From: http://www.2cto.com/Article/201207/139493.html
0x00 Digression
Recently I fell in love with the Burp Suite security tool. On Baidu, tutorials on this tool were even being sold for RMB... Oh no. I was going to buy the slides, but Daniel was so proud that he didn't buy them. So we have this article today. Thanks to some of my friends: Mickey and Sunge of cert.
0x01 Introduction
Installation requirements:
Java 1.5 or later (the latest JRE is recommended), which is free of charge:
http://java.sun.com/j2se/downloads.html
Burp Suite: http://portswigger.net/burp/download.html
Getting started:
After installation, double-click the executable JAR file. If that does not work, run it from a command prompt or terminal with the following command.
Command: java -jar burpsuite_v1.4.jar
Burp Suite tools
Burp Suite is a collection of Burp tools with many interfaces for passing data between them. This design is meant to make the whole testing workflow faster and more effective. All tools on the platform share the same robust framework for handling HTTP requests, persistence, authentication, upstream proxies, logging, alerts and extensibility in a uniform way. Burp Suite lets a tester enumerate, analyse and attack web applications by combining manual and automated techniques; the different Burp tools work together, sharing information so that an attack in one tool can build on information gathered in another.
Proxy: Provides an intuitive and friendly user interface. Its proxy server has very detailed interception rules and can accurately analyse the structure and content of HTTP messages.
Spider: The crawling tool can be used to crawl the target website and display its content, basic structure and other features.
Scanner: Automatically discovers web application security vulnerabilities. It is designed for penetration testing and works closely with your existing techniques and methods, supporting both manual and semi-automated web application penetration tests.
Repeater: Lets you manually resend a single HTTP request.
Intruder: The strength of Burp Suite; it provides a set of particularly useful features. It can automatically launch various customised attacks, including resource enumeration, data extraction and fuzz testing for common vulnerabilities. Among the effective scanning tools available, it gives the most detailed and simplest access to the requests and responses it produces, combining the tester's own judgement with the control the tool offers.
Sequencer: Analyses the predictability of session tokens, session identifiers, or other key values that need to be randomly generated for security reasons.
Decoder: Converts data into a standard format, or converts raw data into various encodings and hashes. It can intelligently identify multiple encoding formats using heuristic techniques.
Comparer: A simple tool that performs a comparison (a visual "diff") between any two items of data. When testing a web application, this need usually arises when you want to quickly identify the differences between two application responses (for example, between two responses received during an attack, or between the login failure responses for a valid and an invalid username), or between two application requests (for example, to determine which request parameters cause different behaviour).
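As an added illustration of what Sequencer measures (this is example code written for this page, not Burp's own implementation), the following Python script estimates the per-character entropy of a sample of session tokens and compares a sequential counter scheme against a randomly generated one. The token generators, the sample size and the 16-hex-digit token format are constructed assumptions; Sequencer itself collects its sample from live responses.

```python
import math
import random
import secrets
from collections import Counter

# Constructed token generators standing in for tokens Sequencer would capture
# from live responses (assumption: 64-bit tokens rendered as 16 hex digits).


def sequential_tokens(n, start=1000):
    """Weak scheme: a zero-padded hexadecimal counter, one increment per token."""
    return [format(start + i, "016x") for i in range(n)]


def random_tokens(n, seed=None):
    """Strong scheme: 64 random bits per token. Pass a seed for reproducible
    output (demonstration only); without a seed the secrets CSPRNG is used."""
    if seed is None:
        return [secrets.token_hex(8) for _ in range(n)]
    rng = random.Random(seed)
    return [format(rng.getrandbits(64), "016x") for _ in range(n)]


def position_entropy(tokens):
    """Shannon entropy, in bits, of the character observed at each position
    across the sample. A position that never changes scores 0; a uniformly
    distributed hex digit scores close to log2(16) = 4."""
    width = len(tokens[0])
    if any(len(t) != width for t in tokens):
        raise ValueError("all tokens in the sample must have the same length")
    entropies = []
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        total = sum(counts.values())
        h = -sum((c / total) * math.log2(c / total) for c in counts.values())
        entropies.append(h)
    return entropies


def predictability_report(tokens):
    """Summarise a sample the way one reads a Sequencer result: mean bits per
    character, the positions that never vary, and the theoretical maximum."""
    ent = position_entropy(tokens)
    return {
        "samples": len(tokens),
        "mean_bits_per_char": sum(ent) / len(ent),
        "fixed_positions": [i for i, h in enumerate(ent) if h == 0.0],
        "max_bits_per_char": math.log2(16),
    }


if __name__ == "__main__":
    for name, sample in (("counter", sequential_tokens(2000)),
                         ("random", random_tokens(2000, seed=7))):
        r = predictability_report(sample)
        print(f"{name:8} mean={r['mean_bits_per_char']:.2f} bits/char "
              f"(max {r['max_bits_per_char']:.0f}), "
              f"fixed positions: {r['fixed_positions']}")
```

The counter scheme leaves thirteen of the sixteen positions constant across 2000 samples and averages well under one bit per character, while the random scheme stays close to the four-bit ceiling at every position. Sequencer applies a broader battery of statistical tests, but this per-position view is the first thing to look at when a token sample comes back.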
0x02 Configuration
Open Burp Suite and configure the listening port.
Once the proxy port has been chosen and the service started in Burp Suite, we need to configure our browser. In most browsers you only need to open Settings - Network - Proxy and tell it to use "localhost" and port "8080" (or whatever port you are running; Burp's default is 8080). Then save the updated settings.
Now we can enter the website we want to test in the browser. In the Burp Suite window the Proxy tab is highlighted in red, indicating that it needs your input. The default behaviour is intercept ON, which means that every outgoing request it captures waits for the user to decide whether the packet is forwarded or dropped. You can forward the requests, view the page and load the target website www.2cto.com. If this gets in the way, you can turn intercept OFF, browse the website manually and let the captured data go to the "History" tab, where you can review and test it by hand.
With interception turned off, you will see all submitted data in the history. Here you can see all request and response data; right-click an entry to run other tests on it.
0x03 Intruder: custom attack automation
Today I will use the SQL injection exercise in DVWA for testing; see the figure below. The SQL injection is very simple. Let's test it:
We need to capture the user ID request: click the submit button, capture the packet, and test the user-supplied ID value with payloads.
To do this, we must make sure Burp intercepts our request:
Submit a user ID request and send it to Intruder. You will see the following:
The tool has automatically created payload positions for testing. The start and end of each attack position are marked with the § symbol; the position you want to test is the one enclosed by these markers.
Then set the attack type. There are four modes to choose from; for details of the differences between them, refer to Burp's official help documentation.
Sniper: This attack mode lets us inject a single payload set into the selected attack positions. It takes each payload option, inserts it into the selected position and repeats until all payload options have been tested. If you select multiple positions, it tests one position at a time. I will show you how this test can reveal signs of SQL injection in seconds.
Pitchfork: This attack mode lets you test multiple payload sets, up to 8, one per attack position. It assigns a different payload set to each position to be tested and works through them one by one.
Cluster bomb: This attack mode uses multiple payload sets and tests every possible payload at every selected attack position, meaning that each subsequent test swaps in another payload combination. It is very convenient when you have different injection requirements.
Today I chose Sniper mode for testing. I will show you how to use it to test for SQL injection. Although Burp comes with built-in test strings, I still prefer to sort out my own. Below are some SQL injection test strings I have compiled myself:
'
"
/
/*
#
)
(
)'
('
And 1 = 1
And 1 = 2
And 1> 2
And 12
+ And + 12
/**/And/**/1
Let's configure the attack test.
Since I have prepared a txt file, I load my statements directly.
After confirming, go to the Grep - Match option under the Options tab to set the matching of test results. You can use the default options or load error strings you have collected yourself.
After setting this up, we can run the test: click Intruder - Start attack in the main menu.
This opens a new window where we can see the results of the automated test.
You can clearly see the differences in returned page size. A check mark indicates that the text we supplied in Grep - Match was found in the response. If you click a request, you can view the actual request and response, so the error message can be seen clearly.
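To show what is happening behind the Intruder results table, here is an added Python example (not code from the original post or from DVWA) that reproduces the user ID lookup in two forms: the vulnerable string-concatenated query and a parameterised version. It runs a subset of the payload list above through both, renders a fake HTML page the way an application that echoes database errors would, and applies a Grep - Match style signature check to each response. The SQLite in-memory table, the sample users, the HTML template and the error-signature list are all constructed for this example; real DVWA runs on PHP and MySQL, so the exact error text differs but the mechanism is the same.

```python
import sqlite3

# Constructed signature list, the kind of strings one loads into Grep - Match.
ERROR_SIGNATURES = (
    "You have an error in your SQL syntax",   # MySQL wording
    "unrecognized token",                     # SQLite wording
    "syntax error",
)

# Subset of the payload list from the post, used here as the Intruder input.
PAYLOADS = ["'", '"', "/", "/*", "#", ")", "(", ")'", "('",
            "And 1 = 1", "And 1 = 2", "And 1> 2", "/**/And/**/1"]


def make_db():
    """Constructed stand-in for the DVWA users table (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("1", "admin", "admin"), ("2", "Gordon", "Brown"),
                      ("3", "Pablo", "Picasso")])
    return conn


def lookup_vulnerable(conn, user_id):
    """The submitted value is spliced into the SQL text, so a stray quote
    changes the statement's structure and the database reports a syntax error."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}


def lookup_safe(conn, user_id):
    """Parameter binding: the value travels separately from the statement and
    is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    try:
        return {"rows": conn.execute(sql, (user_id,)).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}


def render_page(result):
    """Mimic an application that echoes database errors into the HTML body."""
    if result["error"]:
        return f"<html><body><pre>{result['error']}</pre></body></html>"
    rows = "".join(f"<p>First name: {f}<br>Surname: {l}</p>" for f, l in result["rows"])
    return f"<html><body>{rows or '<p>No such user</p>'}</body></html>"


def grep_match(body):
    """Return the signatures present in a response body (case-insensitive)."""
    return [s for s in ERROR_SIGNATURES if s.lower() in body.lower()]


def intruder_table(conn, lookup, payloads=PAYLOADS):
    """One row per payload, like the Intruder results window: response
    length and the Grep - Match hits for that response."""
    table = []
    for p in payloads:
        body = render_page(lookup(conn, p))
        table.append({"payload": p, "length": len(body), "grep": grep_match(body)})
    return table


def flagged_payloads(conn, lookup):
    """Payloads whose response got a check mark in the grep column."""
    return [r["payload"] for r in intruder_table(conn, lookup) if r["grep"]]


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("parameterised", lookup_safe)):
        print(name)
        for r in intruder_table(db, fn):
            print(f"  {r['payload']!r:16} length={r['length']:4} grep={r['grep']}")
```

Against the vulnerable lookup, the three payloads that leave an unbalanced quote produce a database error and a noticeably different response length, which is exactly the pair of signals (length column plus grep check mark) that the Intruder window surfaces. Against the parameterised lookup every payload returns the same "No such user" page with no error, so neither signal appears: on the defending side, that uniformity is what a properly fixed endpoint looks like under the same attack.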
Now we have identified a potential SQL injection vulnerability. This is a good start, but what next? Let's go back to the Intruder settings and change them for further testing and exploitation. Let's see if we can set Intruder to test ORDER BY to quickly determine the number of columns. Using the same request, we can insert the following statements at the current position.
Order by 1-
Order by 2-
+ ORDER + BY + 1-
+ ORDER + BY + 2-
/**/ORDER/**/BY/**/1-
/**/ORDER/**/BY/**/2-
Now we have found 2 columns! You can tell from the length of the response. Now we send this request to Repeater, and use Repeater to find the vulnerable column.
Now we know the vulnerable column. We can transfer this request to Intruder for information gathering and testing, inserting some of our own database queries for automated testing.
Basic.txt:
version()
user()
database()
@@hostname
@@basedir
@@datadir
Here we don't need to set Grep - Match. As for why, work it out yourself...
Next, we can use another Intruder attack mode to check the other available databases.
Now we have the basic information and the database names. We can continue and reconfigure Intruder to get all the table names. But remember that the database name must be converted to hexadecimal, and the encoding can be done with Burp's built-in Decoder.
Reconfigure Intruder - get the column names
Now you can use Repeater directly to send a request and obtain the data.
This article has come to an end. Burp Intruder as shown here is only a reference; you are welcome to discuss its more powerful functions. If you want to share your 1.4.0.5 Professional Edition, please send it to me. Thanks.