Turbo Intruder条件竞争代码

Ca1s1
#Burpsuite  #Extensions 

Turbo Intruder

条件竞争

不知道哪个版本Turbo Intruder少了这个默认的模版记录下。

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=30,
                           requestsPerConnection=100,
                           pipeline=False
                           )

    # the 'gate' argument blocks the final byte of each request until openGate is invoked
    for i in range(30):
        engine.queue(target.req, target.baseInput, gate='race1')

    # wait until every 'race1' tagged request is ready
    # then send the final byte of each request
    # (this method is non-blocking, just like queue)
    engine.openGate('race1')

    engine.complete(timeout=60)


def handleResponse(req, interesting):
    table.add(req)

jsEncrypter 加密

Ca1s1
#burpsuite  #encrypt 

burp 爆破 JS加密

首先右键登录按钮属性查看html源代码,发现id=‘rsa’

/img/burpjs/Untitled.png

ctrl+shift+f 查找rsa描点,发现调用了strEnr

/img/burpjs/Untitled%201.png

继续查找strEnr,并进入函数

/img/burpjs/Untitled%202.png

对加密函数添加断点进行判断,发现123123账号密码进入了此处,且3个key分别为1,2,3。

/img/burpjs/Untitled%203.png

我们直接控制台调用,尝试加密解密

/img/burpjs/Untitled%204.png

保存des.js到本地

/img/burpjs/Untitled%205.png

既然找到了加密解密函数现在就是通过burp调用函数使其加解密,修改phantomjs_server.js

/img/burpjs/Untitled%206.png

载入server.js

/img/burpjs/Untitled%207.png

burp连接server端口,test,我们现在已经可以成功加密了

/img/burpjs/Untitled%208.png

配置burp intruder,添加变量

/img/burpjs/Untitled%209.png

选择Custom ,1为用户

/img/burpjs/Untitled%2010.png

2为密码

/img/burpjs/Untitled%2011.png

添加payload加密

/img/burpjs/Untitled%2012.png

start attack,成功爆破

/img/burpjs/Untitled%2013.png

尝试解密下加密字符串,成功

/img/burpjs/Untitled%2014.png