Created
January 11, 2021 17:20
-
-
Save d3vilbug/853d6823a015cfe20656bd24ad8dd410 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package burp; | |
| import java.io.PrintWriter; | |
| import java.security.NoSuchAlgorithmException; | |
| import java.util.List; | |
| import java.util.logging.Level; | |
| import java.util.logging.Logger; | |
| import javax.crypto.Cipher; | |
| import javax.crypto.NoSuchPaddingException; | |
| import javax.crypto.SecretKey; | |
| import javax.crypto.spec.IvParameterSpec; | |
| import javax.crypto.spec.SecretKeySpec; | |
| /** | |
| * @author bugzy | |
| */ | |
| public class BurpExtender implements IBurpExtender, IProxyListener, IHttpListener{ | |
| public String ExtensionName = "AES_Killer JSON"; | |
| public IBurpExtenderCallbacks callbacks; | |
| public IExtensionHelpers helpers; | |
| public PrintWriter stdout; | |
| public PrintWriter stderr; | |
| public Boolean isDebug = false; | |
| public Cipher cipher; | |
| public IvParameterSpec iv_param; | |
| public SecretKey sec_key; | |
| public String Host_URL = "<URL>"; | |
| public String[] offusicatedChar = {"+", "/", "="}; | |
| public String[] replaceWithChar = {"-", "_", ","}; | |
| @Override | |
| public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) { | |
| this.callbacks = callbacks; | |
| this.helpers = callbacks.getHelpers(); | |
| this.stdout = new PrintWriter(callbacks.getStdout(), true); | |
| this.callbacks.setExtensionName(this.ExtensionName); | |
| try { | |
| cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); | |
| sec_key = new SecretKeySpec("<Secret Key>".getBytes(),"AES"); | |
| iv_param = new IvParameterSpec("<IV Parameter>".getBytes()); | |
| } catch (NoSuchAlgorithmException ex) { | |
| Logger.getLogger(BurpExtender.class.getName()).log(Level.SEVERE, null, ex); | |
| } catch (NoSuchPaddingException ex) { | |
| Logger.getLogger(BurpExtender.class.getName()).log(Level.SEVERE, null, ex); | |
| } | |
| this.callbacks.registerHttpListener(this); | |
| this.callbacks.registerProxyListener(this); | |
| this.stdout.println("AES_Killer Installed !!!"); | |
| } | |
| private void print_output(String _src, String str){ | |
| if(! isDebug){ return; } | |
| this.stdout.println(_src + " :: " + str); | |
| } | |
| private void print_error(String _src, String str){ | |
| if(! isDebug){ return; } | |
| this.stdout.println(_src + " :: " + str); | |
| } | |
| private String do_Decrypt(String paramString){ | |
| try{ | |
| String temp_params = removeOff(paramString); | |
| cipher.init(2, sec_key ,iv_param); | |
| temp_params = new String (cipher.doFinal(this.helpers.base64Decode(temp_params))); | |
| return temp_params; | |
| }catch(Exception ex){ | |
| print_error("do_Decrypt", ex.getMessage()); | |
| return paramString; | |
| } | |
| } | |
| private String do_Encrypt(String paramString){ | |
| try{ | |
| String temp_params = paramString; | |
| cipher.init(1, sec_key ,iv_param); | |
| temp_params = new String (this.helpers.base64Encode(cipher.doFinal(temp_params.getBytes()))); | |
| return temp_params; | |
| }catch(Exception ex){ | |
| print_error("do_Encryp", ex.getMessage()); | |
| return paramString; | |
| } | |
| } | |
| public String removeOff(String paramString) { | |
| if (paramString != null) { | |
| for(int i =0; i< this.offusicatedChar.length; i++){ | |
| paramString = paramString.replace(this.replaceWithChar[i], this.offusicatedChar[i]); | |
| } | |
| return paramString; | |
| } | |
| return paramString; | |
| } | |
| @Override | |
| public void processProxyMessage(boolean messageIsRequest, IInterceptedProxyMessage message) { | |
| if(messageIsRequest){ | |
| IHttpRequestResponse messageInfo = message.getMessageInfo(); | |
| IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo); | |
| String URL = new String(reqInfo.getUrl().toString()); | |
| List headers = reqInfo.getHeaders(); | |
| if(URL.contains(this.Host_URL) && reqInfo.getMethod().toLowerCase().contains("post")){ | |
| byte[] tmpreq = message.getMessageInfo().getRequest(); | |
| IParameter parameter = helpers.getRequestParameter(tmpreq, "params"); | |
| String enc_value = parameter.getValue().trim().replace("\\n", ""); | |
| String decValue = do_Decrypt(enc_value); | |
| headers.add(new String("AES-Killer: JSON")); | |
| byte[] updateMessage = helpers.buildHttpMessage(headers, decValue.getBytes()); | |
| messageInfo.setRequest(updateMessage); | |
| print_output("PPM", "decrypted request\n" + new String(updateMessage)); | |
| } | |
| }else { | |
| IHttpRequestResponse messageInfo = message.getMessageInfo(); | |
| IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo); | |
| IResponseInfo resInfo = helpers.analyzeResponse(messageInfo.getResponse()); | |
| String URL = new String(reqInfo.getUrl().toString()); | |
| List headers = resInfo.getHeaders(); | |
| if(!headers.contains("AES-Killer: DecryptedResponse")){ | |
| return; | |
| } | |
| if(URL.contains(this.Host_URL) && reqInfo.getMethod().toLowerCase().contains("post")){ | |
| String tmpreq = new String(messageInfo.getResponse()); | |
| String messageBody = new String(tmpreq.substring(resInfo.getBodyOffset())).trim(); | |
| messageBody = do_Encrypt(messageBody); | |
| byte[] updateMessage = helpers.buildHttpMessage(headers, messageBody.getBytes()); | |
| messageInfo.setResponse(updateMessage); | |
| print_output("Encrypted Response", new String(updateMessage)); | |
| } | |
| } | |
| } | |
| @Override | |
| public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) { | |
| if(messageIsRequest){ | |
| IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo); | |
| String URL = new String(reqInfo.getUrl().toString()); | |
| List headers = reqInfo.getHeaders(); | |
| if(!headers.contains("AES-Killer: JSON")){ | |
| return; | |
| } | |
| if(URL.contains(this.Host_URL) && reqInfo.getMethod().toLowerCase().contains("post")){ | |
| String tmpreq = new String(messageInfo.getRequest()); | |
| String messageBody = new String(tmpreq.substring(reqInfo.getBodyOffset())).trim(); | |
| messageBody = do_Encrypt(messageBody); | |
| messageBody = String.format("{\"params\":\"%s\"}", messageBody); | |
| byte[] updateMessage = helpers.buildHttpMessage(headers, messageBody.getBytes()); | |
| messageInfo.setRequest(updateMessage); | |
| print_output("PHTM :: Encrypted Request", new String(updateMessage)); | |
| } | |
| } | |
| else{ | |
| IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo); | |
| IResponseInfo resInfo = helpers.analyzeResponse(messageInfo.getResponse()); | |
| String URL = new String(reqInfo.getUrl().toString()); | |
| List headers = resInfo.getHeaders(); | |
| if(URL.contains(this.Host_URL) && reqInfo.getMethod().toLowerCase().contains("post")){ | |
| String tmpreq = new String(messageInfo.getResponse()); | |
| String messageBody = new String(tmpreq.substring(resInfo.getBodyOffset())).trim(); | |
| messageBody = do_Decrypt(messageBody); | |
| headers.add("AES-Killer: DecryptedResponse"); | |
| byte[] updateMessage = helpers.buildHttpMessage(headers, messageBody.getBytes()); | |
| messageInfo.setResponse(updateMessage); | |
| print_output("Decrypted Response", new String(updateMessage)); | |
| } | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment