update

cyal1 · Aug 6, 2024 · c119597 · c119597
1 parent fcbd900
commit c119597
Show file tree

Hide file tree

Showing 4 changed files with 103 additions and 6 deletions.
diff --git a/build.gradle b/build.gradle
@@ -14,13 +14,14 @@ dependencies {
     compileOnly 'net.portswigger.burp.extensions:montoya-api:2023.12.1'
 //    compileOnly files('/Users/test/Downloads/montoya-api-2023.9.jar')
     implementation 'org.mozilla:rhino:1.7.14'
-    implementation 'org.json:json:20230227'
+    implementation 'org.json:json:20231013'
     implementation 'com.fifesoft:rsyntaxtextarea:3.3.3'
-    compileOnly 'org.python:jython-standalone:2.7.3'
+    implementation 'org.python:jython-standalone:2.7.3'
     runtimeOnly 'io.grpc:grpc-netty-shaded:1.54.1'
     implementation 'io.grpc:grpc-protobuf:1.54.1'
     implementation 'io.grpc:grpc-stub:1.54.1'
-    implementation group: 'org.xerial', name: 'sqlite-jdbc', version: '3.7.2'
+    implementation "com.github.kklisura.cdt:cdt-java-client:4.0.0"
+    implementation group: 'org.xerial', name: 'sqlite-jdbc', version: '3.41.2.2'
     compileOnly 'org.apache.tomcat:annotations-api:6.0.53' // necessary for Java 9+
 }
 

diff --git a/src/main/resources/examples/bambdas.py b/src/main/resources/examples/bambdas.py
@@ -1,7 +1,11 @@
 # https://portswigger.net/burp/documentation/desktop/tools/proxy/http-history/bambdas
-# https://portswigger.net/research/finding-that-one-weird-endpoint-with-bambdas#:~:text=Large%20redirect%20responses
+# https://portswigger.github.io/burp-extensions-montoya-api/javadoc/burp/api/montoya/http/message/HttpRequestResponse.html
+import re
 
 
+"""
+    Find large redirect responses
+"""
 for requestResponse in history(
         lambda rr: rr.hasResponse()
                    and rr.response().statusCode()/100 == 3
@@ -11,9 +15,49 @@
     print(requestResponse.request().url(), requestResponse.response().statusCode(), requestResponse.response().body().length())
 
 
+"""
+    Find secretKey from history
+"""
 for requestResponse in history(
         lambda rr: rr.hasResponse()
-                   and rr.response().hasCookie("rememberMe")
+                   and rr.response().contains("secretKey", False)
 ):
     print(requestResponse.request().url())
 
+
+"""
+    Custom word list generat from history
+"""
+
+words = []
+word_regex = r'[^a-zA-Z]'
+word_regex2 = r'[^a-zA-Z\-]' # word contain -
+word_regex3 = r'[^a-zA-Z_]'  # word contain _
+min_len = 2
+max_len = 20
+
+
+def starts_or_ends_with(text, c):
+    return text.startswith(c) or text.endswith(c)
+
+
+for requestResponse in history(
+        lambda rr: rr.httpService().host().endswith(".example.com")
+):
+    # todo - words from request, headers, url
+    if requestResponse.hasResponse() \
+            and requestResponse.response().mimeType() in [ MimeType.JSON, MimeType.PLAIN_TEXT, MimeType.SCRIPT, MimeType.XML, MimeType.HTML ]:
+        print(requestResponse.url())
+        body = requestResponse.response().bodyToString()
+        # body = body.lower()
+        words += set(re.split(word_regex, body) + re.split(word_regex2, body) + re.split(word_regex3, body))
+
+words = sorted(set(words))
+words = [i for i in words if ((i != '') and not starts_or_ends_with(i, '_') and not starts_or_ends_with(i, '-') and (len(i) >= min_len) and (len(i) <= max_len))]
+print(len(words))
+
+# save wordlist to file
+with open("/tmp/dicts.txt", 'w') as f:
+    for word in words:
+        f.write(word + "\n")
+
diff --git a/src/main/resources/examples/chrome_devtools_protocol.py b/src/main/resources/examples/chrome_devtools_protocol.py
@@ -0,0 +1,52 @@
+import json
+from com.github.kklisura.cdt.services.impl import ChromeServiceImpl
+# /~https://github.com/kklisura/chrome-devtools-java-client
+# Launch Chrome: /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --remote-debugging-port=9222 --remote-allow-origins='*'
+
+
+def getTabByUrl(url):
+    for tab in chromeService.getTabs():
+        # print(tab.getId(), tab.getTitle(), tab.getUrl())
+        if tab.getUrl() == url:
+            return tab
+    return None
+
+
+chromeService = ChromeServiceImpl(9222)  # the remote debugging port of chrome
+tab = getTabByUrl("https://www.example.com/")  # the first tab found that is equal to this URL
+devToolsService = chromeService.createDevToolsService(tab)
+runtime = devToolsService.getRuntime()
+
+
+def encrypt(s):
+    # js code
+    evaluation = runtime.evaluate('''
+        temp1(__REPLACEMENT__);
+    '''.replace("__REPLACEMENT__", json.dumps(s)))
+    ex = evaluation.getExceptionDetails()
+    if ex is not None:
+        print(ex.getException().getDescription())
+        return None
+    else:
+        return evaluation.getResult().getValue()
+
+print(encrypt("test"))
+
+
+def urlPrefixAllowed(urls):
+    urls.add("https://www.example.com/")
+
+
+def handleRequest(request, annotations):
+    json_obj = json.loads(request.bodyToString())
+    json_obj["password"] = encrypt(json_obj["password"])
+    return request.withBody(json.dumps(json_obj)), annotations
+
+
+def finish():
+    devToolsService.close()
+
+
+def registerContextMenu(menus):
+    menus.register("grpc encrypt", encrypt, MenuType.SELECTED_TEXT)
+
diff --git a/src/main/resources/examples/env_init.py b/src/main/resources/examples/env_init.py
@@ -17,7 +17,7 @@
 # Import common enumeration types
 from burp.api.montoya.http import HttpMode
 from burp.api.montoya.core import HighlightColor
-from burp.api.montoya.http.message import ContentType
+from burp.api.montoya.http.message import ContentType, MimeType
 from burp.api.montoya.http.message.params import HttpParameterType
 from burp.api.montoya.scanner.audit.issues import AuditIssueSeverity, AuditIssueConfidence
 from io.github.cyal1.turboburp.MyContextMenuItemsProvider import MenuType