BurpSuite combat


Burp Suite is a powerful integrated platform for attacking web applications. It usually sits as a two-way proxy between the server and the client and intercepts the packets exchanged during communication. Intercepted packets can be modified by hand and replayed. This BurpSuite practical session consists of two experiments: using Burp for brute-force cracking, and a MIME upload bypass example.

Experiment 1: Use burp to brute force

1. Introduction to the experiment

Experiment series: web security
Subject: Information Security Major
Related courses and majors: network security, computer network
Experiment category: practical experiment

2. Preliminary knowledge

1. How Burp works: without Burp, the client's browser communicates directly with the server. With Burp, Burp acts as a proxy between the client and the server, so every request the browser sends to the server is captured by Burp. Compared with auditing tools such as Wireshark, Burp's strength is that it can not only observe traffic but also modify and resend packets. The structure when using Burp is shown in the figure below.

2. Brute-force cracking: there are generally two reasons for using brute force:

First, a test for this kind of vulnerability could be done by a person, but it would be too expensive or too time-consuming; it is exactly this problem that led to software that carries out these tests for people, and that is the real benefit of brute forcing. Second, from a practical point of view, users choose weak passwords so often that many vulnerabilities can easily be exploited by brute force. The most valuable part of brute forcing is building the password dictionary, a skill that requires long-term accumulation of experience.

3. The purpose of the experiment

Through this experiment you will master how to configure Burp and how to use its related modules, and use Burp to brute-force a test website so that the site builder can analyze the problem from the attacker's point of view and thereby improve site security.

4. Experimental environment

Server: Windows XP SP3, IP address 10.1.1.163. Tester: Windows XP SP3, IP address random.

5. Experimental steps

Step one:

Burp is a very powerful web analysis tool. It acts as a two-way proxy between the browser and the server, so the packets produced during communication, whether from the user or from the server, can be intercepted and analyzed by professionals. (For an introduction to Burp Suite, refer to Experiment 2.) The tasks to complete in this experiment are:

Configure burp and browser proxy to enable burp to run normally;

Learn to use the compare module in burp;

Learn to use the repeat module in burp;

Learn to use the intruder module in burp.

We provide a website that is susceptible to brute-force cracking. Configure Burp and set up the IE proxy: Burp acts as a proxy for the browser (client), so if we want the packets we send to be intercepted by Burp, both sides must agree on a listening port. First, double-click the Burp icon on the desktop to open the main interface.

1. Set the Burp listening port: select Proxy, then Options. Under Proxy listeners, Burp adds a local listener on port 8080 by default. You can also create a new listener by clicking Add on the left.

2. Configure the browser proxy: here we use the IE that ships with the system (Chrome and Firefox users can set it with a proxy plug-in). Press Win+R, enter inetcpl.cpl to open the IE settings, and in the Connections tab select LAN settings.

Enter the address 127.0.0.1 and the listening port (default 8080) that we set for Burp.

At this time, we have established the basic configuration.

3. Test: set Intercept is on in Burp:

Visit 10.1.1.163/crack in the browser; in Burp we will see:

This shows that we have successfully intercepted the browser's request. Click Forward to send the request to the server; the server returns the result to the browser and Burp records the response. Drop discards the packet, that is, it is not sent to the server.

Step two:

Get familiar with the Comparer, Repeater and Intruder modules.
1. Comparer module: the Comparer module compares different packets (request or response). First, add a request to Comparer: right-click the intercepted packet and select send to comparer:

At this point an extra record appears in both the upper and the lower pane of the Comparer module:

Using the same method, add another record to Comparer:

We plan to compare 1 and 2: select 1 and 2 (the order does not matter), then click the compare button in the lower right corner (bytes means the files are compared as byte streams):

As the figure shows, the window title tells us how many differences there are between the two files. The legend in the lower left corner shows which parts are added, modified or deleted relative to the left side.

2. Repeater module: sometimes we need to send the same request to the server several times to test the server's response. Simply right-click and choose send to repeater to work on the intercepted request in Repeater.

After entering Repeater, click the Go button and the server's response appears on the right. There is no limit on the number of times you can click Go; each click sends the current request to the server once more. The purpose of using Repeater is to perform a replay test and see whether the server still responds to the replayed request.

3. Intruder module: this is the main module used for brute-force cracking.
(1) As before, right-click the intercepted request and select send to intruder to enter the Intruder module. You will see four tabs: Target, Positions, Payloads, Options. Target sets the host address and port for the brute-force attack:

The Positions tab is where we choose the position to brute-force. By default Burp marks all variables automatically. In practice we usually click “clear$” and select a single point; after clearing, all the default blasting points disappear.

(2) Select with the mouse the value of the variable to brute-force, then click “add$” on the right; this adds a blasting point, whose payload position is between the two “$” signs.

Payloads setting: choosing the dictionary or payload type is this tab's job. The Payload type drop-down list provides commonly used payload types; choose according to the situation.

If you have a suitable dictionary, select the payload type simple list, then in Payload options choose the dictionary file to load and click Load.

Sometimes the payload needs further processing, such as md5 or base64 encoding. Burp takes this into account too: common algorithms are integrated under Payload processing. Click Add and choose what you need in the pop-up window.

Options holds other details, such as the number of threads used in the attack and storage settings for the attack results; I will not repeat them here.

Step three:
Next, try to brute-force the password. The known user name is hetian, and the password is a number between 50 and 100.

1. Visit http://10.1.1.163/crack/, which is a login page:

2. Log in as hetian with any password and submit the form. Burp intercepts our request:

3. Right-click the request and select send to repeater to perform a replay test. Click Go and the server's response appears on the right. After several Go clicks, the length and content returned by the server have not changed, and it still says sorry:

In other words, the server imposes no restriction on repeated attempts, so brute force is possible. To verify once more, enter a different password on the login page and use Comparer to compare the responses of the two requests: select the HTTP history sub-tab under Proxy, click each POST record and check the POST data shown below until you find the two requests with different passwords, then right-click and select send to comparer (response):

The figure shows that, after comparing the responses to the two different requests, Burp marks two differences in the upper left corner, but both are in the time field; the rest is identical. So brute force can be used.

4. Enter Intruder, click Clear$ first, then select the value of the pas field we just filled in and click Add$. This fixes the blasting point at the pas position.

5. Open the Payloads tab and select Numbers as the payload type:

6. After selecting Numbers, fill in the number range. Because the password range is known, choose 50 to 100, generated sequentially with a step of 1 (the step setting):

7. Start the attack:

8. Now the attack window appears. We focus on the payload and length columns, where length is the length of the server's response. In theory, the response length of a successful login differs from that of a failed login, which helps us find the correct password. The progress bar in the lower right corner shows progress.

9. After a while the test finishes. Double-click the length column header to sort by length.

We find that among the 50 payloads tested, the response for payload 69 differs from the responses for all the others. We suspect 69 is the answer. Double-click the request whose payload is 69, select the Response tab, and browse the response until you find “you got it”.

Yes, you caught the flag! The password was obtained successfully.
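The replay test above established two facts: the server accepts unlimited login attempts, and every failure returns an identical page. From the defender's side those same two facts make the attack easy to spot in the web server's access log: one client posting to the login URL far more often than a person would, with a single response size that differs from all the rest (the same signal the Intruder length column gave the attacker). The following Python is an added example, not part of the original lab; it assumes a Combined-Log-Format style access log, and the log lines it reads are constructed, not captured from the lab server.

```python
"""Spot a login brute force in web-server access logs (added example,
not part of the original lab). Assumes Combined-Log-Format style lines."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one access-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
        "size": 0 if m["size"] == "-" else int(m["size"]),
    }


def detect_bruteforce(log_text, login_path="/crack/", threshold=10,
                      window=timedelta(seconds=60)):
    """Return one alert per client IP that POSTed to login_path at least
    `threshold` times inside any sliding `window`.

    Each alert also lists response sizes that differ from that client's
    dominant (failure) size: a lone different size after a burst of identical
    failures is the defender's view of the "one payload with a different
    length" that Intruder showed above."""
    recent = defaultdict(deque)      # ip -> timestamps still inside the window
    sizes = defaultdict(Counter)     # ip -> Counter of response sizes
    crossed = {}                     # ip -> timestamp when threshold was reached
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # q never empties: last item is rec itself
            q.popleft()
        sizes[rec["ip"]][rec["size"]] += 1
        if len(q) >= threshold and rec["ip"] not in crossed:
            crossed[rec["ip"]] = rec["ts"]
    alerts = []
    for ip, when in crossed.items():
        failure_size, _ = sizes[ip].most_common(1)[0]
        alerts.append({
            "ip": ip,
            "attempts": sum(sizes[ip].values()),   # all login POSTs from this ip
            "threshold_crossed_at": when,
            "failure_size": failure_size,
            "outlier_sizes": sorted(s for s in sizes[ip] if s != failure_size),
        })
    return alerts


# Constructed sample log: a normal visitor (10.1.1.77) and one client that
# fires 12 login attempts in 11 seconds; the last one gets a different page.
SAMPLE_LOG = """\
10.1.1.77 - - [01/Jan/2024:10:00:00 +0000] "GET /crack/ HTTP/1.1" 200 587
10.1.1.77 - - [01/Jan/2024:10:00:05 +0000] "POST /crack/ HTTP/1.1" 200 312
10.1.1.200 - - [01/Jan/2024:10:00:10 +0000] "POST /crack/ HTTP/1.1" 200 312
10.1.1.200 - - [01/Jan/2024:10:00:11 +0000] "POST /crack/ HTTP/1.1" 200 312
10.1.1.200 - - [01/Jan/2024:10:00:12 +0000] "POST /crack/ HTTP/1.1" 200 312
10.1.1.200 - - [01/Jan/2024:10:00:13 +0000] "POST /crack/ HTTP/1.1" 200 312
10.1.1.200 - - [01/Jan/2024:10:00:14 +0000] "POST /crack/ HTTP/1.1" 200 312
10.1.1.200 - - [01/Jan/2024:10:00:15 +0000] "POST /crack/ HTTP/1.1" 200 312
10.1.1.200 - - [01/Jan/2024:10:00:16 +0000] "POST /crack/ HTTP/1.1" 200 312
10.1.1.200 - - [01/Jan/2024:10:00:17 +0000] "POST /crack/ HTTP/1.1" 200 312
10.1.1.200 - - [01/Jan/2024:10:00:18 +0000] "POST /crack/ HTTP/1.1" 200 312
10.1.1.200 - - [01/Jan/2024:10:00:19 +0000] "POST /crack/ HTTP/1.1" 200 312
10.1.1.200 - - [01/Jan/2024:10:00:20 +0000] "POST /crack/ HTTP/1.1" 200 312
10.1.1.200 - - [01/Jan/2024:10:00:21 +0000] "POST /crack/ HTTP/1.1" 200 345
10.1.1.77 - - [01/Jan/2024:10:00:30 +0000] "POST /crack/ HTTP/1.1" 200 312
"""

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The threshold and window are deliberately parameters: a lab box can alert on ten attempts a minute, while a production login page needs a baseline first. The outlier-size field is a hint, not proof of a successful login; the obvious fix on the server side is the one the lab site lacks, a per-account or per-client lockout after a handful of failures.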

Note: Please conduct experiments in a specific environment (such as a virtual machine).

Experiment 2: Introduction to Burpsuite and MIME upload bypass examples

1. Introduction to the experiment

Experiment series: web security
Subject: Information Security Major
Related courses and majors: Introduction to Information Network Security
Experiment category: practical experiment

2. Preliminary knowledge

1. About Burp Suite: Burp Suite is an integrated platform for attacking web applications. It contains many tools, with interfaces designed to streamline the process of attacking an application. All tools share an extensible framework for processing and displaying HTTP messages, persistence, authentication, proxying, logging and alerting. When a tool processes HTTP requests and responses, it can hand them to any other Burp tool. For example, a request recorded by Proxy can be used by Intruder to build a custom automated attack, by Repeater for manual attack, by Scanner to analyze vulnerabilities, or by Spider (the web crawler) to search content automatically. Burp Suite mainly has the following modules/functions:

Target displays the target site's directory structure.

Proxy is an intercepting HTTP/S proxy server that acts as an intermediary between the browser and the target application, letting you intercept, view and modify the raw traffic in both directions.

Spider is a web crawler with intelligent sensing that enumerates the application's content and functions.

Scanner is an advanced tool that, once run, automatically finds security vulnerabilities in web applications.

Intruder is a customizable, highly configurable tool that automates attacks on web applications, such as enumerating identifiers, harvesting useful data, and fuzzing for common vulnerabilities.

Repeater is a tool for manually sending individual HTTP requests and analyzing the application's response.

Sequencer is a tool for analyzing the randomness of application session tokens and other important data items that should be unpredictable.

Decoder is a tool for manual or intelligent decoding and encoding of application data.

Comparer obtains a visual “diff” between two pieces of data, usually related requests and responses.

Extender lets you load Burp Suite extensions and use your own or third-party code to extend Burp Suite's functions.

Options, the settings for Burp Suite.

2. Understand server-side MIME type detection: during image upload, the server checks whether the Content-Type of the HTTP request is image/jpeg; if it is, the upload succeeds. Related source code:

As you can see, the if statement in the red area only checks the Content-Type and the size of the picture.
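The check described above trusts two things the client controls: the Content-Type header and the declared size. The following Python is an added example, not the lab's PHP source (which the original only shows as a screenshot). `weak_check` mirrors the logic the text describes, and `hardened_check` and `storage_name` are an assumed hardened version: it decides from the file's magic bytes and a whitelisted extension, never from the client's Content-Type, and chooses the stored file name itself. It also shows why the Step two bypass (a text/plain file whose Content-Type is rewritten to image/jpeg in Repeater) passes the weak check and fails the hardened one.

```python
"""Weak vs. hardened upload validation (added example; not the lab's code)."""
import secrets

MAX_SIZE = 2 * 1024 * 1024   # constructed size limit, assumed for this example


def weak_check(content_type, data):
    """What the lab server does: trust the client's Content-Type and the size.
    Rewriting the header in Repeater is enough to pass this check."""
    return content_type == "image/jpeg" and len(data) <= MAX_SIZE


# Magic bytes of the two image formats this hardened version accepts.
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Extension whitelist mapped to the content kind it must contain.
ALLOWED_EXT = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png"}


def sniff(data):
    """Identify the image format from the bytes, ignoring every header."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PNG_MAGIC):
        return "png"
    return None


def hardened_check(filename, data):
    """Return (accepted, reason). The client's Content-Type is not consulted
    at all: only the bytes and a whitelisted extension decide."""
    if len(data) > MAX_SIZE:
        return False, "too large"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    kind = sniff(data)
    if kind is None:
        return False, "not an image by magic bytes"
    if ALLOWED_EXT[ext] != kind:
        return False, "extension does not match content"
    return True, kind


def storage_name(kind):
    """Server-chosen file name; the client's file name never reaches disk,
    so "1.txt" (or "shell.php") cannot be chosen by the uploader."""
    return f"{secrets.token_hex(16)}.{kind}"


if __name__ == "__main__":
    # The lab's 1.txt with the header rewritten, as in Step two.
    body = b"hello_world"
    print("weak, real header:   ", weak_check("text/plain", body))
    print("weak, spoofed header:", weak_check("image/jpeg", body))
    print("hardened:            ", hardened_check("1.txt", body))
    print("hardened, renamed:   ", hardened_check("1.jpg", body))
```

Magic-byte sniffing is the minimum; a production service would additionally re-encode the image with an image library (which drops any trailing payload), store uploads outside the web root or on a host that never executes them, and serve them with a fixed Content-Type.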

3. The purpose of the experiment

Through this experiment, understand how to use Burp Suite to bypass MIME upload detection.

4. Experimental environment

Server: Win2003, IP address 10.1.1.59:81. Tester: Win7, IP address random.

5. Experimental steps

Step one:

1. Use Burp Suite's proxy function: visit http://10.1.1.59:81, enter user name admin and password password, open Burp Suite, set the browser proxy, and click sql injection:

The intercepted packet is as follows:

Right-click, as shown in the figure below:

Send to XXX sends the intercepted data to the named module, where the next step is carried out. Pull down the menu and click Send to Spider to switch to the Spider module; Burp Suite will crawl the website automatically. Switch to the Control tab to view the crawl status and set the crawl scope; crawl settings are in the Options tab. After a while, switch to the Target module to view the results:

Change request method changes the request method: for example, the GET request used before becomes POST after clicking it:

Don't intercept requests stops intercepting requests. For example, after choosing To this host, Burp will not intercept requests to this host even when Intercept is on, and we can browse the site normally.

Then switch to the Options tab of Proxy and check Intercept Client Requests; a record has been added:

Under Do intercept, Response to this request can be used to modify what the server sends back in order to deceive the browser. If URL-encode as you type is turned on, the & and = characters you type are replaced by their URL encoding.

2. Target module: this module has two tabs. Site map displays the crawled sites in a tree structure, and Scope sets the scope used for filtering. When testing a target URL, many irrelevant URLs appear under Site map; we can use Filter to keep only the target URL:

Click Filter and check Show only in-scope items:

At this point, only the target URL remains under the Site map:

Then click any directory and many functions appear:

Click Remove from scope: for example, if I select css, that directory disappears and a record is added under the corresponding Scope tab:

Click Spider this branch and Burp crawls that directory. Click Expand branch to expand it. The other functions are less commonly used; study them yourself if you are interested. On the right side of the Site map tab you can see some request information; you can highlight a link under Host, add a comment under Comment, and right-click on a single link.

Step two:
Use Burp Suite to bypass the server's MIME type detection on upload:

1. First create 1.txt on the desktop; here I write “hello_world” in it. Because the target host only allows jpg uploads, we must bypass this restriction in order to upload a txt file:

2. Open http://10.1.1.59:81, enter user name admin and password password, and click Upload:

3. After setting the browser proxy, select the txt file we just created and upload it. Burp Suite intercepts the packet; right-click and select “send to repeater”:

4. Switch to Repeater and change the text/plain after Content-Type to image/jpeg:

5. Click Go; the right side shows that the upload succeeded. Enter 1.txt in the search box at the bottom right to find the “image” just uploaded:

6. Turn off the proxy and open the path that was found:

Note: Please experiment in a specific environment (such as a virtual machine).
