Learning Man's Blog

Burp Extensions: Writing an RSA Plugin

2018/12/14

0x01 Writing the RSA Plugin

i. Tab UI

Adding a custom tab requires implementing the ITab interface and registering the tab by calling addSuiteTab.

This interface is used to provide Burp with details of a custom tab that will be added to Burp’s UI, using a method such as IBurpExtenderCallbacks.addSuiteTab().

The following two methods must be implemented so that Burp can display the tab's content:

| Modifier and Type | Method and Description |
| --- | --- |
| java.lang.String | getTabCaption(): Burp uses this method to obtain the caption that should appear on the custom tab when it is displayed. |
| java.awt.Component | getUiComponent(): Burp uses this method to obtain the component that should be used as the contents of the custom tab when it is displayed. |

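Rough usage is as follows:

# Sets the name shown on the tab
def getTabCaption(self):
    return "RSA Plugin"

# Returns the UI shown when the tab is clicked; self.tab is the custom UI structure
def getUiComponent(self):
    return self.tab

Alternatively, the IBurpExtenderCallbacks.customizeUiComponent method can be used in place of the getUiComponent method.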

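ii. Context menu

The context menu requires the IContextMenuFactory interface. According to the documentation, the custom menu must be registered through registerContextMenuFactory.

Extensions can implement this interface and then call IBurpExtenderCallbacks.registerContextMenuFactory() to register a factory for custom context menu items.

The method to override when building a custom menu is the one below. The invocation argument can be used to determine which part of the UI triggered the menu, so the menu can be built dynamically.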

| Modifier and Type | Method and Description |
| --- | --- |
| java.util.List<javax.swing.JMenuItem> | createMenuItems(IContextMenuInvocation invocation): This method will be called by Burp when the user invokes a context menu anywhere within Burp. |

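Here, extra request/response entries were added for both encryption and decryption so that the user can choose the source of the request.

Update: getToolFlag can be called to identify where the menu was clicked, and getInvocationContext to get the invocation context.

from javax import swing

def createMenuItems(self, invocation):
    # Keep the invocation so the click handler can read the selection later
    self._invocation = invocation
    # [start, end] offsets of the selection within the current message
    self._messages_index = self._invocation.getSelectionBounds()
    self._messages = self._invocation.getSelectedMessages()
    # 0 = request, 1 = response (see the constant table below)
    self._servicetype = self._invocation.getInvocationContext() % 2
    top_menu = swing.JMenu(self._title)
    for _item in self.typeString:
        top_menu.add(swing.JMenuItem(_item, actionPerformed=lambda x: self.evenHandler(x)))
    return [top_menu]

The main InvocationContext values are the ones marked in bold; a simple modulo 2 tells whether the selected text comes from the request or the response.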

| Constant Field | Value |
| --- | --- |
| CONTEXT_INTRUDER_ATTACK_RESULTS | 9 |
| CONTEXT_INTRUDER_PAYLOAD_POSITIONS | 8 |
| CONTEXT_MESSAGE_EDITOR_REQUEST | 0 |
| CONTEXT_MESSAGE_EDITOR_RESPONSE | 1 |
| CONTEXT_MESSAGE_VIEWER_REQUEST | 2 |
| CONTEXT_MESSAGE_VIEWER_RESPONSE | 3 |
| CONTEXT_PROXY_HISTORY | 6 |

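iii. Text replacement

How to do this depends on where it is used. The goal here is something like Decoder's quick right-click replacement. The interface involved is IContextMenuInvocation, and the two main methods are the following: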

| Modifier and Type | Method and Description |
| --- | --- |
| IHttpRequestResponse[] | getSelectedMessages(): This method can be used to retrieve details of the HTTP requests / responses that were shown or selected by the user when the context menu was invoked. |
| int[] | getSelectionBounds(): This method can be used to retrieve the bounds of the user’s selection into the current message, if applicable. |

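Note that getSelectedMessages returns IHttpRequestResponse objects, so you have to determine yourself whether the selected text comes from the request or the response; otherwise the text extracted with the bounds given by getSelectionBounds may be wrong. In most cases it comes from the former, of course. The method returns a string at the end to make it easy to write log output along the way.

def getSelectedMessagesString(self):
    """
    Uses self._servicetype: 0 - Request
                            1 - Response
    @return: String
    """
    # Pick the buffer that the selection bounds refer to
    if self._servicetype == 0:
        self._tmpService = self._messages[0].getRequest()
    elif self._servicetype == 1:
        self._tmpService = self._messages[0].getResponse()
    # Slice the selected bytes out of that buffer and convert them to a string
    self._tmpText = self._tmpService[self._messages_index[0]:self._messages_index[1]].tostring()
    return self._tmpText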

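When the replacement is performed, all of the text is replaced directly.

def replaceText(self, data, rsastatus):
    # Replace only when auto-replace is enabled and the RSA operation succeeded
    if self.autoReplaceStuts is True and rsastatus is True:
        # bytes before the selection + new data + bytes after the selection
        new_text = self._tmpService[:self._messages_index[0]] + self._helpers.stringToBytes(data) + self._tmpService[self._messages_index[1]:]
        # Write the result back to the side the selection came from
        if self._servicetype == 0:
            self._messages[0].setRequest(new_text)
        elif self._servicetype == 1:
            self._messages[0].setResponse(new_text)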
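
The request/response decision and the splice described above, as an added example that is not part of the original post or of the RSA Plugin project. It works on plain byte strings so it runs outside Burp; the function names, the sample messages and the choice to reject contexts other than 0 to 3 are assumptions of this example.

```python
# Added example: hypothetical helpers, not code from the RSA Plugin project.
# The constant values are the IContextMenuInvocation values listed in the post.
CONTEXT_MESSAGE_EDITOR_REQUEST = 0
CONTEXT_MESSAGE_EDITOR_RESPONSE = 1
CONTEXT_MESSAGE_VIEWER_REQUEST = 2
CONTEXT_MESSAGE_VIEWER_RESPONSE = 3

# Assumption of this example: trust "context % 2" only for the four contexts
# whose names say REQUEST or RESPONSE; 6, 8 and 9 are treated as unsupported.
PARITY_CONTEXTS = frozenset([
    CONTEXT_MESSAGE_EDITOR_REQUEST, CONTEXT_MESSAGE_EDITOR_RESPONSE,
    CONTEXT_MESSAGE_VIEWER_REQUEST, CONTEXT_MESSAGE_VIEWER_RESPONSE,
])


def resolve_source(context, bounds):
    """Return 0 (request), 1 (response), or None when nothing usable is selected."""
    if context not in PARITY_CONTEXTS:
        return None
    if bounds is None or len(bounds) != 2 or bounds[0] >= bounds[1]:
        return None  # missing or empty selection
    return context % 2


def splice(message, bounds, replacement):
    """Return (selected_bytes, new_message) with message[start:end] replaced."""
    start, end = bounds
    if not 0 <= start < end <= len(message):
        raise ValueError("selection bounds do not fit this message")
    return message[start:end], message[:start] + replacement + message[end:]


def replace_selection(context, bounds, request, response, replacement):
    """Splice into the buffer the bounds refer to; None if there is nothing to do."""
    source = resolve_source(context, bounds)
    if source is None:
        return None
    buf = request if source == 0 else response
    if buf is None:  # e.g. no response has been received yet
        return None
    selected, new_message = splice(buf, bounds, replacement)
    return source, selected, new_message


# Constructed sample messages (not captured traffic).
SAMPLE_REQUEST = b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\npassword=hunter2"
SAMPLE_RESPONSE = b'HTTP/1.1 200 OK\r\n\r\n{"token":"abc"}'
```

Applying bounds taken from the request to the response buffer either raises ValueError or returns unrelated bytes, which is the mistake the paragraph on getSelectedMessages warns about.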

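0x02 Commonly used Burp classes

From https://thief.one/2018/05/04/1/#burp插件开发文档

1. Plugin entry point and helper interfaces: IBurpExtender, IBurpExtenderCallbacks, IExtensionHelpers, IExtensionStateListener
The IBurpExtender interface is the entry point of a Burp plugin; every Burp plugin must implement this interface, and the class must be named BurpExtender. The IBurpExtenderCallbacks interface is the link between the class implementing IBurpExtender and Burp's other components (Scanner, Intruder, Spider, ...) and communication objects (HttpRequestResponse, HttpService, SessionHandlingAction). The IExtensionHelpers and IExtensionStateListener interfaces define the plugin's helper and management operations.

2. UI-related interfaces: IContextMenuFactory, IContextMenuInvocation, ITab, ITextEditor, IMessageEditor, IMenuItemHandler
These interfaces mainly define the UI display of a Burp plugin and the event handling for its actions; they are used chiefly for user interaction.

3. Burp tool component interfaces: IInterceptedProxyMessage, IIntruderAttack, IIntruderPayloadGenerator, IIntruderPayloadGeneratorFactory, IIntruderPayloadProcessor, IProxyListener, IScanIssue, IScannerCheck, IScannerInsertionPoint, IScannerInsertionPointProvider, IScannerListener, IScanQueueItem, IScopeChangeListener
The purpose of these interfaces is easy to understand. Burp follows a self-describing naming convention for its interfaces, so the name of an interface is usually enough to guess which tool component it applies to.

4. HTTP message handling interfaces: ICookie, IHttpListener, IHttpRequestResponse, IHttpRequestResponsePersisted, IHttpRequestResponseWithMarkers, IHttpService, IRequestInfo, IParameter, IResponseInfo
These interfaces are defined around the main message objects involved in HTTP communication: Cookie, Request, Response and Parameter. By processing the data in message headers and bodies, they make it possible to control how HTTP messages are passed along.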

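0x03 Demo

The old version had the user choose the text source; after the later update I couldn't be bothered to re-record the GIF :3

Project

https://github.com/sari3l/Burp-Extensions/tree/master/RSA%20Plugin

References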

  1. https://portswigger.net/burp/extender/api/