Burp Suite User Forum

Logic error in Intruder module

Mitnick | Last updated: Jan 13, 2021 02:42PM UTC

1. I need to brute force the username and password fields. See 1.JPG

POST /xxx/xxx HTTP/1.1
Host: xxx.xxx.xxx.xxx
Connection: close
Content-Length: 56
Accept: application/json, text/javascript, */*; q=0.01
Origin: file://
User-Agent: Mozilla/5.0 (Linux; Android 7.1.2; TAS-AN00 Build/TAS-AN00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/75.0.3770.143 Mobile Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
X-Requested-With: xxx.xxx.xxx.xxx

userCode=§admin§&password=§e10adc3949ba59abbe56e057f20f883e§

2. When the second field is cracked with MD5 encryption, the order is reversed. Actually, I just want to encrypt the password. See 4.JPG

POST /xxx/xxx HTTP/1.1
Host: xxx.xxx.xxx.xxx
Connection: close
Content-Length: 56
Accept: application/json, text/javascript, */*; q=0.01
Origin: file://
User-Agent: Mozilla/5.0 (Linux; Android 7.1.2; TAS-AN00 Build/TAS-AN00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/75.0.3770.143 Mobile Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
X-Requested-With: xxx.xxx.xxx.xxx

userCode=21232f297a57a5a743894a0e4a801fc3&password=00000

3. At Payload, Payload Processing, MD5 is added to 2 fields at the same time, but I really only want to encrypt the second field, password. Please see the attached screenshots for the specific demonstration. See 2.JPG, 3.JPG, 4.JPG

Impact: Software logic error, resulting in failure to use the tool.

Hannah, PortSwigger Agent | Last updated: Jan 13, 2021 03:09PM UTC

Hi,

It looks like you've tried to include screenshots, which the forum does not support. You can drop us an email at support@portswigger.net if you'd like, where you can include the images as attachments.

Have you had a look at the Hackvertor extension (https://portswigger.net/bappstore/65033cbd2c344fbabe57ac060b5dd100)? I believe you can use the Hackvertor encode or decode tags in Intruder.