Added base64 encode option & selection serialization

NetSPI · Mar 9, 2016 · 24e587b · 24e587b
1 parent 92837c9
commit 24e587b
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 6 deletions.
diff --git a/src/main/java/burp/ChildTab.java b/src/main/java/burp/ChildTab.java
@@ -1,9 +1,12 @@
 package burp;
 
+import com.google.common.primitives.Bytes;
+
 import javax.swing.*;
 import java.awt.*;
 import java.awt.event.ActionEvent;
 import java.awt.event.ActionListener;
+import java.util.Arrays;
 
 public class ChildTab implements IMessageEditorController, ActionListener {
 
@@ -16,9 +19,14 @@ public class ChildTab implements IMessageEditorController, ActionListener {
     private byte[] request;
     private byte[] response;
 
+    public static byte[] selectedMessage;
+
     private final JPanel panel;
 
+    public static boolean isEncoded;
+
     JButton goButton;
+    JCheckBox base64CheckBox;
 
     private final JComboBox<String> payloadComboBox;
 
@@ -58,13 +66,16 @@ public ChildTab(final IBurpExtenderCallbacks callbacks, JTabbedPane tabbedPane,
         serializeButton.setActionCommand("serialize");
         serializeButton.addActionListener(ChildTab.this);
 
+        base64CheckBox = new JCheckBox("Base64 Encode");
+
         String[] typeStrings = { "BeanShell1","CommonsBeanutilsCollectionsLogging1", "CommonsCollections1", "CommonsCollections2", "CommonsCollections3", "CommonsCollections4","Groovy1","Jdk7u21","Spring1"};
         payloadComboBox = new JComboBox<>(typeStrings);
         JButton helpButton = new JButton("?");
         helpButton.setActionCommand("?");
         helpButton.addActionListener(ChildTab.this);
         topButtonPanel.add(goButton);
         topButtonPanel.add(serializeButton);
+        topButtonPanel.add(base64CheckBox);
         topButtonPanel.add(payloadComboBox);
         topButtonPanel.add(helpButton);
 
@@ -122,13 +133,17 @@ private void serializeRequest() {
 
         byte[] message = requestViewer.getMessage();
 
+        byte[] selectedMessage = requestViewer.getSelectedData();
+
         // String[] command = Utilities.formatCommand(commandTextField.getText());
 
+        boolean isEncoded = base64CheckBox.isSelected();
+
         String command = commandTextField.getText();
 
         String payloadType = payloadComboBox.getSelectedItem().toString();
 
-        byte[] httpMessage = Utilities.serializeRequest(message,command,helpers,payloadType);
+        byte[] httpMessage = Utilities.serializeRequest(message,selectedMessage,isEncoded,command,helpers,payloadType);
 
         requestViewer.setMessage(httpMessage, true);
 

diff --git a/src/main/java/burp/Utilities.java b/src/main/java/burp/Utilities.java
@@ -1,26 +1,74 @@
 package burp;
 
 
+import com.google.common.primitives.Bytes;
 import ysoserial.Serializer;
 import ysoserial.payloads.ObjectPayload;
 
 import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Base64;
 import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 public class Utilities {
 
-    public static byte[] serializeRequest(byte[] message, String command, IExtensionHelpers helpers, String payloadType) {
+    public static byte[] serializeRequest(byte[] message, byte[] selectedMessage, boolean isEncoded, String command, IExtensionHelpers helpers, String payloadType) {
 
-        byte[] exploitArray = getExploitPayload(payloadType,command);
+        int selectedOffset = 0;
+        int endingOffset = 0;
 
-        IRequestInfo iRequestInfo = helpers.analyzeRequest(message);
+        if (selectedMessage != null){
+            selectedOffset = Bytes.indexOf(message, selectedMessage);
+            endingOffset = selectedOffset + selectedMessage.length;
 
-        java.util.List<String> headers = iRequestInfo.getHeaders();
+        } else if(ChildTab.selectedMessage != null) {
 
-        return helpers.buildHttpMessage(headers, exploitArray);
+            if (ChildTab.isEncoded) {
+                selectedOffset = Bytes.indexOf(message, Base64.getEncoder().encode(ChildTab.selectedMessage));
+                endingOffset = selectedOffset + Base64.getEncoder().encode(ChildTab.selectedMessage).length;
+            } else {
+                selectedOffset = Bytes.indexOf(message, ChildTab.selectedMessage);
+                endingOffset = selectedOffset + ChildTab.selectedMessage.length;
+            }
+        }
+
+        if (ChildTab.selectedMessage != null || selectedMessage != null) {
+
+            byte[] beginningArray = Arrays.copyOfRange(message, 0, selectedOffset);
+            byte[] endingArray = Arrays.copyOfRange(message, endingOffset, message.length);
+
+            byte[] exploitArray = getExploitPayload(payloadType, command);
+
+            ChildTab.selectedMessage = exploitArray;
+
+            byte[] output;
+
+            if (isEncoded) {
+                ChildTab.isEncoded = true;
+                byte[] base64EncodedExploit = Base64.getEncoder().encode(exploitArray);
+
+                output = Bytes.concat(beginningArray, base64EncodedExploit, endingArray);
+            } else {
+                ChildTab.isEncoded = false;
+                output = Bytes.concat(beginningArray, exploitArray, endingArray);
+            }
+
+            IRequestInfo iRequestInfo = helpers.analyzeRequest(output);
+
+            int bodyOffset = iRequestInfo.getBodyOffset();
+
+            java.util.List<String> headers = iRequestInfo.getHeaders();
+
+            byte[] newBody = new byte[output.length - bodyOffset];
+
+            System.arraycopy(output, bodyOffset, newBody, 0, output.length - bodyOffset);
 
+            return helpers.buildHttpMessage(headers, newBody);
+        } else {
+             return message;
+         }
     }
 
     private static byte[] getExploitPayload(String payloadType, String command){