Neurohazard
暮雲煙月,皓首窮經;森羅萬象,如是我聞。

Burp Extension 101 (Java) 插件编写指南

wpadmin~November 16, 2018 /InfoSec

Burp Extension 101 (Java)

Hello World

Intro to Burp Extender (Java)
https://www.youtube.com/watch?v=wR1ENja0lI0

IDEA 新建项目 > Java > Next > Next
打开 Burp > Extender > APIs > save Interface Files (保存的路径选项目的 src 路径)

新建 BurpExtender.java

BurpExtender.java

package burp;

import java.io.PrintWriter;

public class BurpExtender implements IBurpExtender{
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks){

        callbacks.setExtensionName("A3eScanner");
        PrintWriter stdout = new PrintWriter(callbacks.getStdout(), true);
        stdout.println("A3eScanner initialized.");
    }
}

编译脚本

在项目路径下新建一个 build 目录
在项目路径下新建一个 jar 目录
在项目路径下新建一个 compile_to_jar.bat 的文件

compile_to_jar.bat

@doskey javac="C:\Program Files\Java\jdk1.8.0_181\bin\javac.exe" $*
@doskey jar="C:\Program Files\Java\jdk1.8.0_181\bin\jar.exe" $*
javac -d build src/burp/*.java
javac -encoding UTF-8 -Xdiags:verbose -Xlint:unchecked -d build src/burp/*.java
jar cf jar/acescanner.jar -C build burp

delete.bat

del /S "build/burp"

HTTP Listener

BurpExtender.java

package burp;

import java.io.PrintWriter;

public class BurpExtender implements IBurpExtender, IHttpListener {

    IExtensionHelpers helpers;
    PrintWriter stdout;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {

        callbacks.setExtensionName("XXExp1oit");
        helpers = callbacks.getHelpers();
        stdout = new PrintWriter(callbacks.getStdout(), true);
        stdout.println("XXExp1oit initialized.");
        callbacks.registerHttpListener(this);
    }

    @Override
    public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) {
        if (messageIsRequest) {
            IHttpService httpService = messageInfo.getHttpService();
            String host = httpService.getHost();

            if (host != null) {
                stdout.println("Host: " + host);
            }
        }
    }
}

Proxy Listener

简单总结一下 Burp 插件的基本写法

1 继承相应的接口,比如 IHttpListener, IProxyListener 等
2 在回调方法中注册相应的 Listener 对应的 对象。 callbacks.registerProxyListener(this);
3 实现接口需要实现的方法。

package burp;

import java.util.List;
import java.io.PrintWriter;
import java.net.URL;

public class BurpExtender implements IBurpExtender, IProxyListener {

    IExtensionHelpers helpers;
    PrintWriter stdout;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {

        callbacks.setExtensionName("XXExp1oit");
        helpers = callbacks.getHelpers();
        stdout = new PrintWriter(callbacks.getStdout(), true);
        stdout.println("XXExp1oit initialized.");

        callbacks.registerProxyListener(this);

    }

    @Override
    public void processProxyMessage(boolean messageIsRequest, IInterceptedProxyMessage message) {
        if (messageIsRequest) {

            // 替换 Proxy 中的 HTTP Requesst
            // 添加 自定义的 HTTP header
            IHttpRequestResponse messageInfo = message.getMessageInfo();
            IRequestInfo rqInfo = helpers.analyzeRequest(messageInfo);
            List<String> headers = rqInfo.getHeaders();
            headers.add("X-XXExp1oit: v1.0.1");
            String request = new String(messageInfo.getRequest());
            String messageBody = request.substring(rqInfo.getBodyOffset());
            byte[] updatedMessage = helpers.buildHttpMessage(headers, messageBody.getBytes());
            messageInfo.setRequest(updatedMessage);


            // 回显一些信息
            IHttpService httpService = messageInfo.getHttpService();
            String host = httpService.getHost();
            int port = httpService.getPort();
            String protocol = httpService.getProtocol();
            URL url = rqInfo.getUrl();
            stdout.println("XXExp1oit Processing: " + protocol + "://" + host + ":" + String.valueOf(port));
            stdout.println(url.toString());
        }
    }
}

Itab

参考
Burp XXE Scanner 插件开发(附下载)
https://www.freebuf.com/sectool/171123.html

https://github.com/portswigger/cvss-calculator

BurpExtender.java

package burp;

import java.util.List;
import java.io.PrintWriter;
import java.net.URL;

import javax.swing.*;


public class BurpExtender implements IBurpExtender {

    public static String projectName = "XXExp1oit";
    public static String projectVersion = "1.0.1";

    IExtensionHelpers helpers;
    IBurpExtenderCallbacks callbacks;
    PrintWriter stdout;

    OptionTab optionTab;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {

        // Extension Name
        callbacks.setExtensionName(projectName);

        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        stdout = new PrintWriter(callbacks.getStdout(), true);
        stdout.println(projectName + " " + projectVersion + " initialized.");

        optionTab = new OptionTab(callbacks);

    }

}

OptionTab.java

package burp;

import javax.swing.*;
import javax.swing.JOptionPane;
import java.awt.*;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.io.*;

public class OptionTab implements ITab, ActionListener {
    public static String tabName = "XXExp Options";
    JPanel jp1;
    JTextField jtfString1, jtfString2;
    JButton jb1;
    JLabel jlString1, jlString2;

    private final IBurpExtenderCallbacks callbacks;

    public OptionTab(final IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;

        jp1 = new JPanel();
        jlString1 = new JLabel("Label 1:");
        jlString2 = new JLabel("Label 2:");

        jtfString1 = new JTextField(20);
        jtfString2 = new JTextField(20);

        jb1 = new JButton("save");
        jb1.addActionListener(this);

        jp1.add(jlString1);
        jp1.add(jtfString1);
        jp1.add(jlString2);
        jp1.add(jtfString2);
        jp1.add(jb1);

        callbacks.customizeUiComponent(jtfString2);
        callbacks.addSuiteTab(OptionTab.this);
    }

    @Override
    public String getTabCaption() {
        return tabName;
    }

    @Override
    public Component getUiComponent() {
        return jp1;
    }

    @Override
    public void actionPerformed(ActionEvent e) {
        if ((jtfString1.getText() != "") && (jtfString2.getText() != "")) {
            JOptionPane.showMessageDialog(jp1, "OK", "OK Title", JOptionPane.INFORMATION_MESSAGE);
        } else {
            JOptionPane.showMessageDialog(jp1, "Label 1 和 Label 2不能为空", "提示", JOptionPane.WARNING_MESSAGE);
        }
    }


}

参考资料

安全小课堂第142期【burp插件开发入门】
https://mp.weixin.qq.com/s/ugNzyoMHri9T3wuYK4_RhA

Intro to Burp Extender (Java)
https://www.youtube.com/watch?v=wR1ENja0lI0

BSidesCHS 2015: Building Burp Extensions – Jason Gillam
https://www.youtube.com/watch?v=v7Yjdi9NvOY

New Burp Suite Extensibility
https://portswigger.net/blog/new-burp-suite-extensibility

Writing your first Burp Suite extension
https://portswigger.net/blog/writing-your-first-burp-suite-extension

Sample Burp Suite extension: Hello World
https://portswigger.net/blog/sample-burp-suite-extension-hello-world

Sample Burp Suite extension: event listeners
https://portswigger.net/blog/sample-burp-suite-extension-event-listeners

Sample Burp Suite extension: traffic redirector
https://portswigger.net/blog/sample-burp-suite-extension-traffic-redirector

Sample Burp Suite extension: custom logger
https://portswigger.net/blog/sample-burp-suite-extension-custom-logger

Sample Burp Suite extension: custom editor tab
https://portswigger.net/blog/sample-burp-suite-extension-custom-editor-tab

Sample Burp Suite extension: custom scan insertion points
https://portswigger.net/blog/sample-burp-suite-extension-custom-scan-insertion-points

Sample Burp Suite extension: custom scanner checks
https://portswigger.net/blog/sample-burp-suite-extension-custom-scanner-checks

Sample Burp Suite extension: Intruder payloads
https://portswigger.net/blog/sample-burp-suite-extension-intruder-payloads

Leave a Reply

Your email address will not be published. Required fields are marked *