0x01 Writing the RSA Plugin
i. Tab UI
Adding a custom tab requires implementing the `ITab` interface and calling `addSuiteTab` to register the tab.
This interface is used to provide Burp with details of a custom tab that will be added to Burp’s UI, using a method such as IBurpExtenderCallbacks.addSuiteTab().
The following two methods must be implemented so that Burp can display the tab's contents:
Modifier and Type | Method and Description |
---|---|
java.lang.String | getTabCaption() Burp uses this method to obtain the caption that should appear on the custom tab when it is displayed. |
java.awt.Component | getUiComponent() Burp uses this method to obtain the component that should be used as the contents of the custom tab when it is displayed. |
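Rough usage is as follows:

```python
# Sets the caption displayed on the tab
def getTabCaption(self):
    return "RSA Plugin"

# Returns the UI shown when the tab is clicked; self.tab is the custom UI structure
def getUiComponent(self):
    return self.tab
```

Alternatively, the `IBurpExtenderCallbacks.customizeUiComponent` method can be used in place of the `getUiComponent` method.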
ii. Context menu
The context menu uses the `IContextMenuFactory` interface. According to the documentation, the custom menu has to be registered through `registerContextMenuFactory`:
Extensions can implement this interface and then call IBurpExtenderCallbacks.registerContextMenuFactory() to register a factory for custom context menu items.
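The method to override when building the custom menu is shown below. `invocation` can be used to determine which part of the UI triggered the menu, so the menu can be built dynamically.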
Modifier and Type | Method and Description |
---|---|
java.util.List<javax.swing.JMenuItem> | createMenuItems(IContextMenuInvocation invocation) This method will be called by Burp when the user invokes a context menu anywhere within Burp. |
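Here, extra `request/response` entries were added for both encryption and decryption so that the user chooses where the selection comes from.
Update: `getToolFlag` can be called to get the menu that was clicked, and `getInvocationContext` to get the context in which the menu was invoked.

```python
from javax import swing  # Jython import for the Swing menu classes used below

def createMenuItems(self, invocation):
    self._invocation = invocation
    # Start/end offsets of the user's selection in the current message
    self._messages_index = self._invocation.getSelectionBounds()
    self._messages = self._invocation.getSelectedMessages()
    # 0 = request, 1 = response (see the context table below)
    self._servicetype = self._invocation.getInvocationContext() % 2
    top_menu = swing.JMenu(self._title)
    for _item in self.typeString:
        top_menu.add(swing.JMenuItem(_item, actionPerformed=lambda x: self.evenHandler(x)))
    return [top_menu]
```

The InvocationContext values of interest are mainly the ones marked in bold; a simple modulo 2 tells whether the selected text comes from the request or the response.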
Constant Field | Value |
---|---|
CONTEXT_INTRUDER_ATTACK_RESULTS | 9 |
CONTEXT_INTRUDER_PAYLOAD_POSITIONS | 8 |
CONTEXT_MESSAGE_EDITOR_REQUEST | 0 |
CONTEXT_MESSAGE_EDITOR_RESPONSE | 1 |
CONTEXT_MESSAGE_VIEWER_REQUEST | 2 |
CONTEXT_MESSAGE_VIEWER_RESPONSE | 3 |
CONTEXT_PROXY_HISTORY | 6 |
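iii. Text replacement
How to implement this depends on where it is used. The goal here is a quick right-click replace feature similar to `Decoder`. The interface used is `IContextMenuInvocation`, and the main methods are the following two: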
Modifier and Type | Method and Description |
---|---|
IHttpRequestResponse[] | getSelectedMessages() This method can be used to retrieve details of the HTTP requests / responses that were shown or selected by the user when the context menu was invoked. |
int[] | getSelectionBounds() This method can be used to retrieve the bounds of the user’s selection into the current message, if applicable. |
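Note that `getSelectedMessages` returns `IHttpRequestResponse` objects, so you have to determine yourself whether the selected text comes from the request or the response. Otherwise, the text extracted with the bounds given by `getSelectionBounds` may be wrong. In most cases the selection comes from the former. The function returns a `string` at the end so that log information can easily be printed along the way.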
```python
"""
@param sourcetype: 0 - Request
                   1 - Response
@return: String
"""
def getSelectedMessagesString(self):
    # Pick the byte array that the selection bounds refer to
    if self._servicetype == 0:
        self._tmpService = self._messages[0].getRequest()
    elif self._servicetype == 1:
        self._tmpService = self._messages[0].getResponse()
    # Slice out the selected bytes and convert them to a string
    self._tmpText = self._tmpService[self._messages_index[0]:self._messages_index[1]].tostring()
    return self._tmpText
```
When the replacement is performed, the whole message text is replaced directly:

```python
def replaceText(self, data, rsastatus):
    if self.autoReplaceStuts is True and rsastatus is True:
        # Rebuild the message: bytes before the selection + new data + bytes after it
        new_text = self._tmpService[:self._messages_index[0]] + self._helpers.stringToBytes(data) + self._tmpService[self._messages_index[1]:]
        if self._servicetype == 0:
            self._messages[0].setRequest(new_text)
        elif self._servicetype == 1:
            self._messages[0].setResponse(new_text)
```
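The selection extraction and splice replacement described in this section, as an added example that is not part of the original plugin and runs without Burp. It goes beyond the `% 2` check by mapping the four message editor/viewer contexts explicitly and rejecting any other context or any selection that does not fit the chosen message; `FakeMessage`, the helper names and the sample traffic are assumptions made for illustration.

```python
# Added example. FakeMessage is a hypothetical stand-in for IHttpRequestResponse;
# the sample traffic is constructed. Context values come from the table on this page.
REQUEST_CONTEXTS = (0, 2)   # CONTEXT_MESSAGE_EDITOR_REQUEST, CONTEXT_MESSAGE_VIEWER_REQUEST
RESPONSE_CONTEXTS = (1, 3)  # CONTEXT_MESSAGE_EDITOR_RESPONSE, CONTEXT_MESSAGE_VIEWER_RESPONSE

SAMPLE_REQUEST = b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\npassword=CIPHERTEXT"
SAMPLE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 9\r\n\r\ntoken=abc"

class FakeMessage(object):
    def __init__(self, request, response):
        self.request, self.response = request, response
    def getRequest(self):
        return self.request
    def getResponse(self):
        return self.response
    def setRequest(self, data):
        self.request = data
    def setResponse(self, data):
        self.response = data

def side_for_context(context):
    """Map an invocation context to 'request'/'response', or None if unsupported."""
    if context in REQUEST_CONTEXTS:
        return "request"
    if context in RESPONSE_CONTEXTS:
        return "response"
    return None  # e.g. 6 (CONTEXT_PROXY_HISTORY), which % 2 would treat as a request

def selected_bytes(message, context, bounds):
    """Return (side, raw, start, end) for a usable selection, else None."""
    side = side_for_context(context)
    if side is None or bounds is None:
        return None
    raw = message.getRequest() if side == "request" else message.getResponse()
    start, end = bounds
    if raw is None or not 0 <= start < end <= len(raw):
        return None  # empty, reversed or out-of-range selection
    return side, raw, start, end

def replace_selection(message, context, bounds, new_bytes):
    """Splice new_bytes over the selection; return the replaced bytes or None."""
    found = selected_bytes(message, context, bounds)
    if found is None:
        return None
    side, raw, start, end = found
    spliced = raw[:start] + new_bytes + raw[end:]
    (message.setRequest if side == "request" else message.setResponse)(spliced)
    return raw[start:end]
```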
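0x02 Commonly used Burp classes
From https://thief.one/2018/05/04/1/#burp插件开发文档
1. Plugin entry point and helper interfaces: IBurpExtender, IBurpExtenderCallbacks, IExtensionHelpers, IExtensionStateListener
The IBurpExtender interface is the entry point of a Burp plugin. Every Burp plugin must implement this interface, and the class must be named BurpExtender. The IBurpExtenderCallbacks interface is the link between the class that implements IBurpExtender and Burp's other components (Scanner, Intruder, Spider...) and communication objects (HttpRequestResponse, HttpService, SessionHandlingAction). The IExtensionHelpers and IExtensionStateListener interfaces define the plugin's helper and management operations.
2. UI-related interfaces: IContextMenuFactory, IContextMenuInvocation, ITab, ITextEditor, IMessageEditor, IMenuItemHandler
These interfaces mainly define how a Burp plugin's UI is displayed and how its actions are handled; they are used mostly for user interaction.
3. Burp tool component interfaces: IInterceptedProxyMessage, IIntruderAttack, IIntruderPayloadGenerator, IIntruderPayloadGeneratorFactory, IIntruderPayloadProcessor, IProxyListener, IScanIssue, IScannerCheck, IScannerInsertionPoint, IScannerInsertionPointProvider, IScannerListener, IScanQueueItem, IScopeChangeListener
The purpose of these interfaces is easy to understand. Burp follows a self-describing naming convention for its interfaces, so the name of an interface is usually enough to guess which tool component it applies to.
4. HTTP message handling interfaces: ICookie, IHttpListener, IHttpRequestResponse, IHttpRequestResponsePersisted, IHttpRequestResponseWithMarkers, IHttpService, IRequestInfo, IParameter, IResponseInfo
These interfaces are defined around the main message objects involved in HTTP communication: Cookie, Request, Response and Parameter. By processing the data in message headers and bodies, they make it possible to control how HTTP messages are passed along.
0x03 Demo
The old version had the user choose the source of the text; after the later update I couldn't be bothered to re-record the GIF :3
Project URL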
https://github.com/sari3l/Burp-Extensions/tree/master/RSA%20Plugin