{"id":17,"date":"2023-10-15T12:50:30","date_gmt":"2023-10-15T04:50:30","guid":{"rendered":"http:\/\/54.254.190.68\/note\/archives\/17"},"modified":"2025-07-27T18:23:26","modified_gmt":"2025-07-27T10:23:26","slug":"burpsuite-intruder","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/17","title":{"rendered":"burpsuite intruder"},"content":{"rendered":"\n

<\/p>\n\n\n\n

position<\/h1>\n\n\n\n

\u5728attack type\u67094\u7a2e\u53ef\u9078\uff0c\u8aaa\u660e\u5982\u4e0b<\/p>\n\n\n\n

Sniper<\/h3>\n\n\n\n

\u53ef\u91dd\u5c0d\u8acb\u6c42\u4e2d\u7684\u4e00\u500b\u4f4d\u7f6e\u9032\u884c\u653b\u64ca\u6e2c\u8a66<\/p>\n\n\n\n

\u4f8b\u5982\u5728\u8acb\u6c42\u4e2d\u6709\u00a7p1\u00a7
\u767c\u9001\u7b2c1\u500b\u8acb\u6c42\u6642\uff0c\u00a7p1\u00a7\u6703\u4f7f\u7528\u7b2c1\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2c1\u500b
\u767c\u9001\u7b2c2\u500b\u8acb\u6c42\u6642\uff0c\u00a7p1\u00a7\u6703\u4f7f\u7528\u7b2c1\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2c2\u500b
\u767c\u9001\u7b2cn\u500b\u8acb\u6c42\u6642\uff0c\u00a7p1\u00a7\u6703\u4f7f\u7528\u7b2c1\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2cn\u500b <\/p>\n\n\n\n

\u7528\u6cd5\u7bc4\u4f8b\u5982\u4e0b<\/p>\n\n\n\n

    \n
  1. \u5728positions\/payload options<\/code>\u3002 \u9078\u64c7\u653b\u64ca\u985e\u578bSniper<\/code>\u3002<\/li>\n\n\n\n
  2. \u6309\u4e00\u4e0b\u300cclear<\/code>\u300d\u4ee5\u522a\u9664\u4efb\u4f55\u81ea\u52d5\u6307\u6d3e\u7684\u6709\u6548\u8ca0\u8f09\u4f4d\u7f6e\u3002 \u5728\u4f7f\u7528\u8005\u540d\u7a31\u53c3\u6578\u4e2d\uff0c\u53cd\u767d\u986f\u793a\u8a72\u503c\u4e26\u6309\u4e00\u4e0b\u300cadd<\/code>\u300d\u4ee5\u5411\u8a72\u53c3\u6578\u65b0\u589e\u6709\u6548\u8ca0\u8f09\u4f4d\u7f6e\u3002 \u8a72\u4f4d\u7f6e\u5c07\u7531\u5169\u500b\u00a7\u7b26\u865f\u6307\u793a\uff0c\u4f8b\u5982\uff1ausername=\u00a7invalid-username\u00a7<\/li>\n<\/ol>\n\n\n\n

    refer
    Lab: Username enumeration via different responses<\/p>\n\n\n\n

    Battering ram<\/h3>\n\n\n\n

    \u53ef\u91dd\u5c0d\u8acb\u6c42\u4e2d\u7684\u591a\u500b\u4f4d\u7f6e\u9032\u884c\u540c\u6a23\u7684\u653b\u64ca\u6e2c\u8a66<\/p>\n\n\n\n

    \u4f8b\u5982\u5728\u8acb\u6c42\u4e2d\u6709\u00a7p1\u00a7\u548c\u00a7p2\u00a7,
    \u767c\u9001\u7b2c1\u500b\u8acb\u6c42\u6642\uff0c\u00a7p1\u00a7\u548c\u00a7p2\u00a7\u6703\u4f7f\u7528\u7b2c1\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2c1\u500b
    \u767c\u9001\u7b2c2\u500b\u8acb\u6c42\u6642\uff0c\u00a7p1\u00a7\u548c\u00a7p2\u00a7\u6703\u4f7f\u7528\u7b2c1\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2c2\u500b
    \u767c\u9001\u7b2cn\u500b\u8acb\u6c42\u6642\uff0c\u00a7p1\u00a7\u548c\u00a7p2\u00a7\u6703\u4f7f\u7528\u7b2c1\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2cn\u500b <\/p>\n\n\n\n

    Pitchfork<\/h3>\n\n\n\n

    \u53ef\u91dd\u5c0d\u8acb\u6c42\u4e2d\u7684\u591a\u500b\u4f4d\u7f6e\uff0c\u540c\u6642\u505a\u4e0d\u540c\u7684\u653b\u64ca\u6e2c\u8a66<\/p>\n\n\n\n

    \u4f8b\u5982\u5728\u8acb\u6c42\u4e2d\u6709\u00a7p1\u00a7\u548c\u00a7p2\u00a7,
    \u767c\u9001\u7b2c1\u500b\u8acb\u6c42\u6642\uff0c\u00a7p1\u00a7\u6703\u4f7f\u7528\u7b2c1\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2c1\u500b, \u00a7p2\u00a7\u6703\u4f7f\u7528\u7b2c2\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2c1\u500b
    \u767c\u9001\u7b2c2\u500b\u8acb\u6c42\u6642\uff0c\u00a7p1\u00a7\u6703\u4f7f\u7528\u7b2c1\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2c2\u500b, \u00a7p2\u00a7\u6703\u4f7f\u7528\u7b2c2\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2c2\u500b
    \u767c\u9001\u7b2cn\u500b\u8acb\u6c42\u6642\uff0c\u00a7p1\u00a7\u6703\u4f7f\u7528\u7b2c1\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2cn\u500b, \u00a7p2\u00a7\u6703\u4f7f\u7528\u7b2c2\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2cn\u500b<\/p>\n\n\n\n

    refer
    Lab: Username enumeration via response timing
    Lab: Broken brute-force protection, IP block<\/p>\n\n\n\n

    cluster comb<\/h3>\n\n\n\n

    \u53ef\u91dd\u5c0d\u8acb\u6c42\u4e2d\u7684\u591a\u500b\u4f4d\u7f6e\uff0c\u505a\u6240\u6709\u7d44\u5408\u7684\u653b\u64ca\u6e2c\u8a66<\/p>\n\n\n\n

    \u4f8b\u5982\u5728\u8acb\u6c42\u4e2d\u6709\u00a7p1\u00a7\u548c\u00a7p2\u00a7,
    \u767c\u9001\u7b2c1\u500b\u8acb\u6c42\u6642\uff0c\u00a7p1\u00a7\u6703\u4f7f\u7528\u7b2c1\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2c1\u500b, \u00a7p2\u00a7\u6703\u4f7f\u7528\u7b2c2\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2c1\u500b
    \u767c\u9001\u7b2c2\u500b\u8acb\u6c42\u6642\uff0c\u00a7p1\u00a7\u6703\u4f7f\u7528\u7b2c1\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2c2\u500b, \u00a7p2\u00a7\u6703\u4f7f\u7528\u7b2c2\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2c1\u500b
    \u767c\u9001\u7b2cn\u500b\u8acb\u6c42\u6642\uff0c\u00a7p1\u00a7\u6703\u4f7f\u7528\u7b2c1\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2cn\u500b, \u00a7p2\u00a7\u6703\u4f7f\u7528\u7b2c2\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2c1\u500b
    \u767c\u9001\u7b2cn+1\u500b\u8acb\u6c42\u6642\uff0c\u00a7p1\u00a7\u6703\u4f7f\u7528\u7b2c1\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2c1\u500b, \u00a7p2\u00a7\u6703\u4f7f\u7528\u7b2c2\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2c2\u500b
    \u767c\u9001\u7b2cn+2\u500b\u8acb\u6c42\u6642\uff0c\u00a7p1\u00a7\u6703\u4f7f\u7528\u7b2c1\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2c2\u500b, \u00a7p2\u00a7\u6703\u4f7f\u7528\u7b2c2\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2c2\u500b
    \u767c\u9001\u7b2cn+n\u500b\u8acb\u6c42\u6642\uff0c\u00a7p1\u00a7\u6703\u4f7f\u7528\u7b2c1\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2cn\u500b, \u00a7p2\u00a7\u6703\u4f7f\u7528\u7b2c2\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2c2\u500b
    \u767c\u9001\u7b2cn^n\u500b\u8acb\u6c42\u6642\uff0c\u00a7p1\u00a7\u6703\u4f7f\u7528\u7b2c1\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2cn\u500b, \u00a7p2\u00a7\u6703\u4f7f\u7528\u7b2c2\u7a2e\u653b\u64ca\u5b57\u4e32\u7684\u7b2cn\u500b<\/p>\n\n\n\n

    \u7528\u6cd5\u7bc4\u4f8b\u5982\u4e0b<\/p>\n\n\n\n

    \u5728positions\/payload options<\/code> \u5340\u57df\u4e2d\u53ef\u4ee5\u8a2d\u5b9a2payload\u5206\u5225\u70ba \u00a71\u00a7 \u548c \u00a7a\u00a7 \u5982\u4e0b<\/p>\n\n\n\n

    TrackingId=x’+UNION+SELECT+’a’+FROM+users+WHERE+username=’administrator’+AND+substring(password,\u00a71\u00a7,1)=’\u00a7a\u00a7’–<\/p>\n\n\n\n

    payload1, \u8a2d\u5b9a1~20
    payload2, Simple list , \u589e\u52a0payloads \u5728 a – z \u548c 0 – 9\u7684\u7bc4\u570d <\/p>\n\n\n\n

    refer
    Lab: Blind SQL injection with conditional responses
    Lab: Blind SQL injection with conditional errors
    Lab: Username enumeration via account lock<\/p>\n\n\n\n

    <\/p>\n\n\n\n

    \n\n\n\n

    <\/p>\n\n\n\n

    payload<\/h1>\n\n\n\n

    payload type\u6709\u5f88\u591a\u53ef\u4ee5\u9078,\u4ee5\u4e0b\u90783\u500b\u6700\u5e38\u898b\u7684\u505a\u7c21\u4ecb<\/p>\n\n\n\n

    simple <\/h3>\n\n\n\n

    \u53ef\u9078\u64c7\u653b\u64ca\u6e05\u55ae\u9010\u4e00\u767c\u9001\u653b\u64ca\u8acb\u6c42\uff0c\u4ee5 xss \u70ba\u4f8b\u5982\u4e0b<\/p>\n\n\n\n

      \n
    1. \u5728payload sets<\/code>\u5340\u57df\u4e2d, payload type<\/code>\u9078simple list<\/code><\/li>\n\n\n\n
    2. \u5728payload settings<\/code>\u5340\u57df\u4e2d\uff0c\u628axss\u653b\u64ca\u7bc4\u4f8b\u6e05\u55ae\u8cbc\u4e0a\u3002( \u6e05\u55ae\u53ef\u53c3\u8003 XSS cheat sheet <\/a>)<\/li>\n\n\n\n
    3. \u9ede\u9078start attack<\/code>\u3002<\/li>\n<\/ol>\n\n\n\n

      refer
      Lab: Reflected XSS into HTML context with most tags and attributes blocked<\/p>\n\n\n\n

      number <\/h3>\n\n\n\n

      \u53ef\u4ee5\u7522\u751f\u591a\u500b\u6578\u5b57\u5167\u5bb9\u7684\u8acb\u6c42,\u4ee51-255\u500b\u6578\u5b57\u70ba\u4f8b<\/p>\n\n\n\n

        \n
      1. \u5728payload sets<\/code>\u5340\u57df\u4e2d, payload type<\/code>\u9078numbers<\/code><\/li>\n\n\n\n
      2. \u5728payload settings<\/code>\u5340\u57df\u4e2d\uff0c\u4e26\u5206\u5225\u5728from<\/code>\u3001to<\/code>\u548cstep<\/code>\u65b9\u584a\u4e2d\u8f38\u5165 1\u3001255 \u548c 1\u3002\u5c31\u53ef\u4ee5\u7522\u751f1\u5230255\u7684\u6578\u5b57\u4e26\u4f9d\u7e8c\u767c\u9001255\u500b\u8acb\u6c42<\/li>\n\n\n\n
      3. \u9ede\u9078start attack<\/code>\u3002<\/li>\n<\/ol>\n\n\n\n

        refer<\/p>\n\n\n\n

        Lab: Basic SSRF against another back-end system
        Lab: 2FA bypass using a brute-force attack<\/p>\n\n\n\n

        <\/p>\n\n\n\n

        null payload <\/h3>\n\n\n\n
          \n
        1. \u5728payload sets<\/code>\u5340\u57df\u4e2d, payload type<\/code>\u9078null payload<\/code><\/li>\n\n\n\n
        2. \u5728payload settings<\/code>\u5340\u57df\u4e2d\uff0c\u53ef\u5728generate<\/code>\u4e2d\u9078\u64c7\u8981\u91cd\u8986\u591a\u5c11\u6b21\u8acb\u6c42\uff0c\u6216\u9078\u64c7continue indefinitely<\/code>\u6301\u7e8c\u50b3\u9001\u76f8\u540c\u8acb\u6c42 <\/li>\n<\/ol>\n\n\n\n

          refer
          Lab: Low-level logic flaw<\/p>\n\n\n\n

          <\/p>\n\n\n\n

          <\/p>\n\n\n\n

          payload processing<\/h3>\n\n\n\n

          \u7528\u6cd5:\u53ef\u5728\u91cd\u9001\u8acb\u6c42\u6642\u5c0d\u5167\u5bb9\u505a\u8655\u7406<\/p>\n\n\n\n

          \u4f8b\u5982:\u60f3\u5c0d\u8acb\u6c42\u505aMD5\uff0c\u5728\u589e\u52a0wiener\uff0c\u5728\u505aBase64-encode\uff0c\u90a3\u53ef\u4ee5\u5728Payload processing<\/code>\u5340\u57df\u5167\uff0c\u589e\u52a0\u4ee5\u4e0b\u898f\u5247\uff0c\u53ef\u4f9d\u5e8f\u5c0d\u8acb\u6c42\u7684\u5167\u5bb9\u505a\u8655\u7406<\/p>\n\n\n\n

            \n
          1. Hash: MD5<\/li>\n\n\n\n
          2. Add prefix: wiener:<\/li>\n\n\n\n
          3. Encode: Base64-encode<\/li>\n<\/ol>\n\n\n\n

            <\/p>\n\n\n\n

            refer
            Lab: Brute-forcing a stay-logged-in cookie<\/p>\n\n\n\n

            <\/p>\n\n\n\n

            \n\n\n\n

            <\/p>\n\n\n\n

            Settings<\/h1>\n\n\n\n

            \u5176\u4ed6\u4e00\u4e9b\u8a2d\u5b9a,\u5e7e\u500b\u6bd4\u8f03\u5e38\u7528\u7684\u9078\u9805\u5982\u4e0b<\/p>\n\n\n\n

            grep match<\/h3>\n\n\n\n

            \u5982\u679c\u60f3\u904e\u6ffe\u8fd4\u56de\u5167\u5bb9,\u53ef\u900f\u904egrep match<\/p>\n\n\n\n

            \u4f8b\u5982:\u6211\u53ea\u60f3\u770b\u8fd4\u56de\u5167\u5bb9\u6709welcome back\u7684\u503c,\u5247\u6e05\u9664\u6240\u6709\u9805\u76ee\u4e26\u65b0\u589ewelcome back\u5373\u53ef<\/p>\n\n\n\n

            refer
            Lab: Blind SQL injection with conditional responses
            Lab: Blind SQL injection with conditional errors<\/p>\n\n\n\n

            Grep – Extract<\/h3>\n\n\n\n

            \u5728grep match\u4f7f\u7528\u6b63\u898f\u8868\u793a\u5f0f<\/p>\n\n\n\n

            refer
            Lab: Username enumeration via subtly different responses<\/p>\n\n\n\n

            <\/p>\n\n\n\n

            \n\n\n\n

            <\/p>\n\n\n\n

            start attack windows<\/h1>\n\n\n\n

            \u653b\u64ca\u958b\u59cb\u5f8c\u6703\u5f48\u51fa\u4e00\u500b\u653b\u64ca\u8996\u7a97\u986f\u793a\u76ee\u524d\u7684\u8acb\u6c42\u60c5\u6cc1<\/p>\n\n\n\n

            \u653b\u64ca\u8996\u7a97\u4e0d\u6703\u5c07\u6240\u6709\u8cc7\u8a0a\u90fd\u6703\u986f\u793a\u51fa\u4f86\uff0c\u4f8b\u5982\uff0c\u5982\u679c\u60f3\u770b\u6bcf\u500b\u8acb\u6c42\u7684Response time<\/code>\uff0c\u90a3\u8981\u5230Columns<\/code>\u9078\u55ae\u53e6\u5916\u52fe\u9078Response received<\/code>\u548cResponse completed<\/code>\u3002<\/p>\n\n\n\n

            refer
            Lab: Blind SQL injection with time delays and information retrieval
            Lab: Username enumeration via response timing
            Lab: Username enumeration via response timing<\/p>\n","protected":false},"excerpt":{"rendered":"

            position \u5728attack type\u67094\u7a2e\u53ef\u9078\uff0c\u8aaa\u660e\u5982 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[369],"tags":[3],"class_list":["post-17","post","type-post","status-publish","format-standard","hentry","category-red-team","tag-tool"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/17","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=17"}],"version-history":[{"count":1,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/17\/revisions"}],"predecessor-version":[{"id":2404,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/17\/revisions\/2404"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=17"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=17"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=17"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}