Shulou(Shulou.com)06/03 Report--

This article mainly introduces the example analysis of the Burpsuite Intruder module of the Burpsuite module, which has a certain reference value, and interested friends can refer to it. I hope you will gain a lot after reading this article.

I. brief introduction

Burp Intruder is a powerful tool for automatically customizing attacks against Web applications. Burp Intruder is highly configurable and is used to automate attacks on a wide range of applications. You can use Burp Intruder to easily perform many tasks, including enumerating identifiers, getting useful data, and vulnerability ambiguity testing. The appropriate type of attack depends on the application, and may include: defect testing: SQL injection, cross-site scripting, buffer overflow, path traversal; brute force attacks on authentication systems; enumerations; manipulation of parameters; pull-out hidden content and functionality; session token sequencing and session hijacking; data mining; concurrency attacks; and a denial of service attack at the application layer.

II. Module description

Burp Intruder consists of four main modules:

1:Target is used to configure the details of the attack on the target server.

2:Positions sets the insertion point of Payloads and the type of attack (attack mode).

3:Payloads sets payload, configuration dictionary

4:Opetions this tab contains request headers,request engine,attack results, grep match,grep_extrack,grep payloads and redirections. You can edit these options on the UI of the main Intruder before launching an attack, and most of the settings can be changed to the window that is already running during the attack.

1:Target destination option (Target tab)

This option is used to configure the details of the target server:

2:Positions location option (Positions tab)

This option is used to configure the template for all HTTP requests generated in the attack:

Use a pair of §characters to mark the location of the payload, where the two symbols directly contain the content of the template text. When a payload is placed in a special location of a given request, the §symbol is placed in that position, and the text that appears between the two symbols is replaced by the payload. When there is a particular location where there is no payload for a given request (this only applies to the "sniper" attack type), the §characters in that location are deleted and the text that appears between them does not change.

When using Burp Suite to send a request from somewhere else, Burp Intruder makes the best guess about where you most want to place the payload, and it places these in the values of each URL and body parameters, as well as in each cookie. Each tag and the text in the middle of it are highlighted to make it clearer. You can use the options on the Intruder menu to mark whether to replace or append existing parameter values. In the request editor above, the number of defined locations and the size of the text template are indicated.

You can use the buttons on the options to control the marks on the location:

1. Add §- inserts a location marker at the current cursor position.

2. Clear §- removes the location mark in the entire template or selected part of the template.

3. Auto §- this will make a guess about where to place the tag, where it would be useful, and then put the tag in the appropriate location. This is a useful feature to quickly mark the appropriate location for exploiting regular vulnerabilities (SQL injection), and then manual marking is for custom attacks.

4.refresh-refresh the code with colors in the editor if necessary.

5.clear-deletes the entire editor content.

3:Payloads payload option (Payloads tab)

This option is used to configure a collection of one or more payloads. If the "cluster bomb" and "pitchfork" attack types are defined, then you must configure a separate payload for each defined payload location (up to 8). Use the payload set drop-down menu to select the payload you want to configure.

Option 1:Payload Sets Payload quantity type setting

Option 2:Payload Opetions [Simple list] this option changes according to the setting of Payload type in option 1

The option 3:Payload Processing encodes, encrypts, intercepts the generated Payload.

Option 4:Payload Encoding you can configure which characters in the payload should be secure transmissions in URL-encoded HTTP requests. Any configured URL coding is applied last, after any payload processing rules are executed. This is recommended to use this setting for final URL coding rather than a payload handling rule, as the grep option that can be used for payloads can be used to check before the final URL coding that responds to the payload is applied.

4:Opetions tab (Options tab) this tab contains request headers,request engine,attack results, grep match,grep_extrack,grep payloads, and redirections. You can edit these options on the UI of the main Intruder before launching an attack, and most of the settings can be changed to the window that is already running during the attack.

Option 1:Request Headers these settings control whether the configuration request header is updated in Intruder.

If the 'update Content-Length header' box is checked, Burp Intruder adds or updates the content length of the HTTP header in the request with the correct value of the HTTP body length for each request. This feature is necessary for attacks that require a variable length payload to be inserted into the body of the HTTP request template. This HTTP specification, like most web servers, requires the header content length to specify the correct value of the HTTP body length. If no correct value is specified, the target server returns an error, may return an outstanding request, or may wait indefinitely to receive further data in the request.

If the 'set Connection: close' box is checked, Burp Intruder adds or updates the connection of the HTTP header to request a connection that has been closed after each request. In most cases, this option makes the attack execute faster.

The option 2:Request Engine sets the thread to send the request, timeout retry, and so on.

The option 3:Attack Results sets the display of attack results.

The option 4:Grep-Match finds an item in the response that contains the specified content.

The option 5:Grep-Extract returns the contents of the information by regular extraction.

The option 6:Grep-Payloads these settings can be used for flag result items that contain reflections of the committed payload. If this option is enabled, BurpSuite adds a check box indicating the value of the current load to discover a new result column for each response.

The option 7:Redirections redirect response, which controls how Burp handles redirection during an attack.

Four attack types of Burp Suite Intruder-Sniper (sniper mode)

Sniper mode uses a set of payload collections that use only one payload location at a time. Assuming you mark two locations "A" and "B" and the payload values are "1" and "2", it attacks into the following combinations (in addition to the raw data):

Attack NO.location Alocation B11no replace22no replace3no replace14no replace2

The siege hammer mode is similar to the sniper mode in that it also uses only one payload collection, except that all payload tag positions are replaced with each attack, while sniper mode can only replace one payload tag position at a time. 2 Battering ram (siege hammer mode)

Attack NO.location Alocation B111222

Pitchfork mode allows you to use multiple sets of payload combinations, traversing all payload combinations at each marker location, assuming that there are two positions "A" and "B", the values of payload combination 1 are "1" and "2", and the values of payload combination 2 are "3" and "4", the attack mode is as follows: three Pitchfork (pitchfork mode)

Attack NO.location Alocation B113224

The difference between cluster bomb mode and pitchfork mode is that cluster bomb mode performs Cartesian product on payload group, or in the above example, if cluster bomb mode is used to attack, there will be four requests in addition to baseline requests: four Cluster bomb (cluster bomb mode)

Attack NO.location Alocation B113214323424

Thank you for reading this article carefully. I hope the article "sample Analysis of Burpsuite Intruder Module of Burpsuite Module" shared by the editor will be helpful to you. At the same time, I also hope that you will support and pay attention to the industry information channel. More related knowledge is waiting for you to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.