utf8 -*-
import re
import os
import socket
import time
import json
import datetime
import ConfigParser
import shutil
import subprocess
import zipfile
from burpui.misc.utils import human_readable as _hr
from burpui.misc.backend.interface import BUIbackend, BUIserverException
g_burpport = 4972
g_burphost = '127.0.0.1'
g_tmpdir = '/tmp/buirestore'
g_burpbin = '/usr/sbin/burp'
class Burp(BUIbackend):
states = {
......@@ -52,25 +59,56 @@ class Burp(BUIbackend):
'path'
]
def __init__(self, app=None, host='127.0.0.1', port=4972, conf=None):
global g_burpport, g_burphost
def __init__(self, app=None, conf=None):
global g_burpport, g_burphost, g_tmpdir, g_burpbin
self.app = app
self.host = host
self.port = port
self.host = g_burphost
self.port = g_burpport
self.burpbin = g_burpbin
self.tmpdir = g_tmpdir
self.running = []
if conf:
config = ConfigParser.ConfigParser({'bport': g_burpport, 'bhost': g_burphost})
config = ConfigParser.ConfigParser({'bport': g_burpport, 'tmpdir': g_tmpdir, 'burpbin': g_burpbin})
with open(conf) as fp:
config.readfp(fp)
try:
self.port = config.getint('Burp1', 'bport')
self.host = config.get('Burp1', 'bhost')
tdir = config.get('Burp1', 'tmpdir')
bbin = config.get('Burp1', 'burpbin')
if not bbin.startswith('/'):
self.app.logger.warning('Please provide an absolute path for the \'burpbin\' option. Fallback to \'%s\'', g_burpbin)
bbin = g_burpbin
elif not re.match('^\S+$', bbin):
self.app.logger.warning('Incorrect value for the \'burpbin\' option. Fallback to \'%s\'', g_burpbin)
bbin = g_burpbin
elif not os.path.isfile(bbin) or not os.access(bbin, os.X_OK):
self.app.logger.warning('\'%s\' does not exist or is not executable. Fallback to \'%s\'', bbin, g_burpbin)
bbin = g_burpbin
if not tdir.startswith('/'):
self.app.logger.warning('Please provide an absolute path for the \'tmpdir\' option. Fallback to \'%s\'', g_tmpdir)
tdir = g_tmpdir
elif not re.match('^\S+$', tdir):
self.app.logger.warning('Incorrect value for the \'tmpdir\' option. Fallback to \'%s\'', g_tmpdir)
tdir = g_tmpdir
elif os.path.isdir(tdir) and os.listdir(tdir):
raise Exception('\'{0}\' is not empty!'.format(tdir))
elif os.path.isdir(tdir) and not os.access(tdir, os.W_OK|os.X_OK):
self.app.logger.warning('\'%s\' is not writable. Fallback to \'%s\'', tdir, g_tmpdir)
tdir = g_tmpdir
self.burpbin = bbin
self.tmpdir = tdir
except ConfigParser.NoOptionError, e:
self.app.logger.error(str(e))
except ConfigParser.NoSectionError, e:
self.app.logger.error(str(e))
self.app.logger.info('burp port: %d', self.port)
self.app.logger.info('burp host: %s', self.host)
self.app.logger.info('burp binary: %s', self.burpbin)
self.app.logger.info('temporary dir: %s', self.tmpdir)
"""
Utilities functions
......@@ -206,7 +244,7 @@ class Burp(BUIbackend):
returns a dict
"""
r = {}
if not name or name not in running:
if not name or name not in self.running:
return r
f = self.status('c:{0}\n'.format(name))
if not f:
......@@ -253,7 +291,7 @@ class Burp(BUIbackend):
except BUIserverException:
return False
for line in f:
r = re.search('^{0}\s+\d\s+(\S)'.format(name), line)
r = re.search('^{0}\s+\d\s+(\w)'.format(name), line)
if r and r.group(1) not in [ 'i', 'c', 'C' ]:
return True
return False
......@@ -372,3 +410,36 @@ class Burp(BUIbackend):
t['parent'] = top
r.append(t)
return r
def restore_files(self, name=None, backup=None, files=None):
if not name or not backup or not files:
return None
flist = json.loads(files)
if 'restore' not in flist:
return None
if os.path.isdir(self.tmpdir):
shutil.rmtree(self.tmpdir)
for r in flist['restore']:
reg = ''
if r['folder'] and r['key'] != '/':
reg = r['key']+'/'
else:
reg = r['key']
#cmd = self.burpbin+' -C '+name+' -a r -b '+str(backup)+' -r \''+reg+'\' -d '+self.tmpdir
status = subprocess.call([self.burpbin, '-C', name, '-a', 'r', '-b', str(backup), '-r', reg, '-d', self.tmpdir])
if status != 0:
return None
zip_dir = self.tmpdir.rstrip(os.sep)
zip_file = zip_dir+'.zip'
if os.path.isfile(zip_file):
os.remove(zip_file)
zip_len = len(zip_dir) + 1
with zipfile.ZipFile(zip_file, mode='w', compression=zipfile.ZIP_DEFLATED) as zf:
for dirname, subdirs, files in os.walk(zip_dir):
for filename in files:
path = os.path.join(dirname, filename)
entry = path[zip_len:]
zf.write(path, entry)
return zip_file
burpui/routes.py
View file @ 61290c0a
# -*- coding: utf8 -*-
import math
from flask import Flask, request, render_template, jsonify, redirect, url_for, abort, flash, g, session
from flask.ext.login import login_user, login_required, logout_user, current_user
from flask import Flask, request, render_template, jsonify, redirect, url_for, abort, flash, send_file
from flask.ext.login import login_user, login_required, logout_user
from burpui import app, bui, login_manager
from burpui.forms import LoginForm
......@@ -15,22 +15,30 @@ def load_user(userid):
return bui.uhandler.user(userid)
return None
@app.route('/login', methods=['POST', 'GET'])
def login():
form = LoginForm(request.form)
if form.validate_on_submit():
user = bui.uhandler.user(form.username.data)
if user.active and user.login(form.username.data, passwd=form.password.data):
login_user(user, remember=form.remember.data)
flash('Logged in successfully', 'success')
return redirect(request.args.get("next") or url_for('home'))
return render_template('login.html', form=form, login=True)
@app.route('/test/download')
def test_download():
try:
resp = send_file('/tmp/monfichierr', as_attachment=True)
resp.set_cookie('fileDownload', 'true')
return resp
except Exception, e:
abort(500)
@app.route('/logout')
@app.route('/api/restore/<name>/<int:backup>', methods=['POST'])
@login_required
def logout():
logout_user()
return redirect(url_for('home'))
def restore(name=None, backup=None):
l = request.form.get('list')
if not l or not name or not backup:
abort(500)
archive = bui.cli.restore_files(name, backup, l)
if not archive:
abort(500)
try:
resp = send_file(archive, as_attachment=True)
resp.set_cookie('fileDownload', 'true')
return resp
except Exception, e:
abort(500)
"""
Here is the API
......@@ -300,6 +308,23 @@ def client(name=None):
return redirect(url_for('live_monitor', name=name))
return render_template('client.html', client=True, overview=True, cname=c)
@app.route('/login', methods=['POST', 'GET'])
def login():
form = LoginForm(request.form)
if form.validate_on_submit():
user = bui.uhandler.user(form.username.data)
if user.active and user.login(form.username.data, passwd=form.password.data):
login_user(user, remember=form.remember.data)
flash('Logged in successfully', 'success')
return redirect(request.args.get("next") or url_for('home'))
return render_template('login.html', form=form, login=True)
@app.route('/logout')
@login_required
def logout():
logout_user()
return redirect(url_for('home'))
@app.route('/')
@login_required
def home():
......
burpui/static/jquery/jquery.fileDownload.js 0 → 100644
View file @ 61290c0a
/*
* jQuery File Download Plugin v1.4.2
*
* http://www.johnculviner.com
*
* Copyright (c) 2013 - John Culviner
*
* Licensed under the MIT license:
* http://www.opensource.org/licenses/mit-license.php
*
* !!!!NOTE!!!!
* You must also write a cookie in conjunction with using this plugin as mentioned in the orignal post:
* http://johnculviner.com/jquery-file-download-plugin-for-ajax-like-feature-rich-file-downloads/
* !!!!NOTE!!!!
*/
(function($, window){
// i'll just put them here to get evaluated on script load
var htmlSpecialCharsRegEx = /[<>&\r\n"']/gm;
var htmlSpecialCharsPlaceHolders = {
'<': 'lt;',
'>': 'gt;',
'&': 'amp;',
'\r': "#13;",
'\n': "#10;",
'"': 'quot;',
"'": '#39;' /*single quotes just to be safe, IE8 doesn't support &apos;, so use &#39; instead */
};
$.extend({
//
//$.fileDownload('/path/to/url/', options)
// see directly below for possible 'options'
fileDownload: function (fileUrl, options) {
//provide some reasonable defaults to any unspecified options below
var settings = $.extend({
//
//Requires jQuery UI: provide a message to display to the user when the file download is being prepared before the browser's dialog appears
//
preparingMessageHtml: null,
//
//Requires jQuery UI: provide a message to display to the user when a file download fails
//
failMessageHtml: null,
//
//the stock android browser straight up doesn't support file downloads initiated by a non GET: http://code.google.com/p/android/issues/detail?id=1780
//specify a message here to display if a user tries with an android browser
//if jQuery UI is installed this will be a dialog, otherwise it will be an alert
//
androidPostUnsupportedMessageHtml: "Unfortunately your Android browser doesn't support this type of file download. Please try again with a different browser.",
//
//Requires jQuery UI: options to pass into jQuery UI Dialog
//
dialogOptions: { modal: true },
//
//a function to call while the dowload is being prepared before the browser's dialog appears
//Args:
// url - the original url attempted
//
prepareCallback: function (url) { },
//
//a function to call after a file download dialog/ribbon has appeared
//Args:
// url - the original url attempted
//
successCallback: function (url) { },
//
//a function to call after a file download dialog/ribbon has appeared
//Args:
// responseHtml - the html that came back in response to the file download. this won't necessarily come back depending on the browser.
// in less than IE9 a cross domain error occurs because 500+ errors cause a cross domain issue due to IE subbing out the
// server's error message with a "helpful" IE built in message
// url - the original url attempted
//
failCallback: function (responseHtml, url) { },
//
// the HTTP method to use. Defaults to "GET".
//
httpMethod: "GET",
//
// if specified will perform a "httpMethod" request to the specified 'fileUrl' using the specified data.
// data must be an object (which will be $.param serialized) or already a key=value param string
//
data: null,
//
//a period in milliseconds to poll to determine if a successful file download has occured or not
//
checkInterval: 100,
//
//the cookie name to indicate if a file download has occured
//
cookieName: "fileDownload",
//
//the cookie value for the above name to indicate that a file download has occured
//
cookieValue: "true",
//
//the cookie path for above name value pair
//
cookiePath: "/",
//
//if specified it will be used when attempting to clear the above name value pair
//useful for when downloads are being served on a subdomain (e.g. downloads.example.com)
//
cookieDomain: null,
//
//the title for the popup second window as a download is processing in the case of a mobile browser
//
popupWindowTitle: "Initiating file download...",
//
//Functionality to encode HTML entities for a POST, need this if data is an object with properties whose values contains strings with quotation marks.
//HTML entity encoding is done by replacing all &,<,>,',",\r,\n characters.
//Note that some browsers will POST the string htmlentity-encoded whilst others will decode it before POSTing.
//It is recommended that on the server, htmlentity decoding is done irrespective.
//
encodeHTMLEntities: true
}, options);
var deferred = new $.Deferred();
//Setup mobile browser detection: Partial credit: http://detectmobilebrowser.com/
var userAgent = (navigator.userAgent || navigator.vendor || window.opera).toLowerCase();
var isIos; //has full support of features in iOS 4.0+, uses a new window to accomplish this.
var isAndroid; //has full support of GET features in 4.0+ by using a new window. Non-GET is completely unsupported by the browser. See above for specifying a message.
var isOtherMobileBrowser; //there is no way to reliably guess here so all other mobile devices will GET and POST to the current window.
if (/ip(ad|hone|od)/.test(userAgent)) {
isIos = true;
} else if (userAgent.indexOf('android') !== -1) {
isAndroid = true;
} else {
isOtherMobileBrowser = /avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|playbook|silk|iemobile|iris|kindle|lge |maemo|midp|mmp|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|symbian|treo|up\.(browser|link)|vodafone|wap|windows (ce|phone)|xda|xiino/i.test(userAgent) || /1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|e\-|e\/|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(di|rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|xda(\-|2|g)|yas\-|your|zeto|zte\-/i.test(userAgent.substr(0, 4));
}
var httpMethodUpper = settings.httpMethod.toUpperCase();
if (isAndroid && httpMethodUpper !== "GET") {
//the stock android browser straight up doesn't support file downloads initiated by non GET requests: http://code.google.com/p/android/issues/detail?id=1780
if ($().dialog) {
$("<div>").html(settings.androidPostUnsupportedMessageHtml).dialog(settings.dialogOptions);
} else {
alert(settings.androidPostUnsupportedMessageHtml);
}
return deferred.reject();
}
var $preparingDialog = null;
var internalCallbacks = {
onPrepare: function (url) {
//wire up a jquery dialog to display the preparing message if specified
if (settings.preparingMessageHtml) {
$preparingDialog = $("<div>").html(settings.preparingMessageHtml).dialog(settings.dialogOptions);
} else if (settings.prepareCallback) {
settings.prepareCallback(url);
}
},
onSuccess: function (url) {
//remove the perparing message if it was specified
if ($preparingDialog) {
$preparingDialog.dialog('close');
};
settings.successCallback(url);
deferred.resolve(url);
},
onFail: function (responseHtml, url) {
//remove the perparing message if it was specified
if ($preparingDialog) {
$preparingDialog.dialog('close');
};
//wire up a jquery dialog to display the fail message if specified
if (settings.failMessageHtml) {
$("<div>").html(settings.failMessageHtml).dialog(settings.dialogOptions);
}
settings.failCallback(responseHtml, url);
deferred.reject(responseHtml, url);
}
};
internalCallbacks.onPrepare(fileUrl);
//make settings.data a param string if it exists and isn't already
if (settings.data !== null && typeof settings.data !== "string") {
settings.data = $.param(settings.data);
}
var $iframe,
downloadWindow,
formDoc,
$form;
if (httpMethodUpper === "GET") {
if (settings.data !== null) {
//need to merge any fileUrl params with the data object
var qsStart = fileUrl.indexOf('?');
if (qsStart !== -1) {
//we have a querystring in the url
if (fileUrl.substring(fileUrl.length - 1) !== "&") {
fileUrl = fileUrl + "&";
}
} else {
fileUrl = fileUrl + "?";
}
fileUrl = fileUrl + settings.data;
}
if (isIos || isAndroid) {
downloadWindow = window.open(fileUrl);
downloadWindow.document.title = settings.popupWindowTitle;
window.focus();
} else if (isOtherMobileBrowser) {
window.location(fileUrl);
} else {
//create a temporary iframe that is used to request the fileUrl as a GET request
$iframe = $("<iframe>")
.hide()
.prop("src", fileUrl)
.appendTo("body");
}
} else {
var formInnerHtml = "";
if (settings.data !== null) {
$.each(settings.data.replace(/\+/g, ' ').split("&"), function () {
var kvp = this.split("=");
var key = settings.encodeHTMLEntities ? htmlSpecialCharsEntityEncode(decodeURIComponent(kvp[0])) : decodeURIComponent(kvp[0]);
if (key) {
var value = settings.encodeHTMLEntities ? htmlSpecialCharsEntityEncode(decodeURIComponent(kvp[1])) : decodeURIComponent(kvp[1]);
formInnerHtml += '<input type="hidden" name="' + key + '" value="' + value + '" />';
}
});
}
if (isOtherMobileBrowser) {
$form = $("<form>").appendTo("body");
$form.hide()
.prop('method', settings.httpMethod)
.prop('action', fileUrl)
.html(formInnerHtml);
} else {
if (isIos) {
downloadWindow = window.open("about:blank");
downloadWindow.document.title = settings.popupWindowTitle;
formDoc = downloadWindow.document;
window.focus();
} else {
$iframe = $("<iframe style='display: none' src='about:blank'></iframe>").appendTo("body");
formDoc = getiframeDocument($iframe);
}
formDoc.write("<html><head></head><body><form method='" + settings.httpMethod + "' action='" + fileUrl + "'>" + formInnerHtml + "</form>" + settings.popupWindowTitle + "</body></html>");
$form = $(formDoc).find('form');
}
$form.submit();
}
//check if the file download has completed every checkInterval ms
setTimeout(checkFileDownloadComplete, settings.checkInterval);
function checkFileDownloadComplete() {
//has the cookie been written due to a file download occuring?
if (document.cookie.indexOf(settings.cookieName + "=" + settings.cookieValue) != -1) {
//execute specified callback
internalCallbacks.onSuccess(fileUrl);
//remove cookie
var cookieData = settings.cookieName + "=; path=" + settings.cookiePath + "; expires=" + new Date(0).toUTCString() + ";";
if (settings.cookieDomain) cookieData += " domain=" + settings.cookieDomain + ";";
document.cookie = cookieData;
//remove iframe
cleanUp(false);
return;
}
//has an error occured?
//if neither containers exist below then the file download is occuring on the current window
if (downloadWindow || $iframe) {
//has an error occured?
try {
var formDoc = downloadWindow ? downloadWindow.document : getiframeDocument($iframe);
if (formDoc && formDoc.body != null && formDoc.body.innerHTML.length) {
var isFailure = true;
if ($form && $form.length) {
var $contents = $(formDoc.body).contents().first();
try {
if ($contents.length && $contents[0] === $form[0]) {
isFailure = false;
}
} catch (e) {
if (e && e.number == -2146828218) {
// IE 8-10 throw a permission denied after the form reloads on the "$contents[0] === $form[0]" comparison
isFailure = true;
} else {
throw e;
}
}
}
if (isFailure) {
// IE 8-10 don't always have the full content available right away, they need a litle bit to finish
setTimeout(function () {
internalCallbacks.onFail(formDoc.body.innerHTML, fileUrl);
cleanUp(true);
}, 100);
return;
}
}
}
catch (err) {
//500 error less than IE9
internalCallbacks.onFail('', fileUrl);
cleanUp(true);
return;
}
}
//keep checking...
setTimeout(checkFileDownloadComplete, settings.checkInterval);
}
//gets an iframes document in a cross browser compatible manner
function getiframeDocument($iframe) {
var iframeDoc = $iframe[0].contentWindow || $iframe[0].contentDocument;
if (iframeDoc.document) {
iframeDoc = iframeDoc.document;
}
return iframeDoc;
}
function cleanUp(isFailure) {
setTimeout(function() {
if (downloadWindow) {
if (isAndroid) {
downloadWindow.close();
}
if (isIos) {
if (downloadWindow.focus) {
downloadWindow.focus(); //ios safari bug doesn't allow a window to be closed unless it is focused
if (isFailure) {
downloadWindow.close();
}
}
}
}
//iframe cleanup appears to randomly cause the download to fail
//not doing it seems better than failure...
//if ($iframe) {
// $iframe.remove();
//}
}, 0);
}
function htmlSpecialCharsEntityEncode(str) {
return str.replace(htmlSpecialCharsRegEx, function(match) {
return '&' + htmlSpecialCharsPlaceHolders[match];
});
}
return deferred.promise();
}
});
})(jQuery, this);
burpui/templates/client-browse.html
View file @ 61290c0a
......@@ -44,5 +44,52 @@
</tbody>
</table>
</div>
<br />
<div class="row">
<form id="form-restore" class="form-inline" method="POST" role="form" action="{{ url_for("restore", name=cname, backup=nbackup) }}">
<input type="hidden" name="list">
<div id="restore-form" style="display:none;">
<button type="submit" class="btn btn-info">Download selected files</button>
</div>
</form>
</div>
</div>
<div id="restore-modal" class="modal fade">
<div class="modal-dialog modal-lg">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
<h4 class="modal-title">Processing request</h4>
</div>
<div class="modal-body">
Please wait while restoration is processing...
<br />
<div class="progress progress-striped active">
<div class="progress-bar progress-bar-info" style="width: 100%"></div>
</div>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
</div>
</div>
</div>
</div>
<div id="error-modal" class="modal fade">
<div class="modal-dialog modal-lg">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
<h4 class="modal-title">Restoration error</h4>
</div>
<div class="modal-body">
<div class="alert alert-danger">
An error occurred while processing the restoration.
</div>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
</div>
</div>
</div>
</div>
{% endblock %}
burpui/templates/gerard.js
View file @ 61290c0a
......@@ -97,7 +97,7 @@ $('#input-client').typeahead(null, {
{% endif -%}
{% if live -%}
{% include "js/live-report.js" %}
{% include "js/live-monitor.js" %}
{% endif -%}
var _async_ajax = function(b) {
......@@ -123,11 +123,11 @@ $(function() {
$('li.detail').hover(
// mouse in
function() {
$(this).find('.dtl').show();
$(this).find('.dtl').removeClass('hidden-md hidden-lg');
},
// mouse out
function() {
$(this).find('.dtl').hide();
$(this).find('.dtl').addClass('hidden-md hidden-lg');
}
);
......
burpui/templates/js/client-browse.js
View file @ 61290c0a
......@@ -32,6 +32,8 @@
* }
*/
$("#tree").fancytree({
checkbox: true,
selectMode: 2,
extensions: ["glyph", "table", "gridnav", "filter"],
glyph: {
map: {
......@@ -110,7 +112,6 @@
});
},
*/
selectMode: 1,
scrollParent: $(window),
renderColumns: function(event, data) {
var node = data.node;
......@@ -121,6 +122,21 @@
$tdList.eq(3).text(node.data.gid);
$tdList.eq(4).text(node.data.size);
$tdList.eq(5).text(node.data.date);
},
select: function(event, data) {
var s = data.tree.getSelectedNodes();
if (s.length > 0) {
$("#restore-form").show();
v = [];
$.each(s, function(i, n) {
v.push({key: n.key, folder: n.folder});
});
r = {restore:v};
$("input[name=list]").val(JSON.stringify(r));
} else {
$("#restore-form").hide();
$("input[name=list]").val('');
}
}
});
......@@ -168,3 +184,22 @@
$("input[name=search-tree]").keyup();
});
$("#form-restore").on('submit', function(e) {
var $preparingFileModal = $("#restore-modal");
$preparingFileModal.modal('toggle');
$.fileDownload($(this).prop('action'), {
successCallback: function (url) {
$preparingFileModal.modal('hide');
},
failCallback: function (responseHtml, url) {
$preparingFileModal.modal('hide');
$("#error-modal").modal('toggle');
},
httpMethod: "POST",
data: $(this).serialize()
});
e.preventDefault();
});
burpui/templates/js/live-monitor.js
View file @ 61290c0a
......@@ -3,10 +3,7 @@ _live = function() {
url = '{{ url_for("running_clients") }}';
html = ''
$.getJSON(url, function(data) {
if (!data.results) {
return;
}
if (data.results.length === 0) {
if (!data.results || data.results.length === 0) {
document.location = '{{ url_for("home") }}';
}
$.each(data.results, function(i, c) {
......
burpui/templates/layout.html
View file @ 61290c0a
......@@ -6,17 +6,18 @@
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="">
<meta name="author" content="">
<link rel="shortcut icon" href="{{ url_for('static', filename='images/favicon.ico') }}">
<title>Burp Server Dashboard</title>
<!-- Bootstrap core CSS -->
<link href="{{ url_for('static', filename='bootstrap/bootstrap.min.css') }}" rel="stylesheet">
{% if report %}
{% if report -%}
<link href="{{ url_for('static', filename='nvd3/nv.d3.min.css') }}" rel="stylesheet">
{% endif %}
{% if tree %}
{% endif -%}
{% if tree -%}
<link href="{{ url_for('static', filename='fancytree/skin-bootstrap/ui.fancytree.css') }}" rel="stylesheet">
{% endif %}
{% endif -%}
<!-- Custom styles for this template -->
<link href="{{ url_for('static', filename='dashboard.css') }}" rel="stylesheet">
......@@ -29,9 +30,9 @@
<div class="container-fluid">
<div class="row">
{% if not live and not login %}
{% if not live and not login -%}
{% include "sidebar.html" %}
{% endif %}
{% endif -%}
{% block body %}{% endblock %}
</div>
</div>
......@@ -45,19 +46,22 @@
================================================== -->
<script src="{{ url_for('static', filename='typeahead/typeahead.jquery.min.js') }}"></script>
<script src="{{ url_for('static', filename='typeahead/bloodhound.min.js') }}"></script>
{% if report %}
{% if report -%}
<!-- d3 + nvd3 Javascript
================================================== -->
<script src="{{ url_for('static', filename='d3/d3.min.js') }}"></script>
<script src="{{ url_for('static', filename='nvd3/nv.d3.min.js') }}"></script>
{% endif %}
{% if tree %}
{% endif -%}
{% if tree -%}
<!-- Fancytree Javascript
================================================== -->
<script src="{{ url_for('static', filename='jquery-ui/jquery-ui-1.10.4.min.js') }}"></script>
<script src="{{ url_for('static', filename='fancytree/jquery.fancytree-custom.min.js') }}"></script>
<script src="{{ url_for('static', filename='fancytree/jquery.fancytree.filter.js') }}"></script>
{% endif %}
<!-- FileDownload Javascript
================================================== -->
<script src="{{ url_for('static', filename='jquery/jquery.fileDownload.js') }}"></script>
{% endif -%}
<script type="text/javascript">
{% include "gerard.js" %}
</script>
......
burpui/templates/live-monitor-template.html
View file @ 61290c0a
<br />
<div class="col-lg-12">
<h1 class="page-header">{{ cname }}</h1>
<h4>{{ (counters.bytes_in / counters.estimated_bytes * 100)|round }}%</h4>
<h4>{{ (counters.bytes / counters.estimated_bytes * 100)|round }}%</h4>
<div class="progress progress-striped active">
<div class="progress-bar progress-bar-success" style="width: {{ counters.bytes_in / counters.estimated_bytes * 100 }}%"></div>
<div class="progress-bar progress-bar-success" style="width: {{ counters.bytes / counters.estimated_bytes * 100 }}%"></div>
</div>
{% if counters.path %}
<div class="panel panel-primary">
......
burpui/templates/topbar.html
View file @ 61290c0a
......@@ -11,13 +11,13 @@
</div>
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav navbar-right">
<li class="detail{% if clients %} active{% endif %}"><a href="{{ url_for('home') }}"><span class="glyphicon glyphicon-home"></span><span class="dtl" style="display:none;">&nbsp;Clients</span></a></li>
<li class="detail disabled"><a href="#"><span class="glyphicon glyphicon-wrench"></span><span class="dtl" style="display:none;">&nbsp;Settings</span></a></li>
<li class="detail{% if live %} active{% endif %}"><a href="{{ url_for('live_monitor') }}"><span id="toblink" class="glyphicon glyphicon-screenshot"></span><span class="dtl" style="display:none;">&nbsp;Live monitor</span></a></li>
<li class="detail{% if clients %} active{% endif %}"><a href="{{ url_for('home') }}"><span class="glyphicon glyphicon-home"></span><span class="dtl hidden-md hidden-lg">&nbsp;Clients</span></a></li>
<li class="detail disabled"><a href="#"><span class="glyphicon glyphicon-wrench"></span><span class="dtl hidden-md hidden-lg">&nbsp;Settings</span></a></li>
<li class="detail{% if live %} active{% endif %}"><a href="{{ url_for('live_monitor') }}"><span id="toblink" class="glyphicon glyphicon-screenshot"></span><span class="dtl hidden-md hidden-lg">&nbsp;Live monitor</span></a></li>
{% if current_user and current_user.is_authenticated() %}
<li class="detail"><a href="{{ url_for('logout') }}"><span class="glyphicon glyphicon-log-out"></span><span class="dtl" style="display:none;">&nbsp;Logout <small>({{ current_user.name }})</small></span></a></li>
<li class="detail"><a href="{{ url_for('logout') }}"><span class="glyphicon glyphicon-log-out"></span><span class="dtl hidden-md hidden-lg">&nbsp;Logout<small>({{ current_user.name }})</small></span></a></li>
{% endif %}
<li><a id="refresh" href="#"><span class="glyphicon glyphicon-refresh"></span></a></li>
<li><a id="refresh" href="#"><span class="glyphicon glyphicon-refresh"></span><span class="hidden-md hidden-lg">&nbsp;Refresh</span></a></li>
</ul>
<form class="navbar-form navbar-right" id="search">
<input type="text" class="form-control" id="input-client" placeholder="Search client..." autocomplete="off">
......
share/burpui/etc/burpui.cfg
View file @ 61290c0a
......@@ -4,10 +4,6 @@ port: 5000
# On which address is the application listening
# '::' is the default for all IPv6
bind: ::
# burp status port
bport: 4972
# burp status address
bhost: 127.0.0.1
# enable SSL
ssl: false
# ssl cert
......@@ -18,13 +14,23 @@ sslkey: /etc/burp/ssl_cert-server.key
version: 1
# authentication plugin (mandatory)
# list the misc/auth directory to see the available backends
# to disable authentication you can set "auth: none"
auth: basic
[UI]
# refresh interval of the pages in seconds
refresh: 15
# ldapauth specific options
## burp1 backend specific options
#[Burp1]
## burp status port
#bport: 4972
## burp binary
#burpbin: /usr/sbin/burp
## temporary dir for the on the fly restoration
#tmpdir: /tmp/buirestore
## ldapauth specific options
#[LDAP]
## LDAP host
#host: 127.0.0.1
......@@ -37,7 +43,9 @@ refresh: 15
## Bindpw to list existing users
#bindpw: Sup3rS3cr3tPa$$w0rd
# basicauth specific options
## basicauth specific options
## Note: in case you leave this section commented, the default login/password
## is admin/admin
#[BASIC]
#admin: password
#user1: otherpassword
test/test_burpui.py
View file @ 61290c0a
......@@ -42,8 +42,12 @@ class BurpuiTestCase(TestCase):
print '\nTest 2 Finished!\n'
def create_app(self):
conf = os.path.join(os.path.dirname(os.path.realpath(__file__)), '../burpui.cfg')
app.config['TESTING'] = True
app.config['LOGIN_DISABLED'] = True
app.config['LIVESERVER_PORT'] = 5001
app.config['CFG'] = conf
bui.setup(conf)
bui.cli.port = 9999
login_manager.init_app(app)
return app
......