BurpSuite自动化解密插件开发指南<\/h1>

1. 前言<\/h2>
本指南详细介绍如何开发BurpSuite自动化解密插件，帮助安全测试人员高效处理加密数据包。主要内容包括环境配置、工程创建、加密算法复现和插件核心功能实现。<\/p>

2. 开发环境配置<\/h2>

2.1 必要工具<\/h3>

JDK 8<\/strong>：从Oracle官网下载安装<\/li>
BurpSuite社区版<\/strong>：从PortSwigger官网下载<\/li>
Maven<\/strong>：项目管理工具<\/li>

IDE<\/strong>：推荐IntelliJ IDEA或Eclipse<\/li> <\/ul>
2.2 环境设置步骤<\/h3>

安装JDK 8并配置环境变量<\/li>
安装BurpSuite社区版<\/li>
在IDE中配置Maven（可通过代理自动下载）<\/li> <\/ol>
3. 创建Burp插件工程<\/h2>
3.1 项目初始化<\/h3>

在IDE中创建Maven项目<\/li>
选择Java语言和Maven架构<\/li> <\/ol>
3.2 配置pom.xml<\/h3>
<dependencies><\/span> <\/span><\/span> <\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>net.portswigger.burp.extender<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>burp-extender-api<\/artifactId><\/span> <\/span><\/span> <version><\/span>2.3<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span> <\/span><\/span> <\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>org.bouncycastle<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>bcprov-jdk15on<\/artifactId><\/span> <\/span><\/span> <version><\/span>1.70<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span><\/dependencies><\/span> <\/span><\/span><\/code><\/pre>3.3 项目结构<\/h3> 创建burp<\/code>包<\/li> 在包内创建BurpExtender<\/code>主类（必须使用此名称）<\/li> 配置项目自动生成Jar包<\/li> <\/ol> 4. 加密算法复现<\/h2> 4.1 加密算法分析流程<\/h3> 捕获加密数据包（通常位于JSON的encryptData<\/code>参数）<\/li> 使用浏览器开发者工具搜索关键词定位加密代码<\/li> 下断点调试分析加密过程<\/li> 确定加密算法类型（如SM4 ECB模式）和密钥来源<\/li> <\/ol> 4.2 Java算法实现<\/h3> 使用BouncyCastle库实现标准加密算法：<\/p> import<\/span> org.bouncycastle.jce.provider.BouncyCastleProvider;<\/span> <\/span><\/span>import<\/span> org.bouncycastle.util.encoders.Hex;<\/span> <\/span><\/span> <\/span><\/span>import<\/span> javax.crypto.Cipher;<\/span> <\/span><\/span>import<\/span> javax.crypto.spec.SecretKeySpec;<\/span> <\/span><\/span>import<\/span> java.security.Security;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> SM4Util<\/span> {<\/span> <\/span><\/span> static<\/span> {<\/span> <\/span><\/span> Security.<\/span>addProvider<\/span>(<\/span>new<\/span> BouncyCastleProvider());<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> static<\/span> String decrypt<\/span>(<\/span>String encryptedData,<\/span> String key)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> byte<\/span>[]<\/span> keyBytes =<\/span> Hex.<\/span>decode<\/span>(<\/span>key);<\/span> <\/span><\/span> byte<\/span>[]<\/span> encryptedBytes =<\/span> Hex.<\/span>decode<\/span>(<\/span>encryptedData);<\/span> <\/span><\/span> <\/span><\/span> Cipher cipher =<\/span> Cipher.<\/span>getInstance<\/span>(<\/span>"SM4\/ECB\/PKCS5Padding"<\/span>,<\/span> "BC"<\/span>);<\/span> <\/span><\/span> SecretKeySpec secretKeySpec =<\/span> new<\/span> SecretKeySpec(<\/span>keyBytes,<\/span> "SM4"<\/span>);<\/span> <\/span><\/span> cipher.<\/span>init<\/span>(<\/span>Cipher.<\/span>DECRYPT_MODE<\/span>,<\/span> secretKeySpec);<\/span> <\/span><\/span> <\/span><\/span> byte<\/span>[]<\/span> decryptedBytes =<\/span> cipher.<\/span>doFinal<\/span>(<\/span>encryptedBytes);<\/span> <\/span><\/span> return<\/span> new<\/span> String(<\/span>decryptedBytes);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>5. 插件核心功能实现<\/h2> 5.1 主类结构<\/h3> package<\/span> burp;<\/span> <\/span><\/span> <\/span><\/span>import<\/span> java.io.PrintWriter;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> BurpExtender<\/span> implements<\/span> IBurpExtender,<\/span> IHttpListener {<\/span> <\/span><\/span> private<\/span> IBurpExtenderCallbacks callbacks;<\/span> <\/span><\/span> private<\/span> IExtensionHelpers helpers;<\/span> <\/span><\/span> private<\/span> PrintWriter stdout;<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> void<\/span> registerExtenderCallbacks<\/span>(<\/span>IBurpExtenderCallbacks callbacks)<\/span> {<\/span> <\/span><\/span> this<\/span>.<\/span>callbacks<\/span> =<\/span> callbacks;<\/span> <\/span><\/span> this<\/span>.<\/span>helpers<\/span> =<\/span> callbacks.<\/span>getHelpers<\/span>();<\/span> <\/span><\/span> this<\/span>.<\/span>stdout<\/span> =<\/span> new<\/span> PrintWriter(<\/span>callbacks.<\/span>getStdout<\/span>(),<\/span> true<\/span>);<\/span> <\/span><\/span> <\/span><\/span> callbacks.<\/span>setExtensionName<\/span>(<\/span>"Auto Decrypt Plugin"<\/span>);<\/span> <\/span><\/span> stdout.<\/span>println<\/span>(<\/span>"Auto Decrypt Plugin loaded"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 注册HTTP监听器 <\/span><\/span><\/span><\/span> callbacks.<\/span>registerHttpListener<\/span>(<\/span>this<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> void<\/span> processHttpMessage<\/span>(<\/span>int<\/span> toolFlag,<\/span> boolean<\/span> messageIsRequest,<\/span> <\/span><\/span> IHttpRequestResponse messageInfo)<\/span> {<\/span> <\/span><\/span> \/\/ 解密逻辑实现 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>5.2 processHttpMessage方法详解<\/h3> @Override<\/span> <\/span><\/span>public<\/span> void<\/span> processHttpMessage<\/span>(<\/span>int<\/span> toolFlag,<\/span> boolean<\/span> messageIsRequest,<\/span> <\/span><\/span> IHttpRequestResponse messageInfo)<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> \/\/ 只处理Proxy和Repeater模块的流量 <\/span><\/span><\/span><\/span> if<\/span> (<\/span>toolFlag ==<\/span> IBurpExtenderCallbacks.<\/span>TOOL_PROXY<\/span> ||<\/span> <\/span><\/span> toolFlag ==<\/span> IBurpExtenderCallbacks.<\/span>TOOL_REPEATER<\/span>)<\/span> {<\/span> <\/span><\/span> <\/span><\/span> if<\/span> (!<\/span>messageIsRequest)<\/span> {<\/span> \/\/ 处理响应 <\/span><\/span><\/span><\/span> IResponseInfo responseInfo =<\/span> helpers.<\/span>analyzeResponse<\/span>(<\/span>messageInfo.<\/span>getResponse<\/span>());<\/span> <\/span><\/span> int<\/span> bodyOffset =<\/span> responseInfo.<\/span>getBodyOffset<\/span>();<\/span> <\/span><\/span> byte<\/span>[]<\/span> response =<\/span> messageInfo.<\/span>getResponse<\/span>();<\/span> <\/span><\/span> String responseBody =<\/span> helpers.<\/span>bytesToString<\/span>(<\/span> <\/span><\/span> Arrays.<\/span>copyOfRange<\/span>(<\/span>response,<\/span> bodyOffset,<\/span> response.<\/span>length<\/span>));<\/span> <\/span><\/span> <\/span><\/span> \/\/ 解析JSON获取加密数据 <\/span><\/span><\/span><\/span> JSONObject json =<\/span> new<\/span> JSONObject(<\/span>responseBody);<\/span> <\/span><\/span> String encryptedData =<\/span> json.<\/span>getString<\/span>(<\/span>"encryptData"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 解密数据 <\/span><\/span><\/span><\/span> String decryptedData =<\/span> SM4Util.<\/span>decrypt<\/span>(<\/span>encryptedData,<\/span> "硬编码密钥"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 修改响应体 <\/span><\/span><\/span><\/span> json.<\/span>put<\/span>(<\/span>"decryptedData"<\/span>,<\/span> decryptedData);<\/span> <\/span><\/span> byte<\/span>[]<\/span> newResponse =<\/span> helpers.<\/span>buildHttpMessage<\/span>(<\/span> <\/span><\/span> responseInfo.<\/span>getHeaders<\/span>(),<\/span> <\/span><\/span> json.<\/span>toString<\/span>().<\/span>getBytes<\/span>());<\/span> <\/span><\/span> <\/span><\/span> messageInfo.<\/span>setResponse<\/span>(<\/span>newResponse);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> stdout.<\/span>println<\/span>(<\/span>"Error processing message: "<\/span> +<\/span> e.<\/span>getMessage<\/span>());<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>6. 调试与部署<\/h2> 6.1 调试配置<\/h3> 在IDE中添加远程JVM调试配置<\/li> 使用以下命令启动BurpSuite： java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005 -jar burpsuite_community.jar <\/code><\/pre> <\/li> 默认监听5005端口<\/li> <\/ol> 6.2 部署流程<\/h3> 使用Ctrl+F9<\/code>编译项目<\/li> 在out<\/code>目录获取生成的Jar文件<\/li> 在Burp的Extender<\/code>选项卡中加载该Jar文件<\/li> <\/ol> 7. 高级功能与问题解决<\/h2> 7.1 请求体解密问题<\/h3> 原文档提出的问题：如何在Proxy中直接修改解密后的明文数据并加密重放？<\/p> 解决方案：<\/p> 在processHttpMessage<\/code>中同时处理请求和响应<\/li> 对请求体进行解密→修改→加密流程：<\/li> <\/ol> if<\/span> (<\/span>messageIsRequest)<\/span> {<\/span> <\/span><\/span> IRequestInfo requestInfo =<\/span> helpers.<\/span>analyzeRequest<\/span>(<\/span>messageInfo);<\/span> <\/span><\/span> int<\/span> bodyOffset =<\/span> requestInfo.<\/span>getBodyOffset<\/span>();<\/span> <\/span><\/span> byte<\/span>[]<\/span> request =<\/span> messageInfo.<\/span>getRequest<\/span>();<\/span> <\/span><\/span> String requestBody =<\/span> helpers.<\/span>bytesToString<\/span>(<\/span> <\/span><\/span> Arrays.<\/span>copyOfRange<\/span>(<\/span>request,<\/span> bodyOffset,<\/span> request.<\/span>length<\/span>));<\/span> <\/span><\/span> <\/span><\/span> \/\/ 解密请求体 <\/span><\/span><\/span><\/span> JSONObject json =<\/span> new<\/span> JSONObject(<\/span>requestBody);<\/span> <\/span><\/span> String encryptedData =<\/span> json.<\/span>getString<\/span>(<\/span>"encryptData"<\/span>);<\/span> <\/span><\/span> String decryptedData =<\/span> SM4Util.<\/span>decrypt<\/span>(<\/span>encryptedData,<\/span> "硬编码密钥"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 修改解密后的数据 <\/span><\/span><\/span><\/span> JSONObject modifiedData =<\/span> modifyData(<\/span>new<\/span> JSONObject(<\/span>decryptedData));<\/span> <\/span><\/span> <\/span><\/span> \/\/ 重新加密 <\/span><\/span><\/span><\/span> String reEncryptedData =<\/span> SM4Util.<\/span>encrypt<\/span>(<\/span>modifiedData.<\/span>toString<\/span>(),<\/span> "硬编码密钥"<\/span>);<\/span> <\/span><\/span> json.<\/span>put<\/span>(<\/span>"encryptData"<\/span>,<\/span> reEncryptedData);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 更新请求 <\/span><\/span><\/span><\/span> byte<\/span>[]<\/span> newRequest =<\/span> helpers.<\/span>buildHttpMessage<\/span>(<\/span> <\/span><\/span> requestInfo.<\/span>getHeaders<\/span>(),<\/span> <\/span><\/span> json.<\/span>toString<\/span>().<\/span>getBytes<\/span>());<\/span> <\/span><\/span> messageInfo.<\/span>setRequest<\/span>(<\/span>newRequest);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>7.2 密钥管理改进<\/h3> 从配置文件中读取密钥<\/li> 实现密钥协商机制<\/li> 支持多密钥场景<\/li> <\/ol> 8. 总结<\/h2> 本指南详细介绍了BurpSuite自动化解密插件的完整开发流程，从环境配置到核心功能实现。关键点包括：<\/p> 正确配置开发环境和项目结构<\/li> 加密算法的分析和Java实现<\/li> Burp API的核心接口使用<\/li> 请求\/响应处理逻辑<\/li> 调试和部署技巧<\/li> <\/ol> 实际开发中，加密算法复现通常是最具挑战性的部分，需要结合前端调试、反混淆等技术。本指南提供的SM4示例相对简单，实际场景可能需要处理更复杂的加密方案。<\/p>

BurpSuite自动化解密插件开发指南<\/h1>

1. 前言<\/h2> 本指南详细介绍如何开发BurpSuite自动化解密插件，帮助安全测试人员高效处理加密数据包。主要内容包括环境配置、工程创建、加密算法复现和插件核心功能实现。<\/p>

2. 开发环境配置<\/h2>

3. 创建Burp插件工程<\/h2>

4. 加密算法复现<\/h2>

5. 插件核心功能实现<\/h2>

6. 调试与部署<\/h2>

7. 高级功能与问题解决<\/h2>

1. 前言<\/h2>
本指南详细介绍如何开发BurpSuite自动化解密插件，帮助安全测试人员高效处理加密数据包。主要内容包括环境配置、工程创建、加密算法复现和插件核心功能实现。<\/p>