Saturday, 29 October 2016

HTTP Server fuzzing with Burp


Some time ago I was working on an HTTP server fuzzer written in Python. I was wondering whether I could get similar results using only Burp proxy. Example results are below.



For testing purposes I decided to install an old HTTP server called “Easy File Management Web Server”. You can find it here or here. As a ‘lab environment’ I prepared a WinXP SP3 machine on VirtualBox (with all the other tools I’ll need for this work, for example WinDbg). The version of the target software I used was 5.3:





The server is ready, so we can start Burp and configure our browser to connect through it as a proxy. With the environment prepared, we can now start our “fuzzing”:




As input I used two lists: the first one covers the bugs I look for during normal black-box pentests; the second one was prepared for basic fuzzing purposes, so I created a TXT file with multiple lines of different lengths, each containing “AAAA” strings (as a first case). An example of an attack is below:




“Easy File Management Web Server” is attached to WinDbg, so we can observe the results in the “Server Logs” window. After a while I got the first results from the first payload list – persistent XSS:




Another request that also seems to be vulnerable:




Below are the results of the attack:




Ok, so basically: fuzzing in Burp is also possible. ;) A few results from the 2nd list (“AAAA…”) you will find below. I used a GET request to send multiple “A” characters to the application. WinDbg presented results like those on the screen below:




Another request/response looks like this:




And the results of the request:




A new result. Ok. I decided to observe this behavior a little more, and changed the payload length again:




Changing the length again gives new results:




Below is a screen from Burp with the requests; you can see the different length of each request:



From the ASM code, we can see that there will be no comparison between those 2 registers:






The base request I modified for this to work is presented on the screen below:



This post will probably be continued, but for now maybe you will find it useful ;)

Cheers!
