/**
 * Capture REQUEST BODY by hooking MoshiRequestBodyConverter.
 *
 * Frida script that installs two hooks inside Java.perform():
 *   1. MoshiRequestBodyConverter.convert(Object): the argument is serialized a
 *      second time, through the converter's own "adapter" field, into a scratch
 *      buffer, and the resulting JSON is printed (first 3000 chars at most).
 *   2. AuthHeaderInterceptor.intercept(chain): the request's method and URL are
 *      read by reflection and printed.
 * Each hook then calls the original implementation and returns its result
 * unchanged.
 *
 * NOTE(review): "r3.f", "r3.i", "Z2.t", "j3.g", the method "B0" and the field
 * names "e", "a", "b" are obfuscated identifiers; presumably they match one
 * specific build of the app only. Confirm them before trusting the output.
 * NOTE(review): the body is read in-process as plaintext JSON, so the console
 * output can hold credentials, tokens and personal data; treat the log as
 * sensitive material.
 */

console.log("\n[*] Capturing REQUEST Bodies via MoshiRequestBodyConverter\n");

Java.perform(() => {
  // Longest body prefix that is printed in full.
  const BODY_PREVIEW_LIMIT = 3000;
  // Separator line printed above and below each captured body.
  const RULE = "=".repeat(80);

  /**
   * Read a declared (possibly private) field of a Java object by reflection.
   * The field is looked up on the object's runtime class only.
   */
  function readDeclaredField(target, fieldName) {
    const field = target.getClass().getDeclaredField(fieldName);
    field.setAccessible(true);
    return field.get(target);
  }

  /**
   * Serialize `payload` with the converter's own adapter into a fresh buffer
   * and return the buffer's content as text.
   */
  function serializeWithConverterAdapter(converter, payload) {
    const moshiAdapter = readDeclaredField(converter, "adapter");

    // Scratch buffer that receives the JSON.
    const scratchBuffer = Java.use("r3.f").$new();

    // JsonWriter is built through its (non-public) constructor taking "r3.i".
    const writerCtor = Java.use("Z2.t").class.getDeclaredConstructor([Java.use("r3.i").class]);
    writerCtor.setAccessible(true);
    const scratchWriter = writerCtor.newInstance([scratchBuffer]);

    moshiAdapter.toJson(scratchWriter, payload);
    scratchWriter.close();

    return scratchBuffer.B0(); // readUtf8()
  }

  /** Print a captured body between two separator lines, truncating long ones. */
  function printCapturedBody(json) {
    console.log("\n" + RULE);
    console.log("[CAPTURED REQUEST BODY]");

    const hasContent = Boolean(json) && json.length > 0;
    if (!hasContent) {
      console.log("(empty)");
    } else if (json.length > BODY_PREVIEW_LIMIT) {
      console.log(json.substring(0, BODY_PREVIEW_LIMIT));
      console.log("\n... (truncated, total: " + json.length + " chars)");
    } else {
      console.log(json);
    }

    console.log(RULE + "\n");
  }

  /** Print "METHOD URL" for the request carried by an interceptor chain. */
  function logRequestLine(chain) {
    const realChain = Java.cast(chain, Java.use("j3.g"));

    const request = readDeclaredField(realChain, "e");
    if (!request) {
      return;
    }

    const url = readDeclaredField(request, "a");
    const verb = readDeclaredField(request, "b");
    console.log("\n[REQUEST] " + verb + " " + url.toString());
  }

  // Hook MoshiRequestBodyConverter.convert() directly
  try {
    const converterClass = Java.use("retrofit2.converter.moshi.MoshiRequestBodyConverter");
    console.log("[+] Found MoshiRequestBodyConverter");

    const originalConvert = converterClass.convert.overload('java.lang.Object');

    originalConvert.implementation = function (obj) {
      // Capture first; a failure here must not stop the real conversion.
      try {
        printCapturedBody(serializeWithConverterAdapter(this, obj));
      } catch (e) {
        console.log("[CAPTURE ERROR] " + e);
      }

      // Hand back the RequestBody produced by the original implementation.
      return originalConvert.call(this, obj);
    };

    console.log("[*] MoshiRequestBodyConverter hook installed!\n");
  } catch (e) {
    console.log("[-] Failed to hook MoshiRequestBodyConverter: " + e);
  }

  // Also hook the Auth interceptor to show URLs
  try {
    const interceptorClass = Java.use("com.adif.elcanomovil.serviceNetworking.interceptors.AuthHeaderInterceptor");
    console.log("[+] Found AuthHeaderInterceptor");

    interceptorClass.intercept.implementation = function (chain) {
      // Logging is best-effort; the request proceeds whether or not it works.
      try {
        logRequestLine(chain);
      } catch (e) {
        console.log("[URL CAPTURE ERROR] " + e);
      }

      // Call original
      return this.intercept(chain);
    };

    console.log("[*] Interceptor hook installed!\n");
  } catch (e) {
    console.log("[-] Failed to hook AuthHeaderInterceptor: " + e);
  }
});