133 lines
5.1 KiB
JavaScript
133 lines
5.1 KiB
JavaScript
/**
|
|
* Capture REQUEST BODY using writeTo() method
|
|
*/
|
|
|
|
console.log("\n[*] Capturing REQUEST Bodies\n");
|
|
|
|
Java.perform(function() {
|
|
|
|
try {
|
|
var AuthHeaderInterceptor = Java.use("com.adif.elcanomovil.serviceNetworking.interceptors.AuthHeaderInterceptor");
|
|
console.log("[+] Found AuthHeaderInterceptor");
|
|
|
|
// Try to find Buffer class
|
|
var Buffer = null;
|
|
var bufferNames = ["r.f", "r3.f", "okio.Buffer", "r3.Buffer"];
|
|
for (var i = 0; i < bufferNames.length; i++) {
|
|
try {
|
|
Buffer = Java.use(bufferNames[i]);
|
|
console.log("[+] Found Buffer class: " + bufferNames[i]);
|
|
break;
|
|
} catch (e) {
|
|
// Try next
|
|
}
|
|
}
|
|
|
|
if (!Buffer) {
|
|
console.log("[-] Could not find Buffer class, trying without pre-loading");
|
|
}
|
|
|
|
AuthHeaderInterceptor.intercept.implementation = function(chain) {
|
|
console.log("\n" + "=".repeat(80));
|
|
console.log("[HTTP REQUEST]");
|
|
|
|
try {
|
|
// Cast chain
|
|
var ChainClass = Java.use("j3.g");
|
|
var chainObj = Java.cast(chain, ChainClass);
|
|
|
|
// Get request
|
|
var requestField = chainObj.getClass().getDeclaredField("e");
|
|
requestField.setAccessible(true);
|
|
var request = requestField.get(chainObj);
|
|
|
|
if (request) {
|
|
// Get URL
|
|
var urlField = request.getClass().getDeclaredField("a");
|
|
urlField.setAccessible(true);
|
|
var urlObj = urlField.get(request);
|
|
console.log("[URL] " + urlObj.toString());
|
|
|
|
// Get method
|
|
var methodField = request.getClass().getDeclaredField("b");
|
|
methodField.setAccessible(true);
|
|
var method = methodField.get(request);
|
|
console.log("[METHOD] " + method);
|
|
|
|
// Get request body
|
|
var bodyField = request.getClass().getDeclaredField("d");
|
|
bodyField.setAccessible(true);
|
|
var reqBody = bodyField.get(request);
|
|
|
|
if (reqBody) {
|
|
try {
|
|
// If Buffer wasn't found, try to load it now
|
|
if (!Buffer) {
|
|
var bufferNames = ["r.f", "r3.f", "okio.Buffer", "r3.Buffer"];
|
|
for (var i = 0; i < bufferNames.length; i++) {
|
|
try {
|
|
Buffer = Java.use(bufferNames[i]);
|
|
break;
|
|
} catch (e) {}
|
|
}
|
|
}
|
|
|
|
if (Buffer) {
|
|
// Create a temporary buffer
|
|
var buffer = Buffer.$new();
|
|
|
|
// Try to cast buffer to BufferedSink if needed
|
|
try {
|
|
var BufferedSink = Java.use("r3.i");
|
|
var sink = Java.cast(buffer, BufferedSink);
|
|
|
|
// Call writeTo passing the sink
|
|
reqBody.writeTo(sink);
|
|
} catch (e) {
|
|
// If cast fails, try direct call
|
|
reqBody.writeTo(buffer);
|
|
}
|
|
|
|
// Read the content as UTF-8 string
|
|
var bodyContent = buffer.B0(); // readUtf8()
|
|
|
|
console.log("\n[REQUEST BODY]");
|
|
if (bodyContent && bodyContent.length > 0) {
|
|
if (bodyContent.length > 2000) {
|
|
console.log(bodyContent.substring(0, 2000));
|
|
console.log("\n... (truncated, total: " + bodyContent.length + " chars)");
|
|
} else {
|
|
console.log(bodyContent);
|
|
}
|
|
} else {
|
|
console.log("(empty)");
|
|
}
|
|
} else {
|
|
console.log("\n[REQUEST BODY] Could not load Buffer class");
|
|
}
|
|
|
|
} catch (e) {
|
|
console.log("[REQUEST BODY ERROR] " + e);
|
|
}
|
|
} else {
|
|
console.log("[REQUEST BODY] null");
|
|
}
|
|
}
|
|
|
|
} catch (e) {
|
|
console.log("[ERROR] " + e);
|
|
}
|
|
|
|
console.log("=".repeat(80) + "\n");
|
|
|
|
// Call original
|
|
return this.intercept(chain);
|
|
};
|
|
|
|
console.log("[*] Hook installed!\n");
|
|
|
|
} catch (e) {
|
|
console.log("[-] Failed: " + e);
|
|
}
|
|
});
|