Burp Suite User Forum

Login to post

Turbo Intruder: Script with randomly generated strings

Peter | Last updated: Oct 23, 2023 10:52AM UTC

The integrated Intruder is great, but I still wanted to use the speed of the Turbo Intruder for some tests in our fuzzy lab. The handling of the characterstrings to be generated has to be very flexible and this is what came out of it (unfortunately I don't know how to format the script perfectly here). Feel free to test the script. ------------schnipp------------------------- """ You can manipulate the program in any way you want using the variables in the "MAKE YOUR CHANGES JUST HERE" block. The simplest value you need is the numeric variable "how_many_attacks". You use this variable to set the number of queries. Which area of the ASCII table should be used -------------------------------------------- You can also specify the area of the ASCII table that you want to use to generate the character strings (ASCII_start and ASCII_end). If there are characters in the range that you don't want, set the boolean variable "exclude_characters_flag" to "True". Then the predefined list (exclude_characters) is used to remove these characters from the generated string. Increasing character string lengths ----------------------------------- If you want to test the application with increasing character string lengths, no problem. Set the numeric variable "stringlength_min" to the value of the smallest length you need and "stringlength_max" to the largest length. But be careful: If the number of queries (how_many_attacks) is less than the value of "how_many_attacks", the value "stringlength_max" will never be reached. To achieve this, "stringlength_max" should have the same value as "how_many_attacks". If "stringlength_min" and "stringlength_max" have the same value, no iteration occurs. Number of markers (%s) ---------------------- The numeric variable "number_of_markers" contains the number of markers (%s) you set in the request. If the value of "number_of_markers" is higher than the number of %s in the request, nothing happens, the unnecessary values simply disappear into nirvana. However, if the number of "%s" in the request is greater than the value in "number_of_markers", problems may arise. The Turbo Intruder replaces the first occurrence of %s in the request, then the second, and so on. If the script does not provide any other string, the request will only send "%s" at this point. Ampersand and question mark --------------------------- The Boolean variables "ampersand" and "questionmark", as the name indicates, regulate the handling of the ampersand and the question mark. URLs use question marks as "separators". This marks the end of the navigable part of the URL. Parameters to an HTTP GET request are key/value pairs, separated by an ampersand. If these characters are also in the list, the test would only produce inaccurate results. As a result, ampersand and questionmark should be set to False. The characters cannot be easily removed from the string because the defined length of the variables "stringlength_min" and "stringlength_max" would no longer be correct. Therefore, the character that will be used instead can be defined in the numeric variable "use_instead". Sort list and remove duplicate entries -------------------------------------- Anyone who, for whatever reason, would like to have the characterlist sorted and duplicate entries removed can do this using the Boolean variable "clean_the_list". By default the value is False. However, if you want them cleaned and sorted, set the value to True. But be careful: By removing duplicate characters, the number of string lengths specified in the "stringlength_min" and "stringlength_max" variables is no longer correct. The program doesn't care. If it doesn't bother you, do it. Add characters that are outside the selected ASCII range -------------------------------------------------------- If you set the boolean variable "include_characters_flag" to True, additional characters contained in "include_characters" will be added to the list. This makes sense if, for example, you want the characters '!', '$', '%', '@' in the generated string, even though you have set "ASCII_start" to 48 and "ASCII_end" to 57 (the list only contains characters 0 to 9): Not a good example, I know, but I can't think of a better one at the moment. You'll probably come up with something that makes total sense. I tried to document the source code in such a way that it can be understood by Python beginners. If that's not the case, I certainly tried my best. (c) 2023, Peter Feil """ from random import choice #*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*# #------------MAKE YOUR CHANGES JUST HERE--------------------------------------------------------- # The following variables should be adjusted before starting the attack. how_many_attacks = 100 # How many attacks do you want to launch # The variables "stringlength_min" and "stringlength_max" defines the minimum and maximum length of the # generated strings. If both are at the same size, the size of the character string would remain constant. stringlength_min = 100 # Minimum length of the character string stringlength_max = 100 # Maximum length of the character string # The variable "number_of_markers" contains the number of markers you have set (%s in request). number_of_markers = 2 # By default, the program assumes that it should generate ASCII characters between 48 (ASCII_start) and # 122 (ASCII_end). Below is a list of the most popular settings for the value pair ASCII_start and ASCII_end # Lower case only : ASCII_start = 97 ASCII_end = 122 # Uppercase only : ASCII_start = 65 ASCII_end = 90 # Digits only : ASCII_start = 48 ASCII_end = 57 # Lower- + uppercase + digits : ASCII_start = 48 ASCII_end = 122 # On the other hand, if you really want to create real chaos, set "ASCII_start = 1" and "ASCII_end = 255" and # set "exclude_characters_flag = False". ASCII_start = 48 # These two variables defines the area of the ASCII table ASCII_end = 122 # from which the random values are generated. # These characters can optional removed from the ASCII list. It make sense to set "exclude_characters_flag" # to True if you want only small and capital letters and numbers. (chr(92) == backslash). If you want to # add more items to the list, go ahead. You see how it works. # The setting lowercase + uppercase + digits includes the following characters: # 0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz # The special characters in the list are annoying. This is especially true when manipulating "get statements" # (GET /index.php?search=%s HTTP/1.1). As a result, you can remove them from the list by setting the variable # exclude_characters_flag = True. exclude_characters = [':', ';', '<', '=', '>', '?', '@', '^', '_', '`', chr(92), '[', ']'] exclude_characters_flag = True # This exchange is necessary so that the stringlength value remains constant at the set value and the length # isn't changed ampersand = False # False = The generator ignores the ampersand and returns use_instead questionmark = False # False = The generator ignores the question mark and returns use_instead use_instead = 59 # ASCII value 59 == semicolon # These characters can optional added to the ASCII list. If you want to add own signs to the list, go ahead. # You see how it works. include_characters = ['!', '$', '%', '@'] include_characters_flag = False # If you want to filtered out duplicate entries of the ASCII list and that the ASCII list is sorted, set the # variable "clean_the_list" to True. clean_the_list = False #------------END OF CONTROLS--------------------------------------------------------------------- #*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*# def queueRequests(target, wordlists): engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=5, requestsPerConnection=100, pipeline=False ) stringlength = 0 # The following list will contains all the elements of the ASCII list that are to be used ASCII_list = [] ASCII_list = generate_ascii_list(ASCII_list) # List, which contains the random strings words_of_attack = [] # The attack runs until the value, stored in how_many_attacks, is reached for attack_number in range(0, how_many_attacks): # In jython the function "clear()" does not exists , so I've done a workaround # to clear the list after each for statement words_of_attack[:] = [] # Fill the lists with the random stringlists if stringlength_min < stringlength_max: stringlength = stringlength_min + attack_number else: stringlength = stringlength_max # counter is nothing else as a counter and not use for other functions for counter in range(0,number_of_markers): words_of_attack.append(generate_random_chars(ASCII_list, stringlength)) engine.queue(target.req, words_of_attack) # Sets the ASCII range from which the random values are generated def generate_ascii_list(ASCII_list): for counter in range(ASCII_start, ASCII_end + 1): ASCII_list.append(counter) # Remove some characters from the ASCII_list if exclude_characters_flag == True: for character in exclude_characters: ASCII_list.remove(ord(character)) # Add some characters to the ASCII_list if include_characters_flag == True: for character in include_characters: ASCII_list.append(ord(character)) # If you want to clean the list if clean_the_list == True: # Removed duplicate entries ASCII_list = list(set(ASCII_list)) # List sort ASCII_list.sort() return ASCII_list # ASCII-character generator def generate_randomnumber(ASCII_list): rnd_num = random.choice(ASCII_list) # If ampersand = False and the ASCII value of the # ampersand was chosen by the random generator... if ampersand == False: if rnd_num == 38: rnd_num = use_instead # If questionmark = False and the ASCII value of the # question mark was chosen by the random generator... if questionmark == False: if rnd_num == 63: # Replace it with the value use_instead rnd_num = use_instead return rnd_num # The function generates an ASCII list with the random values and then returns them as a string def generate_random_chars(ASCII_list, stringlength): charlist = [] for x in range(0, stringlength): charlist.append(chr(generate_randomnumber(ASCII_list))) # Return a string instead of a list return ''.join(charlist) def handleResponse(req, interesting): # currently available attributes are req.status, req.wordcount, req.length and req.response if req.status != 404: table.add(req)

Michelle, PortSwigger Agent | Last updated: Oct 23, 2023 01:29PM UTC

Thanks for sharing this :)

Peter | Last updated: Oct 24, 2023 12:43PM UTC

Due to the error, the length of the generated string is exceeded when the stringlen_max is reached but there are still more queries left. After the changes it works. Please change this line: if stringlength_min < stringlength_max: and use instead this line: if (stringlength_min < stringlength_max) and (stringlength < stringlength_max):

You need to Log in to post a reply. Or register here, for free.