Skip to content

Instantly share code, notes, and snippets.

@d3vilbug

d3vilbug/AES_Killer_v4.0.java

Last active April 12, 2021 16:16
Show Gist options
  • Save d3vilbug/0225423e124605f9eb58d439fcc50234 to your computer and use it in GitHub Desktop.
Save d3vilbug/0225423e124605f9eb58d439fcc50234 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
AES_Killer_v4.0.java
package burp;
import java.io.PrintWriter;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
/**
* @author bugzy
*/
public class BurpExtender implements IBurpExtender, IProxyListener, IHttpListener{
public String ExtensionName = "AES_Killer v4.0";
public IBurpExtenderCallbacks callbacks;
public IExtensionHelpers helpers;
public PrintWriter stdout;
public PrintWriter stderr;
public Boolean isDebug = false;
public String _key01 = "<Base64 encoded key>"; // key used to encrypt complete request & response body
public String _key02 = "<Base64 encoded key>"; // key used to encrypt specific parameters within the request
public Cipher cipher;
public SecretKey sec_key;
public String[] Hosts = { "https://<HOST URL>:443/", "https://<HOST2 URL>:443/"};
// encrypted parameters
public String[] params = { "username", "password", "account", "amount" };
@Override
public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
this.callbacks = callbacks;
this.helpers = callbacks.getHelpers();
this.stdout = new PrintWriter(callbacks.getStdout(), true);
this.callbacks.setExtensionName(this.ExtensionName);
this.callbacks.registerHttpListener(this);
this.callbacks.registerProxyListener(this);
this.stdout.println("AES_Killer - v4.0 Installed !!!");
}
private void print_output(String _src, String str){
if(! isDebug){ return; }
this.stdout.println(_src + " :: " + str);
}
private void print_error(String _src, String str){
if(! isDebug){ return; }
this.stdout.println(_src + " :: " + str);
}
private String do_Decrypt(String _key, String paramString){
try{
String temp_params = paramString;
cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
sec_key = new SecretKeySpec(this.helpers.base64Decode(_key), "AES");
cipher.init(2, sec_key);
temp_params = new String (cipher.doFinal(this.helpers.base64Decode(temp_params)));
return temp_params;
}catch(Exception ex){
print_error("do_Decrypt", ex.getMessage());
return paramString;
}
}
private String do_Encrypt(String _key, String paramString){
try{
String temp_params = paramString;
cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
sec_key = new SecretKeySpec(this.helpers.base64Decode(_key), "AES");
cipher.init(1, sec_key);
temp_params = new String (this.helpers.base64Encode(cipher.doFinal(temp_params.getBytes())));
return temp_params;
}catch(Exception ex){
print_error("do_Encryp", ex.getMessage());
return paramString;
}
}
private String decrypt_parameters(String _reqBody){
String _str = _reqBody;
for(int i=0; i< this.params.length; i++){
int _fi = _str.indexOf(params[i]);
if(_fi == -1){ continue; }
_fi = _fi + params[i].length() + 2;
int _si = _str.indexOf("</end-del>", _fi);
String _enc_param = _str.substring(_fi, _si);
if(_enc_param.contains("null")){ continue; } // null value check
String _dec_param = do_Decrypt(_key02, _enc_param);
_str = _str.substring(0, _fi) + _dec_param + _str.substring(_si, _str.length());
}
return _str;
}
private String encrypt_parameters(String _reqBody){
String _str = _reqBody;
for(int i=0; i< this.params.length; i++){
int _fi = _str.indexOf(params[i]);
if(_fi == -1){ continue; }
_fi = _fi + params[i].length() + 2;
int _si = _str.indexOf("</<end-del>>", _fi);
String _enc_param = _str.substring(_fi, _si);
if(_enc_param.contains("null")){ continue; } // null value check
String _dec_param = do_Encrypt(_key02, _enc_param);
_str = _str.substring(0, _fi) + _dec_param + _str.substring(_si, _str.length());
}
return _str;
}
@Override
public void processProxyMessage(boolean messageIsRequest, IInterceptedProxyMessage message) {
if(messageIsRequest){
IHttpRequestResponse messageInfo = message.getMessageInfo();
IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo);
String URL = new String(reqInfo.getUrl().toString());
List headers = reqInfo.getHeaders();
if((URL.contains(this.Hosts[0]) || URL.contains(this.Hosts[1])) && reqInfo.getMethod().toLowerCase().contains("post")){
String tmpreq = new String(messageInfo.getRequest());
String messageBody = new String(tmpreq.substring(reqInfo.getBodyOffset())).trim();
String decValue = do_Decrypt(_key01, messageBody);
decValue = decrypt_parameters(decValue);
headers.add(new String("AES-Killer: v4.0"));
byte[] updateMessage = helpers.buildHttpMessage(headers, decValue.getBytes());
messageInfo.setRequest(updateMessage);
print_output("PPM", "Decrypted request\n" + new String(updateMessage));
}
}else {
IHttpRequestResponse messageInfo = message.getMessageInfo();
IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo);
IResponseInfo resInfo = helpers.analyzeResponse(messageInfo.getResponse());
String URL = new String(reqInfo.getUrl().toString());
List headers = resInfo.getHeaders();
// if(!headers.contains("AES-Killer: DecryptedResponse")){
// return;
// }
if((URL.contains(this.Hosts[0]) || URL.contains(this.Hosts[1])) && reqInfo.getMethod().toLowerCase().contains("post")){
String tmpreq = new String(messageInfo.getResponse());
String messageBody = new String(tmpreq.substring(resInfo.getBodyOffset())).trim();
messageBody = do_Encrypt(_key01, messageBody);
byte[] updateMessage = helpers.buildHttpMessage(headers, messageBody.getBytes());
messageInfo.setResponse(updateMessage);
print_output("PPM","Final Encrypted Response\n" + new String(updateMessage));
}
}
}
@Override
public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) {
if(messageIsRequest){
IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo);
String URL = new String(reqInfo.getUrl().toString());
List headers = reqInfo.getHeaders();
// if(!headers.contains("AES-Killer: v4.0")){
// return;
// }
if((URL.contains(this.Hosts[0]) || URL.contains(this.Hosts[1])) && reqInfo.getMethod().toLowerCase().contains("post")){
String tmpreq = new String(messageInfo.getRequest());
String messageBody = new String(tmpreq.substring(reqInfo.getBodyOffset())).trim();
messageBody = encrypt_parameters(messageBody);
messageBody = do_Encrypt(_key01, messageBody);
byte[] updateMessage = helpers.buildHttpMessage(headers, messageBody.getBytes());
messageInfo.setRequest(updateMessage);
print_output("PHTM", "Final Encrypted Request\n" + new String(updateMessage));
}
}
else{
IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo);
IResponseInfo resInfo = helpers.analyzeResponse(messageInfo.getResponse());
String URL = new String(reqInfo.getUrl().toString());
List headers = resInfo.getHeaders();
if((URL.contains(this.Hosts[0]) || URL.contains(this.Hosts[1])) && reqInfo.getMethod().toLowerCase().contains("post")){
String tmpreq = new String(messageInfo.getResponse());
String messageBody = new String(tmpreq.substring(resInfo.getBodyOffset())).trim();
messageBody = do_Decrypt(_key01, messageBody);
headers.add("AES-Killer: DecryptedResponse");
byte[] updateMessage = helpers.buildHttpMessage(headers, messageBody.getBytes());
messageInfo.setResponse(updateMessage);
print_output("PHTM", "Decrypted Response\n" + new String(updateMessage));
}
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment