d3vilbug/AES_Killer-Parameters.java

## AES_Killer-Parameters.java
package burp;

import java.io.PrintWriter;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 *
 * @author bugzy
 */
public class BurpExtender implements IBurpExtender, IProxyListener, IHttpListener{

    public String ExtensionName =  "AES_Killer Parameters";

    public IBurpExtenderCallbacks callbacks;
    public IExtensionHelpers helpers;
    public PrintWriter stdout;
    public PrintWriter stderr;
    public Boolean isDebug = true;

    public Cipher cipher;
    public IvParameterSpec iv_param;
    public SecretKey sec_key;

    public String Host_URL = "<URL>";

    public String[] offusicatedChar = {"+", "/"};
    public String[] replaceWithChar = {"-", "_"};

    // Endpoints and their corresponding parameters & grant_type in order
    public List<String> endpoints = new ArrayList<String>();
    public String[][] parameters = {
        {"username", "password"}
    };
    public String[] grant_type = { "grant_type=password", ""};

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        this.stdout = new PrintWriter(callbacks.getStdout(), true);
        this.stderr = new PrintWriter(callbacks.getStderr(), true);
        this.callbacks.setExtensionName(this.ExtensionName);

        // Add endpoint here
        this.endpoints.add("login");

        try {
            cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            sec_key = new SecretKeySpec(Base64.getDecoder().decode("<Secret Key>"),"AES");
            iv_param = new IvParameterSpec(Base64.getDecoder().decode("<IV Parameter>"));
        } catch (NoSuchAlgorithmException ex) {
            Logger.getLogger(BurpExtender.class.getName()).log(Level.SEVERE, null, ex);
        } catch (NoSuchPaddingException ex) {
            Logger.getLogger(BurpExtender.class.getName()).log(Level.SEVERE, null, ex);
        }


        this.callbacks.registerHttpListener(this);
        this.callbacks.registerProxyListener(this);
        this.stdout.println("AES_Killer Installed !!!");
    }

    private void print_output(String _src, String str){
        if(! isDebug){ return; }
        this.stdout.println(_src + " :: " + str + "\n\n");
    }

    private void print_error(String _src, String str){
        if(! isDebug){ return; }
        this.stdout.println(_src + " :: " + str);
    }

    private String do_Decrypt(String paramString){
        try{
            String temp_params = removeOff(paramString);
            cipher.init(2, sec_key ,iv_param);
            temp_params = new String (cipher.doFinal(this.helpers.base64Decode(temp_params)), "UTF-8");
            return temp_params;
        }catch(Exception ex){
            print_error("do_Decrypt", ex.getMessage());
            return paramString;
        }
    }

    private String do_Encrypt(String paramString){
        try{
            String temp_params = paramString;
            cipher.init(1, sec_key ,iv_param);
            temp_params = new String (this.helpers.base64Encode(cipher.doFinal(temp_params.getBytes())));
            return doOff(temp_params);
        }catch(Exception ex){
            print_error("do_Encryp", ex.getMessage());
            return paramString;
        }
    }

    public String removeOff(String paramString) {
        if (paramString != null) {
          for(int i =0; i< this.offusicatedChar.length; i++){
              paramString = paramString.replace(this.replaceWithChar[i], this.offusicatedChar[i]);
          }
          return paramString;
        }
        return paramString;
    }

    public String doOff(String paramString) {
        if (paramString != null) {
          for(int i =0; i< this.offusicatedChar.length; i++){
              paramString = paramString.replace(this.offusicatedChar[i], this.replaceWithChar[i]);
          }
          return paramString;
        }
        return paramString;
    }

    public String get_endpoint(String _url){
        return _url.replaceAll(this.Host_URL, "");
    }

    public String get_param(byte[] _tmp_req, String _req_param){
        IParameter _parameters = this.helpers.getRequestParameter(_tmp_req, _req_param);
        String _param = _parameters.getValue().toString();
        _param = this.helpers.urlDecode(_param);
        return _param;
    }

    public String remove_padding(String _pad_param){
        _pad_param = _pad_param.replaceAll("\u0000", "");
        _pad_param = _pad_param.substring(4, _pad_param.length());
        _pad_param = _pad_param.substring(0, _pad_param.length() - 8);
        return _pad_param;
    }

    public String add_padding(String _nml_param){
        return "1234"+_nml_param+"12345678";
    }

    public String get_dec_params(byte[] _tmp_req, String _endpoint){
        String _dec_params = "";
        int _index = endpoints.indexOf(_endpoint);
        String[] _params = this.parameters[_index];

        _dec_params = this.grant_type[_index] + "&";
        for(int i=0; i< _params.length; i++){
            String _param = get_param(_tmp_req, _params[i]);
            _param = this.helpers.urlDecode(_param);
            _param = this.do_Decrypt(_param);

            _dec_params = _dec_params + _params[i] + "=" + remove_padding(_param) + "&";
        }

        return _dec_params;
    }

    public String get_enc_params(byte[] _tmp_req, String _endpoint){
        String _enc_params = "";
        int _index = endpoints.indexOf(_endpoint);
        String[] _params = this.parameters[_index];

        _enc_params = this.grant_type[_index] + "&";
        for(int i=0; i< _params.length; i++){
            String _param = get_param(_tmp_req, _params[i]);
            _param = add_padding(_param);
            _param = this.do_Encrypt(_param);

            _enc_params = _enc_params + _params[i] + "=" + _param + "&";
        }

        return _enc_params;
    }


    @Override
    public void processProxyMessage(boolean messageIsRequest, IInterceptedProxyMessage message) {
        if(messageIsRequest){
            IHttpRequestResponse messageInfo = message.getMessageInfo();
            IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo);
            String URL = new String(reqInfo.getUrl().toString());
            List headers = reqInfo.getHeaders();

            if(URL.contains(this.Host_URL) && reqInfo.getMethod().toLowerCase().contains("post")){
                String _endpoint = get_endpoint(URL);
                if(!endpoints.contains(_endpoint)){ return; }

                byte[] tmpreq = message.getMessageInfo().getRequest();
                String _dec_param = get_dec_params(tmpreq, _endpoint);
                headers.add(new String("AES-Killer: Parameter"));

                byte[] updateMessage = helpers.buildHttpMessage(headers, _dec_param.getBytes());
                messageInfo.setRequest(updateMessage);
                print_output("PPM", "decrypted request :: " + new String(updateMessage));
            }

        }else {
//            IHttpRequestResponse messageInfo = message.getMessageInfo();
//            IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo);
//            IResponseInfo resInfo = helpers.analyzeResponse(messageInfo.getResponse());
//            String URL = new String(reqInfo.getUrl().toString());
//            List headers = resInfo.getHeaders();
//
//            if(!headers.contains("AES-Killer: DecryptedResponse")){
//                return;
//            }
//
//            if((URL.contains(this.Host_URL) ) && reqInfo.getMethod().toLowerCase().contains("post")){
//                String tmpreq = new String(messageInfo.getResponse());
//                String messageBody = new String(tmpreq.substring(resInfo.getBodyOffset())).trim();
//                messageBody = do_Encrypt(messageBody);
//                byte[] updateMessage = helpers.buildHttpMessage(headers, messageBody.getBytes());
//                messageInfo.setResponse(updateMessage);
//                print_output("Final Request", new String(updateMessage));
//            }
        }
    }


    @Override
    public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) {
        if(messageIsRequest){
            IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo);
            String URL = new String(reqInfo.getUrl().toString());
            List headers = reqInfo.getHeaders();

            if(!headers.contains("AES-Killer: Parameter")){
                return;
            }

            if(URL.contains(this.Host_URL) && reqInfo.getMethod().toLowerCase().contains("post")){
                String _endpoint = get_endpoint(URL);
                if(!endpoints.contains(_endpoint)){ return; }

                String _enc_paramaters = this.get_enc_params(messageInfo.getRequest(), _endpoint);
                byte[] updateMessage = helpers.buildHttpMessage(headers, _enc_paramaters.getBytes());
                messageInfo.setRequest(updateMessage);
                print_output("PHTM :: Encrypted Request\n ", new String(updateMessage));
            }

        }
        else{
//            IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo);
//            IResponseInfo resInfo = helpers.analyzeResponse(messageInfo.getResponse());
//            String URL = new String(reqInfo.getUrl().toString());
//            List headers = resInfo.getHeaders();
//
//            if((URL.contains(this.Host_URL)) && reqInfo.getMethod().toLowerCase().contains("post")){
//                String tmpreq = new String(messageInfo.getResponse());
//                String messageBody = new String(tmpreq.substring(resInfo.getBodyOffset())).trim();
//                messageBody = do_Decrypt(messageBody);
//                headers.add("AES-Killer: DecryptedResponse");
//                byte[] updateMessage = helpers.buildHttpMessage(headers, messageBody.getBytes());
//                messageInfo.setResponse(updateMessage);
//                print_output("Decrypted Response", new String(updateMessage));
//            }
        }
    }

}
	package burp;

	import java.io.PrintWriter;
	import java.security.NoSuchAlgorithmException;
	import java.util.ArrayList;
	import java.util.Base64;
	import java.util.List;
	import java.util.logging.Level;
	import java.util.logging.Logger;
	import javax.crypto.Cipher;
	import javax.crypto.NoSuchPaddingException;
	import javax.crypto.SecretKey;
	import javax.crypto.spec.IvParameterSpec;
	import javax.crypto.spec.SecretKeySpec;

	/**
	*
	* @author bugzy
	*/
	public class BurpExtender implements IBurpExtender, IProxyListener, IHttpListener{

	public String ExtensionName = "AES_Killer Parameters";

	public IBurpExtenderCallbacks callbacks;
	public IExtensionHelpers helpers;
	public PrintWriter stdout;
	public PrintWriter stderr;
	public Boolean isDebug = true;

	public Cipher cipher;
	public IvParameterSpec iv_param;
	public SecretKey sec_key;

	public String Host_URL = "<URL>";

	public String[] offusicatedChar = {"+", "/"};
	public String[] replaceWithChar = {"-", "_"};

	// Endpoints and their corresponding parameters & grant_type in order
	public List<String> endpoints = new ArrayList<String>();
	public String[][] parameters = {
	{"username", "password"}
	};
	public String[] grant_type = { "grant_type=password", ""};

	@Override
	public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
	this.callbacks = callbacks;
	this.helpers = callbacks.getHelpers();
	this.stdout = new PrintWriter(callbacks.getStdout(), true);
	this.stderr = new PrintWriter(callbacks.getStderr(), true);
	this.callbacks.setExtensionName(this.ExtensionName);

	// Add endpoint here
	this.endpoints.add("login");

	try {
	cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
	sec_key = new SecretKeySpec(Base64.getDecoder().decode("<Secret Key>"),"AES");
	iv_param = new IvParameterSpec(Base64.getDecoder().decode("<IV Parameter>"));
	} catch (NoSuchAlgorithmException ex) {
	Logger.getLogger(BurpExtender.class.getName()).log(Level.SEVERE, null, ex);
	} catch (NoSuchPaddingException ex) {
	Logger.getLogger(BurpExtender.class.getName()).log(Level.SEVERE, null, ex);
	}


	this.callbacks.registerHttpListener(this);
	this.callbacks.registerProxyListener(this);
	this.stdout.println("AES_Killer Installed !!!");
	}

	private void print_output(String _src, String str){
	if(! isDebug){ return; }
	this.stdout.println(_src + " :: " + str + "\n\n");
	}

	private void print_error(String _src, String str){
	if(! isDebug){ return; }
	this.stdout.println(_src + " :: " + str);
	}

	private String do_Decrypt(String paramString){
	try{
	String temp_params = removeOff(paramString);
	cipher.init(2, sec_key ,iv_param);
	temp_params = new String (cipher.doFinal(this.helpers.base64Decode(temp_params)), "UTF-8");
	return temp_params;
	}catch(Exception ex){
	print_error("do_Decrypt", ex.getMessage());
	return paramString;
	}
	}

	private String do_Encrypt(String paramString){
	try{
	String temp_params = paramString;
	cipher.init(1, sec_key ,iv_param);
	temp_params = new String (this.helpers.base64Encode(cipher.doFinal(temp_params.getBytes())));
	return doOff(temp_params);
	}catch(Exception ex){
	print_error("do_Encryp", ex.getMessage());
	return paramString;
	}
	}

	public String removeOff(String paramString) {
	if (paramString != null) {
	for(int i =0; i< this.offusicatedChar.length; i++){
	paramString = paramString.replace(this.replaceWithChar[i], this.offusicatedChar[i]);
	}
	return paramString;
	}
	return paramString;
	}

	public String doOff(String paramString) {
	if (paramString != null) {
	for(int i =0; i< this.offusicatedChar.length; i++){
	paramString = paramString.replace(this.offusicatedChar[i], this.replaceWithChar[i]);
	}
	return paramString;
	}
	return paramString;
	}

	public String get_endpoint(String _url){
	return _url.replaceAll(this.Host_URL, "");
	}

	public String get_param(byte[] _tmp_req, String _req_param){
	IParameter _parameters = this.helpers.getRequestParameter(_tmp_req, _req_param);
	String _param = _parameters.getValue().toString();
	_param = this.helpers.urlDecode(_param);
	return _param;
	}

	public String remove_padding(String _pad_param){
	_pad_param = _pad_param.replaceAll("\u0000", "");
	_pad_param = _pad_param.substring(4, _pad_param.length());
	_pad_param = _pad_param.substring(0, _pad_param.length() - 8);
	return _pad_param;
	}

	public String add_padding(String _nml_param){
	return "1234"+_nml_param+"12345678";
	}

	public String get_dec_params(byte[] _tmp_req, String _endpoint){
	String _dec_params = "";
	int _index = endpoints.indexOf(_endpoint);
	String[] _params = this.parameters[_index];

	_dec_params = this.grant_type[_index] + "&";
	for(int i=0; i< _params.length; i++){
	String _param = get_param(_tmp_req, _params[i]);
	_param = this.helpers.urlDecode(_param);
	_param = this.do_Decrypt(_param);

	_dec_params = _dec_params + _params[i] + "=" + remove_padding(_param) + "&";
	}

	return _dec_params;
	}

	public String get_enc_params(byte[] _tmp_req, String _endpoint){
	String _enc_params = "";
	int _index = endpoints.indexOf(_endpoint);
	String[] _params = this.parameters[_index];

	_enc_params = this.grant_type[_index] + "&";
	for(int i=0; i< _params.length; i++){
	String _param = get_param(_tmp_req, _params[i]);
	_param = add_padding(_param);
	_param = this.do_Encrypt(_param);

	_enc_params = _enc_params + _params[i] + "=" + _param + "&";
	}

	return _enc_params;
	}


	@Override
	public void processProxyMessage(boolean messageIsRequest, IInterceptedProxyMessage message) {
	if(messageIsRequest){
	IHttpRequestResponse messageInfo = message.getMessageInfo();
	IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo);
	String URL = new String(reqInfo.getUrl().toString());
	List headers = reqInfo.getHeaders();

	if(URL.contains(this.Host_URL) && reqInfo.getMethod().toLowerCase().contains("post")){
	String _endpoint = get_endpoint(URL);
	if(!endpoints.contains(_endpoint)){ return; }

	byte[] tmpreq = message.getMessageInfo().getRequest();
	String _dec_param = get_dec_params(tmpreq, _endpoint);
	headers.add(new String("AES-Killer: Parameter"));

	byte[] updateMessage = helpers.buildHttpMessage(headers, _dec_param.getBytes());
	messageInfo.setRequest(updateMessage);
	print_output("PPM", "decrypted request :: " + new String(updateMessage));
	}

	}else {
	// IHttpRequestResponse messageInfo = message.getMessageInfo();
	// IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo);
	// IResponseInfo resInfo = helpers.analyzeResponse(messageInfo.getResponse());
	// String URL = new String(reqInfo.getUrl().toString());
	// List headers = resInfo.getHeaders();
	//
	// if(!headers.contains("AES-Killer: DecryptedResponse")){
	// return;
	// }
	//
	// if((URL.contains(this.Host_URL) ) && reqInfo.getMethod().toLowerCase().contains("post")){
	// String tmpreq = new String(messageInfo.getResponse());
	// String messageBody = new String(tmpreq.substring(resInfo.getBodyOffset())).trim();
	// messageBody = do_Encrypt(messageBody);
	// byte[] updateMessage = helpers.buildHttpMessage(headers, messageBody.getBytes());
	// messageInfo.setResponse(updateMessage);
	// print_output("Final Request", new String(updateMessage));
	// }
	}
	}


	@Override
	public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) {
	if(messageIsRequest){
	IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo);
	String URL = new String(reqInfo.getUrl().toString());
	List headers = reqInfo.getHeaders();

	if(!headers.contains("AES-Killer: Parameter")){
	return;
	}

	if(URL.contains(this.Host_URL) && reqInfo.getMethod().toLowerCase().contains("post")){
	String _endpoint = get_endpoint(URL);
	if(!endpoints.contains(_endpoint)){ return; }

	String _enc_paramaters = this.get_enc_params(messageInfo.getRequest(), _endpoint);
	byte[] updateMessage = helpers.buildHttpMessage(headers, _enc_paramaters.getBytes());
	messageInfo.setRequest(updateMessage);
	print_output("PHTM :: Encrypted Request\n ", new String(updateMessage));
	}

	}
	else{
	// IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo);
	// IResponseInfo resInfo = helpers.analyzeResponse(messageInfo.getResponse());
	// String URL = new String(reqInfo.getUrl().toString());
	// List headers = resInfo.getHeaders();
	//
	// if((URL.contains(this.Host_URL)) && reqInfo.getMethod().toLowerCase().contains("post")){
	// String tmpreq = new String(messageInfo.getResponse());
	// String messageBody = new String(tmpreq.substring(resInfo.getBodyOffset())).trim();
	// messageBody = do_Decrypt(messageBody);
	// headers.add("AES-Killer: DecryptedResponse");
	// byte[] updateMessage = helpers.buildHttpMessage(headers, messageBody.getBytes());
	// messageInfo.setResponse(updateMessage);
	// print_output("Decrypted Response", new String(updateMessage));
	// }
	}
	}

	}