

@d3vilbug
Created January 11, 2021 17:26

Revisions

  1. d3vilbug created this gist Jan 11, 2021.
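--- a/AES_Killer-Parameters.java
+++ b/AES_Killer-Parameters.java
@@ -0,0 +1,268 @@
+package burp;
+
+import java.io.PrintWriter;
+import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.Base64;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import javax.crypto.Cipher;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+
+/**
+*
+* @author bugzy
+*/
+public class BurpExtender implements IBurpExtender, IProxyListener, IHttpListener{
+
+public String ExtensionName = "AES_Killer Parameters";
+
+public IBurpExtenderCallbacks callbacks;
+public IExtensionHelpers helpers;
+public PrintWriter stdout;
+public PrintWriter stderr;
+public Boolean isDebug = true;
+
+public Cipher cipher;
+public IvParameterSpec iv_param;
+public SecretKey sec_key;
+
+public String Host_URL = "<URL>";
+
+public String[] offusicatedChar = {"+", "/"};
+public String[] replaceWithChar = {"-", "_"};
+
+// Endpoints and their corresponding parameters & grant_type in order
+public List<String> endpoints = new ArrayList<String>();
+public String[][] parameters = {
+{"username", "password"}
+};
+public String[] grant_type = { "grant_type=password", ""};
+
+@Override
+public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
+this.callbacks = callbacks;
+this.helpers = callbacks.getHelpers();
+this.stdout = new PrintWriter(callbacks.getStdout(), true);
+this.stderr = new PrintWriter(callbacks.getStderr(), true);
+this.callbacks.setExtensionName(this.ExtensionName);
+
+// Add endpoint here
+this.endpoints.add("login");
+
+try {
+cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+sec_key = new SecretKeySpec(Base64.getDecoder().decode("<Secret Key>"),"AES");
+iv_param = new IvParameterSpec(Base64.getDecoder().decode("<IV Parameter>"));
+} catch (NoSuchAlgorithmException ex) {
+Logger.getLogger(BurpExtender.class.getName()).log(Level.SEVERE, null, ex);
+} catch (NoSuchPaddingException ex) {
+Logger.getLogger(BurpExtender.class.getName()).log(Level.SEVERE, null, ex);
+}
+
+
+this.callbacks.registerHttpListener(this);
+this.callbacks.registerProxyListener(this);
+this.stdout.println("AES_Killer Installed !!!");
+}
+
+private void print_output(String _src, String str){
+if(! isDebug){ return; }
+this.stdout.println(_src + " :: " + str + "\n\n");
+}
+
+private void print_error(String _src, String str){
+if(! isDebug){ return; }
+this.stdout.println(_src + " :: " + str);
+}
+
+private String do_Decrypt(String paramString){
+try{
+String temp_params = removeOff(paramString);
+cipher.init(2, sec_key ,iv_param);
+temp_params = new String (cipher.doFinal(this.helpers.base64Decode(temp_params)), "UTF-8");
+return temp_params;
+}catch(Exception ex){
+print_error("do_Decrypt", ex.getMessage());
+return paramString;
+}
+}
+
+private String do_Encrypt(String paramString){
+try{
+String temp_params = paramString;
+cipher.init(1, sec_key ,iv_param);
+temp_params = new String (this.helpers.base64Encode(cipher.doFinal(temp_params.getBytes())));
+return doOff(temp_params);
+}catch(Exception ex){
+print_error("do_Encryp", ex.getMessage());
+return paramString;
+}
+}
+
+public String removeOff(String paramString) {
+if (paramString != null) {
+for(int i =0; i< this.offusicatedChar.length; i++){
+paramString = paramString.replace(this.replaceWithChar[i], this.offusicatedChar[i]);
+}
+return paramString;
+}
+return paramString;
+}
+
+public String doOff(String paramString) {
+if (paramString != null) {
+for(int i =0; i< this.offusicatedChar.length; i++){
+paramString = paramString.replace(this.offusicatedChar[i], this.replaceWithChar[i]);
+}
+return paramString;
+}
+return paramString;
+}
+
+public String get_endpoint(String _url){
+return _url.replaceAll(this.Host_URL, "");
+}
+
+public String get_param(byte[] _tmp_req, String _req_param){
+IParameter _parameters = this.helpers.getRequestParameter(_tmp_req, _req_param);
+String _param = _parameters.getValue().toString();
+_param = this.helpers.urlDecode(_param);
+return _param;
+}
+
+public String remove_padding(String _pad_param){
+_pad_param = _pad_param.replaceAll("\u0000", "");
+_pad_param = _pad_param.substring(4, _pad_param.length());
+_pad_param = _pad_param.substring(0, _pad_param.length() - 8);
+return _pad_param;
+}
+
+public String add_padding(String _nml_param){
+return "1234"+_nml_param+"12345678";
+}
+
+public String get_dec_params(byte[] _tmp_req, String _endpoint){
+String _dec_params = "";
+int _index = endpoints.indexOf(_endpoint);
+String[] _params = this.parameters[_index];
+
+_dec_params = this.grant_type[_index] + "&";
+for(int i=0; i< _params.length; i++){
+String _param = get_param(_tmp_req, _params[i]);
+_param = this.helpers.urlDecode(_param);
+_param = this.do_Decrypt(_param);
+
+_dec_params = _dec_params + _params[i] + "=" + remove_padding(_param) + "&";
+}
+
+return _dec_params;
+}
+
+public String get_enc_params(byte[] _tmp_req, String _endpoint){
+String _enc_params = "";
+int _index = endpoints.indexOf(_endpoint);
+String[] _params = this.parameters[_index];
+
+_enc_params = this.grant_type[_index] + "&";
+for(int i=0; i< _params.length; i++){
+String _param = get_param(_tmp_req, _params[i]);
+_param = add_padding(_param);
+_param = this.do_Encrypt(_param);
+
+_enc_params = _enc_params + _params[i] + "=" + _param + "&";
+}
+
+return _enc_params;
+}
+
+
+@Override
+public void processProxyMessage(boolean messageIsRequest, IInterceptedProxyMessage message) {
+if(messageIsRequest){
+IHttpRequestResponse messageInfo = message.getMessageInfo();
+IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo);
+String URL = new String(reqInfo.getUrl().toString());
+List headers = reqInfo.getHeaders();
+
+if(URL.contains(this.Host_URL) && reqInfo.getMethod().toLowerCase().contains("post")){
+String _endpoint = get_endpoint(URL);
+if(!endpoints.contains(_endpoint)){ return; }
+
+byte[] tmpreq = message.getMessageInfo().getRequest();
+String _dec_param = get_dec_params(tmpreq, _endpoint);
+headers.add(new String("AES-Killer: Parameter"));
+
+byte[] updateMessage = helpers.buildHttpMessage(headers, _dec_param.getBytes());
+messageInfo.setRequest(updateMessage);
+print_output("PPM", "decrypted request :: " + new String(updateMessage));
+}
+
+}else {
+// IHttpRequestResponse messageInfo = message.getMessageInfo();
+// IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo);
+// IResponseInfo resInfo = helpers.analyzeResponse(messageInfo.getResponse());
+// String URL = new String(reqInfo.getUrl().toString());
+// List headers = resInfo.getHeaders();
+//
+// if(!headers.contains("AES-Killer: DecryptedResponse")){
+// return;
+// }
+//
+// if((URL.contains(this.Host_URL) ) && reqInfo.getMethod().toLowerCase().contains("post")){
+// String tmpreq = new String(messageInfo.getResponse());
+// String messageBody = new String(tmpreq.substring(resInfo.getBodyOffset())).trim();
+// messageBody = do_Encrypt(messageBody);
+// byte[] updateMessage = helpers.buildHttpMessage(headers, messageBody.getBytes());
+// messageInfo.setResponse(updateMessage);
+// print_output("Final Request", new String(updateMessage));
+// }
+}
+}
+
+
+@Override
+public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) {
+if(messageIsRequest){
+IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo);
+String URL = new String(reqInfo.getUrl().toString());
+List headers = reqInfo.getHeaders();
+
+if(!headers.contains("AES-Killer: Parameter")){
+return;
+}
+
+if(URL.contains(this.Host_URL) && reqInfo.getMethod().toLowerCase().contains("post")){
+String _endpoint = get_endpoint(URL);
+if(!endpoints.contains(_endpoint)){ return; }
+
+String _enc_paramaters = this.get_enc_params(messageInfo.getRequest(), _endpoint);
+byte[] updateMessage = helpers.buildHttpMessage(headers, _enc_paramaters.getBytes());
+messageInfo.setRequest(updateMessage);
+print_output("PHTM :: Encrypted Request\n ", new String(updateMessage));
+}
+
+}
+else{
+// IRequestInfo reqInfo = helpers.analyzeRequest(messageInfo);
+// IResponseInfo resInfo = helpers.analyzeResponse(messageInfo.getResponse());
+// String URL = new String(reqInfo.getUrl().toString());
+// List headers = resInfo.getHeaders();
+//
+// if((URL.contains(this.Host_URL)) && reqInfo.getMethod().toLowerCase().contains("post")){
+// String tmpreq = new String(messageInfo.getResponse());
+// String messageBody = new String(tmpreq.substring(resInfo.getBodyOffset())).trim();
+// messageBody = do_Decrypt(messageBody);
+// headers.add("AES-Killer: DecryptedResponse");
+// byte[] updateMessage = helpers.buildHttpMessage(headers, messageBody.getBytes());
+// messageInfo.setResponse(updateMessage);
+// print_output("Decrypted Response", new String(updateMessage));
+// }
+}
+}
+
+}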
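Review bot: `do_Encrypt` encodes the plaintext with `temp_params.getBytes()` (platform default charset) while `do_Decrypt` decodes with `"UTF-8"`, so a non-ASCII parameter value can round-trip differently depending on the JVM's locale; use `StandardCharsets.UTF_8` on both sides, e.g. `cipher.doFinal(temp_params.getBytes(StandardCharsets.UTF_8))` and `new String(cipher.doFinal(...), StandardCharsets.UTF_8)`. `get_endpoint` hands `Host_URL` to `replaceAll`, which treats it as a regex, so the `.` and any `?` in a real host URL are not matched literally — `_url.replace(this.Host_URL, "")` is the intended literal replacement. `get_param` dereferences the result of `getRequestParameter`, which returns null when the parameter is absent, so a request missing one of the configured names throws an NPE inside the listener instead of leaving the request untouched; a guard such as `if (_parameters == null) { return ""; }` keeps the proxy flow alive. The single `cipher` field is re-initialised and used from both listener callbacks; if Burp dispatches those on different threads the shared `Cipher` state can interleave between `init` and `doFinal`, so either obtain a `Cipher` per call or synchronise `do_Encrypt`/`do_Decrypt`. Replacing the magic `1`/`2` passed to `cipher.init` with `Cipher.ENCRYPT_MODE`/`Cipher.DECRYPT_MODE` would also make the two helpers self-documenting.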