Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Configure Cluster bomb

Marko | Last updated: Sep 07, 2017 05:03AM UTC

Let's say I use a cluster bomb attack with the repeater on this request (a quiz in which you can pass by checking the 3 corrects answers: &answer1=§0§&answer2=§0§&answer3=§0§&answer4=§0§&answer5=§0§&answer6=§0§&good_answers=3 For my payload type, I use a simple list with two string... 0( answer not chosen) and 1(answer choosen) This give me a total of 64 possible requests. I'd like to bring down this to 2^3 because I know that passing the quizz means I have to choose 3 right answers, not 4, 5 or 6. Can this be specified in the repeater? This means that

PortSwigger Agent | Last updated: Sep 07, 2017 06:56AM UTC

Hi Marko, Thanks for your message. Can you clear the § markers on answers 4, 5 and 6? I think that will do what you need.

Burp User | Last updated: Sep 08, 2017 02:14AM UTC

You misunderstood. The quizz look like that: Q: Choose the 3 correct answers: [ ] - answer number 1 [ ] - answer number 2 [ ] - answer number 3 [ ] - answer number 4 [ ] - answer number 5 [ ] - answer number 6 To pass the question, you need to choose the correct answers, there are three. Choosing more than three answers is useless. This means that theses would be good attempts &answer1=1&answer2=1&answer3=1&answer4=0&answer5=0&answer6=0&good_answers=3 (three answers choose) OR &answer1=0&answer2=1&answer3=0&answer4=0&answer5=1&answer6=1&good_answers=3 (three answers chosen) but not &answer1=1&answer2=1&answer3=1&answer4=1&answer5=1&answer6=1&good_answers=3 (6/all answers chosen) OR &answer1=1&answer2=0&answer3=0&answer4=1&answer5=1&answer6=1&good_answers=3 (4 answers chosen) because in theses, there are more than 3 answers chosen. So basically, I want to specify to the intruder that I don't want more than three of the items (0 or 1) in the simple list in any request. 0 , 0 , 1 , 1 , 1, 0 good 1 , 0 , 1 , 0 , 1, 0 good 0 , 0 , 1 , 0 , 1, 0 bad

PortSwigger Agent | Last updated: Sep 08, 2017 08:22AM UTC

Hi Marko, Thanks for the explanation, I think I understand your use case now. This isn't possible with Cluster Bomb, although you can use some scripting and a Pitchfork attack to do the same. First, use this script to generate 6 sets of payloads (you may need to tweak this): bc. length = 6 files = [open('%d.txt' % (i+1), 'w') for i in range(length)] for item in range((length+2)**2): cur = [1 if item & 2**i else 0 for i in range(6)] if len([x for x in cur if x]) == 3: print(cur) for i in range(6): files[i].write("%d\n" % cur[i]) Then configure a Pitchfork attack, using one of the generated files for each of the payload sets.

Burp User | Last updated: Sep 08, 2017 11:11PM UTC

Thank you very much, seem this will do the trick.

Burp User | Last updated: Sep 08, 2017 11:50PM UTC

Thank you very much, this method works great.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.