
How to use BurpSuite Macros to get CSRF-TOKEN

2025-01-17 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report

This article explains how to use BurpSuite macros to get a CSRF-TOKEN, with a detailed analysis and solution, in the hope of giving anyone facing this problem a simpler way to handle it.

0x01 Preface

In web penetration testing you often see pages protected by a one-time token check: the request contains a token whose value has to be obtained from another page, so a captured request cannot simply be replayed. Besides brute forcing, BurpSuite macros can also be used for other tests, but the ultimate goal is the same: to let us work faster and focus on gathering information and testing rather than wasting time on repetitive work.

0x02 Getting started

Let's take a simple example to illustrate. The target website has an image CAPTCHA on the page, and the challenge asks you to brute force the account password. It can be solved in several ways; here we experiment with BurpSuite macros.

0x03 Challenge source code

Brute-force test challenges: https://github.com/3sNwgeek/BruteForc_test. These challenges are adapted from the various CAPTCHA problems I have run into in my day-to-day penetration testing work.

0x04 Discovery

Although the challenge presents a sliding CAPTCHA for logging in, the login check is actually tied to the session.

1. The target URL is http://1.1.1.1/c/hdyzma/welcome.php. Capturing a request and testing it shows that the server checks the token parameter and rejects a replayed request.

2. The token value can be found on the landing page http://1.1.1.1/c/hdyzma/:

3. Based on these findings, we can use BurpSuite's macro feature to automatically grab the token value from the landing page and fill it into the login request.

0x05 Creating the macro

1. Create a macro to get the token value

2. In the Macro Recorder, select the page that contains the token you want to get

3. Configure the macro

Select the token value with the mouse, and BurpSuite will automatically fill in the start and end delimiters. Set Parameter name to token. Note that the parameter name token here must be the same as the token parameter name on the page being brute forced:

Give the macro a description so it is easy to tell apart:

0x06 Creating Session Handling Rules

1. Create a new rule in Session Handling Rules:

Give it a name, here update_token:

Select the macro that was just recorded and set the name of the parameter to update, which here is token:

2. Then set the scope of the rule. Since we only need to brute force the account password, we only need to select Repeater and Intruder under Tools Scope; other modules can be checked as needed:

0x07 Brute forcing

1. Back in Repeater, click Go to resend the request, and you can see that the token parameter is refreshed automatically:

2. Use Intruder to brute force the account password:

Because multiple threads refresh the token at the same time, the token fetched for some requests has already been replaced by a newer one, so Intruder can only be run with a single thread:

The brute force succeeds and yields the account admin/123456a.
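The server-side view of the behaviour above, as an added example that is not from the original article or the challenge's code: a constructed Python model of a one-time session token, showing why a replayed or parallel-fetched token is rejected and why an attempt limit, not the token, is what bounds password guessing. The class, function names, sample credentials and the `MAX_FAILURES` threshold are all assumptions.

```python
import hmac
import secrets

MAX_FAILURES = 5  # assumed lockout threshold, not taken from the article


class LoginService:
    """Constructed model of a login form protected by a one-time session token."""

    def __init__(self, users, limit_failures=False):
        self.users = users                  # username -> password (constructed data)
        self.limit_failures = limit_failures
        self.session_token = {}             # session id -> the single valid token
        self.failures = {}                  # username -> failed logins so far

    def landing_page(self, sid):
        # Every page load replaces the session's token, so a token fetched
        # earlier by a parallel request is no longer valid.
        token = secrets.token_hex(16)
        self.session_token[sid] = token
        return token

    def login(self, sid, token, username, password):
        expected = self.session_token.get(sid)
        if expected is None or not hmac.compare_digest(expected, token):
            return "bad_token"
        del self.session_token[sid]         # one use only: a replay finds no token
        if self.limit_failures and self.failures.get(username, 0) >= MAX_FAILURES:
            return "locked"
        stored = self.users.get(username)
        if stored is not None and hmac.compare_digest(stored, password):
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "bad_credentials"


def attempts_reaching_password_check(service, sid, username, guesses):
    """Count guesses that get past the token check when each guess is preceded
    by a fresh landing-page fetch, which is what the session handling rule does."""
    reached = 0
    for guess in guesses:
        token = service.landing_page(sid)
        if service.login(sid, token, username, guess) in ("ok", "bad_credentials"):
            reached += 1
    return reached
```

With the token check alone, every guess reaches the password comparison; with `limit_failures=True` only the first `MAX_FAILURES` do, regardless of how the token was obtained.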

That is how to use BurpSuite macros to get the CSRF-TOKEN. I hope the above is of some help to you.
