Repository contents:

- executables
- lib
- src
- BappDescription.html
- BappManifest.bmf
- LICENSE.md
- README.md
- build.gradle
- settings.gradle

# AMFDSer-ngng

A Burp Extender plugin that takes deserialized AMF objects and encodes them in XML using the XStream library. Based on the original work of Khai Tran (all hail https://blog.netspi.com/), AMFDSer-ngng also uses part of Kenneth Hill's JMeter source code for custom AMF deserialization (https://github.com/steeltomato/jmeter-amf) and the XStream library (http://xstream.codehaus.org/).

Why? This release fixes a bug where serialization was not being performed properly. It also adds the (proper) ability to use the scanner in conjunction with AMF. I've also added the ability to use it with SQLMap: copy and paste the output of "send deserialized to intruder" into a file, then run `sqlmap.py -r --proxy "http://burp:port"`.

Basically, it deserializes the request, lets you modify it, reserializes it and sends it on; in the scanner case only, it also deserializes any responses that look like AMF objects, so that Burp can flag exception strings and the like.

NB: scan results flagged for XML entity issues are false positives. The XML Burp enters will be executed locally by the plugin; this is NOT indicative of a problem on the remote server.
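The deserialize, edit, reserialize loop above hinges on the XStream round trip (object to XML, tester edits the XML, XML back to an object), and the note about XML being executed locally is a reminder that the edited XML is fed to an XML deserializer inside the tester's own Burp process. The following is an added illustration, not code from AMFDSer-ngng, of that round trip with the two local safeguards a practitioner would want: an XStream type allow-list so that the edited XML can only instantiate the message classes you expect, and an up-front refusal of DTD and entity declarations. `LoginRequest` is a constructed stand-in for a deserialized AMF body; the AMF byte-level parsing itself (which the plugin takes from the JMeter code) is not shown. It assumes XStream 1.4.7 or later (where the `security` package and `allowTypes` exist; the `xstream-1.4.2.jar` named in the usage line predates that API) plus its XPP3 dependency on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class AmfXmlRoundTrip {

    // Constructed stand-in for a message body that the AMF layer has already
    // deserialized into a Java object (hypothetical; not a real AMF type).
    public static class LoginRequest {
        public String username;
        public String password;
        public int attempts;
    }

    // XStream instance that only ever instantiates the types we list here.
    // Anything else in the edited XML is refused instead of being constructed.
    private static XStream hardenedXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);          // start from "nothing allowed"
        xs.addPermission(NullPermission.NULL);            // null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[]{String.class, LoginRequest.class});
        xs.alias("LoginRequest", LoginRequest.class);     // readable tag name for the tester
        return xs;
    }

    // Object -> XML: what the tester sees and edits in Burp.
    public static String toEditableXml(Object amfBody) {
        return hardenedXStream().toXML(amfBody);
    }

    // Edited XML -> object: the step that runs locally on tester-supplied text.
    public static Object fromEditedXml(String xml) {
        // Refuse DTD constructs before any parser sees them; the plugin only
        // needs element/text edits, never entity declarations.
        if (xml.contains("<!DOCTYPE") || xml.contains("<!ENTITY")) {
            throw new IllegalArgumentException("DTD/entity declarations are not accepted in edited payloads");
        }
        return hardenedXStream().fromXML(xml);
    }

    public static void main(String[] args) {
        LoginRequest original = new LoginRequest();
        original.username = "alice";
        original.password = "s3cret";
        original.attempts = 1;

        String xml = toEditableXml(original);
        System.out.println(xml);

        // Simulate the tester's edit in Burp: change one field value, then
        // turn the XML back into the object that would be reserialized as AMF.
        String edited = xml.replace("<username>alice</username>", "<username>bob</username>");
        LoginRequest modified = (LoginRequest) fromEditedXml(edited);
        System.out.println("modified username = " + modified.username);

        // A payload naming a type outside the allow-list is refused locally.
        try {
            fromEditedXml("<java.util.HashMap/>");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected non-allow-listed type: " + e.getMessage());
        }

        // A payload carrying a DTD is refused before XStream parses it.
        try {
            fromEditedXml("<!DOCTYPE x [<!ENTITY e \"x\">]><LoginRequest/>");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running it prints the XML the tester would edit, the round-tripped object with the changed field, and the two refusals. The allow-list is what keeps a locally processed XML edit from becoming anything other than the message type being tested; it is the mitigation for the "executed locally" behaviour the note above describes, and it is independent of whatever the remote server does with the reserialized AMF.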

## Usage

1) Launch Burp with the extension and XStream on the classpath:

```
java -classpath burp.jar;AMFDSer-ngng.jar;xstream-1.4.2.jar burp.StartBurp
```

cheers
