背景

我已经把awvs变成了被动扫描器引擎,其中一些关键环节,我会做一些总结以笔记形式发出来。

awvs可以通过导入burpsuite的导出xml文件作为被动扫描器流量的流量输入,它还可以接收如下所述的数据格式

Accepted formats include text file with a list of URLs (.txt), Fiddler session archives (.saz), Swagger files (.json, .yaml or .yml), Web Services Definition Files (.wsdl), BURP saved files (.xml) and state files, Selenium (.html, .side), Web Application Description Language (.wadl), ASP.NET Web Forms Project Files (.csproj, .vbproj), Paros log files (.session.data), Postman Collections v2 (.json) or HTTP archive files (*.har)

原burpsuite xml导出数据格式

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
<?xml version="1.0"?>
<!DOCTYPE items [
<!ELEMENT items (item*)>
<!ATTLIST items burpVersion CDATA "">
<!ATTLIST items exportTime CDATA "">
<!ELEMENT item (time, url, host, port, protocol, method, path, extension, request, status, responselength, mimetype, response, comment)>
<!ELEMENT time (#PCDATA)>
<!ELEMENT url (#PCDATA)>
<!ELEMENT host (#PCDATA)>
<!ATTLIST host ip CDATA "">
<!ELEMENT port (#PCDATA)>
<!ELEMENT protocol (#PCDATA)>
<!ELEMENT method (#PCDATA)>
<!ELEMENT path (#PCDATA)>
<!ELEMENT extension (#PCDATA)>
<!ELEMENT request (#PCDATA)>
<!ATTLIST request base64 (true|false) "false">
<!ELEMENT status (#PCDATA)>
<!ELEMENT responselength (#PCDATA)>
<!ELEMENT mimetype (#PCDATA)>
<!ELEMENT response (#PCDATA)>
<!ATTLIST response base64 (true|false) "false">
<!ELEMENT comment (#PCDATA)>
]>
<items burpVersion="2.1.06" exportTime="Tue Feb 04 17:55:42 CST 2020">
  <item>
    <time>Tue Feb 04 17:55:28 CST 2020</time>
    <url><![CDATA[http://192.168.0.108/vulnerabilities/sqli_blind/?id=qyf&Submit=Submit]]></url>
    <host ip="192.168.0.108">192.168.0.108</host>
    <port>80</port>
    <protocol>http</protocol>
    <method><![CDATA[GET]]></method>
    <path><![CDATA[/vulnerabilities/sqli_blind/?id=qyf&Submit=Submit]]></path>
    <extension>null</extension>
    <request base64="true"><![CDATA[R0VUIC92dWxuZXJhYmlsaXRpZXMvc3FsaV9ibGluZC8/aWQ9cXlmJlN1Ym1pdD1TdWJtaXQgSFRUUC8xLjENCkhvc3Q6IDE5Mi4xNjguMC4xMDgNClVwZ3JhZGUtSW5zZWN1cmUtUmVxdWVzdHM6IDENClVzZXItQWdlbnQ6IE1vemlsbGEvNS4wIChNYWNpbnRvc2g7IEludGVsIE1hYyBPUyBYIDEwXzE1XzMpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS83OS4wLjM5NDUuMTMwIFNhZmFyaS81MzcuMzYNCkFjY2VwdDogdGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksaW1hZ2Uvd2VicCxpbWFnZS9hcG5nLCovKjtxPTAuOCxhcHBsaWNhdGlvbi9zaWduZWQtZXhjaGFuZ2U7dj1iMztxPTAuOQ0KQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlDQpBY2NlcHQtTGFuZ3VhZ2U6IHpoLUNOLHpoO3E9MC45DQpDb29raWU6IFBIUFNFU1NJRD1pdmJ1amc4ZWNyYTIxMm9sNGplZGxhbWd1Njsgc2VjdXJpdHk9bG93DQpDb25uZWN0aW9uOiBjbG9zZQ0KDQo=]]></request>
    <status>404</status>
    <responselength>4842</responselength>
    <mimetype>HTML</mimetype>
    <response base64="true"><![CDATA[SFRUUC8xLjEgNDA0IE5vdCBGb3VuZA0KRGF0ZTogVHVlLCAwNCBGZWIgMjAyMCAwOTo1NToyOCBHTVQNClNlcnZlcjogQXBhY2hlLzIuNC4yNSAoRGViaWFuKQ0KRXhwaXJlczogVHVlLCAyMyBKdW4gMjAwOSAxMjowMDowMCBHTVQNCkNhY2hlLUNvbnRyb2w6IG5vLWNhY2hlLCBtdXN0LXJldmFsaWRhdGUNClByYWdtYTogbm8tY2FjaGUNCkNvbnRlbnQtTGVuZ3RoOiA0NTY3DQpDb25uZWN0aW9uOiBjbG9zZQ0KQ29udGVudC1UeXBlOiB0ZXh0L2h0bWw7Y2hhcnNldD11dGYtOA0KDQoNCjwhRE9DVFlQRSBodG1sIFBVQkxJQyAiLS8vVzNDLy9EVEQgWEhUTUwgMS4wIFN0cmljdC8vRU4iICJodHRwOi8vd3d3LnczLm9yZy9UUi94aHRtbDEvRFREL3hodG1sMS1zdHJpY3QuZHRkIj4NCg0KPGh0bWwgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPg0KDQoJPGhlYWQ+DQoJCTxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIgY29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PVVURi04IiAvPg0KDQoJCTx0aXRsZT5WdWxuZXJhYmlsaXR5OiBTUUwgSW5qZWN0aW9uIChCbGluZCkgOjogRGFtbiBWdWxuZXJhYmxlIFdlYiBBcHBsaWNhdGlvbiAoRFZXQSkgdjEuMTAgKkRldmVsb3BtZW50KjwvdGl0bGU+DQoNCgkJPGxpbmsgcmVsPSJzdHlsZXNoZWV0IiB0eXBlPSJ0ZXh0L2NzcyIgaHJlZj0iLi4vLi4vZHZ3YS9jc3MvbWFpbi5jc3MiIC8+DQoNCgkJPGxpbmsgcmVsPSJpY29uIiB0eXBlPSJcaW1hZ2UvaWNvIiBocmVmPSIuLi8uLi9mYXZpY29uLmljbyIgLz4NCg0KCQk8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCIgc3JjPSIuLi8uLi9kdndhL2pzL2R2d2FQYWdlLmpzIj48L3NjcmlwdD4NCg0KCTwvaGVhZD4NCg0KCTxib2R5IGNsYXNzPSJob21lIj4NCgkJPGRpdiBpZD0iY29udGFpbmVyIj4NCg0KCQkJPGRpdiBpZD0iaGVhZGVyIj4NCg0KCQkJCTxpbWcgc3JjPSIuLi8uLi9kdndhL2ltYWdlcy9sb2dvLnBuZyIgYWx0PSJEYW1uIFZ1bG5lcmFibGUgV2ViIEFwcGxpY2F0aW9uIiAvPg0KDQoJCQk8L2Rpdj4NCg0KCQkJPGRpdiBpZD0ibWFpbl9tZW51Ij4NCg0KCQkJCTxkaXYgaWQ9Im1haW5fbWVudV9wYWRkZWQiPg0KCQkJCTx1bCBjbGFzcz0ibWVudUJsb2NrcyI+PGxpIGNsYXNzPSIiPjxhIGhyZWY9Ii4uLy4uLy4iPkhvbWU8L2E+PC9saT4KPGxpIGNsYXNzPSIiPjxhIGhyZWY9Ii4uLy4uL2luc3RydWN0aW9ucy5waHAiPkluc3RydWN0aW9uczwvYT48L2xpPgo8bGkgY2xhc3M9IiI+PGEgaHJlZj0iLi4vLi4vc2V0dXAucGhwIj5TZXR1cCAvIFJlc2V0IERCPC9hPjwvbGk+CjwvdWw+PHVsIGNsYXNzPSJtZW51QmxvY2tzIj48bGkgY2xhc3M9IiI+PGEgaHJlZj0iLi4vLi4vdnVsbmVyYWJpbGl0aWVzL2JydXRlLyI+QnJ1dGUgRm9yY2U8L2E+PC9saT4KPGxpIGNsYXNzPSIiPjxhIGhyZWY9Ii4uLy4uL3Z1bG5lcmFiaWxpdGllcy9leGVjLyI+Q29tbWFuZCBJbmplY3Rpb248L2E+PC9saT4KPGxpIGNsYXNzPSIiPjxhIGhyZWY9Ii4uLy4uL3Z1bG5lcmFiaWxpdGllcy9jc3JmLyI+Q1NSRjwvYT48L2xpPgo8bGkgY2xhc3M9IiI+PGEgaHJlZj0iLi4vLi4vdnVsbmVyYWJpbGl0aWVzL2ZpLy4/cGFnZT1pbmNsdWRlLnBocCI+RmlsZSBJbmNsdXNpb248L2E+PC9saT4KPGxpIGNsYXNzPSIiPjxhIGhyZWY9Ii4uLy4uL3Z1bG5lcmFiaWxpdGllcy91cGxvYWQvIj5GaWxlIFVwbG9hZDwvYT48L2xpPgo8bGkgY2xhc3M9IiI+PGEgaHJlZj0iLi4vLi4vdnVsbmVyYWJpbGl0aWVzL2NhcHRjaGEvIj5JbnNlY3VyZSBDQVBUQ0hBPC9hPjwvbGk+CjxsaSBjbGFzcz0iIj48YSBocmVmPSIuLi8uLi92dWxuZXJhYmlsaXRpZXMvc3FsaS8iPlNRTCBJbmplY3Rpb248L2E+PC9saT4KPGxpIGNsYXNzPSJzZWxlY3RlZCI+PGEgaHJlZj0iLi4vLi4vdnVsbmVyYWJpbGl0aWVzL3NxbGlfYmxpbmQvIj5TUUwgSW5qZWN0aW9uIChCbGluZCk8L2E+PC9saT4KPGxpIGNsYXNzPSIiPjxhIGhyZWY9Ii4uLy4uL3Z1bG5lcmFiaWxpdGllcy93ZWFrX2lkLyI+V2VhayBTZXNzaW9uIElEczwvYT48L2xpPgo8bGkgY2xhc3M9IiI+PGEgaHJlZj0iLi4vLi4vdnVsbmVyYWJpbGl0aWVzL3hzc19kLyI+WFNTIChET00pPC9hPjwvbGk+CjxsaSBjbGFzcz0iIj48YSBocmVmPSIuLi8uLi92dWxuZXJhYmlsaXRpZXMveHNzX3IvIj5YU1MgKFJlZmxlY3RlZCk8L2E+PC9saT4KPGxpIGNsYXNzPSIiPjxhIGhyZWY9Ii4uLy4uL3Z1bG5lcmFiaWxpdGllcy94c3Nfcy8iPlhTUyAoU3RvcmVkKTwvYT48L2xpPgo8bGkgY2xhc3M9IiI+PGEgaHJlZj0iLi4vLi4vdnVsbmVyYWJpbGl0aWVzL2NzcC8iPkNTUCBCeXBhc3M8L2E+PC9saT4KPGxpIGNsYXNzPSIiPjxhIGhyZWY9Ii4uLy4uL3Z1bG5lcmFiaWxpdGllcy9qYXZhc2NyaXB0LyI+SmF2YVNjcmlwdDwvYT48L2xpPgo8L3VsPjx1bCBjbGFzcz0ibWVudUJsb2NrcyI+PGxpIGNsYXNzPSIiPjxhIGhyZWY9Ii4uLy4uL3NlY3VyaXR5LnBocCI+RFZXQSBTZWN1cml0eTwvYT48L2xpPgo8bGkgY2xhc3M9IiI+PGEgaHJlZj0iLi4vLi4vcGhwaW5mby5waHAiPlBIUCBJbmZvPC9hPjwvbGk+CjxsaSBjbGFzcz0iIj48YSBocmVmPSIuLi8uLi9hYm91dC5waHAiPkFib3V0PC9hPjwvbGk+CjwvdWw+PHVsIGNsYXNzPSJtZW51QmxvY2tzIj48bGkgY2xhc3M9IiI+PGEgaHJlZj0iLi4vLi4vbG9nb3V0LnBocCI+TG9nb3V0PC9hPjwvbGk+CjwvdWw+DQoJCQkJPC9kaXY+DQoNCgkJCTwvZGl2Pg0KDQoJCQk8ZGl2IGlkPSJtYWluX2JvZHkiPg0KDQoJCQkJDQo8ZGl2IGNsYXNzPSJib2R5X3BhZGRlZCI+DQoJPGgxPlZ1bG5lcmFiaWxpdHk6IFNRTCBJbmplY3Rpb24gKEJsaW5kKTwvaDE+DQoNCgkNCg0KCTxkaXYgY2xhc3M9InZ1bG5lcmFibGVfY29kZV9hcmVhIj4NCgkJPGZvcm0gYWN0aW9uPSIjIiBtZXRob2Q9IkdFVCI+DQoJCQk8cD4NCgkJCQlVc2VyIElEOgoJCQkJPGlucHV0IHR5cGU9InRleHQiIHNpemU9IjE1IiBuYW1lPSJpZCI+CgkJCQk8aW5wdXQgdHlwZT0ic3VibWl0IiBuYW1lPSJTdWJtaXQiIHZhbHVlPSJTdWJtaXQiPg0KCQkJPC9wPgoNCgkJPC9mb3JtPg0KCQk8cHJlPlVzZXIgSUQgaXMgTUlTU0lORyBmcm9tIHRoZSBkYXRhYmFzZS48L3ByZT4NCgk8L2Rpdj4NCg0KCTxoMj5Nb3JlIEluZm9ybWF0aW9uPC9oMj4NCgk8dWw+DQoJCTxsaT48YSBocmVmPSJodHRwOi8vd3d3LnNlY3VyaXRlYW0uY29tL3NlY3VyaXR5cmV2aWV3cy81RFAwTjFQNzZFLmh0bWwiIHRhcmdldD0iX2JsYW5rIj5odHRwOi8vd3d3LnNlY3VyaXRlYW0uY29tL3NlY3VyaXR5cmV2aWV3cy81RFAwTjFQNzZFLmh0bWw8L2E+PC9saT4NCgkJPGxpPjxhIGhyZWY9Imh0dHBzOi8vZW4ud2lraXBlZGlhLm9yZy93aWtpL1NRTF9pbmplY3Rpb24iIHRhcmdldD0iX2JsYW5rIj5odHRwczovL2VuLndpa2lwZWRpYS5vcmcvd2lraS9TUUxfaW5qZWN0aW9uPC9hPjwvbGk+DQoJCTxsaT48YSBocmVmPSJodHRwOi8vZmVycnVoLm1hdml0dW5hLmNvbS9zcWwtaW5qZWN0aW9uLWNoZWF0c2hlZXQtb2t1LyIgdGFyZ2V0PSJfYmxhbmsiPmh0dHA6Ly9mZXJydWgubWF2aXR1bmEuY29tL3NxbC1pbmplY3Rpb24tY2hlYXRzaGVldC1va3UvPC9hPjwvbGk+DQoJCTxsaT48YSBocmVmPSJodHRwOi8vcGVudGVzdG1vbmtleS5uZXQvY2hlYXQtc2hlZXQvc3FsLWluamVjdGlvbi9teXNxbC1zcWwtaW5qZWN0aW9uLWNoZWF0LXNoZWV0IiB0YXJnZXQ9Il9ibGFuayI+aHR0cDovL3BlbnRlc3Rtb25rZXkubmV0L2NoZWF0LXNoZWV0L3NxbC1pbmplY3Rpb24vbXlzcWwtc3FsLWluamVjdGlvbi1jaGVhdC1zaGVldDwvYT48L2xpPg0KCQk8bGk+PGEgaHJlZj0iaHR0cHM6Ly93d3cub3dhc3Aub3JnL2luZGV4LnBocC9CbGluZF9TUUxfSW5qZWN0aW9uIiB0YXJnZXQ9Il9ibGFuayI+aHR0cHM6Ly93d3cub3dhc3Aub3JnL2luZGV4LnBocC9CbGluZF9TUUxfSW5qZWN0aW9uPC9hPjwvbGk+DQoJCTxsaT48YSBocmVmPSJodHRwOi8vYm9iYnktdGFibGVzLmNvbS8iIHRhcmdldD0iX2JsYW5rIj5odHRwOi8vYm9iYnktdGFibGVzLmNvbS88L2E+PC9saT4NCgk8L3VsPg0KPC9kaXY+Cg0KCQkJCTxiciAvPjxiciAvPg0KCQkJCQ0KDQoJCQk8L2Rpdj4NCg0KCQkJPGRpdiBjbGFzcz0iY2xlYXIiPg0KCQkJPC9kaXY+DQoNCgkJCTxkaXYgaWQ9InN5c3RlbV9pbmZvIj4NCgkJCQk8aW5wdXQgdHlwZT0iYnV0dG9uIiB2YWx1ZT0iVmlldyBIZWxwIiBjbGFzcz0icG9wdXBfYnV0dG9uIiBpZD0naGVscF9idXR0b24nIGRhdGEtaGVscC11cmw9Jy4uLy4uL3Z1bG5lcmFiaWxpdGllcy92aWV3X2hlbHAucGhwP2lkPXNxbGlfYmxpbmQmc2VjdXJpdHk9bG93JyApIj4gPGlucHV0IHR5cGU9ImJ1dHRvbiIgdmFsdWU9IlZpZXcgU291cmNlIiBjbGFzcz0icG9wdXBfYnV0dG9uIiBpZD0nc291cmNlX2J1dHRvbicgZGF0YS1zb3VyY2UtdXJsPScuLi8uLi92dWxuZXJhYmlsaXRpZXMvdmlld19zb3VyY2UucGhwP2lkPXNxbGlfYmxpbmQmc2VjdXJpdHk9bG93JyApIj4gPGRpdiBhbGlnbj0ibGVmdCI+PGVtPlVzZXJuYW1lOjwvZW0+IGFkbWluPGJyIC8+PGVtPlNlY3VyaXR5IExldmVsOjwvZW0+IGxvdzxiciAvPjxlbT5QSFBJRFM6PC9lbT4gZGlzYWJsZWQ8L2Rpdj4NCgkJCTwvZGl2Pg0KDQoJCQk8ZGl2IGlkPSJmb290ZXIiPg0KDQoJCQkJPHA+RGFtbiBWdWxuZXJhYmxlIFdlYiBBcHBsaWNhdGlvbiAoRFZXQSkgdjEuMTAgKkRldmVsb3BtZW50KjwvcD4NCgkJCQk8c2NyaXB0IHNyYz0nL2R2d2EvanMvYWRkX2V2ZW50X2xpc3RlbmVycy5qcyc+PC9zY3JpcHQ+DQoNCgkJCTwvZGl2Pg0KDQoJCTwvZGl2Pg0KDQoJPC9ib2R5Pg0KDQo8L2h0bWw+]]></response>
    <comment></comment>
  </item>
</items>

精简后xml数据格式:

为什么需要精简成如下数据格式?因为经过调研调试,发现url节点是必须的,而request节点awvs会在post请求中使用,method节点多一个也不多,就顺便带入。其他节点删除后,并没有明显的影响漏洞扫描结果数据。在awvs12中url节点还不是必须的,而awvs13不设置url节点会无法扫描”terminate called after throwing an instance of ‘ax::utility::WvsException’\n what(): HttpJob: unable to set url:”。

1
2
3
4
5
6
7
<items burpVersion="2.1.06">
    <item>
    <url><![CDATA[http://awvshello.m.apple.com/vulnerabilities/sqli_blind/?id=qyf&Submit=Submit]]></url>
    <method><![CDATA[GET]]></method>
    <request base64="true"><![CDATA[R0VUIC92dWxuZXJhYmlsaXRpZXMvc3FsaV9ibGluZC8gSFRUUC8xLjENClJlZmVyZXI6IGh0dHA6Ly9hd3ZzcXlmLnRlc3Quc2Fua3VhaS5jb20vdnVsbmVyYWJpbGl0aWVzL3NxbGlfYmxpbmQvDQpIb3N0OiBhd3ZzcXlmLnRlc3Quc2Fua3VhaS5jb20NClVwZ3JhZGUtSW5zZWN1cmUtUmVxdWVzdHM6IDENClVzZXItQWdlbnQ6IE1vemlsbGEvNS4wIChNYWNpbnRvc2g7IEludGVsIE1hYyBPUyBYIDEwXzE1XzMpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS83OS4wLjM5NDUuMTMwIFNhZmFyaS81MzcuMzYNCkFjY2VwdDogdGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksaW1hZ2Uvd2VicCxpbWFnZS9hcG5nLCovKjtxPTAuOCxhcHBsaWNhdGlvbi9zaWduZWQtZXhjaGFuZ2U7dj1iMztxPTAuOQ0KQWNjZXB0LUxhbmd1YWdlOiB6aC1DTix6aDtxPTAuOQ0KQ29va2llOiBfbHhzZGtfY3VpZD0xNmY1NGVkMWYwNGM4LTA5OTE4N2Y3NmFlNzk2LTFkMzM2YjVhLTE2ODAwMC0xNmY1NGVkMWYwNWM4OyBfbHhzZGs9MTZmNTRlZDFmMDRjOC0wOTkxODdmNzZhZTc5Ni0xZDMzNmI1YS0xNjgwMDAtMTZmNTRlZDFmMDVjODsgdT0xMjkwNTEzNDgyOyBfZ2E9R0ExLjIuNDg0Mzc2ODA4LjE1Nzk0MzAzMTQ7IF9seHNka19zPTE3MDFlYzg4ODJhLTIyNC1mN2UtZmIxJTdDcXV5aWZlaSU3QzI3OyBQSFBTRVNTSUQ9cjJkYmtudTRzbnFpYWRiYmllM2dnOWZxYTA7IHNlY3VyaXR5PWxvdw0KDQo=]]></request>
  </item>
</items>

cdata xml with golang of export burpsuite

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
package main

import (
	"encoding/xml"
	"fmt"
)

type items struct {
	XMLName xml.Name `xml:"items"`
	Version string   `xml:"burpVersion,attr"`
	Itemlist []item `xml:"item"`
}
type item struct {
	URL CdataStringUrl	`xml:"url"`
	METHOD CdataStringMethod `xml:"method"`
	Req CdataString `xml:"request"`
}


type CdataString struct {
	Value string `xml:",cdata"`
	Base64 string `xml:"base64,attr"`
}

type CdataStringUrl struct {
	Value string `xml:",cdata"`
}

type CdataStringMethod struct {
	Value string `xml:",cdata"`
}

func main() {
	v := &items{Version: "2.1.06"}
	for i:=0;i<10;i++{

		v.Itemlist = append(v.Itemlist, item{URL:CdataStringUrl{Value:"http://123.com"}, METHOD:CdataStringMethod{Value:"GET"}, Req: CdataString{Value: "bbbccc", Base64:"true"}})
	}
	output, err := xml.MarshalIndent(v, "", "  ")
	if err != nil {
		fmt.Printf("error: %v\n", err)
	}
	fmt.Println(string(output))
}

输出结果:
对base64数据在demo中没有转码,这里只做整体数据格式参考

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
<items burpVersion="2.1.06">
  <item>
    <url><![CDATA[http://123.com]]></url>
    <method><![CDATA[GET]]></method>
    <request base64="true"><![CDATA[bbbccc]]></request>
  </item>
  <item>
    <url><![CDATA[http://123.com]]></url>
    <method><![CDATA[GET]]></method>
    <request base64="true"><![CDATA[bbbccc]]></request>
  </item>
  <item>
    <url><![CDATA[http://123.com]]></url>
    <method><![CDATA[GET]]></method>
    <request base64="true"><![CDATA[bbbccc]]></request>
  </item>
  <item>
    <url><![CDATA[http://123.com]]></url>
    <method><![CDATA[GET]]></method>
    <request base64="true"><![CDATA[bbbccc]]></request>
  </item>
  <item>
    <url><![CDATA[http://123.com]]></url>
    <method><![CDATA[GET]]></method>
    <request base64="true"><![CDATA[bbbccc]]></request>
  </item>
  <item>
    <url><![CDATA[http://123.com]]></url>
    <method><![CDATA[GET]]></method>
    <request base64="true"><![CDATA[bbbccc]]></request>
  </item>
  <item>
    <url><![CDATA[http://123.com]]></url>
    <method><![CDATA[GET]]></method>
    <request base64="true"><![CDATA[bbbccc]]></request>
  </item>
  <item>
    <url><![CDATA[http://123.com]]></url>
    <method><![CDATA[GET]]></method>
    <request base64="true"><![CDATA[bbbccc]]></request>
  </item>
  <item>
    <url><![CDATA[http://123.com]]></url>
    <method><![CDATA[GET]]></method>
    <request base64="true"><![CDATA[bbbccc]]></request>
  </item>
  <item>
    <url><![CDATA[http://123.com]]></url>
    <method><![CDATA[GET]]></method>
    <request base64="true"><![CDATA[bbbccc]]></request>
  </item>
</items>