Some time ago I was working on an HTTP server fuzzer written in Python. I was wondering whether I could get similar results using only the Burp proxy. Example results are below.
For testing purposes I decided to install an old HTTP server called “Easy File Management Web Server”. You can find it here or here. As a ‘lab environment’ I prepared a WinXP SP3 machine on VirtualBox (with all the other tools I’ll need, for example WinDbg). The version of the target software I used was 5.3:
The server is ready, so we can start Burp and configure our browser to use it as a proxy. With the environment prepared, we can start our “fuzzing”:
As input I used two lists: the first one covered the bugs I look for during normal blackbox pentests; the second one was prepared for basic fuzzing, so I created a TXT file with multiple lines of “AAAA…” strings of different lengths (as the first case). An example of an attack is below:
“Easy File Management Web Server” is attached to WinDbg, so we can observe the results in the “Server Logs” window. After a while I got the first results from the first payload list: persistent XSS:
Another request also seems to be vulnerable:
Below are the results of the attack:
OK, so basically: fuzzing in Burp is also possible. ;) A few results from the second list (“AAAA…”) are below. I used a GET request to send multiple “A” characters to the application. WinDbg presented results like those on the screen below:
Another request/response looks like this:
And the results of the request:
A new result. OK. I decided to observe this behavior a little more and changed the payload length again:
Changing the length again, we get new results:
Below is a screen from Burp with the request; you can see the different length used for each request:
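The length-stepping described above, as an added example that is not the author's Python fuzzer nor anything from Burp: a small script that produces the same kind of “AAAA…” payload list you would feed to Intruder, sends each one in a raw GET, and stops at the first length where the server stops answering (that length is where you would look in WinDbg). The target is a constructed local stand-in that drops the connection once the path reaches 1000 bytes; the host, port, step values and that threshold are assumptions for the demo, not values taken from the post.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def payload_lengths(start=100, stop=2000, step=100):
    """Lengths for the "AAAA..." list: one GET per length, like the lines of the TXT file."""
    return list(range(start, stop + 1, step))


def build_request(host, path_payload, method="GET"):
    """Raw HTTP request bytes, the same shape Burp Repeater/Intruder sends."""
    return (
        f"{method} /{path_payload} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def probe(host, port, length, timeout=3.0):
    """Send one GET with `length` 'A' characters in the path.

    Returns (status, detail) where status is one of:
      "ok"     - a status line came back
      "closed" - the server dropped the connection without answering (what a crash looks like)
      "hang"   - no answer within `timeout` (e.g. the process is stopped in the debugger)
      "dead"   - connect failed (process gone or still restarting)
    """
    request = build_request(host, "A" * length)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            data = sock.recv(4096)
    except socket.timeout:
        return ("hang", "no response within timeout")
    except OSError as exc:
        return ("dead", str(exc))
    if not data:
        return ("closed", "connection closed with empty response")
    return ("ok", data.split(b"\r\n", 1)[0].decode("ascii", errors="replace"))


def fuzz(host, port, lengths):
    """Walk the length list and stop at the first non-OK answer."""
    results = []
    for n in lengths:
        status, detail = probe(host, port, n)
        results.append((n, status, detail))
        if status != "ok":
            break
    return results


class _FakeTarget(BaseHTTPRequestHandler):
    """Constructed stand-in for the real server (assumption for the demo): answers normally
    until the path reaches CRASH_AT bytes, then drops the connection without a reply."""
    CRASH_AT = 1000  # demo threshold, not a value measured on the real software

    def do_GET(self):
        if len(self.path) - 1 >= self.CRASH_AT:  # minus the leading '/'
            return  # send nothing; the handler returning closes the socket
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Start the stand-in on a random loopback port and fuzz it with a 100..2000 step-100 list."""
    server = HTTPServer(("127.0.0.1", 0), _FakeTarget)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return fuzz("127.0.0.1", server.server_address[1], payload_lengths(100, 2000, 100))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for n, status, detail in run_demo():
        print(f"{n:5d} A's -> {status:6s} {detail}")
```

To use it against a real lab target, point `fuzz()` at the VM's address and port instead of `run_demo()`; writing `"A" * n` for each length to a file gives the Intruder payload list. A narrower step between the last OK length and the first failing one pins down the boundary the crash depends on.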
From the ASM code we can see that there is no comparison between those two registers:
The base request I modified to work is presented on the screen below:
The post will probably be continued, but for now: maybe you will find it useful ;)
Cheers!