Summary: Burp Suite is an integrated platform for attacking web applications. It contains a set of Burp tools with many interfaces that communicate with each other, designed to speed up and improve the whole attack workflow. All the tools in the platform share the same robust framework for handling HTTP requests, persistence, authentication, upstream proxies, logging, alerting and extensibility.
Burp Suite allows attackers to enumerate, analyse and attack web applications by combining manual and automated techniques. The different Burp tools work together and share information, so that findings from one tool can be used to drive an attack in another.
Today FreeBuf member Xiaoice brings you this detailed tutorial on using Burp Suite. The article is well organised and covers all the details; it is a masterpiece of a Burp Suite usage guide!
0x00 Digression
Recently I have been fascinated by Burp Suite, this security tool. On Baidu a tutorial for it sells for 900 RMB... oh no. I originally planned to buy it, but the expert selling it was too arrogant, so I didn't. Hence today's article. Thanks to the friends who helped me: Mickey, Ann Sunge.
0x01 Introduction
Installation requirements:
Java 1.5 or later (the latest JRE is recommended), available free from
http://java.sun.com/j2se/downloads.html
Burp Suite: http://portswigger.net/burp/download.html
Getting started:
After installation, double-click the executable JAR file. If that does not work, run it from a command prompt or terminal with:
Command: java -jar Burpsuite_v1.4.jar
Burp tools:
Burp Suite includes a range of Burp tools with many interfaces that communicate with each other, designed to speed up and improve the whole attack workflow. All the tools in the platform share the same robust framework for handling HTTP requests, persistence, authentication, upstream proxies, logging, alerting and extensibility. Burp Suite allows attackers to enumerate, analyse and attack web applications using a combination of manual and automated techniques. The different Burp tools work together to share information, so that findings from one tool can be used to launch attacks with another.
Proxy provides an intuitive, user-friendly intercepting proxy server with very detailed interception rules and the ability to accurately analyse the structure and content of HTTP messages.
Spider is a crawler that can be used to crawl the target site and map its content, basic structure and other features.
Scanner is a tool for automatically discovering web application security vulnerabilities. It is designed for penetration testing and integrates closely with your existing techniques and methodology, so it adapts to manual and semi-automated web application testing.
Repeater allows you to manually resend a single HTTP request.
Intruder is the strength of Burp Suite, offering a set of particularly useful features. It can automate a variety of customised attacks, including resource enumeration, data extraction, fuzzing and testing for other common vulnerabilities. Compared with other scanning tools, it gives access to the requests and responses it generates at the finest granularity and in the simplest way, combining the tester's own intelligence with the control the tool offers.
Sequencer analyses the predictability of session tokens, session identifiers or other key values that need to be randomly generated for security reasons.
Decoder converts encoded data into its canonical form, or converts raw data into various encoded and hashed forms. It can intelligently recognise a variety of encoding formats using heuristic techniques.
Comparer is a simple tool that performs a comparison (a visual "diff") between any two items of data. When attacking a web application, this need typically arises when you want to quickly identify the difference between two application responses (for example, between two responses received during an Intruder attack, or between the responses to a failed login with a valid and an invalid user name), or between two application requests (for example, to determine which request parameter causes a difference in behaviour).
0x02 Configuration
Open Burp Suite and configure the proxy listening port.
Once the proxy port has been chosen and the listener is running in Burp Suite, we need to configure our browser. In most browsers you simply open Settings > Network > Proxy and tell it to use "localhost" and port "8080" (or whatever port you are running Burp on; the default is 8080). Then save the updated settings.
Now we can enter the website we want to test in the browser. In Burp Suite the Proxy tab will light up red, indicating that it needs your input. The default behaviour is that interception is on, meaning Burp captures every request sent and asks the user to decide whether the packet is forwarded or dropped. You can forward each request and watch the page load from the target site. If that becomes tiresome, you can turn intercept off, browse the site manually and let the captured data go to the History tab, where you can review and test it by hand.
With intercept turned off you will see all the submitted data in the history, including every request and response. From there we can right-click an item to send it to the other tools for further testing.
0x03 Intruder: custom attack automation
Today I'm going to test with DVWA's SQL injection exercise. You can see in the following picture that the SQL injection form is very simple. We test it:
We need to capture the User ID request: enter a value, click the Submit button, and after capturing the packet, use payloads to test the user-supplied ID value.
To do this, we must make sure Burp intercepts our request:
The User ID request is submitted and sent to Intruder, as you can see below:
The tool has automatically marked the payload positions for us. Payload positions use the § symbol as the opening and closing marker of each targeted attack position; the value you want to test is enclosed between a pair of § symbols.
Then set the attack type; there are four modes to choose from. The differences between these four modes are described in Burp's official help documentation.
Sniper: this attack mode injects a single payload set into the attack positions we choose. It takes the payload options, inserts each one into the selected position, and repeats until every payload has been tested. If you select more than one position, it tests only one position at a time. In a moment I'll show how to use this mode to test for signs of SQL injection.
Pitchfork: this attack mode lets you test multiple payload sets, up to 8, each assigned to its own attack position. It places a different payload set in each position and tests all positions at the same time.
Cluster bomb: this attack mode uses multiple payload sets and tests every possible payload combination across the selected attack positions, meaning each subsequent request swaps in another combination of payloads. It is very handy when you have several different places to inject.
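To make the difference between the attack modes concrete, here is an added example (not code from the article or from Burp Suite) that reproduces how Intruder expands a request template with § payload positions into the sequence of requests each mode sends. It also covers battering ram, the fourth mode, which the text does not describe. The request line and payload values are constructed placeholders; the DVWA-style URL is only an assumed shape for the template.

```python
import itertools
from typing import Iterator, List, Tuple

MARKER = "\u00a7"  # Burp Intruder's position marker (§)

# Constructed DVWA-style request line with two payload positions (assumed shape,
# not captured from any real target). The text inside each pair of markers is the
# base value that Intruder replaces with a payload.
TEMPLATE = "GET /vulnerabilities/sqli/?id=\u00a71\u00a7&Submit=\u00a7Submit\u00a7 HTTP/1.1"
SET_A = ["x", "y", "z"]  # first payload set (placeholder values)
SET_B = ["1", "2"]       # second payload set (placeholder values)


def split_template(template: str) -> Tuple[List[str], List[str]]:
    """Return (literal fragments between positions, base value of each position)."""
    parts = template.split(MARKER)
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced \u00a7 markers in template")
    return parts[0::2], parts[1::2]


def render(fragments: List[str], values: List[str]) -> str:
    """Re-assemble a request from the literal fragments and one value per position."""
    out = [fragments[0]]
    for value, tail in zip(values, fragments[1:]):
        out.append(value)
        out.append(tail)
    return "".join(out)


def expand(template: str, payload_sets: List[List[str]], mode: str) -> Iterator[str]:
    """Yield the requests Intruder would send for the given attack mode."""
    fragments, base = split_template(template)
    n = len(base)
    if mode == "sniper":
        # One payload set; one position at a time, the others keep their base value.
        for i in range(n):
            for payload in payload_sets[0]:
                values = list(base)
                values[i] = payload
                yield render(fragments, values)
    elif mode == "battering ram":
        # One payload set; the same payload goes into every position at once.
        for payload in payload_sets[0]:
            yield render(fragments, [payload] * n)
    elif mode == "pitchfork":
        # One payload set per position, advanced in lock-step (stops at the shortest set).
        if len(payload_sets) != n:
            raise ValueError("pitchfork needs one payload set per position")
        for combo in zip(*payload_sets):
            yield render(fragments, list(combo))
    elif mode == "cluster bomb":
        # One payload set per position; every combination is tried (Cartesian product).
        if len(payload_sets) != n:
            raise ValueError("cluster bomb needs one payload set per position")
        for combo in itertools.product(*payload_sets):
            yield render(fragments, list(combo))
    else:
        raise ValueError(f"unknown attack mode: {mode!r}")


def request_count(template: str, payload_sets: List[List[str]], mode: str) -> int:
    """Number of requests a given configuration generates (what Intruder shows before starting)."""
    return sum(1 for _ in expand(template, payload_sets, mode))


if __name__ == "__main__":
    runs = [("sniper", [SET_A]), ("battering ram", [SET_A]),
            ("pitchfork", [SET_A, SET_B]), ("cluster bomb", [SET_A, SET_B])]
    for mode, sets in runs:
        print(f"{mode}: {request_count(TEMPLATE, sets, mode)} requests")
        for request in expand(TEMPLATE, sets, mode):
            print("   ", request)
```

With three payloads in the first set and two in the second, sniper sends 3 per position (6 in total), battering ram 3, pitchfork 2 (it stops when the shorter set runs out) and cluster bomb 3 x 2 = 6; the request count is what grows quickly with cluster bomb once several positions are selected.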
Today I'm using Sniper mode, and I'll show how to use it to test for SQL injection vulnerabilities. Although Burp ships with its own test strings, I prefer to organise the statements myself; here are some of my own SQL injection test strings, one per line:
'//*#) '(' and 1=1
and 1=2
and 1>2
and 12
+and+12
/**/and/**/1
Let's configure the attack test.
Since I have compiled my own txt file, I simply load my statements from it.
After confirming, we go to the Options tab and, under Grep - Match, set the match strings for the test results. You can use the default options, or load the error messages you have collected.
Once setup is complete, we can run the test by clicking Intruder > Start attack on the main menu.
This opens a new window where we can see the results of the automated tests.
You can clearly see the differences in the returned page length. A tick in a Grep - Match column indicates that the text we supplied was found in the response. If you click on a request, you can view the actual request we sent as well as the response, so we can now see the error message clearly.
Now we have determined that a potential SQL injection vulnerability exists. It's a good start, but what now? We go back to Intruder and change our settings to test and exploit further. Let's see whether we can set Intruder to test ORDER BY in order to quickly determine the number of columns. Using the same request, we insert the following payloads at the current position:
ORDER by 1--
ORDER by 2--
+order+by+1--
+order+by+2--
/**/order/**/by/**/1--
/**/order/**/by/**/2--
Now we've found that the number of columns is 2! You can use the response length as a clue to determine this. Next we send this request to Repeater and use Repeater to find the vulnerable column.
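The two signals the article reads off the Intruder results table (response length versus the baseline, and Grep - Match hits on database error text) and the ORDER BY column count are easy to reproduce offline. The following is an added example, not code from the article or from DVWA: an in-memory SQLite stand-in for DVWA's user lookup with the string-concatenation bug, the same lookup with a bound parameter, and a small harness that records what Intruder would show for each payload. The table rows and the error strings are constructed; a MySQL target would need MySQL's own error wording, which is what the author's collected error messages are for.

```python
import sqlite3
from typing import Callable, Dict, List, Optional

# Grep - Match list, as one would load into Intruder. These are SQLite's wordings
# (constructed for this toy); a MySQL target needs MySQL's messages instead.
ERROR_STRINGS = [
    "unrecognized token",
    "syntax error",
    "ORDER BY term out of range",
    "no such column",
]

Handler = Callable[[sqlite3.Connection, str], str]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for DVWA's users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")],
    )
    return conn


def format_rows(rows) -> str:
    return "".join(f"<pre>First name: {f}<br>Surname: {l}</pre>" for f, l in rows)


def vulnerable_lookup(conn: sqlite3.Connection, user_id: str) -> str:
    """The bug the tutorial probes: the id is spliced into the SQL text, so quotes,
    comment markers and ORDER BY clauses in the input reach the SQL parser."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.Error as exc:
        return f"<pre>{exc}</pre>"  # the error text is echoed, which is what Grep - Match catches
    return format_rows(rows)


def safe_lookup(conn: sqlite3.Connection, user_id: str) -> str:
    """Hardened form: a bound parameter is always data, never part of the SQL."""
    rows = conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()
    return format_rows(rows)


def run_attack(handler: Handler, payloads: List[str]) -> List[Dict]:
    """Replay each payload and record the columns Intruder's results table shows:
    response length, its difference from the baseline request, and grep hits."""
    conn = make_db()
    baseline = handler(conn, "1")
    results = []
    for payload in payloads:
        body = handler(conn, payload)
        results.append({
            "payload": payload,
            "length": len(body),
            "delta": len(body) - len(baseline),
            "grep": [s for s in ERROR_STRINGS if s in body],
        })
    return results


def count_columns(handler: Handler, max_cols: int = 10) -> Optional[int]:
    """The ORDER BY probe from the text: the column count is the largest n for which
    ORDER BY n does not error. Returns None when no error is ever observed, i.e. the
    input is not reaching the parser and the technique tells you nothing."""
    conn = make_db()
    for n in range(1, max_cols + 1):
        body = handler(conn, f"1' order by {n}--")
        if any(s in body for s in ERROR_STRINGS):
            return n - 1
    return None


if __name__ == "__main__":
    payloads = ["1'", "1' and 1=1--", "1' and 1=2--"]
    for name, handler in (("vulnerable", vulnerable_lookup), ("parameterised", safe_lookup)):
        print(f"== {name} ==")
        for row in run_attack(handler, payloads):
            print(f"  {row['payload']!r:20} len={row['length']:3} delta={row['delta']:4} grep={row['grep']}")
        print("  columns:", count_columns(handler))
```

Against the vulnerable handler the lone quote trips a grep hit, the true condition returns the baseline length, the false condition shrinks the page, and ORDER BY 3 is the first to error, giving the same answer of 2 columns that the article reads off the length column. Against the parameterised handler every payload produces the same empty result and no error, so neither the length nor the grep signal separates the requests and the column probe is inconclusive.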
OK, now that we know the vulnerable column, we can put this request into Intruder for the next step of information gathering: we insert our own compiled list of database information functions for automated testing.
basic.txt:
version()
user()
database()
@@hostname
@@basedir
@@datadir
We don't need to set up a grep match here. As for why everyone wants to put ...
Next we can use another Intruder attack mode to check the other databases available to us.
Now that we have the basic information and the database name, we can go on and reconfigure Intruder to get all the table names. But remember that the database name must be converted to hexadecimal; this can be done with Burp Decoder.
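The hex conversion mentioned here, and the "smart decode" behaviour of Decoder described in the tool list above, both come down to a few encodings and a heuristic for telling them apart. The following is an added example, not code from the article or from Burp Suite: it turns a string into the 0x-prefixed hexadecimal literal form MySQL accepts, and it peels layered hex, URL and Base64 encodings off a value the way Decoder's heuristic mode does. The sample values are constructed; the order of the heuristics (hex first, then URL, then Base64, accepting only decodes that yield printable text) is this example's own choice, not a description of Burp's internals.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

HEX_RE = re.compile(r"(?:0[xX])?(?:[0-9a-fA-F]{2})+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
URL_RE = re.compile(r"%[0-9a-fA-F]{2}")


def to_mysql_hex_literal(text: str) -> str:
    """Encode a string as a MySQL hexadecimal literal, e.g. 'dvwa' -> 0x64767761."""
    return "0x" + text.encode("utf-8").hex()


def _printable(raw: bytes) -> Optional[str]:
    """Accept a decode only if it is valid UTF-8 made of printable characters;
    this is what stops ordinary words like 'cafe' from being read as hex."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text and all(ch.isprintable() for ch in text) else None


def decode_once(value: str) -> Optional[Tuple[str, str]]:
    """Try hex, URL and Base64 in that order; return (encoding, decoded) for the
    first heuristic that produces printable text, or None if nothing applies."""
    if HEX_RE.fullmatch(value):
        digits = value[2:] if value.lower().startswith("0x") else value
        text = _printable(bytes.fromhex(digits))
        if text is not None:
            return ("hex", text)
    if URL_RE.search(value):
        text = unquote(value)
        if text != value:
            return ("url", text)
    if B64_RE.fullmatch(value) and len(value) % 4 == 0:
        try:
            text = _printable(base64.b64decode(value, validate=True))
        except (binascii.Error, ValueError):
            text = None
        if text is not None:
            return ("base64", text)
    return None


def smart_decode(value: str, max_layers: int = 5) -> List[Tuple[str, str]]:
    """Repeatedly unwrap encodings, recording each layer, like Decoder's smart decode."""
    layers: List[Tuple[str, str]] = []
    current = value
    for _ in range(max_layers):
        step = decode_once(current)
        if step is None:
            break
        layers.append(step)
        current = step[1]
    return layers


if __name__ == "__main__":
    # Constructed samples: the name "dvwa" in three encodings, one of them layered.
    print(to_mysql_hex_literal("dvwa"))
    for sample in ["0x64767761", "%64%76%77%61", "ZHZ3YQ%3D%3D", "cafe"]:
        print(f"{sample!r:16} -> {smart_decode(sample)}")
```

The layered sample shows why the loop matters: a URL-encoded Base64 string decodes in two steps, and the printable check is what makes the loop stop at "dvwa" instead of wrongly treating it as a further Base64 layer.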
Reconfigure Intruder to get the column names.
Now it's time to send the request directly with Repeater to get the data.
The article ends here. This explanation of Burp Intruder is just a starting point; everyone is welcome to discuss its more powerful functions with me. If a friend is willing to share the 1.4.0.5 Professional Edition, please pass me a copy. Thanks.
Burp Intruder Module Detailed