reCAPTCHA v0.1

reCAPTCHA v0.1

.gitignore

@@ -0,0 +1,5 @@
+
+.classpath
+*.class
+.settings/org.eclipse.core.resources.prefs
+.project

README.md

@@ -0,0 +1,43 @@
+### reCAPTCHA
+
+一个burp插件，自动识别图形验证码，并用于Intruder中的Payload。
+
+### 使用
+
+安装：
+
+1. 从[这里](https://github.com/bit4woo/reCAPTCHA/releases)下载插件。
+2. 将它添加到burp。如果没有遇到错误，你将看到一个新的名为“reCAPTCHA”的tab。
+
+准备：
+
+1. 通过burp代理访问目标网站（或APP）。
+2. 在proxy中找到获取图形验证码的请求，选中它并点击右键选择“Send to reCAPTCHA”。![Send to](doc/Send to.png)
+3. 切换到reCAPTCHA标签，并配置所需的参数。（http://www.ysdm.net API是目前唯一支持的接口），当参数配置好后，你可以点击“请求”按钮来测试配置。
+4. 完成了配置并测试成功后，现在可以在Intruder中使用该插件生成的payload了。
+
+在Intruder中使用：
+
+有2种情况：用户名或密码之一+验证码；用户名+密码+验证码；
+
+情况一：只有密码或只有用户名需要改变，我们可以用Pitchfork 模式来配置。运行效果如下：
+
+![index_condition1](doc/index_condition1.png)
+
+情况二：用户名和口令都需要改变，这是稍微负责点。我们还是使用Pichfork模式，但需要将用户名和密码一起标注为一个插入点。像这样:![img](doc/index_mark.png)
+
+然后对对一个插入点，做如下配置，使用“自定义迭代器（Custom interator）”。并在迭代器中组合用户名和密码。
+
+![index1](doc/index1.png)
+
+运行效果如图：
+
+![index_mark2](doc/index_mark2.png)
+
+### reCAPTCHA界面截图
+
+### ![screenshot](doc/screenshot.png)
+
+日志
+
+2017-11-01：第一个demo版本发布。

README_EN.md

@@ -0,0 +1,48 @@
+### **reCAPTCHA**
+
+A Burp Suite extender that **<u>auto reconginze CAPTCHA and use for intruder payload</u>**. 
+
+### **usage**
+
+**Install** 
+
+1. download this burp extender from [here](https://github.com/bit4woo/reCAPTCHA/releases).
+2. add it to burp suite. you will see a new tab named “reCAPTCHA”, if  no error encountered. 
+
+**prepare**
+
+1. visit your target website(or App) with burp proxy enabled, ensure burp recorded http or https traffic of your target.
+
+2. you need to find the request that get the CAPTCHA image, select it and right click to chose "send to reCAPTCHA".
+
+    ![Send to](doc/Send to.png)
+
+3. switch to reCAPTCHA tab and config the parameters that needed.(http://www.ysdm.net is the only vailiable API currently) you can click the "request" button to test the config.
+
+4. finished the config and test success, now you can use this extender for intruder payload.
+
+**use in Intruder**
+
+two scene:   username or password +CAPTCHA; username +password +CAPTCHA ;
+
+**scene one:** when only password or only username need change , We can use Pitchfork type to use this . as below:
+
+![index_condition1](doc/index_condition1.png)
+
+**scene two:** both username and password need change, it's more complex. we  also use Pitchfork type ,but need to mark username and password as one insert point. like this:![img](doc/index_mark.png)
+
+and config payload set 1 use "Custom iterator". combine username and password in the "payload options[custom iterator]"
+
+![index1](doc/index1.png)
+
+intruder running like below:
+
+![index_mark2](doc/index_mark2.png)
+
+### **screenshot**
+
+![screenshot](doc/screenshot.png)
+
+### **Log**
+
+2017-11-01: first demo release.

src/burp/BurpExtender.java

@@ -0,0 +1,242 @@
+package burp;
+
+import java.util.ArrayList;
+import java.util.List;
+import javax.swing.JMenuItem;
+import javax.swing.SwingUtilities;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.NodeList;
+import org.xml.sax.SAXException;
+
+import custom.YunSu;
+
+import java.awt.Component;
+import java.awt.event.ActionEvent;
+import java.awt.event.ActionListener;
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.PrintWriter;
+import custom.GUI;
+import custom.myYunSu;
+
+public class BurpExtender implements IBurpExtender, ITab, IContextMenuFactory, IIntruderPayloadGeneratorFactory,IIntruderPayloadGenerator
+{	
+	private GUI GUI;
+    private static IBurpExtenderCallbacks callbacks;
+    private IExtensionHelpers helpers;
+
+    public PrintWriter stdout;//现在这里定义变量，再在registerExtenderCallbacks函数中实例化，如果都在函数中就只是局部变量，不能在这实例化，因为要用到其他参数。
+    private String ExtenderName = "reCAPTCHA v0.1 by bit4";
+    private String github = "https://github.com/bit4woo/reCAPTCHA";
+
+	private String imgName;
+    public IHttpRequestResponse imgMessageInfo;
+
+    @Override
+    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks)
+    {
+    	stdout = new PrintWriter(callbacks.getStdout(), true);
+    	stdout.println(ExtenderName);
+    	stdout.println(github);
+        this.callbacks = callbacks;
+        helpers = callbacks.getHelpers();
+        callbacks.setExtensionName(ExtenderName); //插件名称
+        //callbacks.registerHttpListener(this); //如果没有注册，下面的processHttpMessage方法是不会生效的。处理请求和响应包的插件，这个应该是必要的
+        callbacks.registerContextMenuFactory(this);
+        callbacks.registerIntruderPayloadGeneratorFactory(this);
+        addMenuTab();        
+    }
+
+/////////////////////////////////////////自定义函数/////////////////////////////////////////////////////////////
+    public static IBurpExtenderCallbacks getBurpCallbacks() {
+        return callbacks;
+    }
+
+    public static byte[] subBytes(byte[] src, int begin, int count) {
+        byte[] bs = new byte[count];
+        for (int i=begin; i<begin+count; i++) bs[i-begin] = src[i];
+        return bs;
+    }
+
+	public String getHost(IRequestInfo analyzeRequest){
+    	List<String> headers = analyzeRequest.getHeaders();
+    	String domain = "";
+    	for(String item:headers){
+    		if (item.toLowerCase().contains("host")){
+    			domain = new String(item.substring(6));
+    		}
+    	}
+    	return domain ;
+	}
+
+	public String getImage(IHttpRequestResponse messageInfo) {
+		if (messageInfo != null) {
+			IHttpService service = messageInfo.getHttpService();
+			byte[] request =  messageInfo.getRequest();
+			IHttpRequestResponse messageInfo_issued = callbacks.makeHttpRequest(service,request);
+
+			byte[] response = messageInfo_issued.getResponse();
+			int BodyOffset = helpers.analyzeResponse(response).getBodyOffset();
+			int body_length = response.length -BodyOffset;
+			byte[] body = subBytes(response,BodyOffset,body_length);
+			//这里之前遇到一个坑：现将byte[]转换为string，取substring后转换回来，这样是有问题的。
+			//stdout.println("Response length:");
+			//stdout.println(response.length);
+			//stdout.println("offset");
+			//stdout.println(BodyOffset);
+			//stdout.println("body length");
+			//stdout.println(body.length);
+
+		    imgName = getHost(helpers.analyzeRequest(messageInfo))+System.currentTimeMillis()+".jpg";
+		    //stdout.println(imgName);
+		    try {
+		    	File imageFile = new File(imgName);
+		        //创建输出流  
+		        FileOutputStream outStream = new FileOutputStream(imageFile);  
+		        //写入数据  
+				outStream.write(body);
+				outStream.close();
+			} catch (IOException e) {
+				// TODO Auto-generated catch block
+				e.printStackTrace();
+			} 
+		    return imgName;
+		}
+		else {
+			return null;
+		}
+	}
+
+///////////////////////////////////自定义函数////////////////////////////////////////////////////////////
+
+
+///////////////////////////////////以下是各种burp必须的方法 --start//////////////////////////////////////////
+    public void addMenuTab()
+    {
+      SwingUtilities.invokeLater(new Runnable()
+      {
+        public void run()
+        {
+          BurpExtender.this.GUI = new GUI();
+          BurpExtender.this.callbacks.addSuiteTab(BurpExtender.this); //这里的BurpExtender.this实质是指ITab对象，也就是getUiComponent()中的contentPane.这个参数由CGUI()函数初始化。
+          //如果这里报java.lang.NullPointerException: Component cannot be null 错误，需要排查contentPane的初始化是否正确。
+        }
+      });
+    }
+
+
+    //ITab必须实现的两个方法
+	@Override
+	public String getTabCaption() {
+		// TODO Auto-generated method stub
+		return ("reCAPTCHA");
+	}
+	@Override
+	public Component getUiComponent() {
+		// TODO Auto-generated method stub
+		return this.GUI;
+	}
+
+
+	@Override
+	public List<JMenuItem> createMenuItems(IContextMenuInvocation invocation)
+	{ //需要在签名注册！！callbacks.registerContextMenuFactory(this);
+	    IHttpRequestResponse[] messages = invocation.getSelectedMessages();
+	    List<JMenuItem> list = new ArrayList<JMenuItem>();
+	    if((messages != null) && (messages.length ==1))
+	    {	
+	    	imgMessageInfo = messages[0];
+
+	    	final byte[] sentRequestBytes = messages[0].getRequest();
+	    	IRequestInfo analyzeRequest = helpers.analyzeRequest(sentRequestBytes);
+
+	        JMenuItem menuItem = new JMenuItem("Send to reCAPTCHA");
+	        menuItem.addActionListener(new ActionListener()
+	        {
+	          public void actionPerformed(ActionEvent e)
+	          {
+	            try
+	            {	
+	            	//stdout.println(new String(imgMessageInfo.getRequest()));
+	            	GUI.MessageInfo = imgMessageInfo;
+
+	            	GUI.imgRequestRaws.setText(new String(imgMessageInfo.getRequest())); //在GUI中显示这个请求信息。
+
+	            	//IHttpService httpservice =imgMessageInfo.getHttpService();
+	            	//String host = httpservice.getHost();
+	            	//int port = httpservice.getPort();
+	            	//String protocol = httpservice.getProtocol();
+
+
+	            	GUI.imgHttpService.setText(imgMessageInfo.getHttpService().toString());
+
+	            }
+	            catch (Exception e1)
+	            {
+	                BurpExtender.this.callbacks.printError(e1.getMessage());
+	            }
+	          }
+	        });
+	        list.add(menuItem);
+	    }
+	    return list;
+	}
+
+
+	//IIntruderPayloadGeneratorFactory 所需实现的2个函数
+	@Override
+	public String getGeneratorName() {
+		// TODO Auto-generated method stub
+		return "reCAPTCHA";
+	}
+
+	@Override
+	public IIntruderPayloadGenerator createNewInstance(IIntruderAttack attack) {
+		// TODO Auto-generated method stub
+		return this;
+	}
+
+
+
+	//IIntruderPayloadGenerator 所需实现的三个函数
+	@Override
+	public boolean hasMorePayloads() {
+		// TODO Auto-generated method stub
+		return true;
+	}
+
+	@Override
+	public byte[] getNextPayload(byte[] baseValue) {
+		// 获取图片验证码的值
+		int times = 0;
+		while(times <=5) {
+			if (imgMessageInfo!=null) {
+				String imgpath = getImage(imgMessageInfo);
+				String paraString = GUI.APIRequestRaws.getText();
+				String code = myYunSu.getCode(imgpath,paraString);
+				stdout.println(imgpath+" "+code);
+				return code.getBytes();
+			}
+			else {
+				stdout.println("Failed try!!! please send image request to reCAPTCHA first!");
+				times +=1;
+				continue;
+			}
+		}
+		return null;
+	}
+
+	@Override
+	public void reset() {
+		// TODO Auto-generated method stub
+
+	}
+
+//////////////////////////////////////////////各种burp必须的方法 --end//////////////////////////////////////////////////////////////
+}

src/burp/IBurpExtender.java

@@ -0,0 +1,31 @@
+package burp;
+
+/*
+ * @(#)IBurpExtender.java
+ *
+ * Copyright PortSwigger Ltd. All rights reserved.
+ *
+ * This code may be used to extend the functionality of Burp Suite Free Edition
+ * and Burp Suite Professional, provided that this usage does not violate the
+ * license terms for those products.
+ */
+/**
+ * All extensions must implement this interface.
+ *
+ * Implementations must be called BurpExtender, in the package burp, must be
+ * declared public, and must provide a default (public, no-argument)
+ * constructor.
+ */
+public interface IBurpExtender
+{
+    /**
+     * This method is invoked when the extension is loaded. It registers an
+     * instance of the
+     * <code>IBurpExtenderCallbacks</code> interface, providing methods that may
+     * be invoked by the extension to perform various actions.
+     *
+     * @param callbacks An
+     * <code>IBurpExtenderCallbacks</code> object.
+     */
+    void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks);
+}