package burp;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
/**
*
* @author bugzy
*/
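public class BurpExtender implements IBurpExtender, IProxyListener, IHttpListener {

    /** Cipher transformation the target application is assumed to use for its parameters. */
    private static final String TRANSFORMATION = "AES/CBC/PKCS5Padding";
    /** Marker header set by processProxyMessage so processHttpMessage only re-encrypts what this extension decrypted. */
    private static final String MARKER_HEADER = "AES-Killer: Parameter";
    /** Fixed bytes the target prepends to every plaintext value before encrypting it. */
    private static final String PAD_PREFIX = "1234";
    /** Fixed bytes the target appends to every plaintext value before encrypting it. */
    private static final String PAD_SUFFIX = "12345678";

    public String ExtensionName = "AES_Killer Parameters";
    public IBurpExtenderCallbacks callbacks;
    public IExtensionHelpers helpers;
    public PrintWriter stdout;
    public PrintWriter stderr;
    public Boolean isDebug = true;
    // Shared Cipher. Cipher is not thread-safe and Burp may invoke listeners concurrently,
    // so every init()/doFinal() pair is performed under synchronized (cipher).
    public Cipher cipher;
    public IvParameterSpec iv_param;
    public SecretKey sec_key;
    public String Host_URL = "<URL>";
    // URL-safe substitution the target applies to standard Base64 output (position i maps to i).
    public String[] offusicatedChar = {"+", "/"};
    public String[] replaceWithChar = {"-", "_"};
    // Endpoints and their corresponding parameters & grant_type in order:
    // endpoints.get(i) is described by parameters[i] and grant_type[i].
    public List<String> endpoints = new ArrayList<String>();
    public String[][] parameters = {
        {"username", "password"}
    };
    public String[] grant_type = {"grant_type=password", ""};

    /**
     * Burp entry point: wires up helpers/streams, builds the AES key, IV and Cipher, and registers
     * this object as both a proxy and an HTTP listener.
     *
     * <p>The key and IV placeholders below must be replaced with the target's Base64 values.
     * Until then Base64 decoding rejects them; that failure is reported on stderr rather than
     * aborting the extension load (the listeners then pass values through unchanged).
     *
     * @param callbacks the callbacks object supplied by Burp
     */
    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        this.stdout = new PrintWriter(callbacks.getStdout(), true);
        this.stderr = new PrintWriter(callbacks.getStderr(), true);
        this.callbacks.setExtensionName(this.ExtensionName);
        // Add endpoint here
        this.endpoints.add("login");
        try {
            cipher = Cipher.getInstance(TRANSFORMATION);
            sec_key = new SecretKeySpec(Base64.getDecoder().decode("<Secret Key>"), "AES");
            iv_param = new IvParameterSpec(Base64.getDecoder().decode("<IV Parameter>"));
        } catch (GeneralSecurityException | IllegalArgumentException ex) {
            // IllegalArgumentException covers an un-replaced or malformed Base64 key/IV;
            // GeneralSecurityException covers an unavailable transformation.
            Logger.getLogger(BurpExtender.class.getName()).log(Level.SEVERE, null, ex);
            this.stderr.println("AES_Killer :: cipher setup failed (check <Secret Key> / <IV Parameter>): " + ex);
        }
        this.callbacks.registerHttpListener(this);
        this.callbacks.registerProxyListener(this);
        this.stdout.println("AES_Killer Installed !!!");
    }

    /**
     * Writes a debug line to the extension's stdout. Silent unless {@link #isDebug} is set.
     *
     * @param _src short tag naming the caller
     * @param str message text
     */
    private void print_output(String _src, String str) {
        if (!isDebug) {
            return;
        }
        this.stdout.println(_src + " :: " + str + "\n\n");
    }

    /**
     * Writes an error line to the extension's stderr. Not gated on {@link #isDebug}: a failed
     * crypto operation silently passes the value through, so the failure itself must be visible.
     *
     * @param _src short tag naming the caller
     * @param str message text
     */
    private void print_error(String _src, String str) {
        this.stderr.println(_src + " :: " + str);
    }

    /**
     * Decrypts one parameter value: undoes the URL-safe substitution, Base64-decodes, AES/CBC
     * decrypts and interprets the plaintext as UTF-8.
     *
     * @param paramString the encrypted value as it appears in the request
     * @return the plaintext, or {@code paramString} unchanged if decryption fails (best effort)
     */
    private String do_Decrypt(String paramString) {
        if (cipher == null) {
            print_error("do_Decrypt", "cipher not initialised; value passed through unchanged");
            return paramString;
        }
        try {
            byte[] ciphertext = this.helpers.base64Decode(removeOff(paramString));
            byte[] plaintext;
            synchronized (cipher) {
                cipher.init(Cipher.DECRYPT_MODE, sec_key, iv_param);
                plaintext = cipher.doFinal(ciphertext);
            }
            return new String(plaintext, StandardCharsets.UTF_8);
        } catch (Exception ex) {
            // Deliberate best effort: an undecryptable value is forwarded as-is so the request still flows.
            print_error("do_Decrypt", String.valueOf(ex));
            return paramString;
        }
    }

    /**
     * Encrypts one parameter value: UTF-8 encodes, AES/CBC encrypts, Base64-encodes and applies
     * the target's URL-safe substitution.
     *
     * @param paramString the plaintext value (already padded by the caller)
     * @return the encrypted value, or {@code paramString} unchanged if encryption fails (best effort)
     */
    private String do_Encrypt(String paramString) {
        if (cipher == null) {
            print_error("do_Encrypt", "cipher not initialised; value passed through unchanged");
            return paramString;
        }
        try {
            // Explicit charset: the original getBytes() used the platform default, which
            // differs from the UTF-8 used on the decrypt side.
            byte[] plaintext = paramString.getBytes(StandardCharsets.UTF_8);
            byte[] ciphertext;
            synchronized (cipher) {
                cipher.init(Cipher.ENCRYPT_MODE, sec_key, iv_param);
                ciphertext = cipher.doFinal(plaintext);
            }
            return doOff(this.helpers.base64Encode(ciphertext));
        } catch (Exception ex) {
            // Deliberate best effort: the plaintext is forwarded as-is so the request still flows.
            print_error("do_Encrypt", String.valueOf(ex));
            return paramString;
        }
    }

    /**
     * Reverses {@link #doOff}: maps each URL-safe substitute back to its standard Base64 character.
     *
     * @param paramString substituted Base64 text, may be {@code null}
     * @return standard Base64 text, or {@code null} if the input was {@code null}
     */
    public String removeOff(String paramString) {
        if (paramString == null) {
            return null;
        }
        String result = paramString;
        for (int i = 0; i < this.offusicatedChar.length; i++) {
            result = result.replace(this.replaceWithChar[i], this.offusicatedChar[i]);
        }
        return result;
    }

    /**
     * Applies the target's URL-safe substitution to standard Base64 text.
     *
     * @param paramString standard Base64 text, may be {@code null}
     * @return substituted text, or {@code null} if the input was {@code null}
     */
    public String doOff(String paramString) {
        if (paramString == null) {
            return null;
        }
        String result = paramString;
        for (int i = 0; i < this.offusicatedChar.length; i++) {
            result = result.replace(this.offusicatedChar[i], this.replaceWithChar[i]);
        }
        return result;
    }

    /**
     * Strips {@link #Host_URL} from a full request URL, leaving the endpoint name used as the
     * key into {@link #endpoints}.
     *
     * @param _url full request URL
     * @return the URL with the host prefix removed
     */
    public String get_endpoint(String _url) {
        // Literal replace: Host_URL contains regex metacharacters ('.', possibly '?'), so
        // replaceAll() would treat it as a pattern rather than a fixed prefix.
        return _url.replace(this.Host_URL, "");
    }

    /**
     * Reads one request parameter and URL-decodes its value.
     *
     * @param _tmp_req raw request bytes
     * @param _req_param parameter name
     * @return the decoded value, or {@code ""} (with an error logged) if the parameter is absent
     */
    public String get_param(byte[] _tmp_req, String _req_param) {
        IParameter _parameters = this.helpers.getRequestParameter(_tmp_req, _req_param);
        if (_parameters == null) {
            print_error("get_param", "parameter '" + _req_param + "' not found in request");
            return "";
        }
        return this.helpers.urlDecode(_parameters.getValue());
    }

    /**
     * Removes the target's fixed padding from a decrypted value: NUL bytes are dropped, then the
     * first {@code PAD_PREFIX.length()} and last {@code PAD_SUFFIX.length()} characters are cut
     * off by position (their content is not checked).
     *
     * @param _pad_param decrypted value including padding
     * @return the unpadded value; a value too short to contain the padding is returned
     *     unchanged (minus NULs) with an error logged
     */
    public String remove_padding(String _pad_param) {
        String stripped = _pad_param.replace("\u0000", "");
        int fixed = PAD_PREFIX.length() + PAD_SUFFIX.length();
        if (stripped.length() < fixed) {
            print_error("remove_padding", "value shorter than the fixed padding, returned as-is");
            return stripped;
        }
        return stripped.substring(PAD_PREFIX.length(), stripped.length() - PAD_SUFFIX.length());
    }

    /**
     * Adds the target's fixed padding around a plaintext value (inverse of {@link #remove_padding}).
     *
     * @param _nml_param plaintext value
     * @return the padded value
     */
    public String add_padding(String _nml_param) {
        return PAD_PREFIX + _nml_param + PAD_SUFFIX;
    }

    /**
     * Resolves the configuration index of an endpoint.
     *
     * @throws IllegalArgumentException if the endpoint is not configured in {@link #endpoints}
     */
    private int endpoint_index(String _endpoint) {
        int _index = endpoints.indexOf(_endpoint);
        if (_index < 0) {
            throw new IllegalArgumentException("endpoint not configured: " + _endpoint);
        }
        return _index;
    }

    /**
     * Builds a decrypted, URL-encoded-style body for an endpoint: the endpoint's grant_type entry
     * followed by each configured parameter decrypted and unpadded, every item terminated by '&'.
     *
     * @param _tmp_req raw request bytes
     * @param _endpoint endpoint name (must be present in {@link #endpoints})
     * @return the body text, e.g. {@code grant_type=password&username=...&password=...&}
     * @throws IllegalArgumentException if the endpoint is not configured
     */
    public String get_dec_params(byte[] _tmp_req, String _endpoint) {
        int _index = endpoint_index(_endpoint);
        String[] _params = this.parameters[_index];
        StringBuilder _dec_params = new StringBuilder(this.grant_type[_index]).append('&');
        for (String name : _params) {
            String _param = get_param(_tmp_req, name);
            // NOTE(review): get_param already URL-decodes; this second decode is kept from the
            // original and only matters if the target double-encodes the value — confirm.
            _param = this.helpers.urlDecode(_param);
            _param = this.do_Decrypt(_param);
            _dec_params.append(name).append('=').append(remove_padding(_param)).append('&');
        }
        return _dec_params.toString();
    }

    /**
     * Builds the encrypted body for an endpoint: the endpoint's grant_type entry followed by each
     * configured parameter padded and encrypted, every item terminated by '&'.
     *
     * @param _tmp_req raw request bytes (the decrypted form produced by {@link #get_dec_params})
     * @param _endpoint endpoint name (must be present in {@link #endpoints})
     * @return the body text
     * @throws IllegalArgumentException if the endpoint is not configured
     */
    public String get_enc_params(byte[] _tmp_req, String _endpoint) {
        int _index = endpoint_index(_endpoint);
        String[] _params = this.parameters[_index];
        StringBuilder _enc_params = new StringBuilder(this.grant_type[_index]).append('&');
        for (String name : _params) {
            String _param = get_param(_tmp_req, name);
            _param = this.do_Encrypt(add_padding(_param));
            _enc_params.append(name).append('=').append(_param).append('&');
        }
        return _enc_params.toString();
    }

    /** True if the request is a POST to the configured host. */
    private boolean isTargetPost(String url, IRequestInfo reqInfo) {
        return url.contains(this.Host_URL) && "POST".equalsIgnoreCase(reqInfo.getMethod());
    }

    /**
     * Proxy hook: rewrites an intercepted POST to a configured endpoint so that its parameters
     * appear decrypted in the Proxy/Repeater views, and tags it with {@link #MARKER_HEADER} so
     * {@link #processHttpMessage} re-encrypts it before it leaves Burp.
     *
     * @param messageIsRequest true for requests; responses are currently not touched
     * @param message the intercepted proxy message
     */
    @Override
    public void processProxyMessage(boolean messageIsRequest, IInterceptedProxyMessage message) {
        if (messageIsRequest) {
            IHttpRequestResponse messageInfo = message.getMessageInfo();
            IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo);
            String url = reqInfo.getUrl().toString();
            List<String> headers = reqInfo.getHeaders();
            if (isTargetPost(url, reqInfo)) {
                String _endpoint = get_endpoint(url);
                if (!endpoints.contains(_endpoint)) {
                    return;
                }
                byte[] tmpreq = messageInfo.getRequest();
                String _dec_param = get_dec_params(tmpreq, _endpoint);
                headers.add(MARKER_HEADER);
                byte[] updateMessage = helpers.buildHttpMessage(headers, _dec_param.getBytes(StandardCharsets.UTF_8));
                messageInfo.setRequest(updateMessage);
                print_output("PPM", "decrypted request :: " + new String(updateMessage, StandardCharsets.UTF_8));
            }
        } else {
            // Response decryption is not enabled yet; kept as the author's draft.
            // IHttpRequestResponse messageInfo = message.getMessageInfo();
            // IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo);
            // IResponseInfo resInfo = helpers.analyzeResponse(messageInfo.getResponse());
            // String URL = new String(reqInfo.getUrl().toString());
            // List headers = resInfo.getHeaders();
            //
            // if(!headers.contains("AES-Killer: DecryptedResponse")){
            // return;
            // }
            //
            // if((URL.contains(this.Host_URL) ) && reqInfo.getMethod().toLowerCase().contains("post")){
            // String tmpreq = new String(messageInfo.getResponse());
            // String messageBody = new String(tmpreq.substring(resInfo.getBodyOffset())).trim();
            // messageBody = do_Encrypt(messageBody);
            // byte[] updateMessage = helpers.buildHttpMessage(headers, messageBody.getBytes());
            // messageInfo.setResponse(updateMessage);
            // print_output("Final Request", new String(updateMessage));
            // }
        }
    }

    /**
     * HTTP hook (all tools): for a request carrying {@link #MARKER_HEADER} to a configured endpoint,
     * re-encrypts the parameters and strips the marker so the outbound request matches what the
     * target expects.
     *
     * @param toolFlag the Burp tool that issued the message (unused)
     * @param messageIsRequest true for requests; responses are currently not touched
     * @param messageInfo the message being sent or received
     */
    @Override
    public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) {
        if (messageIsRequest) {
            IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo);
            String url = reqInfo.getUrl().toString();
            List<String> headers = reqInfo.getHeaders();
            if (!headers.contains(MARKER_HEADER)) {
                return;
            }
            if (isTargetPost(url, reqInfo)) {
                String _endpoint = get_endpoint(url);
                if (!endpoints.contains(_endpoint)) {
                    return;
                }
                String _enc_paramaters = this.get_enc_params(messageInfo.getRequest(), _endpoint);
                // The marker is internal to this extension; do not forward it to the target.
                headers.remove(MARKER_HEADER);
                byte[] updateMessage = helpers.buildHttpMessage(headers, _enc_paramaters.getBytes(StandardCharsets.UTF_8));
                messageInfo.setRequest(updateMessage);
                print_output("PHTM :: Encrypted Request\n ", new String(updateMessage, StandardCharsets.UTF_8));
            }
        } else {
            // Response decryption is not enabled yet; kept as the author's draft.
            // IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo);
            // IResponseInfo resInfo = helpers.analyzeResponse(messageInfo.getResponse());
            // String URL = new String(reqInfo.getUrl().toString());
            // List headers = resInfo.getHeaders();
            //
            // if((URL.contains(this.Host_URL)) && reqInfo.getMethod().toLowerCase().contains("post")){
            // String tmpreq = new String(messageInfo.getResponse());
            // String messageBody = new String(tmpreq.substring(resInfo.getBodyOffset())).trim();
            // messageBody = do_Decrypt(messageBody);
            // headers.add("AES-Killer: DecryptedResponse");
            // byte[] updateMessage = helpers.buildHttpMessage(headers, messageBody.getBytes());
            // messageInfo.setResponse(updateMessage);
            // print_output("Decrypted Response", new String(updateMessage));
            // }
        }
    }
}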