fix: 修复Burp插件(Legacy/Montoya)中文乱码问题 - 强制使用UTF-8编码处理HTTP请求body和完整报文

Author: lanshuizhiyue

src/burpEx/legacy-api/src/main/java/com/sqlmapwebui/burp/BurpExtender.java

@@ -6,6 +6,7 @@
 
 import javax.swing.*;
 import java.awt.*;
+import java.nio.charset.StandardCharsets;
 import java.io.PrintWriter;
 import java.util.ArrayList;
 import java.util.List;
@@ -323,7 +324,7 @@ private void sendRequestToBackend(IHttpRequestResponse requestResponse, ScanConf
             int bodyOffset = requestInfo.getBodyOffset();
             String body = "";
             if (bodyOffset < request.length) {
-                body = new String(request, bodyOffset, request.length - bodyOffset);
+                body = new String(request, bodyOffset, request.length - bodyOffset, StandardCharsets.UTF_8);
             }
 
             StringBuilder headersJson = new StringBuilder("[");

src/burpEx/legacy-api/src/main/java/com/sqlmapwebui/burp/RequestDeduplicator.java

@@ -154,15 +154,15 @@ public static String generateFingerprint(IHttpRequestResponse requestResponse, I
             int bodyOffset = requestInfo.getBodyOffset();
             String body = "";
             if (bodyOffset < request.length) {
-                body = new String(request, bodyOffset, request.length - bodyOffset);
+                body = new String(request, bodyOffset, request.length - bodyOffset, StandardCharsets.UTF_8);
             }
             String normalizedBody = normalizeBody(body, getContentType(requestInfo));
             sb.append("body:").append(normalizedBody);
 
         } catch (Exception e) {
             // 如果解析失败，使用原始请求的hash
             byte[] request = requestResponse.getRequest();
-            sb.append("raw:").append(new String(request));
+            sb.append("raw:").append(new String(request, StandardCharsets.UTF_8));
         }
 
         // 生成MD5哈希作为指纹

src/burpEx/legacy-api/src/main/java/com/sqlmapwebui/burp/dialogs/AdvancedScanConfigDialog.java

@@ -11,6 +11,7 @@
 import javax.swing.table.TableRowSorter;
 import java.awt.*;
 import java.io.PrintWriter;
+import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
@@ -623,7 +624,7 @@ private void loadRequestToEditor(int index) {
                     currentRequestEditor.setText(requestEditors.get(index).getText());
                 } else {
                     IHttpRequestResponse msg = textMessages.get(index);
-                    String requestText = new String(msg.getRequest());
+                    String requestText = new String(msg.getRequest(), StandardCharsets.UTF_8);
                     currentRequestEditor.setText(requestText);
                     // 缓存
                     while (requestEditors.size() <= index) {
@@ -789,7 +790,7 @@ private void sendWithInjectionMarks(ScanConfig config) {
             if (i < requestEditors.size() && requestEditors.get(i) != null) {
                 markedRequest = requestEditors.get(i).getText();
             } else {
-                markedRequest = new String(msg.getRequest());
+                markedRequest = new String(msg.getRequest(), StandardCharsets.UTF_8);
             }
 
             // 检查是否有标记
@@ -822,7 +823,7 @@ private void sendRequestToBackend(IHttpRequestResponse requestResponse, ScanConf
             int bodyOffset = requestInfo.getBodyOffset();
             String body = "";
             if (bodyOffset < request.length) {
-                body = new String(request, bodyOffset, request.length - bodyOffset);
+                body = new String(request, bodyOffset, request.length - bodyOffset, StandardCharsets.UTF_8);
             }
 
             // 构建JSON payload

src/burpEx/legacy-api/src/main/java/com/sqlmapwebui/burp/dialogs/BatchInjectionMarkDialog.java

@@ -10,6 +10,7 @@
 import javax.swing.table.TableRowSorter;
 import java.awt.*;
 import java.io.PrintWriter;
+import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
@@ -458,7 +459,7 @@ private void loadRequestToEditor(int index) {
                     currentRequestEditor.setText(requestEditors.get(index).getText());
                 } else {
                     IHttpRequestResponse msg = textMessages.get(index);
-                    String requestText = new String(msg.getRequest());
+                    String requestText = new String(msg.getRequest(), StandardCharsets.UTF_8);
                     currentRequestEditor.setText(requestText);
                     // 缓存
                     while (requestEditors.size() <= index) {
@@ -537,7 +538,7 @@ private void sendScan() {
             if (i < requestEditors.size() && requestEditors.get(i) != null) {
                 markedRequest = requestEditors.get(i).getText();
             } else {
-                markedRequest = new String(msg.getRequest());
+                markedRequest = new String(msg.getRequest(), StandardCharsets.UTF_8);
             }
 
             // 检查是否有标记

src/burpEx/montoya-api/src/main/java/com/sqlmapwebui/burp/BinaryContentDetector.java

@@ -6,6 +6,7 @@
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.Set;
+import java.nio.charset.StandardCharsets;
 
 /**
  * 二进制内容检测器
@@ -215,7 +216,8 @@ private static boolean containsBinaryInMultipart(byte[] body) {
         }
 
         try {
-            String bodyStr = new String(body);
+            // 使用UTF-8编码解析body，避免编码问题
+            String bodyStr = new String(body, StandardCharsets.UTF_8);
             // 简单检查：如果包含Content-Type: image/、video/、audio/、application/octet-stream等
             String lowerBody = bodyStr.toLowerCase();
             return lowerBody.contains("content-type: image/") ||

src/burpEx/montoya-api/src/main/java/com/sqlmapwebui/burp/HttpRequestUtils.java

@@ -0,0 +1,71 @@
+package com.sqlmapwebui.burp;
+
+import burp.api.montoya.http.message.requests.HttpRequest;
+import burp.api.montoya.core.ByteArray;
+
+import java.nio.charset.StandardCharsets;
+
+/**
+ * HTTP请求处理工具类
+ * 
+ * 解决 Burp Montoya API 默认使用 ISO-8859-1 编码导致的中文乱码问题。
+ * 强制使用 UTF-8 编码来正确处理包含中文等非ASCII字符的请求。
+ */
+public class HttpRequestUtils {
+    
+    /**
+     * 获取请求体内容（UTF-8编码）
+     * 
+     * 注意：Burp的 request.bodyToString() 可能使用 ISO-8859-1 编码，
+     * 导致中文等 UTF-8 字符出现乱码。此方法强制使用 UTF-8 编码。
+     * 
+     * @param request HTTP请求对象
+     * @return UTF-8编码的请求体字符串
+     */
+    public static String getBodyAsUtf8(HttpRequest request) {
+        if (request == null) {
+            return "";
+        }
+        
+        try {
+            ByteArray body = request.body();
+            if (body == null || body.length() == 0) {
+                return "";
+            }
+            
+            byte[] bodyBytes = body.getBytes();
+            return new String(bodyBytes, StandardCharsets.UTF_8);
+        } catch (Exception e) {
+            // 如果获取失败，回退到默认方法
+            return request.bodyToString();
+        }
+    }
+    
+    /**
+     * 获取完整的HTTP请求内容（UTF-8编码）
+     * 
+     * 注意：Burp的 request.toString() 可能使用 ISO-8859-1 编码，
+     * 导致中文等 UTF-8 字符出现乱码。此方法强制使用 UTF-8 编码。
+     * 
+     * @param request HTTP请求对象
+     * @return UTF-8编码的完整HTTP请求字符串
+     */
+    public static String getRequestAsUtf8(HttpRequest request) {
+        if (request == null) {
+            return "";
+        }
+        
+        try {
+            ByteArray requestBytes = request.toByteArray();
+            if (requestBytes == null || requestBytes.length() == 0) {
+                return "";
+            }
+            
+            byte[] bytes = requestBytes.getBytes();
+            return new String(bytes, StandardCharsets.UTF_8);
+        } catch (Exception e) {
+            // 如果获取失败，回退到默认方法
+            return request.toString();
+        }
+    }
+}

src/burpEx/montoya-api/src/main/java/com/sqlmapwebui/burp/RequestDeduplicator.java

@@ -137,14 +137,15 @@ public static String generateFingerprint(HttpRequest request) {
             sb.append("query:").append(normalizedQuery).append("|");
 
             // 7. Body参数 (对于POST/PUT等)
-            String body = request.bodyToString();
+            // 使用UTF-8编码获取body，避免中文乱码
+            String body = HttpRequestUtils.getBodyAsUtf8(request);
             String normalizedBody = normalizeBody(body, getContentType(request));
             sb.append("body:").append(normalizedBody);
 
         } catch (Exception e) {
             // 如果解析失败，使用原始URL和body的hash
             sb.append("raw:").append(request.url()).append("|");
-            sb.append("body:").append(request.bodyToString());
+            sb.append("body:").append(HttpRequestUtils.getBodyAsUtf8(request));
         }
 
         // 生成MD5哈希作为指纹

src/burpEx/montoya-api/src/main/java/com/sqlmapwebui/burp/SqlmapContextMenuProvider.java

@@ -263,7 +263,8 @@ private void sendRequestToBackend(HttpRequest request, ScanConfig config) {
         try {
             String url = request.url();
             String method = request.method();
-            String body = request.bodyToString();
+            // 使用UTF-8编码获取body，避免中文乱码
+            String body = HttpRequestUtils.getBodyAsUtf8(request);
 
             // 构建headers列表
             List<String> headersList = new ArrayList<>();

src/burpEx/montoya-api/src/main/java/com/sqlmapwebui/burp/dialogs/AdvancedScanConfigDialog.java

@@ -609,19 +609,15 @@ private void loadRequestToEditor(int index) {
                 currentMarkCountLabel.setText("标记数: -");
                 currentMarkCountLabel.setForeground(Color.GRAY);
             } else {
-                // 从缓存加载或原始请求
-                if (index < requestEditors.size() && requestEditors.get(index) != null) {
-                    currentRequestEditor.setText(requestEditors.get(index).getText());
-                } else {
-                    HttpRequestResponse msg = textMessages.get(index);
-                    currentRequestEditor.setText(msg.request().toString());
-                    // 缓存
-                    while (requestEditors.size() <= index) {
-                        requestEditors.add(null);
-                    }
-                    JTextArea cached = new JTextArea(msg.request().toString());
-                    requestEditors.set(index, cached);
+                // 使用UTF-8编码获取请求内容，避免中文乱码
+                HttpRequestResponse msg = textMessages.get(index);
+                currentRequestEditor.setText(HttpRequestUtils.getRequestAsUtf8(msg.request()));
+                // 缓存
+                while (requestEditors.size() <= index) {
+                    requestEditors.add(null);
                 }
+                JTextArea cached = new JTextArea(HttpRequestUtils.getRequestAsUtf8(msg.request()));
+                requestEditors.set(index, cached);
                 currentRequestEditor.setEditable(true);
                 currentRequestEditor.setBackground(Color.WHITE);
                 updateCurrentMarkCount();
@@ -779,7 +775,8 @@ private void sendWithInjectionMarks(ScanConfig config) {
             if (i < requestEditors.size() && requestEditors.get(i) != null) {
                 markedRequest = requestEditors.get(i).getText();
             } else {
-                markedRequest = msg.request().toString();
+                // 使用UTF-8编码获取请求内容，避免中文乱码
+                markedRequest = HttpRequestUtils.getRequestAsUtf8(msg.request());
             }
 
             // 检查是否有标记
@@ -804,7 +801,8 @@ private void sendRequestToBackend(HttpRequest request, ScanConfig config, String
         try {
             String url = request.url();
             String method = request.method();
-            String body = request.bodyToString();
+            // 使用UTF-8编码获取body，避免中文乱码
+            String body = HttpRequestUtils.getBodyAsUtf8(request);
 
             // 构建headers列表
             List<String> headersList = new ArrayList<>();

src/burpEx/montoya-api/src/main/java/com/sqlmapwebui/burp/dialogs/BatchInjectionMarkDialog.java

@@ -449,13 +449,14 @@ private void loadRequestToEditor(int index) {
                 if (index < requestEditors.size() && requestEditors.get(index) != null) {
                     currentRequestEditor.setText(requestEditors.get(index).getText());
                 } else {
+                    // 使用UTF-8编码获取请求内容，避免中文乱码
                     HttpRequestResponse msg = textMessages.get(index);
-                    currentRequestEditor.setText(msg.request().toString());
+                    currentRequestEditor.setText(HttpRequestUtils.getRequestAsUtf8(msg.request()));
                     // 缓存
                     while (requestEditors.size() <= index) {
                         requestEditors.add(null);
                     }
-                    JTextArea cached = new JTextArea(msg.request().toString());
+                    JTextArea cached = new JTextArea(HttpRequestUtils.getRequestAsUtf8(msg.request()));
                     requestEditors.set(index, cached);
                 }
                 currentRequestEditor.setEditable(true);
@@ -528,7 +529,8 @@ private void sendScan() {
             if (i < requestEditors.size() && requestEditors.get(i) != null) {
                 markedRequest = requestEditors.get(i).getText();
             } else {
-                markedRequest = msg.request().toString();
+                // 使用UTF-8编码获取请求内容，避免中文乱码
+                markedRequest = HttpRequestUtils.getRequestAsUtf8(msg.request());
             }
 
             // 检查是否有标记