Cameudis' Blog

Binary Hack, Computer System, Music, and whatever

【PoRE#0x03】Burp Extension

Official tutorial: Creating Burp extensions - PortSwigger
Official Montoya documentation: MontoyaApi
Official Montoya examples: PortSwigger/burp-extensions-montoya-api-examples: Examples for using the Montoya API with Burp Suite

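Burp Suite extension development used to rely on the Extender API, but a new API called the Montoya API was introduced recently (it was released just this January). The new API makes Burp Suite extension development simpler, but it does not seem complete yet, and some interfaces appear to be unimplemented.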

For the Lab4 task, an extension that automatically processes HTTP messages, you can refer to this example: burp-extensions-montoya-api-examples/proxyhandler/src/main/java/example/proxyhandler at main · PortSwigger/burp-extensions-montoya-api-examples

import burp.api.montoya.BurpExtension;
import burp.api.montoya.MontoyaApi;
import burp.api.montoya.logging.Logging;

public class Ext implements BurpExtension {

    @Override
    public void initialize(MontoyaApi api) {
        api.extension().setName("Lab4_Extension");

        Logging logging = api.logging();

        // write a message to our output stream
        logging.logToOutput("Hello output.");

        // register the proxy handlers; every proxied request and response passes through them
        api.proxy().registerRequestHandler(new RequestHandler(logging));
        logging.logToOutput("Bind RequestHandler");
        api.proxy().registerResponseHandler(new RespondHandler(logging));
        logging.logToOutput("Bind RespondHandler");
    }
}

import burp.api.montoya.http.message.requests.HttpRequest;
import burp.api.montoya.logging.Logging;
import burp.api.montoya.proxy.http.InterceptedRequest;
import burp.api.montoya.proxy.http.ProxyRequestHandler;
import burp.api.montoya.proxy.http.ProxyRequestReceivedAction;
import burp.api.montoya.proxy.http.ProxyRequestToBeSentAction;

public class RequestHandler implements ProxyRequestHandler {
    private final Logging logging;

    RequestHandler(Logging logging) {
        this.logging = logging;
    }

    // called when the proxy receives a request from the browser, before any manual interception
    @Override
    public ProxyRequestReceivedAction handleRequestReceived(InterceptedRequest interceptedRequest) {

        logging.logToOutput("Request");
        logging.logToOutput("url " + interceptedRequest.url());
        logging.logToOutput("request " + interceptedRequest.bodyToString());

        // modify the request: withBody() returns a new request, the original is left unchanged
        HttpRequest new_request = interceptedRequest;
        if (interceptedRequest.url().contains("login")) {
            logging.logToOutput("Login detected");
            new_request = interceptedRequest.withBody("msg=...");
        } else if (interceptedRequest.url().contains("buy")) {
            logging.logToOutput("Buy detected");
            new_request = interceptedRequest.withBody("msg=...");
        }

        return ProxyRequestReceivedAction.continueWith(new_request);
    }

    @Override
    public ProxyRequestToBeSentAction handleRequestToBeSent(InterceptedRequest interceptedRequest) {
        // Do nothing with the user modified request, continue as normal.
        return ProxyRequestToBeSentAction.continueWith(interceptedRequest);
    }
}
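
import burp.api.montoya.logging.Logging;
import burp.api.montoya.proxy.http.InterceptedResponse;
import burp.api.montoya.proxy.http.ProxyResponseHandler;
import burp.api.montoya.proxy.http.ProxyResponseReceivedAction;
import burp.api.montoya.proxy.http.ProxyResponseToBeSentAction;

public class RespondHandler implements ProxyResponseHandler {
    private final Logging logging;

    RespondHandler(Logging logging) {
        this.logging = logging;
    }

    // called when the proxy receives a response from the server
    @Override
    public ProxyResponseReceivedAction handleResponseReceived(InterceptedResponse interceptedResponse) {
        logging.logToOutput("Response");
        logging.logToOutput("response " + interceptedResponse.bodyToString());

        // modify the response only when the body matches exactly; otherwise pass it through unchanged
        if (interceptedResponse.bodyToString().equals("...")) {
            return ProxyResponseReceivedAction.continueWith(interceptedResponse.withBody("..."));
        }
        return ProxyResponseReceivedAction.continueWith(interceptedResponse);
    }

    // called just before the response is returned to the browser; nothing to change here
    @Override
    public ProxyResponseToBeSentAction handleResponseToBeSent(InterceptedResponse interceptedResponse) {
        return ProxyResponseToBeSentAction.continueWith(interceptedResponse);
    }
}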