One of our favorite tools for conducting penetration tests (especially, but not only, web application tests) is PortSwigger's Burp Suite. Burp can be extended with custom plugins, but because Burp is written in Java, it only supports Java classes as plugins. Additionally, Burp only allows one plugin to be used at a time, and that plugin has to be loaded at start-up.
Now we have written a Burp-Python proxy (called pyBurp) which adds some features to the plugin system:
- write plugins in Python
- load and unload plugins at any time
- load multiple plugins
The only restriction is that Jython is required for compiling and interpreting the Python scripts. So far we have tested it with Jython 2.5.2 (other versions might work, but this is the one we tested).
For setting up and using pyBurp, just follow these steps:
Setup:
- download your desired package of pyBurp (src or binary, you can find the download links at the end of this post)
- download Jython and extract/install (Version 2.5.2 is recommended)
- If you want to build from source, you will need a JDK (for compiling) and GNU make (needed only for the Makefile; without it you have to compile manually)
- update the paths in the Makefile for your Burp copy and Jython
- run make
- update the paths in burp.sh (the Linux/Unix start script) for your Burp copy and Jython
Start and work with plugins (shown with sample plugin):
- start Burp via burp.sh
- Burp should have told you on which port it waits for load and unload commands (e.g. 55666).
- Load a Python plugin:

      $ nc localhost 55666            # or some other port reported at startup
      pwd                             # shows you the current working dir to load from
      /home/foo
      cd /home/foo/sources/pyBurp     # change the current working dir
      add PoCPlugin                   # load the PoC plugin
      adding PoCPlugin done
      list                            # show loaded plugins
      Callback list:
      1: PocPlugin
      quit                            # quit communication
      Bye
      $

- Remove a Python plugin:

      $ nc localhost 55666            # or some other port reported at startup
      list                            # show loaded plugins
      Callback list:
      1: PoCPlugin
      rm 1                            # remove plugin with no. 1
      removing PoCPlugin done
      quit                            # quit communication
      Bye
      $

Possible commands:

| Command | Syntax | Description |
|---|---|---|
| add | add <plugin name> | loads a plugin |
| list | list | lists all loaded plugins |
| rm | rm <nr of loaded plugin> | unloads a plugin |
| cd | cd <absolute path> | change current load path |
| pwd | pwd | displays current load path |

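
Scripting the command port instead of typing into nc, as an added example that is not part of pyBurp or the original post. It runs under ordinary Python 3 (not Jython) and assumes the listener reads one command per line and closes the connection after `quit`, as the sessions above suggest; the function names and the `send` parameter are made up for this sketch.

```python
import re
import socket

def run_commands(port, commands, host="127.0.0.1", timeout=5.0):
    """Send the commands plus a final 'quit'; return everything the port replied."""
    # Assumption: the listener reads one command per line and closes the
    # connection after answering 'quit' with 'Bye', as in the nc sessions above.
    payload = "".join(c + "\n" for c in list(commands) + ["quit"])
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload.encode("ascii"))
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace").replace("\r\n", "\n")

# One "<number>: <plugin name>" entry of the reply to 'list'.
ENTRY = re.compile(r"^[ \t]*(\d+):[ \t]*(\S+)[ \t]*$", re.MULTILINE)

def parse_plugin_list(output):
    """Map list number -> plugin name from the reply to 'list'."""
    _, found, tail = output.partition("Callback list:")
    return {int(n): name for n, name in ENTRY.findall(tail)} if found else {}

def load_plugin(port, directory, name, send=run_commands):
    """cd to an absolute load path, add the plugin, return what is now loaded."""
    if not directory.startswith("/") or "\n" in directory + name:
        raise ValueError("cd needs an absolute path; one command per line")
    return parse_plugin_list(send(port, ["cd " + directory, "add " + name, "list"]))

def unload_plugin(port, name, send=run_commands):
    """rm takes a list number, so resolve the name to its number first."""
    loaded = parse_plugin_list(send(port, ["list"]))
    numbers = [n for n, loaded_name in loaded.items() if loaded_name == name]
    if not numbers:
        return False
    send(port, ["rm %d" % numbers[0]])
    return True

if __name__ == "__main__":
    # Constructed reply in the format of the nc session above.
    print(parse_plugin_list("Callback list:\n1: PoCPlugin\nBye\n"))
```

The nc sessions show no authentication step, so anything that can reach the port can load Python code into the running Burp; the client therefore defaults to 127.0.0.1.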
Downloads:
- Binary: burp_python.jar
  - SHA1: 500ed30f6473556093f1f388025932c41c262e72
  - MD5: 66526190fe6b4d0b149a2918c14336db
- Source code: pyBurp.tar.gz
  - SHA1: e3e4deb5f28a49c3e0a9518f7a8d2514c0a30225
  - MD5: 48f62186fcaf927b28f6e1c44e7fad74
We hope some of you find pyBurp useful. We’re happy to receive any feedback or bug reports in case you find some 😉
Merry Christmas and a happy new year to everybody
Timo