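/*
 * Repository listing this file was extracted from (paths as shown on the page):
 *
 * ├── AESDecode
 * │   ├── AESDecode.iml
 * │   ├── pom.xml
 * │   ├── src
 * │   │   └── main
 * │   │       └── java
 * │   │           └── burp
 * │   │               └── BurpExtender.java
 * │   └── target
 * │       ├── AESCrack-1.0-SNAPSHOT-jar-with-dependencies.jar
 * │       ├── AESCrack-1.0-SNAPSHOT.jar
 * │       └── classes
 * │           └── burp
 * │               └── BurpExtender.class
 * ├── README.md
 * ├── key.png
 * ├── success.png
 * └── target.png
 *
 * /AESDecode/AESDecode.iml: no content survived extraction.
 *
 * /AESDecode/pom.xml: the XML tags were lost in extraction; the values still visible are
 *   model version 4.0.0; coordinates com.jas502n / AESCrack / 1.0-SNAPSHOT;
 *   dependency net.portswigger.burp.extender / burp-extender-api / 1.7.22;
 *   plugin org.apache.maven.plugins / maven-assembly-plugin (package, single, jar-with-dependencies).
 *
 * /AESDecode/src/main/java/burp/BurpExtender.java follows.
 */
package burp;

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;

/**
 * Burp Suite extension that registers an Intruder payload processor which replaces each
 * payload with its AES/CBC/PKCS5Padding ciphertext, Base64-encoded.
 *
 * <p>The key and IV are compile-time constants ({@link #AES_KEY}, {@link #AES_IV}); the
 * README's build steps edit this file before running {@code mvn install}. Because both
 * values are fixed, the same plaintext always yields the same ciphertext.
 *
 * <p>Review note: the README describes sites that AES-encrypt login fields in front-end
 * code. A key delivered to every browser gives such a field no confidentiality against
 * the client, so server-side rate limiting and lockout remain the controls that matter
 * for the login endpoint.
 */
public class BurpExtender implements IBurpExtender, IIntruderPayloadProcessor {
    /** Burp helper object; assigned in {@link #registerExtenderCallbacks}. */
    private static IExtensionHelpers helpers;
    /** Extension error stream; null until {@link #registerExtenderCallbacks} has run. */
    private static PrintWriter stderr;

    public final static String extensionName = "AESCrack"; // extension (plugin) name
    public final static String version = "1.0";
    public final static String AES_IV = "1234567812345678"; // AES IV value (16 bytes), set before building
    public final static String AES_KEY = "key12345key67890"; // AES key value (16 bytes), set before building

    /** Transformation shared by {@link #encryptAES} and {@link #decryptAES}. */
    private static final String TRANSFORMATION = "AES/CBC/PKCS5Padding";

    /**
     * Entry point called by Burp when the extension is loaded: stores the helpers, sets the
     * extension name, registers this object as an Intruder payload processor and prints the
     * banner to the extension's output stream.
     *
     * @param callbacks callback object supplied by Burp
     */
    public void registerExtenderCallbacks(final IBurpExtenderCallbacks callbacks) {
        helpers = callbacks.getHelpers();
        // Keep the error stream so encryption failures show up in the extension's error tab
        // instead of the JVM's stderr.
        stderr = new PrintWriter(callbacks.getStderr(), true);

        callbacks.setExtensionName(extensionName);
        callbacks.registerIntruderPayloadProcessor(this);

        PrintWriter stdout = new PrintWriter(callbacks.getStdout(), true);
        stdout.println(getBanner());
    }

    /**
     * @return the name under which this processor is registered; same value as
     *         {@link #extensionName}
     */
    public String getProcessorName() {
        return extensionName;
    }

    /**
     * Builds a cipher for {@link #TRANSFORMATION} from {@link #AES_KEY} and {@link #AES_IV}.
     *
     * @param mode {@link Cipher#ENCRYPT_MODE} or {@link Cipher#DECRYPT_MODE}
     */
    private static Cipher newCipher(int mode)
            throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, InvalidKeyException {
        // Charset is pinned so key and IV bytes do not depend on the platform default.
        SecretKeySpec key = new SecretKeySpec(AES_KEY.getBytes(StandardCharsets.UTF_8), "AES");
        IvParameterSpec iv = new IvParameterSpec(AES_IV.getBytes(StandardCharsets.UTF_8));
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(mode, key, iv);
        return cipher;
    }

    /**
     * Base64-decodes {@code paramString1} with the Burp helpers and decrypts it with
     * {@link #AES_KEY} / {@link #AES_IV}. Not called elsewhere in this file.
     *
     * @param paramString1 Base64 text of the ciphertext
     * @return the decrypted bytes decoded as UTF-8
     */
    public static String decryptAES(String paramString1) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException, UnsupportedEncodingException {
        // The original passed the literal 2 here; Cipher.DECRYPT_MODE is that constant.
        Cipher cipher = newCipher(Cipher.DECRYPT_MODE);
        byte[] plain = cipher.doFinal(helpers.base64Decode(paramString1));
        return new String(plain, StandardCharsets.UTF_8);
    }

    /**
     * Encrypts {@code paramString1} with {@link #AES_KEY} / {@link #AES_IV} and returns the
     * ciphertext Base64-encoded by the Burp helpers.
     *
     * @param paramString1 plaintext; encoded as UTF-8 before encryption
     * @return Base64 text of the ciphertext
     */
    public static String encryptAES(String paramString1)
            throws InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, UnsupportedEncodingException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException {
        // The original passed the literal 1 here; Cipher.ENCRYPT_MODE is that constant.
        Cipher cipher = newCipher(Cipher.ENCRYPT_MODE);
        return helpers.base64Encode(cipher.doFinal(paramString1.getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Intruder callback: returns the Base64 AES ciphertext of {@code currentPayload}.
     *
     * @param currentPayload payload value to process
     * @param originalPayload unused
     * @param baseValue unused
     * @return the processed payload, or {@code null} when encryption fails
     */
    public byte[] processPayload(byte[] currentPayload, byte[] originalPayload, byte[] baseValue) {
        // NOTE(review): the Burp helper maps bytes to chars one-to-one, so non-ASCII payload
        // bytes are re-encoded by the UTF-8 step in encryptAES; confirm if such payloads matter.
        String plaintext = helpers.bytesToString(currentPayload);
        try {
            return helpers.stringToBytes(encryptAES(plaintext));
        } catch (GeneralSecurityException e) {
            reportFailure(e);
        } catch (UnsupportedEncodingException e) {
            reportFailure(e);
        }
        // The original handed a null string to stringToBytes on failure. The Burp API
        // documents a null return from this method as "skip this payload".
        return null;
    }

    /** Writes the stack trace to the extension error stream, or to System.err before registration. */
    private static void reportFailure(Exception e) {
        if (stderr != null) {
            e.printStackTrace(stderr);
        } else {
            e.printStackTrace();
        }
    }

    /**
     * @return the multi-line banner printed when the extension is loaded
     */
    public static String getBanner() {
        String bannerInfo =
                "[+] " + BurpExtender.extensionName + " is loaded\n"
                        + "[+] ^_^\n"
                        + "[+]\n"
                        + "[+] #####################################\n"
                        + "[+] " + BurpExtender.extensionName + " v" + BurpExtender.version + "\n"
                        + "[+] anthor: Jas502n\n"
                        + "[+] email: jas502n@gmail.com\n"
                        + "[+] github: http://github.com/jas502n/Burp_AES_Plugin\n"
                        + "[+] ####################################";
        return bannerInfo;
    }

}

// End of /AESDecode/src/main/java/burp/BurpExtender.java. The listing continues with build outputs:
// /AESDecode/target/AESCrack-1.0-SNAPSHOT-jar-with-dependencies.jar:
// https://raw.githubusercontent.com/jas502n/Burp_AES_Plugin/92e0b15ad0905eb3ea5427924d6f1a46a8c581e9/AESDecode/target/AESCrack-1.0-SNAPSHOT-jar-with-dependencies.jar
// /AESDecode/target/AESCrack-1.0-SNAPSHOT.jar: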
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/jas502n/Burp_AES_Plugin/92e0b15ad0905eb3ea5427924d6f1a46a8c581e9/AESDecode/target/AESCrack-1.0-SNAPSHOT.jar -------------------------------------------------------------------------------- /AESDecode/target/classes/burp/BurpExtender.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jas502n/Burp_AES_Plugin/92e0b15ad0905eb3ea5427924d6f1a46a8c581e9/AESDecode/target/classes/burp/BurpExtender.class -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Burpsuite Plugin For AES Crack 2 | 3 | ## 0x00 mvn install to get jar 4 | 5 | `git clone https://github.com/jas502n/Burp_AES_Plugin/` 6 | 7 | `cd ~/github/Burp_AES_Plugin/AESDecode` 8 | 9 | `vi src/main/java/burp/BurpExtender.java` 10 | 11 | `mvn install` 12 | 13 | 14 | ``` 15 | [INFO] --- maven-install-plugin:2.4:install (default-install) @ AESCrack --- 16 | [INFO] Installing /root/github/Burp_AES_Plugin/AESDecode/target/AESCrack-1.0-SNAPSHOT.jar to /root/.m2/repository/com/jas502n/AESCrack/1.0-SNAPSHOT/AESCrack-1.0-SNAPSHOT.jar 17 | [INFO] Installing /root/github/Burp_AES_Plugin/AESDecode/pom.xml to /root/.m2/repository/com/jas502n/AESCrack/1.0-SNAPSHOT/AESCrack-1.0-SNAPSHOT.pom 18 | [INFO] Installing /root/github/Burp_AES_Plugin/AESDecode/target/AESCrack-1.0-SNAPSHOT-jar-with-dependencies.jar to /root/.m2/repository/com/jas502n/AESCrack/1.0-SNAPSHOT/AESCrack-1.0-SNAPSHOT-jar-with-dependencies.jar 19 | [INFO] ------------------------------------------------------------------------ 20 | [INFO] BUILD SUCCESS 21 | [INFO] ------------------------------------------------------------------------ 22 | [INFO] Total time: 3.627 s 23 | [INFO] Finished at: 2020-06-18T00:17:09+08:00 24 | [INFO] 
------------------------------------------------------------------------ 25 | ``` 26 | 27 | ## 0x01 最近遇到挺多网站前端用的 aes 加密登录,就想弄一个 Burpsuite AES 加密爆破插件 28 | 29 | ![](./key.png) 30 | 31 | ## 0x02 查阅资料,造轮子 32 | 33 | 如何编写自己的Burp Suite插件 34 | https://t0data.gitbooks.io/burpsuite/content/chapter16.html 35 | 36 | 开发BurpSuite扩展爆破某平台 37 | https://gorgias.me/2017/03/29/%E5%BC%80%E5%8F%91BurpSuite%E6%89%A9%E5%B1%95%E7%88%86%E7%A0%B4%E6%9F%90%E5%B9%B3%E5%8F%B0/ 38 | 39 | Burpsuite API Javadoc 40 | https://portswigger.net/burp/extender/api/ 41 | 42 | CoolCat 写的 AesDecode插件,支持菜单页面加密与解密,爆破 43 | https://github.com/TheKingOfDuck/ 44 | https://blog.gzsec.org/archives/ 45 | 46 | c0ny1 的jsEncrypter 47 | https://github.com/c0ny1/jsEncrypter 48 | 49 | 50 | ## 0x03 idea 新建 mvn 项目,pom.xml 中添加依赖 51 | 52 | ``` 53 | 54 | 55 | 56 | net.portswigger.burp.extender 57 | burp-extender-api 58 | 1.7.22 59 | 60 | 61 | ``` 62 | 63 | ``` 64 | 65 | 66 | 67 | org.apache.maven.plugins 68 | maven-assembly-plugin 69 | 70 | 71 | package 72 | 73 | single 74 | 75 | 76 | 77 | 78 | 79 | jar-with-dependencies 80 | 81 | 82 | 83 | 84 | 85 | ``` 86 | ## 0x04 新建包名 burp, java 类 BurpExtender,实现 AES 加密方法 87 | IBurpExtender 官方必须要implements 88 | 89 | IIntruderPayloadProcessor 由于我们要用到Intruder的爆破功能即可,所以需要implements 90 | 91 | ``` 92 | public class BurpExtender implements IBurpExtender, IIntruderPayloadProcessor { 93 | private static IExtensionHelpers helpers; 94 | public final static String extensionName = "AESCrack"; // 插件名称 95 | public final static String version = "1.0"; 96 | public final static String AES_IV = "1234567812345678"; // 设置 AES IV 值 97 | public final static String AES_KEY = "key12345key67890"; // 设置 AES KEY 值 98 | ``` 99 | 100 | ##### encryptAES (设置 AES iv 值) 101 | 102 | ``` 103 | public static String encryptAES(String paramString1, String paramString2) 104 | throws InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, UnsupportedEncodingException, InvalidAlgorithmParameterException, 
IllegalBlockSizeException, BadPaddingException { 105 | SecretKeySpec key = new SecretKeySpec(paramString2.getBytes(), "AES"); 106 | IvParameterSpec iv = new IvParameterSpec("your-iv-value".getBytes()); //set iv 107 | Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); 108 | cipher.init(1, key, iv); 109 | return helpers.base64Encode(cipher.doFinal(paramString1.getBytes())); 110 | } 111 | 112 | ``` 113 | 114 | processPayload 方法 (设置 AES KEY) 115 | 116 | ``` 117 | public byte[] processPayload(byte[] currentPayload, byte[] originalPayload, byte[] baseValue) { 118 | String dataParameter = helpers.bytesToString(currentPayload); 119 | String AesEncodeStr = null; 120 | try { 121 | AesEncodeStr = encryptAES(dataParameter, "your-aes-key"); //set aes key 122 | } catch (InvalidKeyException e) { 123 | e.printStackTrace(); 124 | } catch (NoSuchAlgorithmException e) { 125 | e.printStackTrace(); 126 | } catch (NoSuchPaddingException e) { 127 | e.printStackTrace(); 128 | } catch (UnsupportedEncodingException e) { 129 | e.printStackTrace(); 130 | } catch (InvalidAlgorithmParameterException e) { 131 | e.printStackTrace(); 132 | } catch (IllegalBlockSizeException e) { 133 | e.printStackTrace(); 134 | } catch (BadPaddingException e) { 135 | e.printStackTrace(); 136 | } 137 | return helpers.stringToBytes(AesEncodeStr); 138 | } 139 | ``` 140 | 141 | ## 0x05 idea mvn 编译 142 | 143 | Intellij-idea 如何编译maven工程 144 | https://blog.csdn.net/u013044029/article/details/71681891 145 | 146 | 编译运行成功,在 target 目录,得到 aes.jar 文件 147 | 148 | 一个没有依赖(文件小) `AESCrack-1.0-SNAPSHOT.jar` 149 | 一个有依赖(文件大) `AESCrack-1.0-SNAPSHOT-jar-with-dependencies.jar` 150 | 151 | Burpsuite 加载插件时,使用没有依赖的就行了 `AESCrack-1.0-SNAPSHOT.jar` 152 | 153 | ![](./target.png) 154 | 155 | 156 | ## 0x06 AES 爆破效果 157 | 158 | ![](success.png) 159 | 160 | 161 | 162 | 163 | 164 | -------------------------------------------------------------------------------- /key.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/jas502n/Burp_AES_Plugin/92e0b15ad0905eb3ea5427924d6f1a46a8c581e9/key.png -------------------------------------------------------------------------------- /success.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jas502n/Burp_AES_Plugin/92e0b15ad0905eb3ea5427924d6f1a46a8c581e9/success.png -------------------------------------------------------------------------------- /target.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jas502n/Burp_AES_Plugin/92e0b15ad0905eb3ea5427924d6f1a46a8c581e9/target.png --------------------------------------------------------------------------------