Burp Suite User Forum


Turbo Intruder error

Anton | Last updated: Jun 12, 2023 02:26PM UTC

Hi everyone, I've just downloaded Turbo Intruder and was about to use it for the first time. I chose one of the easiest labs for this purpose: https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-different-responses

So I sent the following request to the Turbo Intruder:

    POST /login HTTP/2
    Host: 0a1c00170422e43880a4df9800ec0080.web-security-academy.net
    Cookie: session=mkigI3F3v74xX3UkvWnRHmxGsHFiTp8K
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 27
    Origin: https://0a1c00170422e43880a4df9800ec0080.web-security-academy.net
    Referer: https://0a1c00170422e43880a4df9800ec0080.web-security-academy.net/login
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    Te: trailers

    username=%s&password=123

With the following Python script (almost unchanged from examples/basic.py):

    def queueRequests(target, wordlists):
        engine = RequestEngine(endpoint=target.endpoint,
                               concurrentConnections=5,
                               requestsPerConnection=100,
                               pipeline=False
                               )

        for word in open("C:\Burp\Usernames.txt"):
            engine.queue(target.req, word.rstrip())


    def handleResponse(req, interesting):
        # currently available attributes are req.status, req.wordcount, req.length and req.response
        if req.status != 404:
            table.add(req)

And this is the full error:

    Starting attack...
    There was an error executing your Python script. This is probably due to a flaw in your script, rather than a bug in Turbo Intruder :)
    If you think it is a Turbo Intruder issue, try out this script: https://raw.githubusercontent.com/PortSwigger/turbo-intruder/master/resources/examples/debug.py
    For your convenience, here's the full stack trace:
    java.lang.NullPointerException: Cannot read field "modules" because the return value of "org.python.core.Py.getSystemState()" is null
        at org.python.core.PyModule.module___init__(PyModule.java:64)
        at org.python.core.PyModule.<init>(PyModule.java:47)
        at org.python.util.PythonInterpreter.<init>(PythonInterpreter.java:112)
        at org.python.util.PythonInterpreter.<init>(PythonInterpreter.java:94)
        at org.python.util.PythonInterpreter.<init>(PythonInterpreter.java:71)
        at burp.Fast_httpKt.evalJython(fast-http.kt:35)
        at burp.TurboIntruderFrame$actionPerformed$1$ToggleAttack$actionPerformed$1.invoke(fast-http.kt:328)
        at burp.TurboIntruderFrame$actionPerformed$1$ToggleAttack$actionPerformed$1.invoke(fast-http.kt:277)
        at kotlin.concurrent.ThreadsKt$thread$thread$1.run(Thread.kt:30)

Thank you in advance!

Anton | Last updated: Jun 13, 2023 11:17AM UTC

Hi, it has been 1 day, and I cannot progress in my studies without solving this problem with Turbo Intruder.

Ben, PortSwigger Agent | Last updated: Jun 14, 2023 05:17AM UTC

Hi Anton, I do not believe that there is anything intrinsically wrong with the script - I can run the same and get it working. Are you able to provide a screenshot of the entirety of the request and script within Turbo Intruder? Are you also able to provide a screenshot of the Extensions section within the Burp Settings?

Anton | Last updated: Jun 14, 2023 11:56AM UTC

Hi, thank you for the reply. Yes, I am sure that the problem is not with the script, as the error is the same for any scripts (even for debug.py). I am attaching screenshots of the Turbo Intruder request, the script and what it shows after I click the "Attack" button, as well as 3 screenshots of the Extension section with 3 errors that appeared after I tried to click the "Attack" button 3 times. https://imgur.com/gallery/s9JErJp

Ben, PortSwigger Agent | Last updated: Jun 15, 2023 08:00AM UTC

Hi Anton, Can you also provide a screenshot of the Extensions settings dialog (if you click the 'Extensions settings' cog button within the main Extensions tab), as requested?

Anton | Last updated: Jun 15, 2023 11:25AM UTC

Hi, sure: https://imgur.com/a/ybrDaAg

Mohsin | Last updated: Jun 15, 2023 06:01PM UTC

I accidentally deleted my account wiener:peter. How can I reset it?

Dominyque, PortSwigger Agent | Last updated: Jun 16, 2023 08:23AM UTC

Hi Anton, if you run the jython-standalone-2.7.3.jar file directly on the command line (via the 'java.exe -jar jython-standalone-2.7.3.jar' command on your Windows machine) - does the jar file run (again, probably a long shot but I just want to confirm there are no issues with the jar file that you have obtained that might be causing this)?

Anton | Last updated: Jun 16, 2023 12:54PM UTC

Hi, yes, the jar file runs:

    Jython 2.7.3 (tags/v2.7.3:5f29801fe, Sep 10 2022, 18:52:49)
    [Java HotSpot(TM) Client VM (Oracle Corporation)] on java1.8.0_371
    Type "help", "copyright", "credits" or "license" for more information.
    >>> help()

    Welcome to Python 2.7! This is the online help utility.

    If this is your first time using Python, you should definitely check out the tutorial on the Internet at http://docs.python.org/2.7/tutorial/.

    Enter the name of any module, keyword, or topic to get help on writing Python programs and using Python modules. To quit this help utility and return to the interpreter, just type "quit".

    To get a list of available modules, keywords, or topics, type "modules", "keywords", or "topics". Each module also comes with a one-line summary of what it does; to list the modules whose summaries contain a given word such as "spam", type "modules spam".

    help>

Anton | Last updated: Jun 19, 2023 10:57AM UTC

Hi, it has been a week, and I cannot progress in my studies without solving this problem with Turbo Intruder. Could you please help me?

Dominyque, PortSwigger Agent | Last updated: Jun 19, 2023 11:54AM UTC

Hi Anton, I can see that you are in email communication with my colleague. Please keep your eye out for their reply in your inbox instead of continuing the thread here.

Anton | Last updated: Jun 20, 2023 02:59PM UTC

Hi, I waited for the answer, but it did not help me at all:

- Are you using the Installer version of Burp, or are you launching Burp from the JAR file? It looks like this issue has been reported to the extension author previously. It seems that this is a limitation of Jython. You can find this here: https://github.com/PortSwigger/turbo-intruder/issues/69 Could you tell me the language that you have your machine set to?
- I've installed Burp through the Installer and I am launching it as BurpSuitePro.exe file. I've checked this link already but haven't found anything that could solve the problem. My machine is set to Russian language.
- Is the issue resolved if you try changing your machine to English, relaunching Burp, and rerunning the script?
- Unfortunately, I cannot change my machine to English as I see the following message when I try: "Your Windows license supports only one display language". Is it the only way to solve the problem? Is Turbo Intruder supposed to work only on machines with English display language?
- Unfortunately, it seems that this is a limitation of Jython, which is not something that we can fix on our end. Burp Suite still includes Intruder, which you can use to solve the lab. We'd recommend using this.

That's the end of our email communication. It has not solved my problem at all. There are other labs that could only be solved using Turbo Intruder or Macros. I have Burp Suite Professional and I know how to use usual Intruder, but I would like to learn Turbo Intruder as it's much more powerful for testing.

So the only possible solution is to switch my machine to English? Again, is Turbo Intruder supposed to work only on machines with English display language? If it is the case, I will try to deal with my Windows problem and switch it. Are you sure it would help though?

Dominyque, PortSwigger Agent | Last updated: Jun 21, 2023 06:53AM UTC

Hi Anton, my colleague, whom you communicate with, usually handles the BApp extensions, so you are in the best hands to deal with the problem. However, I suspect that if this is a limitation of Jython, there is not much we can do about this on our end. I will say that another user who had a similar issue changed their machine to English, and the issue was resolved.
