Burp Suite User Forum


Recursive Grep results are not used in the following request

Matthias | Last updated: Jan 07, 2021 08:21PM UTC

Hi, I'm making my first steps with Burp and trying to use Intruder to find the password of a phpMyAdmin interface. For that I use a pitchfork attack with a recursive grep to find the session_id and the token. Unfortunately this is not working reliably. Sometimes it works as expected, but most of the time the first request with a password payload does not include the grepped values. Sometimes the whole run is executed without the grepped values (see the linked images): https://imgur.com/a/580LPE2

What could be the source? Misconfiguration or bug? I tested it with Burp Community v2020.12.1 and 2.1.07 in Kali. Thanks a lot!

Michelle, PortSwigger Agent | Last updated: Jan 08, 2021 01:30PM UTC

Thanks for getting in touch. Could you share some screenshots of the Intruder attack configuration so we can take a closer look, please? If you can email them to support@portswigger.net, that would be great.

martinez | Last updated: Mar 04, 2023 08:36AM UTC

Hello, I'm having exactly the same issue. I'm running version v2022.7.1 and trying to do a brute-force attack on the phpMyAdmin on an HTB box.

Positions tab: https://imgur.com/rJl801P
Options tab: https://imgur.com/RbujUH4
Resource pool: https://imgur.com/nOJbTME (even tried to add some delay)
Payloads (1+2): https://imgur.com/4PfbgS4 (tried both with and without encoding)
Payloads (3): https://imgur.com/4KpV2bV
Payloads (4): https://imgur.com/JikCcUR

When I run the attack, the extraction of the session and token values from request 0 is correct: https://imgur.com/3mLqqJn

But those values are not used for the following requests, and empty strings are inserted at the defined positions: https://imgur.com/2Gb8leV

Am I missing some config there? Best regards, and thanks.

Michelle, PortSwigger Agent | Last updated: Mar 06, 2023 11:12AM UTC

Thanks for getting in touch. I'm afraid we're having issues using those links right now. Can you email copies of the screenshots to support@portswigger.net, please, so we can take a look through this for you?
