添加分块长度随机和注释长度随机功能

README.md

@@ -2,7 +2,7 @@
 
 本插件主要用于分块传输绕WAF，不了解分块传输绕WAF的请阅读文末的文章。
 
-## 编译
+## 插件编译
 
 ```
 mvn package

src/main/java/burp/BurpExtender.java

@@ -1,21 +1,19 @@
 package burp;
 
-
 import java.io.PrintWriter;
-import java.net.URL;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import java.util.concurrent.ScheduledExecutorService;
 
+
 public class BurpExtender implements IBurpExtender,IHttpListener,IProxyListener {
     private IBurpExtenderCallbacks callbacks;
     private IExtensionHelpers helpers;
     private String extensionName = "Chunked coding converter";
     private String version ="0.1";
     private PrintWriter stdout;
     private PrintWriter stderr;
-    private ScheduledExecutorService executor = Executors.newSingleThreadScheduledExecutor();
-    private ExecutorService executorService = Executors.newSingleThreadExecutor();
+
     @Override
     public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
         this.callbacks = callbacks;
@@ -29,6 +27,7 @@ public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
         stdout.println(getBanner());
     }
 
+
     @Override
     public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) {
         //代理不走这，否则两次修改会导致数据包存在问题
@@ -40,7 +39,7 @@ public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequ
 
             if(reqInfo.getMethod().equals("POST") && reqInfo.getContentType() == IRequestInfo.CONTENT_TYPE_URL_ENCODED){
                 try {
-                    byte[] request = Transfer.encoding(helpers, messageInfo, Config.splite_len,Config.isComment);
+                    byte[] request = Transfer.encoding(helpers, messageInfo, Config.min_chunked_len,Config.max_chunked_len,Config.addComment,Config.min_comment_len,Config.max_comment_len);
                     if (request != null) {
                         messageInfo.setRequest(request);
                     }
@@ -51,6 +50,7 @@ public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequ
         }
     }
 
+
     @Override
     public void processProxyMessage(final boolean messageIsRequest, final IInterceptedProxyMessage proxyMessage) {
         if(messageIsRequest && isValidTool(IBurpExtenderCallbacks.TOOL_PROXY)){
@@ -59,7 +59,7 @@ public void processProxyMessage(final boolean messageIsRequest, final IIntercept
 
             if(reqInfo.getMethod().equals("POST") && reqInfo.getContentType() == IRequestInfo.CONTENT_TYPE_URL_ENCODED){
                 try {
-                    byte[] request = Transfer.encoding(helpers, messageInfo, Config.splite_len,Config.isComment);
+                    byte[] request = Transfer.encoding(helpers, messageInfo, Config.min_chunked_len,Config.max_chunked_len,Config.addComment,Config.min_comment_len,Config.max_comment_len);
                     if (request != null) {
                         messageInfo.setRequest(request);
                     }
@@ -70,6 +70,7 @@ public void processProxyMessage(final boolean messageIsRequest, final IIntercept
         }
     }
 
+
     private boolean isValidTool(int toolFlag){
         return (Config.act_on_all_tools ||
                 (Config.act_on_proxy && toolFlag== IBurpExtenderCallbacks.TOOL_PROXY) ||
@@ -82,10 +83,15 @@ private boolean isValidTool(int toolFlag){
                 (Config.act_on_target && toolFlag== IBurpExtenderCallbacks.TOOL_TARGET));
     }
 
+
+    /**
+     * 插件Banner信息
+     * @return
+     */
     public String getBanner(){
         String bannerInfo =
                 "[+]\n"
-                        + "[+] ###############################################\n"
+                        + "[+] ##############################################\n"
                         + "[+]    " + extensionName + " v" + version +"\n"
                         + "[+]    anthor: c0ny1\n"
                         + "[+]    email:  root@gv7.me\n"

src/main/java/burp/Config.java

@@ -1,8 +1,11 @@
 package burp;
 
 public class Config {
-    public static Integer splite_len = 2;
-    public static boolean isComment = true;
+    public static Integer min_chunked_len = 1;
+    public static Integer max_chunked_len = 3;
+    public static boolean addComment = true;
+    public static Integer min_comment_len = 5;
+    public static Integer max_comment_len = 25;
     public static boolean act_on_all_tools = false;
     public static boolean act_on_target = false;
     public static boolean act_on_proxy = false;

src/main/java/burp/ConfigDlg.java

@@ -5,15 +5,21 @@
 import java.awt.event.ActionEvent;
 import java.awt.event.ActionListener;
 
+
 public class ConfigDlg extends JDialog {
     private final JPanel mainPanel = new JPanel();
     private final JPanel topPanel =  new JPanel();
     private final JPanel centerPanel = new JPanel();
     private final JPanel bottomPanel = new JPanel();;
-    private final JLabel lbSplitLen = new JLabel("Length of chunked:");;
-    private final JSpinner spSplitLen = new JSpinner(new SpinnerNumberModel(2, 1, 100, 1));
-    private final JLabel lbRange = new JLabel("(1-100)");
+    private final JLabel lbSplitLen = new JLabel("Length of chunked:");
+    private final JSpinner spMinChunkedLen = new JSpinner(new SpinnerNumberModel(1, 1, 100, 1));
+    private final JSpinner spMaxChunkedLen = new JSpinner(new SpinnerNumberModel(3, 1, 100, 1));
     private final JCheckBox cbComment = new JCheckBox("Add comments");
+    private final JLabel lbCommentLen = new JLabel("Length of comment:");
+    private final JSpinner spMinCommentLen = new JSpinner(new SpinnerNumberModel(5, 1, 50, 1));
+    private final JLabel lbCommentLenRangeSymbols = new JLabel("-");
+    private final JSpinner spMaxCommentLen = new JSpinner(new SpinnerNumberModel(25, 1, 50, 1));
+    private final JLabel lbCommentLenRange = new JLabel("(1-50)");
     private final JLabel lbActOnModel = new JLabel("Act on:");
     private final JCheckBox chkAllTools = new JCheckBox("All Tools");
     private final JCheckBox chkSpider = new JCheckBox("Spider");
@@ -34,13 +40,27 @@ public ConfigDlg(){
         initValue();
         this.setTitle("Chunked coding converter config");
     }
+
+
+    /**
+     * 初始化UI
+     */
     private void initGUI(){
         topPanel.setLayout(new FlowLayout(FlowLayout.LEFT));
         topPanel.add(lbSplitLen);
-        topPanel.add(spSplitLen);
-        topPanel.add(lbRange);
+        topPanel.add(spMinChunkedLen);
+        topPanel.add(new JLabel("-"));
+        topPanel.add(spMaxChunkedLen);
+        topPanel.add(new JLabel("(1-100)"));
+        topPanel.add(Box.createHorizontalStrut(20));
         topPanel.add(cbComment);
         cbComment.setSelected(true);
+        topPanel.add(Box.createHorizontalStrut(5));
+        topPanel.add(lbCommentLen);
+        topPanel.add(spMinCommentLen);
+        topPanel.add(lbCommentLenRangeSymbols);
+        topPanel.add(spMaxCommentLen);
+        topPanel.add(lbCommentLenRange);
 
         centerPanel.setLayout(new FlowLayout(FlowLayout.LEFT));
         centerPanel.add(lbActOnModel);
@@ -64,14 +84,17 @@ private void initGUI(){
         mainPanel.add(bottomPanel,BorderLayout.SOUTH);
 
         this.setModal(true);
-        this.setSize(640,150);
-        //this.setSize(mainPanel.getWidth(),mainPanel.getHeight());
+        this.setSize(680,150);
         Dimension screensize=Toolkit.getDefaultToolkit().getScreenSize();
         this.setBounds(screensize.width/2-this.getWidth()/2,screensize.height/2-this.getHeight()/2,this.getWidth(),this.getHeight());
         this.setDefaultCloseOperation(javax.swing.WindowConstants.DISPOSE_ON_CLOSE);
         this.add(mainPanel);
     }
 
+
+    /**
+     * 初始化事件
+     */
     private void initEvent(){
         chkAllTools.addActionListener(new ActionListener() {
             @Override
@@ -97,6 +120,26 @@ public void actionPerformed(ActionEvent e) {
             }
         });
 
+        cbComment.addActionListener(new ActionListener() {
+            @Override
+            public void actionPerformed(ActionEvent e) {
+                if(cbComment.isSelected()){
+                    lbCommentLen.setEnabled(true);
+                    spMinCommentLen.setEnabled(true);
+                    lbCommentLenRangeSymbols.setEnabled(true);
+                    spMaxCommentLen.setEnabled(true);
+                    lbCommentLenRange.setEnabled(true);
+
+                }else{
+                    lbCommentLen.setEnabled(false);
+                    spMinCommentLen.setEnabled(false);
+                    lbCommentLenRangeSymbols.setEnabled(false);
+                    spMaxCommentLen.setEnabled(false);
+                    lbCommentLenRange.setEnabled(false);
+                }
+            }
+        });
+
         btCancel.addActionListener(new ActionListener() {
             @Override
             public void actionPerformed(ActionEvent e) {
@@ -107,8 +150,26 @@ public void actionPerformed(ActionEvent e) {
         btSave.addActionListener(new ActionListener() {
             @Override
             public void actionPerformed(ActionEvent e) {
-                Config.splite_len = (Integer) spSplitLen.getValue();
-                Config.isComment = cbComment.isSelected();
+                Integer min_chunked_len = (Integer)spMinChunkedLen.getValue();
+                Integer max_chunked_max = (Integer)spMaxChunkedLen.getValue();
+                Integer min_comment_len = (Integer)spMinCommentLen.getValue();
+                Integer max_comment_len = (Integer)spMaxCommentLen.getValue();
+
+                if(min_chunked_len > max_chunked_max){
+                    JOptionPane.showConfirmDialog(ConfigDlg.this,"Please set minimum chunked length less than maximum！","Warning",JOptionPane.CLOSED_OPTION,JOptionPane.WARNING_MESSAGE);
+                    return;
+                }
+
+                if(min_comment_len > max_comment_len){
+                    JOptionPane.showConfirmDialog(ConfigDlg.this,"Please set the minimum comment length to be less than the maximum!","Warning",JOptionPane.CLOSED_OPTION,JOptionPane.WARNING_MESSAGE);
+                    return;
+                }
+
+                Config.min_chunked_len = min_chunked_len;
+                Config.max_chunked_len = max_chunked_max;
+                Config.addComment = cbComment.isSelected();
+                Config.min_comment_len = min_comment_len;
+                Config.max_comment_len = max_comment_len;
                 Config.act_on_all_tools = chkAllTools.isSelected();
                 Config.act_on_target = chkTarget.isSelected();
                 Config.act_on_proxy = chkProxy.isSelected();
@@ -124,9 +185,30 @@ public void actionPerformed(ActionEvent e) {
 
     }
 
+
+    /**
+     * 为控件赋值
+     */
     public void initValue(){
-        spSplitLen.setValue(Config.splite_len);
-        cbComment.setSelected(Config.isComment);
+        spMinChunkedLen.setValue(Config.min_chunked_len);
+        spMaxChunkedLen.setValue(Config.max_chunked_len);
+        cbComment.setSelected(Config.addComment);
+        if(cbComment.isSelected()){
+            lbCommentLen.setEnabled(true);
+            spMinCommentLen.setEnabled(true);
+            lbCommentLenRangeSymbols.setEnabled(true);
+            spMaxCommentLen.setEnabled(true);
+            lbCommentLenRange.setEnabled(true);
+
+        }else{
+            lbCommentLen.setEnabled(false);
+            spMinCommentLen.setEnabled(false);
+            lbCommentLenRangeSymbols.setEnabled(false);
+            spMaxCommentLen.setEnabled(false);
+            lbCommentLenRange.setEnabled(false);
+        }
+        spMinCommentLen.setValue(Config.min_comment_len);
+        spMaxCommentLen.setValue(Config.max_comment_len);
         chkAllTools.setSelected(Config.act_on_all_tools);
         chkTarget.setSelected(Config.act_on_target);
         chkProxy.setSelected(Config.act_on_proxy);
@@ -137,4 +219,4 @@ public void initValue(){
         chkSequencer.setSelected(Config.act_on_sequencer);
         chkExtender.setSelected(Config.act_on_extender);
     }
-}
+}

src/main/java/burp/Menu.java

@@ -7,19 +7,22 @@
 import java.util.ArrayList;
 import java.util.List;
 
+
 public class Menu implements IContextMenuFactory {
     private IBurpExtenderCallbacks callbacks;
     private final IExtensionHelpers m_helpers;
     private PrintWriter stdout;
     private PrintWriter stderr;
 
+
     public Menu(IBurpExtenderCallbacks callbacks) {
         this.callbacks = callbacks;
         this.m_helpers = callbacks.getHelpers();
         this.stdout = new PrintWriter(callbacks.getStdout(),true);
         this.stderr = new PrintWriter(callbacks.getStderr(),true);
     }
 
+
     public List<JMenuItem> createMenuItems(final IContextMenuInvocation invocation)
     {
         List<JMenuItem> menus = new ArrayList();
@@ -37,18 +40,18 @@ public List<JMenuItem> createMenuItems(final IContextMenuInvocation invocation)
 
         encodeChunked.addActionListener(new ActionListener(){
 
-        public void actionPerformed(ActionEvent arg0) {
-            IHttpRequestResponse iReqResp = invocation.getSelectedMessages()[0];
-            try {
-                byte[] request = Transfer.encoding(m_helpers, iReqResp, Config.splite_len,Config.isComment);
-                if (request != null) {
-                    iReqResp.setRequest(request);
+            public void actionPerformed(ActionEvent arg0) {
+                IHttpRequestResponse iReqResp = invocation.getSelectedMessages()[0];
+                try {
+                    byte[] request = Transfer.encoding(m_helpers, iReqResp, Config.min_chunked_len,Config.max_chunked_len,Config.addComment,Config.min_comment_len,Config.max_comment_len);
+                    if (request != null) {
+                        iReqResp.setRequest(request);
+                    }
+                } catch (Exception e) {
+                    stderr.println(e.getMessage());
                 }
-            } catch (Exception e) {
-                stderr.println(e.getMessage());
             }
-        }
-    });
+        });
 
         decodeChunked.addActionListener(new ActionListener(){
 

src/main/java/burp/Transfer.java

@@ -4,7 +4,7 @@
 import java.util.*;
 
 public class Transfer {
-    public static  byte[] encoding(IExtensionHelpers helpers, IHttpRequestResponse requestResponse, int split_len, boolean isComment) throws UnsupportedEncodingException {
+    public static  byte[] encoding(IExtensionHelpers helpers, IHttpRequestResponse requestResponse,int minChunkedLen, int maxChunkedLen, boolean isComment,int minCommentLen,int maxCommentLen) throws UnsupportedEncodingException {
         byte[] request = requestResponse.getRequest();
         IRequestInfo requestInfo = helpers.analyzeRequest(request);
         int bodyOffset = requestInfo.getBodyOffset();
@@ -15,11 +15,12 @@ public static  byte[] encoding(IExtensionHelpers helpers, IHttpRequestResponse r
             return request;
         }
 
-        List<String> str_list = Util.getStrList(body,Config.splite_len);
+        List<String> str_list = Util.getStrList1(body,minChunkedLen,maxChunkedLen);
         String encoding_body = "";
         for(String str:str_list){
-            if(Config.isComment){
-                encoding_body += String.format("%s;%s",Util.decimalToHex(str.length()),Util.getRandomString(10));
+            if(isComment){
+                int commentLen = Util.getRandomNum(minCommentLen,maxCommentLen);
+                encoding_body += String.format("%s;%s",Util.decimalToHex(str.length()),Util.getRandomString(commentLen));
             }else{
                 encoding_body += Util.decimalToHex(str.length());
             }