
trojanazhen / burpy


This project forked from mr-m0nst3r/burpy


A plugin that lets you execute Python and get the return value back in BurpSuite.

License: MIT License

Python 8.14% Java 91.86%

burpy's Introduction

Burpy

Intro

During Android app pentesting, I found very often that the traffic is encrypted and/or signed; it would be great to have a plugin so we can write Python to enc/dec/sign.

Sometimes you may just want a customized function to modify part of the traffic; for that, Burpy Main is all you need.

To use Intruder with payloads that need to be encrypted, turn on Enable Processor and write your own payload processor function.

Author

m0nst3r (Song Xinlei) @CFCA

Changelog

  • changed to use a class instead of pure functions, so that webdriver+selenium can be initialized once at load time instead of on every call
  • modified the plugin to enable 4 function calls: main/enc/dec/sign
  • added a payload processor

Usage

Check the examples for sample scripts.

  1. Install PyRO; version 4 is used.
  2. Configure the Python and Pyro settings.
  3. Configure the Python file you want to run.
  4. Use spawn to test the result.
  5. Use the Burpy Main/Burpy Enc/Burpy Dec/Burpy Sign context menu to invoke your script.
  6. Write your own payload processor, which is especially useful with enc/dec.

The Python script sample

Write your own logic to modify the header/body as you need, then return the header/body. Note: if you need to handle response data, e.g. decrypt a response, check whether header[0] is RESPONSE. When the data BurpSuite sends to Python comes from a response, header[0] == 'RESPONSE'.

class Burpy:
    '''
    header is list, append as your need
    body is string, modify as your need
    '''
    def main(self, header, body):
        return header, body
    
    def encrypt(self, header, body):
        header.append("Enc: AAA")
        return header, body

    def decrypt(self, header, body):
        '''
        You may want to add logic if the response differs from the request. For example, in the request the encrypted data follows "data=", but in the response the whole body is encrypted data, without "data=".
        '''
        # header = magic(header)
        # body = magic(body)
        return header, body

    def sign(self, header, body):
        header.append("Sign: AAA")
        return header, body

    def processor(self, payload):
        '''
        payload processor function
        '''
        return payload+"123"
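
A fuller script in the same shape, as an added example that is not part of the original README or the Burpy project: decrypt uses the header[0] == 'RESPONSE' check to handle the "data=" request form and the bare response form described above. The demo key, the is_response helper and the use of base64 in place of the app's real cipher are assumptions for illustration.

```python
import base64
import hashlib
import hmac

# Assumptions for illustration, not from the Burpy project: a constructed
# demo key, and base64 standing in for the app's real cipher.
DEMO_KEY = b"constructed-demo-key"
FIELD = "data="  # request field named in the README's decrypt note


def is_response(header):
    # Burpy sets header[0] to 'RESPONSE' when the data came from a response
    return bool(header) and header[0] == "RESPONSE"


class Burpy:
    def main(self, header, body):
        return header, body

    def encrypt(self, header, body):
        token = base64.b64encode(body.encode()).decode()
        # Requests carry the ciphertext after "data="; responses are bare
        return header, (token if is_response(header) else FIELD + token)

    def decrypt(self, header, body):
        token = body
        if not is_response(header):
            if not body.startswith(FIELD):
                return header, body  # unexpected shape: leave untouched
            token = body[len(FIELD):]
        try:
            body = base64.b64decode(token, validate=True).decode()
        except ValueError:
            pass  # undecodable input is returned unchanged
        return header, body

    def sign(self, header, body):
        mac = hmac.new(DEMO_KEY, body.encode(), hashlib.sha256).hexdigest()
        # Drop any earlier Sign header so repeated calls do not stack up
        header = [h for h in header if not h.startswith("Sign:")]
        header.append("Sign: " + mac)
        return header, body

    def processor(self, payload):
        # Assumes the Intruder position covers only the value after "data="
        return base64.b64encode(payload.encode()).decode()
```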

Reference

the great Brida

others

  • Good ideas and contributions are welcomed.
