Merge pull request #2 from xl-sec/master

Added options to increment int or float and random GUID
alexlauerman · May 13, 2020 · b223e15 · b223e15
2 parents 9ca85fb + cf21d47
commit b223e15
Show file tree

Hide file tree

Showing 2 changed files with 127 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -1,9 +1,15 @@
 # IncrementMePlease
 A simple but useful Burp extension to increment a parameter in each request, intended for use with Active Scan.
 
-An example use case would be if  you are active scanning a "create user" form, which would normally produce an error if you created two users with the same username. You can use the text "IncrementMePlease" for the username parameter parameter and it will replace it with "Incremented[RandomInt][Counter]", so that you can successfully active scan this form.
+An example use case would be if you are active scanning a "create user" form, which would normally produce an error if you created two users with the same username. You can use the text `IncrementMePlease` for the username parameter parameter and it will replace it with `Incremented[RandomInt][Counter]`, so that you can successfully active scan this form.
+
+The extension also supports `IntMePlease` and `FloatMePlease` that will replace the text with an integer or float starting from 1. If you need the counter to start at another number, append this to the end of the string such as `IntMePlease2` or `FloatMePlease10.0`. To reset or change the numberin again, you'll need to unload and then load the extension.
+
+Lastly, the extension support a random GUID with the string `GUIDMePlease`
 
 ## Example
+
+### `IncrementMePlease`
 It will match:
 ```
 {"name":"IncrementMePlease"}
@@ -17,6 +23,49 @@ And replace it with:
 {"name":"Incremented291708"}
 ```
 
+### `IntMePlease` and `FloatMePlease`
+It will match:
+```
+{"name":"IntMePlease"}
+```
+And replace it with:
+```
+{"name":"1"}
+...
+{"name":"2"}
+...
+{"name":"3"}
+```
+
+or
+
+It will match:
+```
+{"name":"IntMePlease5"}
+```
+And replace it with:
+```
+{"name":"6"}
+...
+{"name":"7"}
+...
+{"name":"8"}
+```
+
+### `GUIDMePlease`
+It will match:
+```
+{"name":"GUIDMePlease"}
+```
+And replace it with:
+```
+{"name":"c2d733ef-dca0-468a-ad8e-3eb687e9a8a3"}
+...
+{"name":"606a6c73-f5e0-4049-9a18-7a1929029e27"}
+...
+{"name":"b9839038-a2a4-4ff1-b22c-e7213b292dff"}
+```
+
 ## Releases
 This is available in the BApp store as the "Token Incrementor" extension.
 

diff --git a/src/burp/BurpExtender.java b/src/burp/BurpExtender.java
@@ -3,6 +3,9 @@
 import java.io.PrintWriter;
 import java.util.Random;
 import java.util.List;
+import java.util.UUID;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 
 public class BurpExtender implements burp.IBurpExtender, burp.IHttpListener
@@ -12,8 +15,12 @@ public class BurpExtender implements burp.IBurpExtender, burp.IHttpListener
     private PrintWriter stderr;
 
     private int counter = 0;
+    private int counterInt = 0;
+    private float counterFloat = 0;
     private String nextToken = "";
     private String nextTimestamp = "";
+    private Boolean foundInt = false;
+    private Boolean foundFloat = false;
     private Random rand = new Random();
     int randomint = rand.nextInt(999);
 
@@ -57,14 +64,79 @@ public void processHttpMessage(int toolFlag, boolean messageIsRequest, burp.IHtt
             String reqBody = request.substring(iRequest.getBodyOffset());
 
             if (reqBody.contains("IncrementMePlease")) {
-
-                int offset = reqBody.indexOf("IncrementMePlease");
-                stdout.println(offset);
-                reqBody = reqBody.replaceAll("IncrementMePlease", "Incremented" + String.valueOf(randomint) + String.valueOf(counter));
+                // int offset = reqBody.indexOf("IncrementMePlease");
+                // stdout.println(offset);
                 counter++;
+                reqBody = reqBody.replaceAll("IncrementMePlease", "Incremented" + String.valueOf(randomint) + String.valueOf(counter));
+                updated = true;
+            }
+
+            if (reqBody.contains("IntMePlease")) {
+                // int offset = reqBody.indexOf("IntMePlease");
+                // stdout.println(offset);
+                if (!foundInt) {
+                    Pattern pattern = Pattern.compile(".*IntMePlease(\\d*).*");
+                    Matcher matcher = pattern.matcher(reqBody);
+                    if (matcher.find()){
+                        int counterIntFound = Integer.parseInt(matcher.group(1));
+                        // System.out.println(counterIntFound);
+                        counterInt = counterIntFound;
+                        foundInt = true;
+                    }
+                }
+
+                counterInt++;
+                reqBody = reqBody.replaceAll("IntMePlease\\d*", String.valueOf(counterInt));
+                updated = true;
+            }
+
+            if (reqBody.contains("FloatMePlease")) {
+                // int offset = reqBody.indexOf("FloatMePlease");
+                // stdout.println(offset);
+                if (!foundFloat) {
+                    Pattern pattern = Pattern.compile(".*FloatMePlease(\\d*\\.\\d*).*");
+                    Matcher matcher = pattern.matcher(reqBody);
+                    if (matcher.find()){
+                        float counterFloutFound = Float.parseFloat(matcher.group(1));
+                        // System.out.println(counterFloutFound);
+                        counterFloat = counterFloutFound;
+                        foundFloat = true;
+                    }
+                }
+
+                counterFloat++;
+                reqBody = reqBody.replaceAll("FloatMePlease(\\d*\\.\\d*)?", String.valueOf(counterFloat));
                 updated = true;
             }
 
+            if (reqBody.contains("GUIDMePlease")) {
+                // int offset = reqBody.indexOf("GUIDMePlease");
+                // stdout.println(offset);
+                reqBody = reqBody.replaceAll("GUIDMePlease", String.valueOf(UUID.randomUUID()));
+                updated = true;
+            }
+
+            for (int i = 0; i < headers.size(); i++) {
+                String header = headers.get(i);
+                if (header.contains("IncrementMePlease")) {
+                    header = header.replaceAll("IncrementMePlease", "Incremented" + String.valueOf(randomint) + String.valueOf(counter));
+                    updated = true;
+                }
+                if (header.contains("IntMePlease")) {
+                    header = header.replaceAll("IntMePlease\\d*", String.valueOf(counterInt));
+                    updated = true;
+                }
+                if (header.contains("FloatMePlease")) {
+                    header = header.replaceAll("FloatMePlease(\\d*\\.\\d*)?", String.valueOf(counterFloat));
+                    updated = true;
+                }
+                if (header.contains("GUIDMePlease")) {
+                    header = header.replaceAll("GUIDMePlease", String.valueOf(UUID.randomUUID()));
+                    updated = true;
+                }
+                headers.set(i, header);
+            }
+
             if (updated) {
                 stdout.println("-----Request Before Plugin Update-------");
                 stdout.println(helpers.bytesToString(messageInfo.getRequest()));
@@ -79,4 +151,4 @@ public void processHttpMessage(int toolFlag, boolean messageIsRequest, burp.IHtt
             }
         }
     }
-}
+}