119 lines
4.8 KiB
JavaScript
119 lines
4.8 KiB
JavaScript
/**
|
|
* Request Body Capture using Reflection
|
|
* Automatically finds the correct method names
|
|
*/
|
|
|
|
console.log("\n[*] Request Body Capture (Reflection-based)\n");
|
|
|
|
Java.perform(function() {
|
|
|
|
try {
|
|
var AuthHeaderInterceptor = Java.use("com.adif.elcanomovil.serviceNetworking.interceptors.AuthHeaderInterceptor");
|
|
console.log("[+] Found AuthHeaderInterceptor");
|
|
|
|
AuthHeaderInterceptor.intercept.implementation = function(chain) {
|
|
console.log("\n" + "=".repeat(80));
|
|
console.log("[HTTP REQUEST]");
|
|
|
|
try {
|
|
// Cast chain
|
|
var ChainClass = Java.use("j3.g");
|
|
var chainObj = Java.cast(chain, ChainClass);
|
|
|
|
// Get request
|
|
var requestField = chainObj.getClass().getDeclaredField("e");
|
|
requestField.setAccessible(true);
|
|
var request = requestField.get(chainObj);
|
|
|
|
if (request) {
|
|
// Get URL
|
|
var urlField = request.getClass().getDeclaredField("a");
|
|
urlField.setAccessible(true);
|
|
var urlObj = urlField.get(request);
|
|
console.log("[URL] " + urlObj.toString());
|
|
|
|
// Get method
|
|
var methodField = request.getClass().getDeclaredField("b");
|
|
methodField.setAccessible(true);
|
|
var method = methodField.get(request);
|
|
console.log("[METHOD] " + method);
|
|
|
|
// Get request body
|
|
var bodyField = request.getClass().getDeclaredField("d");
|
|
bodyField.setAccessible(true);
|
|
var reqBody = bodyField.get(request);
|
|
|
|
if (reqBody) {
|
|
try {
|
|
// Load Buffer class
|
|
var Buffer = Java.use("r3.f");
|
|
var buffer = Buffer.$new();
|
|
|
|
// Call writeTo with the buffer
|
|
reqBody.writeTo(buffer);
|
|
|
|
// Use reflection to find readUtf8() method
|
|
var methods = buffer.getClass().getMethods();
|
|
var readUtf8Method = null;
|
|
|
|
for (var i = 0; i < methods.length; i++) {
|
|
var method = methods[i];
|
|
var methodName = method.getName();
|
|
var returnType = method.getReturnType().getName();
|
|
var paramCount = method.getParameterTypes().length;
|
|
|
|
// Look for a method that returns String and has no parameters
|
|
if (returnType === "java.lang.String" && paramCount === 0) {
|
|
// This is likely readUtf8()
|
|
readUtf8Method = method;
|
|
console.log("[DEBUG] Found string method: " + methodName + "()");
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (readUtf8Method) {
|
|
readUtf8Method.setAccessible(true);
|
|
var bodyContent = readUtf8Method.invoke(buffer);
|
|
|
|
console.log("\n[REQUEST BODY]");
|
|
if (bodyContent && bodyContent.length > 0) {
|
|
if (bodyContent.length > 3000) {
|
|
console.log(bodyContent.substring(0, 3000));
|
|
console.log("\n... (truncated, total: " + bodyContent.length + " chars)");
|
|
} else {
|
|
console.log(bodyContent);
|
|
}
|
|
} else {
|
|
console.log("(empty)");
|
|
}
|
|
} else {
|
|
console.log("[REQUEST BODY] Could not find readUtf8() method");
|
|
}
|
|
|
|
} catch (e) {
|
|
console.log("[REQUEST BODY ERROR] " + e);
|
|
console.log("[STACK] " + e.stack);
|
|
}
|
|
} else {
|
|
console.log("[REQUEST BODY] null");
|
|
}
|
|
}
|
|
|
|
} catch (e) {
|
|
console.log("[ERROR] " + e);
|
|
console.log("[STACK] " + e.stack);
|
|
}
|
|
|
|
console.log("=".repeat(80) + "\n");
|
|
|
|
// Call original
|
|
return this.intercept(chain);
|
|
};
|
|
|
|
console.log("[*] Hook installed!\n");
|
|
|
|
} catch (e) {
|
|
console.log("[-] Failed: " + e);
|
|
}
|
|
});
|