Burp Intruder File Payload Generator

This extension provides a way to use file contents as custom Intruder payloads.

Suppose you need to test a file upload request with your library of carefully crafted files, such as GIFAR files, PHP files, JPEGs, JPEGs with embedded PHP, files with wrong magic numbers, etc. You could paste the contents of those binaries into the Repeater one by one, but that is boring. Instead, you can configure the Intruder to use the payloads generated by this extension. The extension only needs to be pointed at the folder that holds the payload files.

Choosing the input files:

Extension Tab

Configuring the Intruder:

Intruder payload

The source includes the NetBeans project files. You can use the native NetBeans GUI to modify the Extension Tab layout.

Usage

  • load the extension: a new PayloadTab should appear
  • at the PayloadTab, choose the payload folder
  • the extension reads all files recursively and lists them
  • in the payloads tab of the Intruder tool:
    • select Extension-generated at Payload Sets -> Payload Type
    • select File as Payload or Filename as Payload at Payload Options
    • disable the "URL-encode these characters" option, at Payloads -> Payload Encoding (especially for multipart POST requests)

If you just need to use the file contents as payload, select File as Payload. If you need both the content and filename then choose Pitchfork as the Attack type and use File as Payload for one Payload set and Filename as Payload for the other.
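The Pitchfork pairing above only lines up if both payload sets walk the folder in the same order. The following is an added example, not this extension's source: a standalone sketch of a folder-backed generator that sorts its file list and also applies the checks from the TODO list (skip dot-files such as .DS_Store, skip unreadable files). The class name `FolderPayloads` and the sample files are assumptions; the three method names mirror Burp's legacy `IIntruderPayloadGenerator` interface, which is not imported here so the code runs without Burp.

```java
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.List;
import java.util.stream.*;

// Hypothetical class; inside a real extension it would declare
// "implements IIntruderPayloadGenerator" (Burp legacy Extender API).
public class FolderPayloads {
    private final List<Path> files;
    private final boolean filenameMode;   // false: file contents, true: file name
    private int next = 0;

    public FolderPayloads(Path folder, boolean filenameMode) throws IOException {
        this.filenameMode = filenameMode;
        try (Stream<Path> walk = Files.walk(folder)) {          // recursive listing
            files = walk.filter(Files::isRegularFile)
                        .filter(p -> !p.getFileName().toString().startsWith(".")) // .DS_Store etc.
                        .filter(Files::isReadable)              // drop files we cannot read
                        .sorted()                               // same order in every payload set
                        .collect(Collectors.toList());
        }
    }

    public boolean hasMorePayloads() { return next < files.size(); }

    public byte[] getNextPayload(byte[] baseValue) {            // baseValue is ignored
        Path p = files.get(next++);
        try {
            return filenameMode ? p.getFileName().toString().getBytes(StandardCharsets.UTF_8)
                                : Files.readAllBytes(p);        // raw bytes, no re-encoding
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    public void reset() { next = 0; }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("payloads");       // constructed sample folder
        Files.write(dir.resolve("a.gif"), new byte[] {'G', 'I', 'F', '8', '9', 'a'});
        Files.write(dir.resolve(".DS_Store"), new byte[] {0});  // must be skipped
        Files.write(Files.createDirectories(dir.resolve("sub")).resolve("b.jpg"),
                    new byte[] {(byte) 0xFF, (byte) 0xD8});
        FolderPayloads names = new FolderPayloads(dir, true);   // "Filename as Payload" set
        FolderPayloads data = new FolderPayloads(dir, false);   // "File as Payload" set
        while (names.hasMorePayloads())                         // Pitchfork-style lockstep
            System.out.println(new String(names.getNextPayload(null), StandardCharsets.UTF_8)
                    + " -> " + data.getNextPayload(null).length + " bytes");
    }
}
```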

TODO

  • exclude files like .DS_Store
  • button to disable the "URL-encode these characters" option
  • verify file read permissions upon folder selection