
How do I convert multipart gzip to original file

rafael lima Aug 18, 2019 02:53AM UTC

During my research I'm intercepting some packages like this:

Content-Type: multipart/form-data; boundary=cLXA2xHy63hD9QS92t_yJwlwnL8vVb
Accept-Encoding: gzip, deflate
X-FB-HTTP-Engine: Liger
Connection: keep-alive
Content-Length: 1922

--cLXA2xHy63hD9QS92t_yJwlwnL8vVb
Content-Disposition: form-data; name="access_token"

567067343352427|f249176f09e26ce54212b472dbab8fa8
--cLXA2xHy63hD9QS92t_yJwlwnL8vVb
Content-Disposition: form-data; name="format"

json
--cLXA2xHy63hD9QS92t_yJwlwnL8vVb
Content-Disposition: form-data; name="cmsg"; filename="47b1a5f7-cd4c-4862-82e0-2eb9239479f3_2_zero.batch.gz"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary

--cLXA2xHy63hD9QS92t_yJwlwnL8vVb
Content-Disposition: form-data; name="sent_time"

1566085075.770
--cLXA2xHy63hD9QS92t_yJwlwnL8vVb
Content-Disposition: form-data; name="cmethod"

deflate
--cLXA2xHy63hD9QS92t_yJwlwnL8vVb--

I would like to be able to recreate the 47b1a5f7-cd4c-4862-82e0-2eb9239479f3_2_zero.batch.gz and decompress it.
How can I do it with Burp?


Mike Eaton Aug 19, 2019 12:29PM UTC Support Center agent

In Burp Suite Community & Pro, we have a Decoding utility that allows you to encode/decode data you receive from HTTP requests into different formats: https://portswigger.net/burp/documentation/desktop/tools/decoder

Looking at your HTTP headers, I can’t see a Content-Encoding header, so it might be that the contents of that request aren’t GZIP encoded. This means it might not be possible to extract the information using Burp Decoder, which would then require a more manual investigation depending upon the application you are intercepting requests from.

There are also a couple of settings in Proxy > Options > Miscellaneous labelled Unpack gzip / deflate in requests/responses that if enabled would allow Burp to automatically unpack GZIP encoded data, so that might also solve your issue and be a better solution going forward.
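
Added example (not part of the original thread and not Burp's own code): extracting the file part from a multipart/form-data body outside Burp and testing it against gzip, zlib and raw DEFLATE framing, since the request names the part `.gz` but sends `cmethod` as `deflate`. It assumes the request body has been saved as raw bytes, because a body copied as text no longer decompresses; the helper names, boundary and sample payload are constructed.

```python
import re
import zlib

def multipart_parts(content_type: str, body: bytes):
    """Yield (headers, payload) for every part of a raw multipart body."""
    m = re.search(r'boundary="?([^";]+)', content_type)
    if not m:
        raise ValueError("Content-Type carries no boundary")
    delim = b"\r\n--" + m.group(1).encode("ascii")
    # Prefix CRLF so the first delimiter matches like the others.
    for chunk in (b"\r\n" + body).split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter
            break
        head, _, payload = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.strip().split(b"\r\n"):
            key, _, value = line.decode("latin-1").partition(":")
            headers[key.strip().lower()] = value.strip()
        yield headers, payload

def inflate(data: bytes):
    """Try gzip, zlib and raw DEFLATE framing; None if none fits."""
    for label, wbits in (("gzip", 31), ("zlib", 15), ("raw deflate", -15)):
        try:
            return label, zlib.decompress(data, wbits)
        except zlib.error:
            continue
    return None

def extract_field(content_type: str, body: bytes, field: str):
    """Return (raw_bytes, inflate(raw_bytes)) for the named form field."""
    for headers, payload in multipart_parts(content_type, body):
        disp = headers.get("content-disposition", "")
        m = re.search(r'(?:^|;\s*)name="([^"]*)"', disp)
        if m and m.group(1) == field:
            return payload, inflate(payload)
    raise KeyError(field)

# Constructed sample (not the request from the post).
CT = "multipart/form-data; boundary=ConstructedBoundary123"
RECORD = b'{"constructed": "sample batch"}'

def sample_body(blob: bytes) -> bytes:
    sep = b"--ConstructedBoundary123\r\n"
    cd = b"Content-Disposition: form-data; name="
    return (sep + cd + b'"format"\r\n\r\njson\r\n' + sep
            + cd + b'"cmsg"; filename="sample.batch.gz"\r\n'
            + b"Content-Type: application/octet-stream\r\n\r\n" + blob + b"\r\n" + sep
            + cd + b'"cmethod"\r\n\r\ndeflate\r\n--ConstructedBoundary123--\r\n')
```

`extract_field(content_type, body, "cmsg")` returns the part's raw bytes together with the framing that decoded them, so the bytes can be written to disk under the original filename or inspected directly.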

