0x13 - Optimizing Payload Lists
Did you know some of the best vulnerabilities are not discovered using default payload lists?
You've probably seen payload lists that include placeholders like {file} or {collaborator}.
These lists work pretty well for file inclusion, arbitrary file read and SSRF attacks.
However, used as-is they won't find any vulnerability, because the placeholders need additional processing first.
There is no file named {file} on Linux, Windows, Mac or anything else,
and you won't get a hit on your collaborator server from a payload that literally contains {collaborator}.
By using the Payload processing feature in Burp Intruder, however, you can add a regex rule that matches the placeholder and replaces it with an actual value, which improves your chances.
How to do it
Send your request to Intruder
Set the injection point for your chosen parameter
Load your favorite payload list
Scroll down to Payload processing and add a new regex rule
Example 1 - look for the passwd file
Match: \{file\}
Replace: passwd
Example 2 - listen for requests on collaborator
Match: \{collaborator\}
Replace: ppi1cty6kllsnobn70ljb5g4bvhm5ct1.oastify.com
Example 3 - redirect to own domain
Match: \{collaborator\}
Replace: yourdomain.com
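The same placeholder substitution done outside Burp, as an added example that is not part of the original post: it expands every placeholder in a payload list from a mapping (one payload per combination when a placeholder has several values) and reports any placeholder that has no mapping, so a literal {file} or {collaborator} never gets sent. The sample payload lines, the mapping and the collaborator hostname are constructed for the example.

```python
import re
from itertools import product
from typing import Dict, Iterable, List, Tuple

# Matches placeholders such as {file} or {collaborator} in a payload line.
PLACEHOLDER = re.compile(r"\{(\w+)\}")


def expand_payload(line: str, mapping: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Return (expanded payloads, unresolved placeholder names) for one line.

    Placeholders present in `mapping` are replaced; a placeholder with several
    values yields one payload per combination. Placeholders with no mapping are
    left untouched and reported, because a literal "{file}" never matches a real
    path and the payload is wasted.
    """
    names = sorted(set(PLACEHOLDER.findall(line)))
    unresolved = [n for n in names if n not in mapping]
    resolved = [n for n in names if n in mapping]
    if not resolved:
        return [line], unresolved
    results = []
    for combo in product(*(mapping[n] for n in resolved)):
        values = dict(zip(resolved, combo))
        # Unknown placeholders keep their original text (m.group(0)).
        results.append(PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), line))
    return results, unresolved


def expand_list(payloads: Iterable[str], mapping: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Expand a whole payload list; returns (payloads, sorted unresolved names)."""
    out, missing = [], set()
    for line in payloads:
        line = line.rstrip("\n")
        if not line:
            continue
        expanded, unresolved = expand_payload(line, mapping)
        out.extend(expanded)
        missing.update(unresolved)
    return out, sorted(missing)


# Constructed sample list and mapping; the collaborator hostname is a placeholder value.
SAMPLE_PAYLOADS = ["../../../../etc/{file}", "http://{collaborator}/", "{unknown}"]
SAMPLE_MAPPING = {"file": ["passwd", "hosts"], "collaborator": ["your-id.oastify.example"]}

if __name__ == "__main__":
    payloads, missing = expand_list(SAMPLE_PAYLOADS, SAMPLE_MAPPING)
    print("\n".join(payloads))
    if missing:
        print("unresolved placeholders:", ", ".join(missing))
```

Feed the printed lines to Intruder as a plain list when a regex rule is not an option.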