Exploring with Burst

25 April 2014

Introduction

I use Burst for every step of a web application pentest, including content discovery. This phase usually consists of guessing common subdirectories that may exist on the server (/admin, /conf, ...).

Preparation

Burst does not ship with a list of potential directories by default, but many are available online (or you can make your own). In this example we are going to use one from WFuzz.

Before starting, drop that file into the "burst/payload" directory and rename it to "explore".

Use case

First, let's create a request to the server. We are using the create() function or its alias c.

>>> r = c("http://192.168.1.1/")
>>> print r
GET / HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 0.9; en-US)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Let's add a placeholder in that request where the elements of our dictionary will be injected:

>>> r.edit()

Now use your editor to add "$url" after the "GET /". Let's print that request again:

>>> p r
GET /$url HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 0.9; en-US)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Now, the pièce de résistance, let's use the inject function (or its alias i) to create a RequestSet:

>>> irs = i(r, at="$url", payloads="explore")
>>> irs
{unknown:950 | 192.168.1.1}

If you get a PayloadNotFound exception while running the command above, you have probably skipped the preparation section.

Let's run the RequestSet with 4 threads (the default):

>>> irs.parallel()

Once this is done, you can check the results. For instance, to sort the responses by status:

>>> v irs.by_status()

Extra

The first steps of this use case (creating the request, then editing in the placeholder) can be replaced by a single call:

>>> r = c("http://192.168.1.1/$url")