Burpsuite plug-in development-RSA encryption and decryption

Source: Internet
Author: User


This article records the development of a plug-in that decrypts the request packet, inserts a payload, and re-encrypts it. The plug-in is mainly used when analyzing the implementation of an apk. The purpose of this discussion is to support the personal study of security testers, or penetration testing.

1. Overview

Burp Suite is a very easy-to-use packet capture tool, and I am a heavy user, so I got started with Burp Suite plug-in development. For the full code, see the GitHub repository. In the scheme covered here, the client first encrypts the DES key with RSA to obtain encryptKey, then encrypts the data packet with the DES key to obtain data, and finally assembles both into a JSON string; that is the encryption process, and decryption is the reverse. The plug-in's application scenario is to obtain the encryption and decryption algorithm by analyzing the apk implementation or a leaked key, insert a payload into the decrypted data packet, and detect injection problems.

Encrypted data packets are as follows:

```
c={"data":"21BhviedgtbwK6rdlK7vzltqxOLxUmU2g5qaO5LWPYTha5fXslmL6jrMkFnJBwpZPZMNl5foxTUHw2Mae++zkWwtzWkKXI9WJ/CJqxO9uORT5I6iUmIG7bBcgnHpmlSNKfFwBvnr9vj3v5ByvW2s2/pL9rSaeD+/8XsX01NA96mC4g5pVBeU5IY9F4tdxH9yobXfN6GzEVhLeiEd30xzMA\u003d\u003d","encryptKey":"bjWZgigAW/ZaAA55v7Yi9AGt2qsP7BfZZISu70qc/xVUVfh5L/Mw/mMbzxkcZ6uXb1vvgXvF7hHYwjsVzvEkRK0rIfIwkcYzn160fvQ/8+F8YBMDLzTEhf8r0KjOLlJV+HgOsS4QG/G9lOU5mnupfrVA9sf54b3OvXHU0TQVG7U\u003d"}
```

From the captured packet we can see that the data is in JSON format and contains the data and encryptKey values. encryptKey is the DES key encrypted with RSA; you can set the RSA working mode and the PEM file through the plug-in interface, and the plug-in then uses that DES key to decrypt the content of data. The operation interface is as follows:

[Figure: Burp_rsa, the plug-in's operation interface]

2. InsertPoint Interface

As the name suggests, an InsertPoint is an injection point, that is, the place where the payload is inserted, such as a cookie or a parameter in the request. This interface is needed to support parameter formats that Burp Suite does not handle natively. It can be used in Active Scan and Intruder.

2.1 Basic development knowledge

The best way is to modify an existing plug-in, which saves a lot of effort. Of course, if you want to go step by step, the steps are as follows:

(1) Include the burp interface files.

(2) Create a package named burp and create the BurpExtender class in it, implementing the IBurpExtender interface. This BurpExtender class is the heart of all the interfaces. Note that the names involved here cannot be changed; this is what the burp plug-in loader requires.

(3) Implement the interface's single method:

```java
public void registerExtenderCallbacks(final IBurpExtenderCallbacks callbacks) {
    this.callbacks = callbacks;
}
```

Through callbacks you obtain the core library capabilities, such as logging, issuing requests, and modifying responses.

(4) Log interfaces

```java
PrintWriter stdout = new PrintWriter(callbacks.getStdout(), true);
PrintWriter stderr = new PrintWriter(callbacks.getStderr(), true);
// output to the plug-in's Output tab
stdout.println("Hello output");
// output to the Alerts tab
callbacks.issueAlert("Hello alerts");
// print the call stack
e.printStackTrace(stderr);
```

With these log interfaces you can debug the code more easily. To track requests well, you can add the M Logger plug-in from the BApp Store, which records all requests and responses.

2.2 getInsertionPoints

Let's talk about how to implement the InsertionPoints interface. Step 1: implement the IScannerInsertionPointProvider interface and its getInsertionPoints() method, then call callbacks.registerScannerInsertionPointProvider(this) to register the class as an insertion point provider. Let's take a look at getInsertionPoints().

```java
@Override
public List<IScannerInsertionPoint> getInsertionPoints(IHttpRequestResponse baseRequestResponse) {
    // generate an insertionPoints array
    List<IScannerInsertionPoint> insertionPoints = new ArrayList<IScannerInsertionPoint>();
    // obtain the request parameters
    IRequestInfo requestInfo = helpers.analyzeRequest(baseRequestResponse.getRequest());
    List<IParameter> requestParams = requestInfo.getParameters();
    for (IParameter parameter : requestParams) {
        String value = parameter.getValue();
        value = helpers.urlDecode(value).trim();
        EncryptBean encryptBean = new EncryptBean();
        if (parameter.getName().trim().equals("c")) {
            // the "c" parameter carries the encrypted content
            encryptBean = JSON.parseObject(value, EncryptBean.class);
            stdout.println("private key:" + key.privateKey + " public key:" + key.publicKey);
            try {
                value = decryptRSAAndDES(key, encryptBean);
                stdout.println("after decrypted: Will scan data at parameter " + parameter
                        + " with value decrypted " + value);
            } catch (Exception e) {
                e.printStackTrace(stderr);
            }
            if (value.isEmpty()) continue;
            try {
                String basename = parameter.getName();
                // insertionPoints.add(new InsertionPoint(this, baseRequestResponse.getRequest(), basename, value));
                JSONObject jsonObj = JSON.parseObject(value);
                String basevalue = "";
                for (Map.Entry<String, Object> entry : jsonObj.entrySet()) {
                    basename = entry.getKey();
                    basevalue = entry.getValue().toString();
                    // pass the whole decrypted value here: the InsertionPoint splits out its own field,
                    // builds the encrypted request, and is therefore constructed with the whole value
                    insertionPoints.add(0, new InsertionPoint(this, baseRequestResponse.getRequest(), basename, value));
                    stdout.println("in for: Will scan AES encrypted data at parameter " + basename
                            + " with value " + value);
                }
            } catch (Exception e) {
            }
        }
    }
    return insertionPoints;
}
```

The general meaning of this code is that helpers.analyzeRequest obtains all the request information, and the loop walks the parameters. If a parameter is named "c", the decryption process is called; this part has to be customized to the parameter format being parsed. The decryption step generally parses the JSON, decrypts it to obtain the plaintext data, and then calls
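The helpers the code above calls, decryptRSAAndDES and its counterpart encryptRSAAndDES, are not shown on the page; the following is an added example (not the author's code) of how the envelope described in section 1 is produced and reversed with the JDK's javax.crypto. The DES mode (ECB/PKCS5) and the RSA padding (PKCS1) are assumptions, as is the in-memory key pair standing in for the plug-in's PEM file.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
public class HybridEnvelope {
    // The page names neither the DES mode nor the RSA padding; ECB/PKCS5 and PKCS1 are assumptions.
    private static final String DES_MODE = "DES/ECB/PKCS5Padding";
    private static final String RSA_MODE = "RSA/ECB/PKCS1Padding";

    // Encryption: DES-encrypt the plaintext, RSA-encrypt the DES key, return {data, encryptKey}.
    public static String[] encryptRSAAndDES(String plain, byte[] desKey, PublicKey pub) throws Exception {
        Cipher des = Cipher.getInstance(DES_MODE);
        des.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(desKey, "DES"));
        byte[] data = des.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        Cipher rsa = Cipher.getInstance(RSA_MODE);
        rsa.init(Cipher.ENCRYPT_MODE, pub);
        byte[] wrappedKey = rsa.doFinal(desKey);
        Base64.Encoder b64 = Base64.getEncoder();
        return new String[] { b64.encodeToString(data), b64.encodeToString(wrappedKey) };
    }

    // Decryption is the reverse: unwrap the DES key with the RSA private key, then DES-decrypt data.
    public static String decryptRSAAndDES(String data, String encryptKey, PrivateKey priv) throws Exception {
        Cipher rsa = Cipher.getInstance(RSA_MODE);
        rsa.init(Cipher.DECRYPT_MODE, priv);
        byte[] desKey = rsa.doFinal(Base64.getDecoder().decode(encryptKey));
        Cipher des = Cipher.getInstance(DES_MODE);
        des.init(Cipher.DECRYPT_MODE, new SecretKeySpec(desKey, "DES"));
        return new String(des.doFinal(Base64.getDecoder().decode(data)), StandardCharsets.UTF_8);
    }

    // Assemble the "c" parameter value in the same layout as the captured packet.
    public static String toEnvelopeJson(String[] env) {
        return "{\"data\":\"" + env[0] + "\",\"encryptKey\":\"" + env[1] + "\"}";
    }
    public static void main(String[] args) throws Exception {
        // The plug-in loads the pair from the PEM file set in its UI; a throwaway pair is generated here.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] desKey = "01234567".getBytes(StandardCharsets.UTF_8); // DES keys are 8 bytes
        String plain = "{\"param1\":\"000000000000000\",\"m\":\"https\"}"; // constructed sample
        String[] env = encryptRSAAndDES(plain, desKey, kp.getPublic());
        System.out.println("c=" + toEnvelopeJson(env));
        String back = decryptRSAAndDES(env[0], env[1], kp.getPrivate());
        if (!plain.equals(back)) throw new IllegalStateException("round trip failed");
    }
}
```

The `\u003d\u003d` ending the values in the captured packet is simply the base64 `==` padding escaped by the JSON serializer, so the decoder above handles it unchanged once the JSON is parsed.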

`new InsertionPoint(this, baseRequestResponse.getRequest(), basename, value)`

to instantiate an injection point. In general, basename and value correspond one to one, for example param1 = phoneNum. Here, however, we pass param1 as the basename and the whole decrypted JSON as the value, for example

`{"userid":"51ba27cb-514d-3d86-0000-2f7515a40613","task_id":"1450147269","param1":"000000000000000","m":"https"}`,

This is passed to make instantiating the insertion points easier. Next, let's look at how the InsertionPoint constructor handles its parameters.

2.3 InsertionPoint

```java
InsertionPoint(BurpExtender newParent, byte[] baseRequest, String basename, String basevalue) {
    this.parent = newParent;
    this.baseRequest = baseRequest;
    this.baseName = basename;
    // this.baseValue = basevalue;
    this.value = basevalue;
    // the whole decrypted JSON is kept in value; baseValue is this point's own field
    this.baseValue = JSON.parseObject(basevalue).getString(basename);
}
```

An important interface in the InsertionPoint code is buildRequest, which is used to add the payload.

```java
@Override
public byte[] buildRequest(byte[] payload) {
    String payloadPlain = parent.helpers.bytesToString(payload);
    String payloadEncrypted = "";
    String tmpAESKey = "0123456789abcdef";
    parent.stdout.println("payloadPlain:" + payloadPlain);
    parent.callbacks.issueAlert("payloadPlain:" + payloadPlain);
    try {
        // re-parse the decrypted JSON, append the payload to this point's field, and re-encrypt
        Map<String, String> map = JSON.parseObject(this.value, new TypeReference<Map<String, String>>() {}.getType());
        map.put(this.baseName, getBaseValue() + payloadPlain);
        String allPayloadPlain = JSON.toJSONString(map);
        payloadEncrypted = parent.encryptRSAAndDES(allPayloadPlain, tmpAESKey, parent.key);
    } catch (Exception e) {
        parent.callbacks.issueAlert(e.toString());
    }
    parent.stdout.println("Inserting " + payloadPlain + " [" + payloadEncrypted + "] in parameter " + baseName);
    // TODO: Only URL parameters, must change to support POST parameters, cookies, etc.
    // keep the "c" parameter in the same format as the decrypted data packet
    return parent.helpers.updateParameter(baseRequest,
            parent.helpers.buildParameter("c", payloadEncrypted, IParameter.PARAM_BODY));
}
```

This code obtains the payload, embeds it into the decrypted request packet, encrypts the packet, and calls updateParameter to update the parameter. Note parent.helpers.buildParameter("c", payloadEncrypted, IParameter.PARAM_BODY): c is the request parameter in the body, which matches our data format, and IParameter.PARAM_BODY indicates a parameter in the request body, as opposed to IParameter.PARAM_URL for a parameter in the URL.

2.4 interface relationship

I was confused about the roles of the above interfaces: how they are chained together and how the data packets flow. Let's take a look at the active scanning process.

[Figure: Burp-active-scan]

The active scan engine obtains Insertion Points from the InsertionPoint Provider, then calls buildRequest to build and send the request, and the request passes through the HttpListener on its way to the web server.
