Jacking injection/fuzz strings for web hacking

Everyone who knows me knows I'm a huge fan of Burp Suite and the Fuzz Database. Today is just a quick reminder that instead of using a bunch of disparate tools against a target, you can easily take an open source tool and jack its fuzz strings by parsing the output of something like… tshark:

tshark -n -R http.request -s 2000

Run your tool; in my case I've used sqlmap with some mixed tamper scripts, Pangolin payloads (previous ModSecurity bypass), etc. Capture the tshark output and then use some grep/sed/awk magic to parse out the fuzz strings. I'll let you figure the last part out on your own 😉

Once you've gathered the fuzz strings you can use them in Burp through Intruder. In most cases this is more useful: I can learn faster which characters are being filtered, I can sort by response types (page size, response time, redirects, custom or non-custom error pages, regex matches, etc.), and I just have way more control in identifying injection. Once you've identified injection you can choose your favorite tool to exploit it.
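One way to do the parsing step, as an added Python stand-in for the grep/sed/awk pass (this is not the author's script; the tshark one-line summary format and the sample lines below are constructed assumptions). It pulls every query-string value out of the captured requests, URL-decodes it, drops the untouched baseline values and duplicates, and emits one string per line ready to paste into an Intruder simple list:

```python
import re
import urllib.parse

# Constructed sample of `tshark -n -R http.request` one-line summaries.
# The layout (frame, time, src -> dst, proto, request line) is assumed,
# not taken from a real capture; the injected values are textbook ones.
SAMPLE_TSHARK_OUTPUT = """\
  1 0.000000 10.0.0.5 -> 10.0.0.9 HTTP GET /item.php?id=1 HTTP/1.1
  2 0.010321 10.0.0.5 -> 10.0.0.9 HTTP GET /item.php?id=1%27%20AND%201%3D1 HTTP/1.1
  3 0.020877 10.0.0.5 -> 10.0.0.9 HTTP GET /item.php?id=1%27%20AND%201%3D2 HTTP/1.1
  4 0.031002 10.0.0.5 -> 10.0.0.9 HTTP GET /item.php?id=1%27%20AND%201%3D1 HTTP/1.1
  5 0.041500 10.0.0.5 -> 10.0.0.9 HTTP GET /item.php?id=1%2f%2a%2a%2fAND%2f%2a%2a%2f1%3D1&page=2 HTTP/1.1
  6 0.052113 10.0.0.5 -> 10.0.0.9 HTTP GET /login.php HTTP/1.1
"""

# Locate the HTTP request line wherever it sits in the summary line.
REQUEST_LINE = re.compile(r"\b(GET|POST|PUT|DELETE)\s+(\S+)\s+HTTP/")


def extract_fuzz_strings(tshark_output, baseline=None):
    """Return the distinct, URL-decoded query values seen in the captured requests.

    First-seen order is kept so the list reads like the tool's run.
    Values in `baseline` (the original, unmodified parameter values) are dropped
    so only the strings the tool actually injected remain."""
    baseline = set(baseline or ())
    seen = []
    for line in tshark_output.splitlines():
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        query = urllib.parse.urlsplit(match.group(2)).query
        # parse_qsl splits on & and =, then decodes %XX and '+' for us.
        for _name, value in urllib.parse.parse_qsl(query, keep_blank_values=True):
            if value in baseline or value in seen:
                continue
            seen.append(value)
    return seen


def to_intruder_payloads(values):
    """Burp Intruder 'simple list' format: one payload per line, no blanks."""
    return "\n".join(v for v in values if v)


if __name__ == "__main__":
    print(to_intruder_payloads(extract_fuzz_strings(SAMPLE_TSHARK_OUTPUT, baseline={"1", "2"})))
```

Feed real output through `extract_fuzz_strings(open("capture.txt").read(), baseline={...})` with the parameter values your own baseline request used; POST bodies are not captured by this summary-line parser.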

Having your own modified fuzzdb comes in handy too. You never know when you might need some tricky injection to be encoded and don't have access to the web/tools/cmdline to do it.

Anyways, hope that made sense!
